PWS:Win32/QQpass.EI.dll
First posted on 07 September 2010.
Source: SecurityHome
Aliases:
PWS:Win32/QQpass.EI.dll is also known as Win-Trojan/Agent.30720.ALO (AhnLab), Trojan-PSW.Win32.Agent.sdo (Kaspersky), W32/Malware.MSKU (Norman), Trojan horse Generic18.RGF (AVG), Trojan.Generic.4181448 (BitDefender), Trojan.PWS.Biaozhi.origin (Dr.Web), Trojan.SuspectCRC (Ikarus), Generic PWS.y!ctu (McAfee), Trojan.Win32.Generic.520773DF (Rising AV), Troj/Agent-MPR (Sophos), Trojan.Win32.Generic!BT (Sunbelt Software).
Explanation:
PWS:Win32/QQpass.EI.dll is a detection for certain obfuscated/protected password stealers. The malware may masquerade as a .JPG in an effort to trick the user into thinking it is an image and launch it.
Installation
When executed, PWS:Win32/QQpass.EI.dll drops the following files:
m_user.dll under directory <system folder>
v3lght.dll under directory <system folder>
del2fa73.bat under directory %windir%
a modified version of sfc_os.dll
a modified version of comres.dll
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
Using Windows hooks, PWS:Win32/QQpass.EI.dll injects the password stealing component into running processes.
Payload
Steals sensitive information
The password stealer steals passwords from running applications and communicates to the following locations:
shenkgjiu.com/19da/dc/ndf.asp
shenkgjiu.com/19da/mz/maoxiandao.asp
shenkgjiu.com/19da/nt/nate.asp
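The file and network indicators in the Installation and Payload sections above can be turned into a simple triage check. The following is an added example, not code from the original write-up or from the AV vendor: it matches the listed C2 domain and paths against proxy-log lines and the listed dropped file names against a directory listing. The domain, .asp paths and file names come from the page; the log format, client addresses, the sample listing and the signature-status values are constructed assumptions. Because sfc_os.dll and comres.dll are legitimate system files that the page says are replaced with modified copies, their presence alone is not an indicator; the example only flags them when the (assumed, externally obtained) Authenticode status is bad.

```python
import re

# Network indicators taken from the write-up: one domain, three script paths.
C2_DOMAIN = "shenkgjiu.com"
C2_PATHS = {"/19da/dc/ndf.asp", "/19da/mz/maoxiandao.asp", "/19da/nt/nate.asp"}

# File indicators taken from the write-up.
DROPPED_SYSTEM_FILES = {"m_user.dll", "v3lght.dll"}   # dropped into <system folder>
DROPPED_WINDIR_FILES = {"del2fa73.bat"}               # dropped into %windir%
MODIFIED_SYSTEM_DLLS = {"sfc_os.dll", "comres.dll"}   # legitimate DLLs, replaced by modified copies

# Assumed proxy-log layout (constructed, not from the page):
#   <timestamp> <client-ip> <method> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def match_c2(lines):
    """Return (client, path) for every log line whose URL hits a listed C2 location.

    The query string is ignored so that nate.asp?id=1 still matches nate.asp;
    a different path on the same domain is not reported, because the page only
    names these three scripts.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # malformed or unrelated line format
        host_and_path = m.group("url").split("://", 1)[-1]
        host, _, path = host_and_path.partition("/")
        host = host.split(":")[0].lower()  # drop an explicit port if present
        path = "/" + path.split("?", 1)[0]
        if host == C2_DOMAIN and path in C2_PATHS:
            hits.append((m.group("client"), path))
    return hits


def check_file_indicators(system_listing, windir_listing):
    """Flag dropped files and unsigned copies of the replaced system DLLs.

    Both arguments map file name -> bool (True if the file carries a valid
    Authenticode signature). Obtaining that status is outside this example;
    on a host it would come from a signature check such as
    Get-AuthenticodeSignature (assumption, not described on the page).
    """
    findings = []
    for name, signed in system_listing.items():
        lname = name.lower()
        if lname in DROPPED_SYSTEM_FILES:
            findings.append((f"<system folder>\\{name}", "dropped file named in write-up"))
        elif lname in MODIFIED_SYSTEM_DLLS and not signed:
            findings.append((f"<system folder>\\{name}", "replaced system DLL: signature invalid or missing"))
    for name in windir_listing:
        if name.lower() in DROPPED_WINDIR_FILES:
            findings.append((f"%windir%\\{name}", "dropped file named in write-up"))
    return findings


# Constructed sample input (addresses and timestamps are made up).
SAMPLE_LOG = [
    "2010-09-07T10:01:02 10.0.0.15 GET http://shenkgjiu.com/19da/dc/ndf.asp 200",
    "2010-09-07T10:01:05 10.0.0.15 GET http://www.example.com/index.html 200",
    "2010-09-07T10:02:11 10.0.0.22 POST http://shenkgjiu.com/19da/nt/nate.asp?id=1 200",
    "2010-09-07T10:03:00 10.0.0.31 GET http://shenkgjiu.com/other/page.asp 404",
    "malformed line",
]
SAMPLE_SYSTEM = {"kernel32.dll": True, "m_user.dll": False, "sfc_os.dll": False, "comres.dll": True}
SAMPLE_WINDIR = {"explorer.exe": True, "del2fa73.bat": False}

if __name__ == "__main__":
    for client, path in match_c2(SAMPLE_LOG):
        print(f"C2 contact: {client} -> {C2_DOMAIN}{path}")
    for location, reason in check_file_indicators(SAMPLE_SYSTEM, SAMPLE_WINDIR):
        print(f"File indicator: {location} ({reason})")
```

On the constructed sample, two of the five log lines are reported as C2 contacts and three file findings are returned: the two dropped files and the unsigned sfc_os.dll, while the validly signed comres.dll is left alone.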
Analysis by Daniel Radu
Last update 07 September 2010