
QQRob.GV


First posted on 13 September 2006.
Source: SecurityHome

Aliases:

QQRob.GV is also known as Trojan-PSW.Win32.QQRob.gv.

Explanation:

QQRob.GV logs keystrokes and sends the results to an e-mail address.

Upon execution, QQRob.GV drops a copy of itself in the Windows System Directory as:

%systemdir%\NTdhcp.exe

Note: %systemdir% is by default C:\Windows\System32

Please see the lower section for additional details.

Upon execution, QQRob.GV drops a copy of itself in the Windows System Directory as:
%systemdir%\NTdhcp.exe

Note: %systemdir% is by default C:\Windows\System32
The dropped file uses a Notepad icon.

It also creates the following non-malicious batch file in the Windows Directory:
%windir%\deleteme.bat

Note: %windir% is by default C:\Windows

QQRob.GV then creates the following registry value for its auto-start mechanism:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
NTdhcp = "%systemdir%\NTdhcp.exe"

It checks for the file:
%systemdir%\Kvnative.exe

If the file above exists, it renames it to Kvnative.bak.

QQRob.GV terminates the following security and antivirus related processes:
CCAPP.EXE
EGHOST.EXE
FireTray.exe
Iparmor.exe
KASMain.EXE
KAV32.EXE
KAVPFW.EXE
KAVPLUS.EXE
KAVStart.exe
KmailMon.EXE
KPFW32.EXE
KPOPMON.EXE
KVCenter.kxp
KvDetech.exe
KVFW.EXE
KWatch9x.exe
KWATCHUI.EXE
MAILMON.EXE
MCAGENT.EXE
MCVSESCN.EXE
MSKAGENT.EXE
RAV.EXE
RAVMON.EXE
RavTask.exe
RAVTIMER.EXE
RegGuide.exe
SHSTAT.EXE
SmartUp.exe
TBMon.exe
TrojanDetector.EXE
UIHost.exe
UpdaterUI.exe
WNILOGON.exe

QQRob.GV disables the following services through the registry [HKLM\System\CurrentControlSet]:
ccEvtMgr
ccProxy
ccSetMgr
FireSvc
kavsvc
KPfwSvc
KVSrvXP
KVWSC
KWatchSvc
McAfeeFramework
McShield
McTaskManager
MskService
navapsvc
NPFMntor
RfwService
RsCCenter
RsRavMon
SNDSrvc
SPBBCSvc
Symantec Core LC
wscsvc

QQRob.GV also checks for security and antivirus related registry values in [HKLM\Software\Microsoft\Windows\CurrentVersion\Run].
If any of the following registry values exist, they are deleted:
ccApp
iDuba Personal FireWall
KAVPersonal50
KavPFW
KAVRun
KavStart
KpopMon
Kulansyn
KvMonXP
KvPpWall_autorun
KvXP
KWatch9x
McAfeeUpdaterUI
MCAgentExe
McRegWiz
MCUpdateExe
MSKAGENTEXE
MSKDetectorExe
NAV CfgWiz
Network Associates Error Reporting Service
RavTask
RavTimer
RfwMain
Services
ShStatEXE
SonudMan
SSC_UserPrompt
VirusScan Online
VSOCheckTask

QQRob.GV logs the user's keystrokes and sends them to a fixed e-mail address using its own SMTP engine.
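The artifacts above (dropped file, leftover batch file, renamed Kvnative.bak, Run value, disabled services) can be checked on a suspect host in one read-only pass. The script below is an added example written for this page, not part of the SecurityHome advisory; it assumes the service disabling shows up as the registry Start value 4 (SERVICE_DISABLED), which the advisory does not state explicitly, and it only reports, never remediates.

```powershell
# Added example: read-only triage for the QQRob.GV indicators listed in the advisory.
# Run in an elevated PowerShell session on the host under investigation.
$findings = @()

$winDir = $env:SystemRoot                      # normally C:\Windows  (%windir%)
$sysDir = Join-Path $winDir 'System32'         # normally C:\Windows\System32 (%systemdir%)

# 1. Files the trojan drops or leaves behind.
$filePaths = @(
    (Join-Path $sysDir 'NTdhcp.exe'),          # dropped copy of the trojan
    (Join-Path $winDir 'deleteme.bat'),        # batch file created alongside it
    (Join-Path $sysDir 'Kvnative.bak')         # Kvnative.exe renamed by the trojan
)
foreach ($p in $filePaths) {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# 2. Auto-start value under the HKLM Run key.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['NTdhcp']) {
    $findings += "Run value NTdhcp = $($run.NTdhcp)"
}

# 3. Security services the trojan disables. Assumption (not stated in the advisory):
#    the disable is applied as Start = 4 (SERVICE_DISABLED) under the service's key.
$services = 'ccEvtMgr','ccProxy','ccSetMgr','FireSvc','kavsvc','KPfwSvc','KVSrvXP',
            'KVWSC','KWatchSvc','McAfeeFramework','McShield','McTaskManager','MskService',
            'navapsvc','NPFMntor','RfwService','RsCCenter','RsRavMon','SNDSrvc','SPBBCSvc',
            'Symantec Core LC','wscsvc'
foreach ($s in $services) {
    $svcKey = "HKLM:\System\CurrentControlSet\Services\$s"
    if (Test-Path -LiteralPath $svcKey) {
        $start = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue).Start
        if ($start -eq 4) { $findings += "Service disabled (Start=4): $s" }
    }
}

# 4. Report. A disabled service on its own is weak evidence; the file or Run value is the
#    strong indicator, and the combination is what the advisory's behaviour predicts.
if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Output $_ }
} else {
    Write-Output 'No QQRob.GV artifacts found on this host.'
}
```

The file and Run-key checks are exact matches against paths named in the advisory; the service check is deliberately reported separately because a security service can be disabled for legitimate reasons, so it should raise the priority of a file or Run-value hit rather than count as a detection by itself.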

Last update 22 May 2007
