PWS-QQPass!885ea315

This page shows details and results of our analysis on the malware PWS-QQPass!885ea315

Overview

This is a detection for a specific variant of the PWS-QQPass trojan. This variant is installed as a Layered Service Provider (LSP) to the TCP/IP stack.

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


Minimum DAT

4856 (2006-09-20)

Updated DAT

4856 (2006-09-20)

Minimum Engine

5.1.00

File Length

24,064 bytes

Description Added

2006-09-20

Description Modified

2006-09-20

Malware Proliferation

Characteristics

This is a detection for a specific variant of the PWS-QQPass trojan. This variant is installed as a Layered Service Provider (LSP) to WinSock. When executed, it sniffs and steals account information for QQ instant messaging and for games including "Lineage II" and "Legend of Mir".

A downloader thread is injected into Windows Explorer (Explorer.exe). Executing in the memory of Explorer.exe, this variant contacts a server hosted at (hidden).105875.com.cn on TCP port 16782 to download updated copies of the PWS-QQPass trojan.

This variant modifies certain LSP

Symptoms

Presence of the following file:

  • %Windir%\System32\cn_dns60.dll

(Where %Windir% is the Windows folder, e.g. C:\Windows)

Presence of the following registry key(s):

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\Parameters\"PathName" = "%Windir%\System32\cn_dns60.dll"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\Parameters\* = (original PackedCatalogItem value)

Modified registry key(s):

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\*\"PackedCatalogItem" = "%Windir%\System32\cn_dns60.dll"

(The modified registry keys should be repaired manually, as described in the "Removal" section.)

Outgoing connections initiated from Windows Explorer (explorer.exe) to the following host on Port 18792:

  • (hidden).105875.com.cn


Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

The removal of this malware can break the normal operation of the TCP/IP stack due to the registry key modifications. Instead of inserting an additional LSP, this PWS-QQPass variant replaces all existing LSPs and stores the original LSP locations in the registry.

This can be repaired manually by using the Registry Editor tool (REGEDIT.EXE). Locations of the original Layered Service Providers (LSP) are stored by the trojan at:

(1) HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\Parameters\* = (String Value)

Each registry entry in this key corresponds to a modified entry at:

(2) HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\*\PackedCatalogItem = (Binary Value)

Copy the original locations from (1) into the corresponding modified entry in (2) and reboot the system.
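The following PowerShell script is an added example, not AVERT's code and not part of the original write-up. It performs the registry checks from the "Symptoms" section (the cn_dns60.dll file and any Protocol_Catalog9 entry whose PackedCatalogItem points at it) and, with -Repair, carries out steps (1) and (2) above for every affected entry instead of one at a time. Two things are assumptions rather than statements from this page: that the first 260 bytes (MAX_PATH) of a PackedCatalogItem value hold the provider DLL path as a NUL-terminated ANSI string with the WSAPROTOCOL_INFO structure following it, and that the string values the trojan stores under Catalog_Entries\Parameters are named after the catalog entry subkey they belong to (for example "000000000003"). The ControlSet to inspect is a parameter because the page names both CurrentControlSet and ControlSet001.

```powershell
<#
Added audit/repair helper for the LSP hijack described on this page. This is
not AVERT's code and not part of the original write-up. Assumptions (labelled):
  - The first 260 bytes (MAX_PATH) of each PackedCatalogItem value hold the
    provider DLL path as a NUL-terminated ANSI string; the rest is the
    WSAPROTOCOL_INFO structure and is left untouched.
  - The string values the trojan stores under Catalog_Entries\Parameters are
    named after the catalog entry subkey they belong to (e.g. "000000000003").
Run from an elevated prompt. Without -Repair it only reports.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Repair,
    [string]$ControlSet = 'CurrentControlSet',
    [string]$Indicator  = 'cn_dns60.dll'     # file name from the Symptoms section
)

$catalog = "HKLM:\SYSTEM\$ControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries"
$stash   = Join-Path $catalog 'Parameters'   # where the trojan keeps the original LSP paths (step 1)

function Get-PackedPath {
    # Extract the provider path from the front of a PackedCatalogItem blob (assumed layout).
    param([byte[]]$Packed)
    $len = [Math]::Min(260, $Packed.Length)
    $raw = [System.Text.Encoding]::Default.GetString($Packed, 0, $len)
    $nul = $raw.IndexOf([char]0)
    if ($nul -ge 0) { $raw.Substring(0, $nul) } else { $raw }
}

function Set-PackedPath {
    # Return a copy of the blob with the 260-byte path field replaced by $Path.
    param([byte[]]$Packed, [string]$Path)
    $bytes = [System.Text.Encoding]::Default.GetBytes($Path)
    if ($bytes.Length -ge 260) { throw "Path too long for PackedCatalogItem: $Path" }
    $new = New-Object byte[] ($Packed.Length)
    [Array]::Copy($Packed, $new, $Packed.Length)
    for ($i = 0; $i -lt [Math]::Min(260, $new.Length); $i++) { $new[$i] = 0 }
    [Array]::Copy($bytes, 0, $new, 0, $bytes.Length)
    return ,$new
}

# 1. File indicator from the Symptoms section.
$dll = Join-Path $env:windir "System32\$Indicator"
if (Test-Path $dll) { Write-Warning "Indicator file present: $dll" }

# 2. Walk every Winsock provider entry and compare its path with the indicator.
$findings = @()
foreach ($key in Get-ChildItem $catalog) {
    if ($key.PSChildName -eq 'Parameters') { continue }   # the trojan's stash, not a provider entry
    $packed = (Get-ItemProperty -Path $key.PSPath -Name PackedCatalogItem -ErrorAction SilentlyContinue).PackedCatalogItem
    if (-not $packed) { continue }
    $current = Get-PackedPath $packed
    if ($current -notlike "*$Indicator") { continue }

    # Look up the original provider path the trojan saved for this entry (step 1).
    $original = $null
    if (Test-Path $stash) {
        $original = (Get-ItemProperty -Path $stash -ErrorAction SilentlyContinue).($key.PSChildName)
    }
    $findings += [pscustomobject]@{ Entry = $key.PSChildName; Current = $current; Original = $original }

    # Step 2: write the saved path back into PackedCatalogItem, honouring -WhatIf/-Confirm.
    if ($Repair -and $original -and
        $PSCmdlet.ShouldProcess("$catalog\$($key.PSChildName)", "restore PackedCatalogItem path to $original")) {
        Set-ItemProperty -Path $key.PSPath -Name PackedCatalogItem -Type Binary -Value (Set-PackedPath $packed $original)
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No Winsock catalog entry points at $Indicator under $ControlSet."
} else {
    $findings | Format-Table -AutoSize
    if ($Repair) { Write-Output "Entries restored; reboot the system as the Removal section instructs." }
}
```

Run it first without -Repair to see which entries are affected and whether a saved original path exists for each; an empty "Original" column means the trojan's stored value for that entry is missing, and the script deliberately leaves such an entry alone rather than guess a provider path. Because the repair touches every hijacked entry in one pass, use -WhatIf for a dry run, and reboot afterwards as the page says. On Windows XP SP2 and later, `netsh winsock reset` is the supported way to rebuild the whole catalog when the stored originals are not recoverable.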


Variants