TSPY_QQPASS.LN
a variant of Win32/PSW.QQPass.NRI (ESET); Trojan-PSW.Win32.QQPass.cbcc (Kaspersky);
Windows
Threat Type: Spyware
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
Downloaded from the Internet
This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It gathers information and reports it to its servers.
TECHNICAL DETAILS
206092 bytes
EXE
Yes
27 Dec 2013
Displays fake login console
Arrival Details
This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Other Details
This spyware connects to the following URL(s) to get the affected system's IP address:
- ip.qq.com
It requires the following additional components to properly run:
- (malware file path)\200
It gathers the following information and reports it to its servers:
- user id
- password
NOTES:
It monitors the following application via its Window Class
- QQ Messenger
It monitors the following Window Class:
- TxGuiFoundation
It displays a fake login box to be able to steal the users' password. It sends its stolen info to its C&C. However, its component file contains the C&C site.
SOLUTION
9.800
10.834.03
02 Jun 2014
10.835.00
03 Jun 2014
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Scan your computer with your Trend Micro product to delete files detected as TSPY_QQPASS.LN. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.