Virus Alert: Visual Basic Trojan Steals Passwords
Symantec reports the appearance of Trojan.PWS.QQPass.D, which steals passwords and user information. The Trojan requires the presence of Microsoft Visual Basic run-time libraries to run.
The Trojan is a Visual Basic application that requires the presence of Microsoft Visual Basic run-time libraries for it to run. The company is giving the Trojan a low risk rating.
When Trojan.PWS.QQPass.C is executed, it does the following:
1. Copies itself to the file: %Windir%\Notepade.exe.
NOTE: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
2. Modifies %Windir%\System.ini file by changing:
so that the Trojan runs when you start Windows (Window 95/98/Me only).
3. Adds the value:
to the registry key:
so that the Trojan runs when you start Windows.
4. Attempts to steal the QQ passwords and send them to the author of the Trojan.
Find out how to remove the Trojan on this Symantec page.
W32.Bokya.Int Worm Also Written in VB
Another virus written in Visual Basic, the W32.Bokya.Int worm also was reported Thursday by Symantec.
W32.Bokya.Int is an intended worm that attempts to disguise itself as a pictures folder. It is also considered low-risk. This threat is compressed with UPX. Because this threat has been modified, it cannot be unpacked by UPX itself. The VB run-time libraries must be installed on the computer for it to execute.
The threat contains code designed to spread itself to the root folder of all the drives.
See technical details here.
Long List of Viruses Already For January
Already halfway through January, MessageLabs has compiled a long list of virus threats for the month. To view the entire list and read the details, visit this MessageLabs page.
Compiled by Esther Shein.