The Trojan is a Visual Basic application that requires the presence of Microsoft Visual Basic run-time libraries for it to run. The company is giving the Trojan a low risk rating.
When Trojan.PWS.QQPass.C is executed, it does the following:
1. Copies itself to the file: %Windir%\Notepade.exe.
NOTE: %Windir% is a variable. The Trojan locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
2. Modifies the %Windir%\System.ini file by changing:
shell=Explorer.exe
to:
shell=Explorer.exe Notepade.exe
so that the Trojan runs when you start Windows (Windows 95/98/Me only).
3. Adds the value:
sesteym %Windir%\Notepade.exe
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
so that the Trojan runs when you start Windows.
4. Attempts to steal the QQ passwords and send them to the author of the Trojan.
Find out how to remove the Trojan on this Symantec page.
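The two autostart changes in steps 2 and 3 can be checked for directly. The following is an added example, not code from Symantec or from this article: the function names are hypothetical, the sample System.ini text and Run-key values are constructed, and the Run values are assumed to have been read already from HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run into a name-to-data mapping.

```python
import ntpath
import re

# Indicators taken from the description above.
LEGIT_SHELL = "explorer.exe"
RUN_VALUE_NAME = "sesteym"
# Matches Notepade.exe as a file name, quoted or followed by arguments.
DROPPED_FILE = re.compile(r'(?:^|[\\/"\s])notepade\.exe(?:$|["\s])', re.I)


def extra_shell_programs(system_ini_text):
    """Return every program on the [boot] shell= line other than Explorer.exe.

    Simplification: programs are split on whitespace, which is enough for
    file names placed in the Windows folder as described above.
    """
    section, extras = "", []
    for raw in system_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if section == "boot" and sep and key.strip().lower() == "shell":
            extras += [p for p in value.split()
                       if ntpath.basename(p).lower() != LEGIT_SHELL]
    return extras


def suspicious_run_values(run_values):
    """Return (name, data) pairs matching the value name or the dropped file."""
    return [(name, data) for name, data in run_values.items()
            if name.lower() == RUN_VALUE_NAME or DROPPED_FILE.search(data)]


# Constructed sample input, not captured from a real machine.
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe Notepade.exe\n[386Enh]\ndevice=*vmm32\n"
SAMPLE_RUN = {
    "sesteym": r"C:\WINDOWS\Notepade.exe",
    "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
}

if __name__ == "__main__":
    print("Extra shell programs:", extra_shell_programs(SAMPLE_SYSTEM_INI))
    print("Suspicious Run values:", suspicious_run_values(SAMPLE_RUN))
```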
W32.Bokya.Int Worm Also Written in VB
Another virus written in Visual Basic, the W32.Bokya.Int worm also was reported Thursday by Symantec.
W32.Bokya.Int is an intended worm that attempts to disguise itself as a pictures folder. It is also considered low-risk. This threat is compressed with UPX. Because this threat has been modified, it cannot be unpacked by UPX itself. The VB run-time libraries must be installed on the computer for it to execute.
The threat contains code designed to spread itself to the root folder of all the drives.
See technical details here.
Long List of Viruses Already For January
Already halfway through January, MessageLabs has compiled a long list of virus threats for the month. To view the entire list and read the details, visit this MessageLabs page.
Compiled by Esther Shein.