Some security vendors have issued alerts for PWS-Hotworld, a password stealing Trojan that captures keystrokes and sends notification and captured information to the author via email. The Trojan is able to perform the following actions:
This dialog is for obfuscation only; the Trojan installs itself regardless in the %windir%\system32 directory, using the filename:
" svchost.exe" Note: There's a space in front of the name!
It creates a registry Run key to load itself at Windows startup.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "regedit" = "C:\WINNT\System32\ svchost.exe" ccRegVfy
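A defender can check Run-key values for this masquerade: an image whose filename is padded with whitespace so that it resembles a system binary. The following is an added example, not code from the vendor write-ups; the list of system names, the sample values other than "regedit", and all function names are assumptions made for illustration.

```python
import ntpath

# Assumption: a short illustrative list of system binary names worth protecting.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe"}

# Constructed sample of Run-key values; only "regedit" is taken from the page.
SAMPLE_RUN_VALUES = {
    "regedit": r"C:\WINNT\System32\ svchost.exe",
    "Updater": r'"C:\Program Files\Vendor\updater.exe" /background',
    "Helper": r"C:\WINNT\System32\svchost.exe -k helper",
}


def image_path(command):
    """Return the executable path from a Run-value command line."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    # Unquoted paths may contain spaces, so cut after the first ".exe".
    idx = command.lower().find(".exe")
    return command[: idx + 4] if idx != -1 else command


def check_run_value(command):
    """List the reasons a Run-key command resembles the masquerade above."""
    filename = ntpath.basename(image_path(command))
    normalized = filename.strip().lower()
    reasons = []
    if filename != filename.strip():
        reasons.append("filename is padded with whitespace")
        if normalized in SYSTEM_NAMES:
            reasons.append("padded name imitates " + normalized)
    if normalized == "svchost.exe":
        # Heuristic: svchost.exe is started by the service manager, not Run keys.
        reasons.append("svchost.exe launched from a Run key")
    return reasons


def scan(run_values):
    """Map each suspicious value name to its reasons; clean entries are omitted."""
    findings = {}
    for name, command in run_values.items():
        reasons = check_run_value(command)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_RUN_VALUES).items():
        print(name, "->", "; ".join(reasons))
```

On a live Windows host the same checks can be fed from the Run key using the standard-library `winreg` module instead of the embedded sample.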
The Trojan also creates a log file in %windir%\system32 directory. The following file names are used:
The Trojan takes screenshots and saves them as OLECLISystemUpdate_[date] [time].DLX, inserting the current date and time into the filename. These files are harmless JPEG files.
More information can be found at this McAfee page.
Trojan.Hotword.B is a Trojan horse that opens a back door and steals confidential information from a compromised computer. The Trojan sends the stolen information to a remote server.
Technical details can be found at this Symantec page.