PWS-JP is a Trojan that runs silently upon execution; no GUI messages appear on the screen.
It drops a file called hook.dll into the %Windows\%System directory, for example
This is essentially a keylogger: it may capture data using temporary files such as "form.txt", and it tries to mail these files out (encrypted) automatically.
It modifies the Windows registry:
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\\proxybypass="1"
hkey_local_machine\software\microsoft\windows\currentversion\run\msn=""C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kosa.exe" /INITSERVICE"
More information can be found at this McAfee page.
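The registry changes listed above can be checked offline against saved `reg query` output. The following is an added example, not code from the original page or from McAfee; it assumes the usual `reg query` text layout, uses a constructed sample, and its function names are hypothetical. It also generalizes slightly by flagging any Run-key entry that launches from a Temp directory.

```python
import re

# Constructed sample of `reg query` output (not captured from a real host).
SAMPLE = r'''
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    msn    REG_SZ    "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kosa.exe" /INITSERVICE

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
    ProxyBypass    REG_DWORD    0x1
'''

RUN_KEY = r"\software\microsoft\windows\currentversion\run"
ZONEMAP_KEY = r"\software\microsoft\windows\currentversion\internet settings\zonemap"
# An executable sitting directly in a Temp directory (long or 8.3 short path).
TEMP_EXE = re.compile(r'\\(temp|tmp)\\[^\\"]+\.(exe|dll|scr|com|bat)', re.I)
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")


def parse_reg_query(text):
    """Yield (key, value_name, type, data) tuples from `reg query` text output."""
    key = None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_LINE.match(line)):
            yield key, m["name"], m["type"], m["data"].strip()


def findings(text):
    """Return (reason, key, name, data) for entries matching the indicators on this page."""
    out = []
    for key, name, _rtype, data in parse_reg_query(text):
        k, n = key.lower(), name.lower()
        if k.endswith(RUN_KEY) and TEMP_EXE.search(data):
            reason = "autostart from Temp"
            if n == "msn" and "kosa.exe" in data.lower():
                reason = "PWS-JP Run entry (msn -> kosa.exe)"
            out.append((reason, key, name, data))
        elif k.endswith(ZONEMAP_KEY) and n == "proxybypass" and data.lower() in ("0x1", "1"):
            # Treated here as corroborating only, never as a verdict by itself.
            out.append(("ProxyBypass=1 (corroborating only)", key, name, data))
    return out


if __name__ == "__main__":
    for finding in findings(SAMPLE):
        print(finding)
```
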