BackDoor-AQO

Type: Trojan
SubType: Password
Discovery Date: 02/27/2003
Length: 150,528
Minimum DAT: 4251 (03/05/2003)
Updated DAT: 4713 (03/08/2006)
Minimum Engine: 5.1.00
Description Added: 02/28/2003
Description Modified: 02/11/2004 8:53 AM (PT)
Risk Assessment
    Corporate User: Low
    Home User: Low


Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • BackDoor-AQO.dll
  • BackDoor.PowerSpider (DrWeb)
  • BackDoor.PowerSpider.310 (AVP)
  • PSpy.dll application

Characteristics

This is a backdoor trojan that records various user passwords, including Windows application passwords and IE browser passwords. The recorded passwords are saved in an encrypted file, which the trojan sends to a predefined email address using SMTP or ICQ.

The trojan has a UI that allows the hacker to configure various parameters, such as the destination email address and the number of passwords to record before sending.

Once configured, the trojan can run in silent mode on other machines. When run, it copies itself to c:\WINDOWS\system32\iexplore .exe and creates the following registry key so that it runs at Windows startup.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    "mssysint" = "iexplore .exe"

The backdoor trojan uses a legitimate DLL for retrieving Windows application passwords. This enables the retrieval of 'hidden' passwords from Windows applications.

This DLL is detected as the application PSpy.dll with the 4323 DATs or later. (Previously it was detected as BackDoor-AQO.dll.)

Symptoms

Existence of the file and registry key mentioned above.
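As an added example (not part of the McAfee description), the following Python triage helper checks a regedit .reg export and a file listing for the two indicators named above: the "mssysint" value under RunServices and the dropped copy at c:\WINDOWS\system32\iexplore .exe. The sample export and paths are constructed; the heuristic that flags any autostart value with whitespace just before ".exe" generalises the "iexplore .exe" naming beyond this one entry.

```python
import re
from dataclasses import dataclass

# Indicators from the description: the dropped copy is the genuine browser's name
# with a space before ".exe", started from RunServices as value "mssysint".
DROPPED_FILE = r"c:\windows\system32\iexplore .exe"
VALUE_NAME = "mssysint"
AUTOSTART_KEYS = ("run", "runonce", "runservices")

@dataclass
class Finding:
    kind: str    # "registry", "suspicious-name" or "file"
    detail: str

def _reg_values(reg_text):
    """Yield (key, name, data) for string values in a regedit .reg export."""
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'"([^"]+)"="(.*)"$', line)):
            yield key, m.group(1), m.group(2)

def check_registry(reg_text):
    """Flag autostart values matching the indicators, or whose program name has
    whitespace just before .exe (the naming trick behind "iexplore .exe")."""
    findings = []
    for key, name, data in _reg_values(reg_text):
        if key.rsplit("\\", 1)[-1].lower() not in AUTOSTART_KEYS:
            continue
        if name.lower() == VALUE_NAME or data.lower() == "iexplore .exe":
            findings.append(Finding("registry", f"{key}\\{name} = {data}"))
        elif re.search(r"\S\s+\.exe\b", data, re.IGNORECASE):
            findings.append(Finding("suspicious-name", f"{key}\\{name} = {data}"))
    return findings

def check_files(paths):
    """Flag the dropped file among a list of paths (e.g. a directory listing)."""
    return [Finding("file", p) for p in paths if p.lower() == DROPPED_FILE]

# Constructed sample input: a benign RunServices entry beside the BackDoor-AQO
# entry, and the genuine browser path beside the dropped copy.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"mssysint"="iexplore .exe"
"""
SAMPLE_PATHS = [r"c:\Program Files\Internet Explorer\iexplore.exe", r"c:\WINDOWS\system32\iexplore .exe"]
```

Run `check_registry(SAMPLE_REG)` and `check_files(SAMPLE_PATHS)` on a real export and listing to get one finding per indicator; the benign entries produce none.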

Method of Infection

Running the file infects the machine.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

    N/A