PWS-QQPass!885ea315

Type: Trojan
SubType: Password Stealer
Discovery Date: 09/20/2006
Length: 24,064 bytes
Minimum DAT: 4856 (09/20/2006)
Updated DAT: 4856 (09/20/2006)
Minimum Engine: 5.1.00
Description Added: 09/20/2006
Description Modified: 09/20/2006 11:09 AM (PT)
Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This is a detection for a specific variant of the PWS-QQPass trojan. This variant is installed as a Layered Service Provider (LSP) in Winsock. Once loaded, it sniffs and steals account information for the QQ instant messaging service and for games including "Lineage II" and "Legend of Mir".

A downloader thread is injected into Windows Explorer (Explorer.exe). Running inside Explorer.exe, this thread contacts a server at (hidden).105875.com.cn on TCP port 16782 to download updated copies of the PWS-QQPass trojan.

This variant modifies certain LSP

Symptoms

Presence of the following file:

  • %Windir%\System32\cn_dns60.dll

(Where %Windir% is the Windows folder, e.g. C:\Windows)

Presence of the following registry key(s):

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\Parameters\"PathName" = "%Windir%\System32\cn_dns60.dll"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\Parameters\* = (original PackedCatalogItem value)

Modified registry key(s):

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\*\"PackedCatalogItem" = "%Windir%\System32\cn_dns60.dll"

(The modified registry values must be repaired manually, as described in the "Removal" section)

Outgoing connections initiated from Windows Explorer (explorer.exe) to the following host on TCP port 18792:

  • (hidden).105875.com.cn

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Removing this malware can break normal operation of the TCP/IP stack because of the registry modifications it made. Instead of inserting an additional LSP, this PWS-QQPass variant replaces all existing LSPs with its own DLL and stores the original LSP locations in the registry.

This can be repaired manually with the Registry Editor (REGEDIT.EXE). The locations of the original Layered Service Providers (LSPs) are stored by the trojan at:

(1) HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\Parameters\* = (String Value)

Each registry value under this key corresponds to a modified entry at:

(2) HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\*\PackedCatalogItem = (Binary Value)

Copy the original location from (1) into the corresponding modified entry in (2) and reboot the system. PackedCatalogItem is a binary value: its first 260 bytes hold the provider DLL path as a null-terminated ANSI string, followed by the WSAPROTOCOL_INFO structure for that catalog entry. Overwrite only the path field and leave the remaining bytes intact.
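The following Python script is an added example and is not part of the AVERT description. It carries out the check from the Symptoms section (a Winsock catalog entry whose PackedCatalogItem points at cn_dns60.dll) and the repair from steps (1) and (2) above, operating on the binary value itself rather than by hand in REGEDIT. It relies on the PackedCatalogItem layout (a 260-byte null-terminated ANSI provider path followed by the WSAPROTOCOL_INFO structure, 372 bytes in the 32-bit layout) and assumes that the trojan's saved values under Catalog_Entries\Parameters are named after the entry subkeys they belong to, which the page does not state. The sample catalog in demo() is constructed; on Windows the script reads the live catalog but only reports, it does not write.

```python
"""Audit and repair Winsock LSP catalog entries hijacked as described above.
Added example, not AVERT's code. PackedCatalogItem layout assumed here:
260-byte ANSI provider path (null-terminated, null-padded) + WSAPROTOCOL_INFOA."""
import sys

MAX_PATH = 260                 # fixed size of the provider path field
WSAPROTOCOL_INFOA_SIZE = 372   # size of the structure that follows the path (32-bit)
HIJACK_DLL = "cn_dns60.dll"    # DLL named in the page's indicator list
CATALOG_KEY = (r"SYSTEM\ControlSet001\Services\WinSock2\Parameters"
               r"\Protocol_Catalog9\Catalog_Entries")


def parse_packed_catalog_item(blob):
    """Split a PackedCatalogItem value into (provider_path, protocol_info_bytes)."""
    if len(blob) < MAX_PATH:
        raise ValueError("PackedCatalogItem is shorter than the 260-byte path field")
    # latin-1 maps bytes one-to-one, so the path round-trips on any host
    path = blob[:MAX_PATH].split(b"\x00", 1)[0].decode("latin-1")
    return path, blob[MAX_PATH:]


def is_hijacked(blob, marker=HIJACK_DLL):
    """True when the entry's provider DLL is the trojan's LSP."""
    path, _ = parse_packed_catalog_item(blob)
    return path.lower().rsplit("\\", 1)[-1] == marker.lower()


def repair_packed_catalog_item(blob, original_path):
    """Put original_path back into the path field; the WSAPROTOCOL_INFO bytes stay as they are."""
    encoded = original_path.encode("latin-1")
    if len(encoded) >= MAX_PATH:
        raise ValueError("provider path does not fit in the 260-byte field")
    return encoded.ljust(MAX_PATH, b"\x00") + blob[MAX_PATH:]


def build_packed_catalog_item(path, protocol_info):
    """Assemble a blob in the on-disk layout (used here to construct sample data)."""
    return repair_packed_catalog_item(b"\x00" * MAX_PATH + protocol_info, path)


def audit_catalog(entries, originals):
    """entries: {entry_name: PackedCatalogItem bytes}; originals: {entry_name: saved path}.
    Value names under Catalog_Entries\\Parameters are ASSUMED to equal the entry names.
    Returns ({entry_name: repaired blob}, [hijacked entries with no usable original])."""
    repaired, unrecoverable = {}, []
    for name, blob in entries.items():
        if not is_hijacked(blob):
            continue
        original = originals.get(name)
        # never "repair" with a saved path that itself names the trojan DLL
        if original is None or original.lower().rsplit("\\", 1)[-1] == HIJACK_DLL.lower():
            unrecoverable.append(name)
            continue
        repaired[name] = repair_packed_catalog_item(blob, original)
    return repaired, unrecoverable


def read_catalog_from_registry():
    """Windows only: read every entry's PackedCatalogItem and the trojan's saved originals."""
    import winreg  # imported here so the pure functions above run on any platform
    entries, originals = {}, {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CATALOG_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            name = winreg.EnumKey(key, i)
            if name.lower() == "parameters":
                continue  # the trojan's stash, not a catalog entry
            with winreg.OpenKey(key, name) as entry:
                entries[name] = winreg.QueryValueEx(entry, "PackedCatalogItem")[0]
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CATALOG_KEY + r"\Parameters") as saved:
            for i in range(winreg.QueryInfoKey(saved)[1]):
                vname, vdata, _ = winreg.EnumValue(saved, i)
                originals[vname] = vdata
    except FileNotFoundError:
        pass  # no stash: nothing was hijacked, or the stash was already removed
    return entries, originals


def demo():
    """Constructed sample: one hijacked entry with a saved original, one clean entry,
    one hijacked entry whose original was never saved."""
    original = r"%SystemRoot%\system32\mswsock.dll"
    bad = r"C:\Windows\System32\cn_dns60.dll"
    protocol_info = bytes(i % 251 for i in range(WSAPROTOCOL_INFOA_SIZE))
    entries = {
        "000000000001": build_packed_catalog_item(bad, protocol_info),
        "000000000002": build_packed_catalog_item(original, protocol_info),
        "000000000003": build_packed_catalog_item(bad, protocol_info),
    }
    return audit_catalog(entries, {"000000000001": original})


if __name__ == "__main__":
    if sys.platform == "win32":
        repaired, unrecoverable = audit_catalog(*read_catalog_from_registry())
    else:
        repaired, unrecoverable = demo()
    for name, blob in repaired.items():
        # report only; writing back is the operator's call (winreg.SetValueEx, REG_BINARY)
        print("repairable:", name, "->", parse_packed_catalog_item(blob)[0])
    for name in unrecoverable:
        print("hijacked, no saved original:", name)
```

On a non-Windows host the script exercises the constructed sample; on Windows it reads the live catalog. Writing a repaired blob back is a winreg.SetValueEx call with REG_BINARY on the entry's PackedCatalogItem value, followed by the reboot the page calls for. Where a hijacked entry has no saved original, the remaining option on Windows XP SP2 and later is netsh winsock reset, which rebuilds the catalog to defaults; the page does not mention it.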

Variants

    N/A

Overview

This is a detection for a specific variant of the PWS-QQPass trojan. This variant is installed as a Layered Service Provider (LSP) in the Winsock stack.

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
