Content

PWS-QQGame!3C925D85

Type
Trojan
SubType
Password
Discovery Date
06/25/2008
Length
30830
Minimum DAT
5324 (06/24/2008)
Updated DAT
5324 (06/24/2008)
Minimum Engine
5.2.00
Description Added
06/25/2008
Description Modified
06/25/2008 9:33 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

File PropertyProperty Value
File Named29.exe
McAfee DetectionPWS-QQGame
Length30,830 bytes
CRC323C925D85
MD521883551E9FAE0EDC29B192D14C989DC
SHA1B482AD7033E9E11239562AC79A786B4A8D7B5E21

Other Common Detection Aliases

Company NameDetection Name
AVG (GriSoft)psw.generic6.pfp
Normanw32/malware.czxb
SymantecInfostealer.Qphook

Avert® Labs has observed the following system activities:

ActivityRisk Level
Hijacks an Executables Execution
High
Modifies Memory of Other Processes
High
Enumerates open windows
Low
Registers DLLsInformational

System Changes

These are general defaults for typical path variables. (Although they may differ, these examples are common.):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

The following files have been added to the system:

  • %PROGRAMFILES%\internet explorer\plugins\unixsys08.sys
    • %PROGRAMFILES%\internet explorer\plugins\unixsys32.jmp

        • The following registry elements have been created:

      • HKEY_CURRENT_USER\software\tencent\unix\
        • eo9 = kk
      • HKEY_LOCAL_MACHINE\software\classes\clsid\{74381dec-d78b-43e4-ba5d-5244f669ebe4}\inprocserver32\
        • (default) = c:\program files\internet explorer\plugins\unixsys08.sys
        • threadingmodel = apartment

        • Symptoms

        This symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.

        Method of Infection

        Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

        Removal

        AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

        Additional Windows ME/XP removal considerations

        Variants

        Variants

          N/A

        All Information

        Overview -

        This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

        Characteristics

        Characteristics -

        File PropertyProperty Value
        File Named29.exe
        McAfee DetectionPWS-QQGame
        Length30,830 bytes
        CRC323C925D85
        MD521883551E9FAE0EDC29B192D14C989DC
        SHA1B482AD7033E9E11239562AC79A786B4A8D7B5E21

        Other Common Detection Aliases

        Company NameDetection Name
        AVG (GriSoft)psw.generic6.pfp
        Normanw32/malware.czxb
        SymantecInfostealer.Qphook

        Avert® Labs has observed the following system activities:

        ActivityRisk Level
        Hijacks an Executables Execution
        		High
        Modifies Memory of Other Processes
        		High
        Enumerates open windows
        		Low
        Registers DLLsInformational

        System Changes

        These are general defaults for typical path variables. (Although they may differ, these examples are common.):
        %WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
        %SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
        %ProgramFiles% = \Program Files

        The following files have been added to the system:

      • %PROGRAMFILES%\internet explorer\plugins\unixsys08.sys
        • %PROGRAMFILES%\internet explorer\plugins\unixsys32.jmp

            • The following registry elements have been created:

          • HKEY_CURRENT_USER\software\tencent\unix\
            • eo9 = kk
          • HKEY_LOCAL_MACHINE\software\classes\clsid\{74381dec-d78b-43e4-ba5d-5244f669ebe4}\inprocserver32\
            • (default) = c:\program files\internet explorer\plugins\unixsys08.sys
            • threadingmodel = apartment

            • Symptoms

            Symptoms -

            This symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.

            Method of Infection

            Method of Infection -

            Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

            Removal -

            Removal -

            AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

            Additional Windows ME/XP removal considerations

            Variants

            Variants -

              N/A