
Title: Kaspersky virus information: Trojan-Spy.Win32.Goldun.ms

Author: fcts1230    Time: 2007-3-11 00:22     Title: Kaspersky virus information: Trojan-Spy.Win32.Goldun.ms

Trojan-Spy.Win32.Goldun.ms
Technical details

This Trojan steals confidential data. It is a Windows PE EXE file. The Trojan components vary in size from 39 to 48KB.

Installation
When launched, the Trojan extracts the following file from its body:

%System%\msvcrl.dll – this file is 39 424 bytes in size and is packed using UPX.

The Trojan gets the path to Internet Explorer and modifies iexplore.exe by adding an import from %System%\msvcrl.dll to its import table.

This ensures that the Trojan file will be loaded every time Microsoft Internet Explorer is launched.

The original Trojan file will then be deleted.

Payload

The Trojan harvests passwords from the data files of the following instant messaging clients:

QIP2005
Trillian
MSN Messenger
Yahoo Messenger
AOL
Miranda
The Trojan also harvests passwords to FTP servers from the configuration files of the following FTP clients:

WS_FTP
Total Commander
CuteFTP
FAR
It harvests account passwords from the configuration files of the following mail clients:

TheBat
Outlook Express
Outlook
It also harvests the IE Auto Complete Fields dictionary.

The Trojan hooks the following API functions:

InternetReadFile
InternetOpenUrl
This enables it to track which sites a user visits. The Trojan also intercepts data which is entered in web forms and transmitted in Internet Explorer.

In addition, when an address opened in Internet Explorer matches one hard-coded into the Trojan, the Trojan redirects the browser to the remote malicious user's site.

Harvested information will be sent in an HTTP request to the remote malicious user's site.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

Use Task Manager to terminate all iexplore.exe processes.
Delete the following file:
%System%\msvcrl.dll
Restore the original iexplore.exe file using the Windows installation disk.
Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
I can't understand it :(
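The persistence trick in the Installation section (appending an import descriptor to iexplore.exe so the loader pulls in msvcrl.dll on every launch) is visible in the file's PE headers, which is also how to decide whether the "restore the original iexplore.exe" removal step is actually needed. The script below is an added example, not Kaspersky's or the forum poster's code: it walks the PE import directory with only the standard library and lists the DLLs an executable imports, then diffs a suspect binary against a known-good copy. The `build_sample_pe` helper and the DLL lists it is fed are constructed test input, not real iexplore.exe headers; the baseline file is assumed to be a clean copy of the same iexplore.exe version.

```python
import struct
import sys

IMAGE_DIRECTORY_ENTRY_IMPORT = 1   # index of the import table in the data directory


def _u16(data, off):
    return struct.unpack_from("<H", data, off)[0]


def _u32(data, off):
    return struct.unpack_from("<I", data, off)[0]


def list_import_dlls(data):
    """Return the DLL names in a PE file's import directory, in table order.

    Follows the same header chain the Windows loader uses, so a descriptor
    appended by a patcher (as described for this Trojan) appears exactly like
    a compiler-generated one. Bound and delay-load imports are not examined.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = _u32(data, 0x3C)                     # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsections = _u16(data, pe_off + 6)
    opt_size = _u16(data, pe_off + 20)
    opt_off = pe_off + 24                         # optional header follows the COFF header
    magic = _u16(data, opt_off)
    if magic == 0x10B:                            # PE32
        dd_off = opt_off + 96
    elif magic == 0x20B:                          # PE32+
        dd_off = opt_off + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if _u32(data, dd_off - 4) <= IMAGE_DIRECTORY_ENTRY_IMPORT:
        return []                                 # NumberOfRvaAndSizes too small: no import table
    imp_rva = _u32(data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    if imp_rva == 0:
        return []

    # Section table: needed to translate RVAs into file offsets.
    sections = []
    sect_off = opt_off + opt_size
    for i in range(nsections):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, sect_off + i * 40 + 8)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva_to_off(rva):
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rva - va + rawptr
        raise ValueError(f"RVA {rva:#x} is not mapped by any section")

    dlls = []
    off = rva_to_off(imp_rva)
    while off + 20 <= len(data):                  # each IMAGE_IMPORT_DESCRIPTOR is 20 bytes
        ilt, _ts, _fwd, name_rva, iat = struct.unpack_from("<IIIII", data, off)
        if ilt == 0 and name_rva == 0 and iat == 0:
            break                                 # all-zero descriptor terminates the array
        name_off = rva_to_off(name_rva)
        dlls.append(data[name_off:data.index(b"\0", name_off)].decode("ascii", "replace"))
        off += 20
    return dlls


def added_imports(baseline, suspect):
    """DLLs imported by `suspect` that the known-good `baseline` does not import."""
    known = {d.lower() for d in list_import_dlls(baseline)}
    return [d for d in list_import_dlls(suspect) if d.lower() not in known]


def build_sample_pe(dll_names, file_align=0x200, sect_va=0x1000):
    """Constructed test input: a minimal PE32 whose single section holds an
    import directory naming `dll_names`. Thunk arrays are omitted because only
    the Name field is read above; this is not a runnable executable."""
    ndesc = len(dll_names) + 1                    # +1 for the zero terminator
    names, name_rvas = b"", []
    for name in dll_names:
        name_rvas.append(sect_va + ndesc * 20 + len(names))
        names += name.encode("ascii") + b"\0"
    descs = b"".join(struct.pack("<IIIII", 0, 0, 0, rva, 0) for rva in name_rvas) + bytes(20)
    idata = descs + names
    raw_size = -(-len(idata) // file_align) * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew: NT headers right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)   # i386, 1 section, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, file_align)  # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<II", opt, 56, sect_va + 0x1000, file_align)   # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, sect_va, ndesc * 20)
    sect = struct.pack("<8sIIIIIIHHI", b".idata", len(idata), sect_va, raw_size,
                       file_align, 0, 0, 0, 0, 0x40000040)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(file_align, b"\0")
    return headers + idata.ljust(raw_size, b"\0")


if __name__ == "__main__":
    # Usage: python pe_imports.py <known-good iexplore.exe> <suspect iexplore.exe>
    with open(sys.argv[1], "rb") as f, open(sys.argv[2], "rb") as g:
        for dll in added_imports(f.read(), g.read()):
            print("unexpected import:", dll)
```

A clean copy of iexplore.exe will only report a DLL as added if the suspect file's import directory names something the baseline never did, so a stray msvcrl.dll entry stands out regardless of whether the patcher rewrote the table in place or moved it into a new section, as long as the headers still point at it. The baseline has to be the same Internet Explorer build, otherwise legitimate differences between versions show up as findings; the page's own advice to restore from installation media gives you that baseline.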




Welcome to 黑色海岸线论坛 (http://bbs.thysea.com/) Powered by Discuz! 7.2