Threat Encyclopedia


Installation

When executed, the trojan copies itself to the following location:

Program Files\Internet Explorer\PLUGINS\system2.jmp

The following file is dropped in the same folder:

SystemKb.sys

The file is approximately 40 kB in size. The following Registry entries are set:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{754FB7D8-B8FE-4810-B363-A788CD060F1F}\InProcServer32]
default = "c:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys"
"ThreadingModel" = "Apartment"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{754FB7D8-B8FE-4810-B363-A788CD060F1F}

[HKEY_CURRENT_USER\Software\Tencent\Hook2]
"First" = "wk"

The trojan injects its code into running processes.
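The ShellExecuteHooks registration listed above is a persistence point a defender can audit. The following script is an added example, not part of this encyclopedia entry: it parses a constructed `reg export` style dump, resolves each registered hook CLSID to its InProcServer32 server path, and flags hooks whose CLSID matches the indicator on this page, whose server is not a .dll/.ocx, or whose CLSID key is missing. The sample dump and every CLSID other than the one from this page are constructed.

```python
# Constructed sample of a .reg export (not real data): the registration from the page,
# a benign-looking hook backed by a system DLL, and a dangling hook with no CLSID key.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{754FB7D8-B8FE-4810-B363-A788CD060F1F}\InProcServer32]
@="c:\\Program Files\\Internet Explorer\\PLUGINS\\SystemKb.sys"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32]
@="C:\\WINDOWS\\system32\\shell32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{754FB7D8-B8FE-4810-B363-A788CD060F1F}"=""
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{00000000-0000-0000-0000-000000000001}"=""
"""

HOOKS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
CLSID_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"
KNOWN_BAD_CLSIDS = {"{754FB7D8-B8FE-4810-B363-A788CD060F1F}"}  # indicator taken from the page
EXPECTED_EXT = (".dll", ".ocx")  # a hook's in-process COM server is normally one of these

def parse_reg(text):
    """Minimal .reg parser: key path -> {value name: string}; the default value is named ''."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, raw = line.partition("=")
            name = "" if name == "@" else name.strip('"')
            # Only REG_SZ values are handled; .reg escapes backslash and quote with a backslash.
            value = raw[1:-1].replace("\\\\", "\\").replace('\\"', '"') if raw.startswith('"') else raw
            keys[current][name] = value
    return keys

def audit_shell_execute_hooks(keys):
    """Resolve each registered hook CLSID to its InProcServer32 path; return the suspicious ones."""
    findings = []
    for clsid in keys.get(HOOKS_KEY, {}):
        server = keys.get(f"{CLSID_ROOT}\\{clsid}\\InProcServer32", {}).get("")
        reasons = []
        if clsid in KNOWN_BAD_CLSIDS:
            reasons.append("CLSID matches a published indicator")
        if server is None:
            reasons.append("hook registered but its CLSID has no InProcServer32 default value")
        elif not server.lower().endswith(EXPECTED_EXT):
            reasons.append(f"COM server has an unexpected extension: {server}")
        if reasons:
            findings.append((clsid, server, reasons))
    return findings
```

On a live system the same logic applies to the output of `reg export` for the two key paths; the benign shell32-backed entry in the sample produces no finding.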

Information stealing

The trojan collects various information while QQ Instant Messenger is in use and can send it to a remote machine over the HTTP protocol.