HKTL_MAILPASS
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Hacking Tool
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This hacking tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
Arrival Details
This hacking tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This hacking tool drops the following files:
- %System Root%\ProgramData\Microsoft\Windows\NetCC437.dll
- %System Root%\ProgramData\Microsoft\Windows\QQlive.exe
(Note: %System Root% is the Windows root folder, usually C:\ on all Windows operating system versions.)
It creates the following folders:
- %System Root%\ProgramData
- %System Root%\ProgramData\Microsoft
- %System Root%\ProgramData\Microsoft\Windows
- %System Root%\ProgramData\Microsoft\Windows\Common
Other System Modifications
This hacking tool adds the following registry entries as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\Security\Log
u={email address entered}|p={password entered} = "CBMail"
It adds the following registry keys as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EVNTSYSAPP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CliSysapp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EvntSysapp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\metSvcUpdate
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetMon
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RegUpdate
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionLog
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Update