Spy, Data or Password Stealing Trojan (generic description)
A spy, data or password stealing trojan is usually a standalone
program that allows a hacker to monitor user's activities on an
infected computer. Password stealing trojans are quite popular.
Some backdoors and worms drop password stealing trojans to a
system they try to infect.
A password stealing trojan is usually a standalone application
that installs itself to system and sometimes drops a keylogging
component. Such trojan stays active in Windows memory and starts
keylogging (recording keystrokes) when a user is asked to input a
login and a password. Then a trojan stores the recorded
keystrokes data for later submission or sends this data to a
hacker immediately. In many cases such trojans also send
information about user's computer IP, RAS (remote access server),
and network configuration. A hacker who gets this info is capable
of misusing other person's Internet account and in some cases
hack into user's network. Stolen logins and passwords can allow a
hacker to read user's e-mail on public and corporate mail
servers.
A data stealing trojan is usually a standalone program that
searches for specific files or data on an infected computer and
then sends this data to a hacker. For example some data stealing
trojans try to locate 'key' files that contain authentication
information for some program or service. Other data stealing
trojans try to steal serial numbers of software installed on an
infected system. A few e-mail worms attach random data files
(excel or word files, images) to e-mails that they send from
infected systems.
A spy is usually a standalone program that installs itself to
system and records certain events on an infected computer. For
example such trojan can record keyboard activities, keep the list
of applications that a user ran, archive URLs that a user opened
and so on. A spying trojan sends out a recorded log to a hacker
at certain intervals. In some cases spying trojans have a certain
time window. For example they work only until a certain date and
then uninstall themselves from a system.
Most famous spies, data and password stealing trojans: Coced,
Hooker, GOP, Kuang, Platan, Klogger.
Disinfection
Security Advisory
Various spying and data stealing trojans compromise system
security by providing authentication information (logins and
passwords, credit card numbers, etc.) to hackers. So it is very
important to change all logins and passwords after cleaning a
computer from these trojans. Also, if your credit card number has
been stolen or your on-line bank account info has been
compromised, it is recommened to contact your credit card company
or on-line bank for help.
Please note that stealing credit card or online bank information
information is a serious abuse, so you might want to contact the
local cybercrime authorities for investigation. In this case do
not perform any disinfection actions on your computer before it
is inspected by the authorities.
Automatic Disinfection
Usually standalone malware (backdoors, worms, trojans, etc.) is
automatically removed by F-Secure Anti-Virus (FSAV) starting from
version 5.40. Malware files get automatically renamed by FSAV, so
they can not be started any more. In some rare cases, when
automatic disinfection is not possible, a user can select
disinfection action by him/herself to make FSAV rename or delete
an infected file. In some special cases it is recommended to use
specific disinfection tools provided by F-Secure. They can be
downloaded from our ftp site:
F-Secure Anti-Virus can be purchased from our webshop or from our
authorised distributors. A trial version F-Secure Anti-Virus,
limited to 30 days, can be downloaded from our website:
All the latest versions of FSAV can download anti-virus database
updates automatically. However, these updates can be also
downloaded and installed manually from our web or ftp sites:
To manually disinfect standalone malware (backdoors, worms,
trojans, etc.) it's usually enough to delete all infected files
from a computer and to restart it. Active malware files are
usually locked by operating system so different disinfection
approaches are required for different operating systems.
Please note that manual disinfection is a risky process, so it is
recommended only for advanced users.
Windows 95, 98, ME
If Windows 9x operating system is used, it is recommended to
restart a computer from a bootable system diskette and to delete
an infected file from command prompt. For example if a malicious
file named ABC.EXE is located in Windows folder, it is usually
enough to type the following command at command prompt:
DEL C:\WINDOWS\ABC.EXE
and to press Enter. After that an infected file will be gone.
Windows NT, 2000, XP
If Windows NT, 2000 or XP is used, a malicious file has to be
renamed with a different extension (for example .VIR) and then a
system has to be restarted. After restart a renamed malicious
file will no longer be active and it can be easily deleted
manually.
System Restore issue
If Windows ME or XP is used, it is recommended to disable System
Restore feature of these operating systems to prevent a computer
from re-infection by an already removed malware. The fact is that
System Restore feature of these operating systems might save an
infected file into the special folder and copy it back to a hard
drive it every time it's been renamed or deleted by F-Secure
Anti-Virus or by a user. Instructions on how to disable System
Restore feature are here:
It is recommended to re-enable System Restore after disinfection
in order to restore stable system configuration in the future,
if any crash or incompatibility issue occurs.
Contacting F-Secure for help
If you have problems with disinfection, please consult a computer
technician or send a message (and a sample) to our Viruslab. We
have guidelines for sending virus samples, hoaxes and
virus-related questions to F-Secure Viruslab published here:
