Summary

Spy, Data or Password Stealing Trojan (generic description)

A spy, data or password stealing trojan is usually a standalone program that allows a hacker to monitor user's activities on an infected computer. Password stealing trojans are quite popular. Some backdoors and worms drop password stealing trojans to a system they try to infect.

Disinfection

Security Advisory

Various spying and data stealing trojans compromise system security by providing authentication information (logins and passwords, credit card numbers, etc.) to hackers. So it is very important to change all logins and passwords after cleaning a computer from these trojans. Also, if your credit card number has been stolen or your on-line bank account info has been compromised, it is recommened to contact your credit card company or on-line bank for help.

Please note that stealing credit card or online bank information information is a serious abuse, so you might want to contact the local cybercrime authorities for investigation. In this case do not perform any disinfection actions on your computer before it is inspected by the authorities.

Disinfection

Additional Details

A password stealing trojan is usually a standalone application that installs itself to system and sometimes drops a keylogging component. Such trojan stays active in Windows memory and starts keylogging (recording keystrokes) when a user is asked to input a login and a password. Then a trojan stores the recorded keystrokes data for later submission or sends this data to a hacker immediately. In many cases such trojans also send information about user's computer IP, RAS (remote access server), and network configuration. A hacker who gets this info is capable of misusing other person's Internet account and in some cases hack into user's network. Stolen logins and passwords can allow a hacker to read user's e-mail on public and corporate mail servers.

A data stealing trojan is usually a standalone program that searches for specific files or data on an infected computer and then sends this data to a hacker. For example some data stealing trojans try to locate 'key' files that contain authentication information for some program or service. Other data stealing trojans try to steal serial numbers of software installed on an infected system. A few e-mail worms attach random data files (excel or word files, images) to e-mails that they send from infected systems.

A spy is usually a standalone program that installs itself to system and records certain events on an infected computer. For example such trojan can record keyboard activities, keep the list of applications that a user ran, archive URLs that a user opened and so on. A spying trojan sends out a recorded log to a hacker at certain intervals. In some cases spying trojans have a certain time window. For example they work only until a certain date and then uninstall themselves from a system.

Most famous spies, data and password stealing trojans: Coced, Hooker, GOP, Kuang, Platan, Klogger.

Writeup: Alexey Podrezov, July 14th, 2003;

Description Updated: Alexey Podrezov, November 17th, 2004;