F-Secure Trojan Information Pages: QQRob.GV


Name: QQRob.GV
Alias: Trojan-PSW.Win32.QQRob.gv
Type: Trojan
Category: Trojan
Platform: Win32
Date of Discovery: August 09, 2006

Summary
QQRob.GV logs keystrokes and sends the results to an e-mail address.

Upon execution, QQRob.GV drops a copy of itself in the Windows System Directory as:
  • %systemdir%\NTdhcp.exe
Note: %systemdir% is by default C:\Windows\System32

Please see the Detailed Description section below for additional details.

Detailed Description
Upon execution, QQRob.GV drops a copy of itself in the Windows System Directory as:
  • %systemdir%\NTdhcp.exe
Note: %systemdir% is by default C:\Windows\System32
The dropped file uses a Notepad icon.

It also creates the following non-malicious batch file in the Windows Directory:
  • %windir%\deleteme.bat
Note: %windir% is by default C:\Windows

QQRob.GV then creates the following registry value as its auto-start mechanism:
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    NTdhcp = "%systemdir%\NTdhcp.exe"

It checks for the file:
  • %systemdir%\Kvnative.exe
If that file exists, it is renamed to Kvnative.bak.

QQRob.GV terminates the following security and antivirus related processes:

  • CCAPP.EXE
  • EGHOST.EXE
  • FireTray.exe
  • Iparmor.exe
  • KASMain.EXE
  • KAV32.EXE
  • KAVPFW.EXE
  • KAVPLUS.EXE
  • KAVStart.exe
  • KmailMon.EXE
  • KPFW32.EXE
  • KPOPMON.EXE
  • KVCenter.kxp
  • KvDetech.exe
  • KVFW.EXE
  • KWatch9x.exe
  • KWATCHUI.EXE
  • MAILMON.EXE
  • MCAGENT.EXE
  • MCVSESCN.EXE
  • MSKAGENT.EXE
  • RAV.EXE
  • RAVMON.EXE
  • RavTask.exe
  • RAVTIMER.EXE
  • RegGuide.exe
  • SHSTAT.EXE
  • SmartUp.exe
  • TBMon.exe
  • TrojanDetector.EXE
  • UIHost.exe
  • UpdaterUI.exe
  • WNILOGON.exe
QQRob.GV disables the following services through the registry [HKLM\System\CurrentControlSet]:
  • ccEvtMgr
  • ccProxy
  • ccSetMgr
  • FireSvc
  • kavsvc
  • KPfwSvc
  • KVSrvXP
  • KVWSC
  • KWatchSvc
  • McAfeeFramework
  • McShield
  • McTaskManager
  • MskService
  • navapsvc
  • NPFMntor
  • RfwService
  • RsCCenter
  • RsRavMon
  • SNDSrvc
  • SPBBCSvc
  • Symantec Core LC
  • wscsvc
QQRob.GV also checks for security and antivirus related registry values under [HKLM\Software\Microsoft\Windows\CurrentVersion\Run].
If any of the following values exist, they are deleted:
  • ccApp
  • iDuba Personal FireWall
  • KAVPersonal50
  • KavPFW
  • KAVRun
  • KavStart
  • KpopMon
  • Kulansyn
  • KvMonXP
  • KvPpWall_autorun
  • KvXP
  • KWatch9x
  • McAfeeUpdaterUI
  • MCAgentExe
  • McRegWiz
  • MCUpdateExe
  • MSKAGENTEXE
  • MSKDetectorExe
  • NAV CfgWiz
  • Network Associates Error Reporting Service
  • RavTask
  • RavTimer
  • RfwMain
  • Services
  • ShStatEXE
  • SonudMan
  • SSC_UserPrompt
  • VirusScan Online
  • VSOCheckTask
QQRob.GV logs the user's keystrokes and sends them to a fixed e-mail address using its own SMTP engine.
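The behaviour above gives a defender a compact set of host indicators: the dropped copy, the helper batch file, the renamed Kvnative.bak, the NTdhcp autorun value, and disabled security services. The following script is an added example (it is not F-Secure's code) that triages artifacts already collected from a host against those indicators; the HostSnapshot layout, the sample snapshots and the assumption that "disabled" shows up as the Win32 SERVICE_DISABLED start type (4) are constructed for this example, since the description does not say which value the trojan writes.

```python
"""Offline triage for the QQRob.GV indicators listed in this description.

Added example: takes artifacts already collected from a host (file listing,
HKLM Run values, service start types) so it runs on an analysis workstation
without live registry access.
"""
from __future__ import annotations

from dataclasses import dataclass

# Indicators from the description, with %systemdir% and %windir% expanded
# to the defaults it states.
SYSTEMDIR = r"C:\Windows\System32"
WINDIR = r"C:\Windows"
DROPPED_FILE = SYSTEMDIR + r"\NTdhcp.exe"
BATCH_FILE = WINDIR + r"\deleteme.bat"
ORIGINAL_FILE = SYSTEMDIR + r"\Kvnative.exe"
RENAMED_FILE = SYSTEMDIR + r"\Kvnative.bak"
RUN_VALUE = "NTdhcp"  # value name under HKLM\...\CurrentVersion\Run

# Subset of the services the description says are disabled.
TARGETED_SERVICES = {"ccEvtMgr", "kavsvc", "McShield", "navapsvc", "wscsvc"}

# Assumption: "disabled through the registry" is observed as a Start value of
# SERVICE_DISABLED (4) under HKLM\System\CurrentControlSet\Services\<name>.
SERVICE_DISABLED = 4


@dataclass
class HostSnapshot:
    files: set[str]             # full paths present on disk
    run_values: dict[str, str]  # HKLM Run value name -> data
    services: dict[str, int]    # service name -> Start value


def triage(snap: HostSnapshot) -> list[str]:
    """Return the QQRob.GV indicators present in the snapshot (empty == none)."""
    findings: list[str] = []
    # Windows paths, value names and service names are case-insensitive.
    files = {p.lower() for p in snap.files}
    run = {name.lower(): data for name, data in snap.run_values.items()}
    services = {name.lower(): start for name, start in snap.services.items()}

    if DROPPED_FILE.lower() in files:
        findings.append(f"dropped copy present: {DROPPED_FILE}")
    if BATCH_FILE.lower() in files:
        findings.append(f"helper batch file present: {BATCH_FILE}")
    if RENAMED_FILE.lower() in files and ORIGINAL_FILE.lower() not in files:
        findings.append("Kvnative.exe renamed to Kvnative.bak")

    # Registry exports often quote the data; compare the bare path.
    data = run.get(RUN_VALUE.lower(), "").strip().strip('"')
    if data.lower() == DROPPED_FILE.lower():
        findings.append(f"autorun value {RUN_VALUE} -> {DROPPED_FILE}")

    disabled = sorted(
        name for name in TARGETED_SERVICES
        if services.get(name.lower()) == SERVICE_DISABLED
    )
    if disabled:
        findings.append("security services disabled: " + ", ".join(disabled))
    return findings


def is_likely_infected(snap: HostSnapshot) -> bool:
    """The dropped copy or its autorun entry is decisive; tampering alone is
    only a hint, since a disabled service may have other causes."""
    return any(h.startswith(("dropped copy", "autorun value")) for h in triage(snap))


# Constructed sample snapshots (not real host data).
SAMPLE_INFECTED = HostSnapshot(
    files={r"C:\Windows\System32\ntdhcp.exe", r"C:\Windows\deleteme.bat",
           r"C:\Windows\System32\Kvnative.bak", r"C:\Windows\notepad.exe"},
    run_values={"NTdhcp": '"C:\\Windows\\System32\\NTdhcp.exe"',
                "ctfmon.exe": r"C:\Windows\System32\ctfmon.exe"},
    services={"McShield": 4, "wscsvc": 4, "Spooler": 2},
)
SAMPLE_CLEAN = HostSnapshot(
    files={r"C:\Windows\System32\Kvnative.exe", r"C:\Windows\notepad.exe"},
    run_values={"ctfmon.exe": r"C:\Windows\System32\ctfmon.exe"},
    services={"McShield": 2, "wscsvc": 2, "Spooler": 2},
)

if __name__ == "__main__":
    for label, snap in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(label, is_likely_infected(snap), triage(snap))
```

Feeding it a real collection (a directory listing, a `reg export` of the Run key, and the Start values from the Services key) means parsing those formats into a HostSnapshot first; the matching is deliberately case-insensitive and tolerant of quoted value data so that the comparison does not miss an entry that was written with different casing.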

Detection

F-Secure Anti-Virus detects this malware with the following updates:

FSAV_Database_Version: 2006-08-09_02



F-Secure Corporation