New Worm[solved]

gkthornton
gkthornton
edited June 2008 in Sample submission

The worm was also found with a text file, with the same name as the exe, which contained what appears to be keylogger data.


zip password is "infected".


/applications/core/interface/file/attachment.php?id=342" data-fileid="342" rel="">svchots_.zip


-GT

Comments

  • Cd-MaN
    Cd-MaN

    Thank you for the sample. Detection will be available as of the next signature update and it will be detected as Trojan.PSW.Maha.A


    It is a password stealer targeted at IM passwords (such as ICQ). It drops a file named sqlserver.dll in the system32 directory (also detected with the same name), which is loaded in all the processes, so offline cleaning might be necessary.


    Best regards

All Time Leaders

Categories

Defenders of the month