New Worm [solved]

gkthornton
edited June 2008 in Sample submission

The worm was also found with a text file, with the same name as the exe, which contained what appears to be keylogger data.


Zip password is "infected".


Attachment: svchots_.zip


-GT

Comments

  • Thank you for the sample. Detection will be available as of the next signature update and it will be detected as Trojan.PSW.Maha.A.


    It is a password stealer targeted at IM passwords (such as ICQ). It drops a file named sqlserver.dll in the system32 directory (also detected with the same name), which is loaded in all the processes, so offline cleaning might be necessary.


    Best regards