Win32/Kardphisher [Threat Name]

Win32/Kardphisher.A [Threat Variant Name]

Category trojan
Size 468503 B
Detection created May 14, 2007
Detection database version 2266
Aliases PSW.Win32.Delf.vz (Kaspersky)
  Trojan.Kardphisher (Symantec)
  Troj/KardPhis-A (Sophos)
Short description

Win32/Kardphisher.A is a trojan that blocks access to the Windows operating system and demands that the user enter sensitive information (personal and payment-card details) to regain it. After the information is entered, the trojan removes itself from the infected computer.

Installation

The trojan does not create any copies of itself.


The following files are dropped into the current folder:

  • keylog.dll (3072 B)

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "soft2" = %malwarepath%

The following Registry entry is created (it prevents the user from starting Task Manager to end the trojan's process):

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableTaskMgr" = "1"

Other information

Win32/Kardphisher.A blocks access to the Windows desktop and displays a series of fake dialog boxes (screenshots not reproduced here) that instruct the user to enter sensitive personal and payment-card details before access is restored.

After the sensitive information is entered, the trojan removes itself from the infected computer.


The following fields can contain arbitrary data:

  • "Location"
  • "Phone number"
  • "Expiry date"
  • "Name on card"

The following characters are required in the field "Email":

  • @

The field "Credit card number" must contain 16 characters.


The field "ATM PIN" must contain 4 characters.


The field "CVV2 code" must contain 3-4 characters.
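These checks are syntactic only, which matters when the sample is detonated in a sandbox: nothing reaches the exfiltration and self-removal stage until the form accepts its input, so the analyst needs values that pass the checks without being real. The following is an added example (not ESET's code and not part of the original description) that encodes the rules exactly as listed above and builds such a decoy; the Luhn check digit on the card number is an assumption added for realism, since the description requires only a 16-character value.

```python
"""Decoy input that satisfies Win32/Kardphisher.A's form checks.
Added example, not ESET's code. validate() encodes the acceptance rules listed
above; decoy_submission() builds fake data that passes them. The Luhn check
digit is an assumption: the description only requires 16 characters."""
import random


def luhn_check_digit(payload):
    """Luhn (ISO/IEC 7812) check digit for a string of digits that lacks one."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # the rightmost payload digit and every second one is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    """True if the last digit is the Luhn check digit of the preceding digits."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


def validate(fields):
    """Apply the trojan's acceptance rules; return the names of rejected fields.
    Location, Phone number, Expiry date and Name on card are never checked."""
    rejected = []
    if "@" not in fields.get("Email", ""):
        rejected.append("Email")
    if len(fields.get("Credit card number", "")) != 16:
        rejected.append("Credit card number")
    if len(fields.get("ATM PIN", "")) != 4:
        rejected.append("ATM PIN")
    if len(fields.get("CVV2 code", "")) not in (3, 4):
        rejected.append("CVV2 code")
    return rejected


def decoy_submission(seed=0):
    """Obviously fake, non-reusable data that still passes every check above."""
    rng = random.Random(seed)  # seeded so the decoy is reproducible between runs
    payload = "".join(str(rng.randrange(10)) for _ in range(15))
    return {
        "Name on card": "DECOY ANALYST",
        "Location": "sandbox",
        "Phone number": "000-0000",
        "Expiry date": "01/99",
        "Email": "decoy@invalid",  # an '@' is the only requirement
        "Credit card number": payload + luhn_check_digit(payload),  # 16 digits
        "ATM PIN": "%04d" % rng.randrange(10000),
        "CVV2 code": "%03d" % rng.randrange(1000),
    }


if __name__ == "__main__":
    decoy = decoy_submission()
    print("rejected fields:", validate(decoy) or "none")
    print(decoy)
```

Because the validation is length-only, the decoy can be typed into the dialog by hand or fed by the sandbox's input automation; the resulting HTTP request then contains nothing worth protecting and can be captured in full.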


The trojan attempts to send gathered information to a remote machine.


The trojan connects to the following addresses:

  • 81.29.241.170/in.php

The HTTP protocol is used.

The trojan blocks keyboard and mouse input.


The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\sft]
    • "c"
    • "d"
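The Run entry listed under Installation, the HKCU\Software\sft marker key above and the HTTP contact with 81.29.241.170/in.php can be hunted for together from a registry export and a proxy log. The following is an added example (not ESET's code and not part of the original description); the indicator values are taken from this page, while the .reg text and proxy log lines are constructed sample input and the proxy log layout (timestamp, client, method, URL, status) is an assumption.

```python
"""Hunt for Win32/Kardphisher.A indicators in a Regedit export and a proxy log.
Added example, not ESET's code: indicator values come from the description
above; the .reg text and proxy lines below are constructed sample input, and
the proxy log layout (timestamp client method url status) is an assumption."""
import re
from urllib.parse import urlsplit

# Indicators taken from the description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
SFT_KEY = r"HKEY_CURRENT_USER\Software\sft"
C2_HOST = "81.29.241.170"
C2_PATH = "/in.php"

# A value line in a .reg export: "name"=data, or @=data for the default value.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

def parse_reg(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {key: {value_name: data}}; only REG_SZ and REG_DWORD values are kept."""
    tree, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            tree.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line) if key else None
        if not m:
            continue  # header line, blank line, or a continuation of hex data
        name = m.group(1) if m.group(1) is not None else "@"
        data = m.group(2)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo the \\ and \" escapes
        elif data.startswith("dword:"):
            data = int(data[6:], 16)
        else:
            continue  # hex:, hex(7): and other types are not needed here
        tree[key][name] = data
    return tree

def hunt_registry(reg_text):
    """Findings for the Run entry, the Task Manager policy and the sft marker key."""
    tree = {k.lower(): v for k, v in parse_reg(reg_text).items()}
    findings = []
    for name, data in tree.get(RUN_KEY.lower(), {}).items():
        if name.lower() == "soft2":
            findings.append(f"persistence: Run\\{name} = {data}")
    policy = tree.get(POLICY_KEY.lower(), {})
    # ESET lists the data as "1"; accept both a REG_DWORD 1 and a REG_SZ "1".
    if str(policy.get("DisableTaskMgr", "0")).strip() == "1":
        findings.append("tamper: DisableTaskMgr = 1 (Task Manager blocked)")
    sft = tree.get(SFT_KEY.lower())
    if sft is not None:
        findings.append("marker: HKCU\\Software\\sft present (values: %s)" % ", ".join(sorted(sft)))
    return findings

def hunt_proxy(lines):
    """Flag proxy records whose URL targets the C2 host and script named above."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, method, url = fields[:4]
        parts = urlsplit(url)
        if parts.hostname == C2_HOST and parts.path == C2_PATH:
            findings.append(f"c2: {client} {method} {url} at {ts}")
    return findings

# Constructed sample input (not captured from a real infection).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"soft2"="C:\\Temp\\sample.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\sft]
"c"=dword:00000000
"d"=dword:00000001
"""
SAMPLE_PROXY = [
    "2007-05-14T09:12:03Z 10.0.0.15 GET http://www.example.com/ 200",
    "2007-05-14T09:12:41Z 10.0.0.15 POST http://81.29.241.170/in.php 200",
    "2007-05-14T09:13:02Z 10.0.0.22 GET http://81.29.241.170/favicon.ico 404",
]

def hunt_all(reg_text=SAMPLE_REG, proxy_lines=SAMPLE_PROXY):
    """Run both hunts and return the combined list of findings."""
    return hunt_registry(reg_text) + hunt_proxy(proxy_lines)

if __name__ == "__main__":
    for finding in hunt_all():
        print(finding)
```

To run it against a live host, export the three keys with reg export (regedit and reg.exe normally write the file as UTF-16 with a byte-order mark, so open it with encoding="utf-16") and pass the text to hunt_registry(). DisableTaskMgr is also a legitimate Group Policy setting in some environments, so treat that finding as corroborating evidence next to the "soft2" Run value and the sft key rather than as conclusive on its own.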

The trojan may turn off the computer.


The trojan interferes with the operation of some security applications to avoid detection.
