Win32/Qadars [Threat Name] go to Threat

Win32/Qadars.AB [Threat Variant Name]

Category trojan
Size 445440 B
Detection created Nov 04, 2013
Detection database version 9404
Aliases Trojan-Spy.Win32.SpyEyes.alxs (Kaspersky)
  Trojan:Win32/Qadars.A (Microsoft)
  Win32:Spyeye-AIZ (Avast)
Short description

Win32/Qadars.AB is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\­%variable1%\­%variable2%.exe

A string with variable content is used instead of %variable1-2% .


The trojan schedules a task that causes the following file to be executed repeatedly:

  • %appdata%\­%variable1%\­%variable2%.exe

The trojan creates and runs a new thread with its own program code in all running processes except the following:

  • alg.exe
  • csrss.exe
  • lsass.exe
  • lsm.exe
  • services.exe
  • smss.exe
  • spoolsv.exe
  • svchost.exe
  • wininit.exe
  • winlogon.exe
Information stealing

Win32/Qadars.AB is a trojan that steals sensitive information.


The trojan collects the following information:

  • the path to specific folders
  • computer name
  • user name
  • operating system version
  • information about the operating system and system settings
  • cookies
  • HTML forms content
  • installed software
  • digital certificates

The following programs are affected:

  • Internet Explorer
  • Mozilla Firefox

The trojan is able to log keystrokes.


The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (3) URLs. The HTTP protocol is used.


It can execute the following operations:

  • run executable files
  • download files from a remote computer and/or the Internet
  • update itself to a newer version
  • shut down/restart the computer
  • modify the content of websites
  • uninstall itself

The trojan hooks the following Windows APIs:

  • PR_Write (nspr4.dll)
  • PR_Read (nspr4.dll)
  • PR_Poll (nspr4.dll)
  • PR_Available (nspr4.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • HttpSendRequestExA (wininet.dll)
  • HttpSendRequestExW (wininet.dll)
  • HttpQueryInfoA (wininet.dll)
  • InternetReadFile (wininet.dll)
  • InternetReadFileExA (wininet.dll)
  • InternetCloseHandle (wininet.dll)
  • InternetQueryDataAvailable (wininet.dll)
  • TranslateMessage (user32.dll)
  • GetClipboardData (user32.dll)
  • PeekMessageW (user32.dll)

The trojan keeps various information in the following Registry key:

  • [HKEY_CURRENT_USER\­Software\­Classes\­CLSID\­{%variable%}]

A string with variable content is used instead of %variable% .

Please enable Javascript to ensure correct displaying of this content and refresh this page.