Win32/Qadars [Threat Name] go to Threat
Win32/Qadars.AB [Threat Variant Name]
| Category | trojan |
| Size | 445440 B |
| Aliases | Trojan-Spy.Win32.SpyEyes.alxs (Kaspersky) |
| Trojan:Win32/Qadars.A (Microsoft) | |
| Win32:Spyeye-AIZ (Avast) |
Short description
Win32/Qadars.AB is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine.
Installation
When executed, the trojan copies itself into the following location:
- %appdata%\%variable1%\%variable2%.exe
A string with variable content is used instead of %variable1-2% .
The trojan schedules a task that causes the following file to be executed repeatedly:
- %appdata%\%variable1%\%variable2%.exe
The trojan creates and runs a new thread with its own program code in all running processes except the following:
- alg.exe
- csrss.exe
- lsass.exe
- lsm.exe
- services.exe
- smss.exe
- spoolsv.exe
- svchost.exe
- wininit.exe
- winlogon.exe
Information stealing
Win32/Qadars.AB is a trojan that steals sensitive information.
The trojan collects the following information:
- the path to specific folders
- computer name
- user name
- operating system version
- information about the operating system and system settings
- cookies
- HTML forms content
- installed software
- digital certificates
The following programs are affected:
- Internet Explorer
- Mozilla Firefox
The trojan is able to log keystrokes.
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of (3) URLs. The HTTP protocol is used.
It can execute the following operations:
- run executable files
- download files from a remote computer and/or the Internet
- update itself to a newer version
- shut down/restart the computer
- modify the content of websites
- uninstall itself
The trojan hooks the following Windows APIs:
- PR_Write (nspr4.dll)
- PR_Read (nspr4.dll)
- PR_Poll (nspr4.dll)
- PR_Available (nspr4.dll)
- HttpSendRequestA (wininet.dll)
- HttpSendRequestW (wininet.dll)
- HttpSendRequestExA (wininet.dll)
- HttpSendRequestExW (wininet.dll)
- HttpQueryInfoA (wininet.dll)
- InternetReadFile (wininet.dll)
- InternetReadFileExA (wininet.dll)
- InternetCloseHandle (wininet.dll)
- InternetQueryDataAvailable (wininet.dll)
- TranslateMessage (user32.dll)
- GetClipboardData (user32.dll)
- PeekMessageW (user32.dll)
The trojan keeps various information in the following Registry key:
- [HKEY_CURRENT_USER\Software\Classes\CLSID\{%variable%}]
A string with variable content is used instead of %variable% .