Classification

Category :

Malware

Type :

Trojan

Aliases :

QQRob.GV, Trojan-PSW.Win32.QQRob.gv

Summary

QQRob.GV logs keystrokes and sends the results to an email address. Upon execution, QQRob.GV drops a copy of itself in the Windows System Directory as:

  • %systemdir%\NTdhcp.exe

Note: %systemdir% is by default C:\Windows\System32

Please see the lower section for additional details.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Upon execution, QQRob.GV drops a copy of itself in the Windows System Directory as:

  • %systemdir%\NTdhcp.exe

Note: %systemdir% is by default C:\Windows\System32

It uses a Notepad icon. It also creates the following non-malicious batch file in the Windows Directory:

  • %windir%\deleteme.bat

Note: %windir% is by default C:\Windows

QQRob.GV then creates the following registry value for its auto-start mechanism:

  • [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    NTdhcp = "%systemdir%\NTdhcp.exe"

It checks for the file:

  • %systemdir%\Kvnative.exe

If the file above exists, it is renamed to Kvnative.bak.

QQRob.GV terminates the following security and antivirus related processes:

  • CCAPP.EXE
  • EGHOST.EXE
  • FireTray.exe
  • Iparmor.exe
  • KASMain.EXE
  • KAV32.EXE
  • KAVPFW.EXE
  • KAVPLUS.EXE
  • KAVStart.exe
  • KmailMon.EXE
  • KPFW32.EXE
  • KPOPMON.EXE
  • KVCenter.kxp
  • KvDetech.exe
  • KVFW.EXE
  • KWatch9x.exe
  • KWATCHUI.EXE
  • MAILMON.EXE
  • MCAGENT.EXE
  • MCVSESCN.EXE
  • MSKAGENT.EXE
  • RAV.EXE
  • RAVMON.EXE
  • RavTask.exe
  • RAVTIMER.EXE
  • RegGuide.exe
  • SHSTAT.EXE
  • SmartUp.exe
  • TBMon.exe
  • TrojanDetector.EXE
  • UIHost.exe
  • UpdaterUI.exe
  • WNILOGON.exe

QQRob.GV disables the following services through the registry [HKLM\System\CurrentControlSet]:

  • ccEvtMgr
  • ccProxy
  • ccSetMgr
  • FireSvc
  • kavsvc
  • KPfwSvc
  • KVSrvXP
  • KVWSC
  • KWatchSvc
  • McAfeeFramework
  • McShield
  • McTaskManager
  • MskService
  • navapsvc
  • NPFMntor
  • RfwService
  • RsCCenter
  • RsRavMon
  • SNDSrvc
  • SPBBCSvc
  • Symantec Core LC
  • wscsvc

QQRob.GV also checks for security and antivirus related registry values in [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]. If the following registry values exist, they are deleted:

  • ccApp
  • iDuba Personal FireWall
  • KAVPersonal50
  • KavPFW
  • KAVRun
  • KavStart
  • KpopMon
  • Kulansyn
  • KvMonXP
  • KvPpWall_autorun
  • KvXP
  • KWatch9x
  • McAfeeUpdaterUI
  • MCAgentExe
  • McRegWiz
  • MCUpdateExe
  • MSKAGENTEXE
  • MSKDetectorExe
  • NAV CfgWiz
  • Network Associates Error Reporting Service
  • RavTask
  • RavTimer
  • RfwMain
  • Services
  • ShStatEXE
  • SonudMan
  • SSC_UserPrompt
  • VirusScan Online
  • VSOCheckTask

QQRob.GV logs the user's keystrokes and sends them to a certain email address using its own SMTP engine.
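A host triage check for the artifacts described above, added here as an example and not part of the original F-Secure description; it assumes %systemdir% and %windir% correspond to $env:SystemRoot\System32 and $env:SystemRoot, and is run from an elevated PowerShell session:

```powershell
# Added triage script; not part of the F-Secure description above.
# Reports which of the QQRob.GV artifacts listed on this page are present
# on the local host. Assumes %systemdir% = $env:SystemRoot\System32 and
# %windir% = $env:SystemRoot; run from an elevated PowerShell session.

$findings = @()
$sysDir   = Join-Path $env:SystemRoot 'System32'

# 1. Dropped copy, the batch file, and the renamed Kvnative.exe
$files = @(
    (Join-Path $sysDir 'NTdhcp.exe'),
    (Join-Path $env:SystemRoot 'deleteme.bat'),
    (Join-Path $sysDir 'Kvnative.bak')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# 2. Auto-start value 'NTdhcp' under the HKLM Run key
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'NTdhcp' -ErrorAction SilentlyContinue
if ($run) { $findings += "Run value NTdhcp = $($run.NTdhcp)" }

# 3. Services the trojan disables; Start = 4 is 'Disabled' in the registry.
#    A missing service key is not reported: the product may simply not be installed.
$services = 'ccEvtMgr','ccProxy','ccSetMgr','FireSvc','kavsvc','KPfwSvc',
            'KVSrvXP','KVWSC','KWatchSvc','McAfeeFramework','McShield',
            'McTaskManager','MskService','navapsvc','NPFMntor','RfwService',
            'RsCCenter','RsRavMon','SNDSrvc','SPBBCSvc','Symantec Core LC','wscsvc'
foreach ($svc in $services) {
    $key = "HKLM:\System\CurrentControlSet\Services\$svc"
    $p = Get-ItemProperty -Path $key -Name 'Start' -ErrorAction SilentlyContinue
    if ($p -and $p.Start -eq 4) { $findings += "Service disabled in registry: $svc" }
}

if ($findings.Count -eq 0) { 'No QQRob.GV artifacts found.' } else { $findings }
```

A disabled service on its own is not proof of infection; treat it as a lead to confirm against the file and Run-key findings.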