Aliases: Trojan.Win32.VB.xb, W32/Qeds, W32/Qeds-A, PE_QEDS.A-O
Variants: W32.Qdens.E

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America, Asia
Removal: Easy
Platform: W32
Discovered: 24 May 2005
Damage: Medium

Characteristics: W32.Qdens.A is a Trojan. It infects Windows systems and spreads through QQ Messenger or Tencent Messenger. When executed, it copies itself as lsas32.exe in the Windows System folder. It alters the registry so that it loads itself during startup. It checks for strings in Chinese characters. It also terminates security-related processes.

More details about W32.Qdens.A

The Trojan W32.Qdens propagates itself using QQ Messenger or Tencent Messenger. When the Trojan is executed, it copies itself to the Windows System folder under the filename Isas32.exe. To make sure it runs at every Windows startup, it adds values to the registry. The worm checks for the following strings in Chinese characters: Jiaotanzhong, Liaotianzhong, and Fasong xinxi. When the worm finds these strings, it checks whether QQ.EXE or TM.EXE is running. When these two files are running, the worm sends a copy of itself to online contacts using QQ Messenger or TM Messenger. It also ends processes associated with security software tools. The worm injects its code in these files to make sure it runs at every Windows startup. It then attempts to download executable files from predetermined websites.

The W32.Qdens program may be sent to the user via e-mail or instant message. It may also be downloaded from peer-to-peer networks or infected websites. Other downloader applications can also spread and install the program. It is known to run in the background. It is often not listed among the running processes.