Aliases: WORM_QQPASS.ADH [Trend Micro]
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Some parts of Asia, Europe, North and South America, Africa and Australia
Removal: Easy
Platform: W32
Discovered: 25 Sep 2006
Damage: Low

Characteristics: Also known as WORM_QQPASS.ADH, W32.Pasobir was first discovered on September 25, 2006. This type of worm spreads through removable storage devices and lowers security settings. It also steals password in QQ messenger account. The operating systems this worm mostly affects are Windows Systems (Windows 2000, 95, 98, Me, NT, Server 2003 and XP).

More details about W32.Pasobir

This password-stealing worm does several actions to install itself. First, the worm creates files: %System%\SVOHOST.exe, which is a copy of the worm and %System%\winscok.dll. The attributes of these files are set to System and Hidden to avoid easy detection. Then, the worm adds a value to the system registry subkey. Once the Windows starts, the worm enables to run and attempts to disable antivirus software by ending predetermined processes, removing predetermined system registry keys and stopping predetermined services. Next, the worm copies itself as [DRIVE LETTER]:\sxs.exe after checking fixed and removable drives starting with drive D:. Then, it creates [DRIVE LETTER]:\autorun.inf that contains instructions to start the worm to work its infection when the drive is attached to the system. And finally, the worm tries to record logins information especially passwords used in QQ messenger then send them to a preconfigured website or email with the use of its own SMTP engine. Also, the worm may download and execute files from three websites. Remember that downloaded files from unknown URLs brought by worms or viruses may possible contain malicious codes that would affect the computer.

Primarily, the W32.Pasobir program makes the user download and does an installation of files by the use of the internet browser and place it inside the system. As the user performs this operation, the W32.Pasobir program can now do its activity for the damage to be done through the use of the commands being told by the remote server. This application is complex software that repairs, updates and recreates itself. One of the most common ways of becoming infected with the W32.Pasobir program is through unexpected email attachments.