Kaspersky Lab recently received a report from a netizen about the theft of a QQ number after checking an image. With years of anti-virus experience, Kaspersky is keenly aware that this is not just a coincidence. Kaspersky virus analysis experts analyzed the relevant samples and found a Trojan named Chifrax (Trojan. Win32.Chifrax. qg.
This trojan uses WinRAR self-decompressed package to generate executable files, but the file icon uses images to trick users into clicking and running. If the user's vigilance is not strong, it is easy to become the victim of this trojan. See:
After running, the trojan will release a key recorder program rstray.exe (Packed. Win32.Black. d) and a key information storage file winhlp32.hlp in the system directory. It is worth noting that these two files are also quite confusing. One is disguised as a common security software process, and the other is disguised as a system file. The keyboard recorder records users' key information, serves to steal users' various account passwords, stores the stolen information in the winhlp32.hlp file, and regularly sends the information to hackers through FTP. After the message is sent, the record file will be deleted regularly, which is highly concealed. As shown in the following two figures:
Html ">
Files released to the system by the Chifrax Trojan
Attackers can log on to FTP to upload stolen data.
Currently, Kaspersky can successfully scan and kill the Chifrax Trojan. We recommend that you update the virus database as soon as possible to prevent unnecessary losses. Kaspersky Lab also reminded the majority of Internet users not to easily open unknown files to avoid losses caused by malicious programs.