"Security Alert" for Malware.Win32/Caphaw
<blockquote data-quote="jjdid" data-source="post: 269983" data-attributes="member: 28483"><p>Here is the full notification again.</p><p></p><p>Win32/Caphaw often uses a legitimate file name to avoid suspicion. It scans the <system folder> folder for legitimate file names, then copies itself into the %APPDATA% folder using the same name. For example, the file name for Task Manager is <system folder>\taskmgr.exe. Caphaw might copy itself into your PC as %APPDATA%\taskmgr.exe.</p><p>Caphaw can also use these file names:</p><p></p><p><system folder>\lssas.exe - note that a legitimate file called lsass.exe exists in the same folder</p><p>%windir%\assembly\nativeimages_v2.0.50727_32\temp\zapf.tmp\system.data.entity.design.dll</p><p>%windir%\svchost.exe - note that a legitimate file with the same name exists in <system folder></p><p></p><p>Caphaw injects itself into legitimate processes like the following to make it more difficult to remove:</p><p>cmd.exe</p><p>explorer.exe</p><p>firefox.exe</p><p>iexplore.exe</p><p>reader_sl.exe</p><p>svchost.exe</p><p></p><p>Caphaw creates mutexes to make sure that only one instance of itself is running in memory.</p><p>To run every time Windows starts, some variants of Caphaw create an entry in the system registry:</p><p></p><p>In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run</p><p>Sets value: "<random CLSID>" (for example, {FAD5ADC3-DABB-6BFF-ED11-CB329C7D70E2})</p><p>With data: "<malware path and file name>" (for example "%APPDATA%\Microsoft\Excel\xlstart\winmine.exe")</p><p></p><p>Older variants of Caphaw also install a rootkit component. An infected master boot record (MBR) is detected as Trojan:DOS/Caphaw.A.</p><p></p>
<p>Spreads Via</p><p></p><p>Skype</p><p>One Caphaw variant, Win32/Caphaw.N, can do a number of actions on Skype, including:</p><p>Disabling audio alerts</p><p>Downloading files from a remote server</p><p>Sending messages and files to your</p><p>Removing traces of its actions on Skype, like file transfers, recent conversations</p><p></p><p>Facebook</p><p>Caphaw can spread by hijacking your Facebook account and posting a copy of itself into your friends' walls.</p><p></p><p>Shared and removable drives</p><p>Caphaw can spread to other PCs via shared and removable drives. It creates shortcut files that link to a hidden Caphaw copy in the root folder of the shared or removable drive. If you click on the shortcut file, the Caphaw copy runs.</p><p></p><p>Drive-by malware</p><p>Caphaw can be installed via drive-by exploits. It's been known to be installed using vulnerabilities in Adobe Flash or Java.</p><p></p>
<p>Payload</p><p></p><p>Lets a malicious hacker control your PC</p><p></p><p>Caphaw lets a malicious hacker access and control your PC. The actions we've observed include:</p><p></p><p>Control your desktop</p><p>Control your mouse and keyboard</p><p>Access your files and folders</p><p>Upload your files to a hacker-controlled FTP server</p><p>Delete files</p><p>Download and run other files</p><p>Redirect Internet traffic via a proxy server</p><p>Send ICMP packets that can be used in distributed denial-of-service</p><p>Log and redirect web traffic from Firefox and Internet Explorer</p><p>Shut down or restart your PC</p><p>Spread to other PCs upon command</p><p>Log keystrokes</p><p>Change your PC settings</p><p>Start or stop programs</p><p>Update itself</p><p></p><p>Steals banking information</p><p></p><p>Caphaw can inject code and fake phone numbers into online banking websites when you visit them. It does this to try and steal your login information for these websites. It targets the online banking websites for these institutions:</p><p></p><p>Barclays</p><p>Bank of Scotland</p><p>Co-Operative Bank</p><p>Egg.Com</p><p>Fidelity</p><p>First Direct</p><p>HSBC</p><p>InterActive Brokers</p><p>John Lewis Financial</p><p>Leicester</p><p>Lloyds Bank</p><p>MBNA</p><p>NatWest</p><p>POFS Save Credit</p><p>RBS</p><p>Santander</p><p>Tesco Finance</p><p>Theaa</p><p>Ulster Bank</p><p>VirginMoney</p><p>YorkShire Bank</p></blockquote><p></p>
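The quoted write-up names two things a defender can check for directly: system-binary names (taskmgr.exe, svchost.exe, the lsass.exe look-alike "lssas.exe") living outside the system folder, and a Run-key value with a GUID-style name pointing under %APPDATA%. The following is an added example, not code from the original post or from Microsoft's write-up; it works on a constructed in-memory snapshot of Run entries and file paths, and the expanded values of <system folder>, %windir% and %APPDATA% are assumptions so that it runs offline on any OS.

```python
import ntpath
import re

# Names the write-up says Caphaw borrows from the system folder, plus its
# "lssas.exe" look-alike of the real lsass.exe. Expansions are constructed.
SYSTEM_NAMES = {"taskmgr.exe", "svchost.exe", "lsass.exe"}
LOOKALIKES = {"lssas.exe": "lsass.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
EXPANSIONS = {"%windir%": r"c:\windows", "%appdata%": r"c:\users\alice\appdata\roaming"}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
CLSID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)

def _expand(path):
    """Lower-case and expand the two variables the write-up uses."""
    path = path.lower()
    for var, value in EXPANSIONS.items():
        path = path.replace(var, value)
    return path

def check_run_entries(entries):
    """entries: Run value name -> data. Returns (rule, detail) tuples for the
    pair the write-up describes: a GUID-style name AND a target under
    %APPDATA%. Either alone is common on clean machines and is not flagged."""
    findings = []
    for name, data in entries.items():
        if CLSID_RE.match(name) and "\\appdata\\" in _expand(data.strip('"')):
            findings.append(("run-key-clsid-appdata", f"{RUN_KEY}\\{name} -> {data}"))
    return findings

def check_paths(paths):
    """Flags system-binary names outside the system folders, and the lsass
    look-alike wherever it sits, even inside the real system folder."""
    findings = []
    for p in paths:
        expanded = _expand(p)
        base = ntpath.basename(expanded)
        if base in SYSTEM_NAMES and ntpath.dirname(expanded) not in SYSTEM_DIRS:
            findings.append(("system-name-outside-system-dir", p))
        if base in LOOKALIKES:
            findings.append(("lsass-lookalike", f"{p} (mimics {LOOKALIKES[base]})"))
    return findings

# Constructed samples; the GUID and winmine.exe path are the ones quoted above.
SAMPLE_RUN = {
    "{FAD5ADC3-DABB-6BFF-ED11-CB329C7D70E2}": r'"%APPDATA%\Microsoft\Excel\xlstart\winmine.exe"',
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}
SAMPLE_PATHS = [r"%APPDATA%\taskmgr.exe", r"C:\Windows\System32\taskmgr.exe",
                r"C:\Windows\System32\lssas.exe", r"%windir%\svchost.exe",
                r"C:\Windows\System32\svchost.exe"]
```

On the sample data the Run check flags only the GUID-named entry (the AppData-resident OneDrive entry is left alone), and the path check flags the two system names outside the system folder plus the look-alike sitting inside it. A live scan would feed it real Run-key values and directory listings instead of the constructed samples.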