Virus Characteristics
-- Update October 31, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://news.bbc.co.uk/2/hi/technology/7067962.stm
--
Once executed, Captchar trojan starts a hidden instance of iexplore.exe and injects its code into this process. Then it deletes itself.
The trojan attempts to connect a remote server to exchange CAPTCHA information.
After successfully communicating with the server, the trojan displays the following message:
Hi!
My name is melissa. I'm 18 years old and you have come to the
right place to play :)
How to play?
;
Easy, enter the code that you will see and I'm taking off
1 of my things. :) Want to start strip me? Then what are you
waiting for? Click the start play.
The trojan then displays the message with a CAPTCHA input field when a user clicks the start button:
Ok, lets start baby! Lets see if you can strip me :).
Put the word that you see on bottom, if its correct I'll
take off 1 of my xxx :)
If a wrong CAPTCHA code is input by the user, the trojan displays the following message:
Hmmm, nope, the word you entered is
incorrect honey! Lets try again?
After the correct CAPTCHA is input by the user, the trojan sends the correct code to its control server, displays one of the following messages and a new CAPTCHA code to enticing the user into continuing the game.
Outch, nice one, you got it right!
ok, ready for next one? Here it is: