PandaLabs has reported a new Trojan, Therat.B. This malicious code is designed to steal all types of passwords. It also has an extremely dangerous function: the capacity to steal the passwords that could be stored in the AutoComplete feature of the user's Internet browser. When the user enters the first one or two characters of a username or password, this feature automatically completes it in the forms for accessing the Internet services the user most commonly uses.
To do this, the Trojan accesses an entry in the Windows Registry where this information is logged. Although the information is encrypted, applications designed to decrypt it are available.
Furthermore, Therat.B has a keylogger function. This means that it logs the keystrokes the user enters through the keyboard, which could contain information of interest to the cyber-criminal: user names, passwords, bank account numbers or credit card numbers, PINs, etc.
Once installed on the computer, the Trojan creates several files in the Windows system directory. These files include SOCKETIME.EXE, which is a copy of the Trojan, and 32THERAT.LOG, in which it stores the stolen information. This information is then sent to the cyber-criminal at a predetermined email address.
Therat.B also modifies an entry in the Windows Registry in order to ensure it is run whenever the computer is restarted.
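A triage check built from the indicators this advisory names, as an added example that is not PandaLabs code: it flags SOCKETIME.EXE and 32THERAT.LOG in a file listing and any startup entry that launches SOCKETIME.EXE. The advisory does not name the Registry entry, so the (value name, command) input format and all sample data are assumptions constructed for illustration.

```python
import ntpath
import re

# File names come from the advisory, which places both in the Windows system directory.
IOC_FILES = {
    "socketime.exe": "copy of the Trojan",
    "32therat.log": "log of stolen information",
}
# Matches SOCKETIME.EXE as a whole file name inside an autorun command line.
AUTORUN_RE = re.compile(r'(?:^|[\\/"\s])socketime\.exe(?=$|["\s,])', re.IGNORECASE)


def match_files(paths):
    """Return (path, meaning) for each path whose base name is a listed indicator."""
    hits = []
    for path in paths:
        # Windows file names are case-insensitive, so compare in lower case.
        name = ntpath.basename(path.strip().strip('"')).lower()
        if name in IOC_FILES:
            hits.append((path, IOC_FILES[name]))
    return hits


def match_autoruns(entries):
    """Return the (value_name, command) pairs whose command launches SOCKETIME.EXE."""
    return [(name, cmd) for name, cmd in entries if AUTORUN_RE.search(cmd)]


# Constructed sample data (not taken from a real host or from the advisory).
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\WINDOWS\system32\SocketIme.exe",
    r"C:\WINDOWS\system32\32THERAT.LOG",
    r"C:\WINDOWS\system32\32therat.log.bak",
]
# Assumed export format: (value name, command line) pairs from a startup key.
SAMPLE_AUTORUNS = [
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("placeholder-value", r'"C:\WINDOWS\system32\SOCKETIME.EXE" /s'),
    ("tool", r"C:\tools\notsocketime.exe"),
]

if __name__ == "__main__":
    for path, meaning in match_files(SAMPLE_FILES):
        print(f"file indicator: {path} ({meaning})")
    for name, cmd in match_autoruns(SAMPLE_AUTORUNS):
        print(f"autorun indicator: {name} -> {cmd}")
```

A file-name match is only a lead for further examination, since the names can also belong to unrelated files.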
This Trojan is not designed to spread by its own means, so it needs intervention from a malicious user to do so. It could therefore be found in all types of email messages, files downloaded from the Internet or P2P networks, etc.