PWSteal.Navu is a Trojan Horse with keylogging capabilities.

The presence of the file Msdirectx.dll or Navupd.dll is an indication of a possible infection.

Type: Trojan Horse
Infection Length: 901,122 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Systems Not Affected: Linux, Macintosh, OS/2, UNIX

THREAT ASSESSMENT

Wild:

Number of infections: 0 - 49
Number of sites: 0 - 2
Geographical distribution: Low
Threat containment: Easy
Removal: Moderate

Wild: Low
Damage: Medium
Distribution: Low

Damage

Payload:
Releases confidential info: Intercepts keystrokes.

TECHNICAL DETAILS

PWSteal.Navu consists of a .dll file. Routines within the .dll are invoked using Rundll32.exe.

When PWSteal.Navu is executed, it performs the following actions:

1. Copies itself to the %Windir% directory as:

   msdirectx.dll
   navupd.dll

   NOTE: %Windir% is a variable. The Trojan locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

2. Adds the value:

   "NAVUpd" = "rundll32.exe navupd.dll,Startup"

   to the registry key:

   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

   so that the Trojan starts when Windows starts.

3. Uses ICQ to send a notification to the Trojan's author that it is running.

4. Hooks keyboard events, allowing it to log keystrokes.

5. May display one of the following error messages while the Trojan is running:

   "failed at address conversion"
   "failed at socket creation"
   "failed at startup"

For complete details visit:
http://securityresponse.symantec.com...teal.navu.html

Cheers,
BD]Hobbit
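As an added example (not part of the post above or of Symantec's writeup), the following Python flags the indicators the writeup describes: a Run value that loads navupd.dll or msdirectx.dll through rundll32, and those file names in %Windir%. The Run-key snapshot and directory listing are constructed sample data; a real check would read the live registry key and directory instead.

```python
import re
from dataclasses import dataclass

# Indicators from the writeup: dropped file names and the Run value name.
NAVU_FILES = {"msdirectx.dll", "navupd.dll"}
NAVU_RUN_VALUE = "navupd"

# A rundll32 Run entry has the shape: rundll32.exe <dll>,<export>
RUNDLL_RE = re.compile(r'^\s*"?rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,\s*(\S+)', re.IGNORECASE)

@dataclass
class Finding:
    kind: str    # "run_key" or "file"
    detail: str

def parse_rundll_entry(command: str):
    """Return (dll, export) for a rundll32 command line, else None."""
    m = RUNDLL_RE.match(command)
    return (m.group(1).strip(), m.group(2)) if m else None

def check_run_key(run_values: dict[str, str]) -> list[Finding]:
    """Flag Run entries whose value name or loaded DLL matches; other rundll32 entries are left alone."""
    findings = []
    for name, command in run_values.items():
        parsed = parse_rundll_entry(command)
        if parsed is None:
            continue
        dll, _export = parsed
        dll_base = dll.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name.lower() == NAVU_RUN_VALUE or dll_base in NAVU_FILES:
            findings.append(Finding("run_key", f'{name} = "{command}"'))
    return findings

def check_windir(files: list[str]) -> list[Finding]:
    """Flag the Trojan's file names in a %Windir% listing (case-insensitive)."""
    return [Finding("file", f) for f in files if f.lower() in NAVU_FILES]

# Constructed sample data: one infected Run value beside two benign ones.
SAMPLE_RUN = {
    "NAVUpd": "rundll32.exe navupd.dll,Startup",
    "NvCplDaemon": "RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup",
    "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",
}
SAMPLE_FILES = ["explorer.exe", "Navupd.dll", "notepad.exe", "MSDIRECTX.DLL"]

if __name__ == "__main__":
    for f in check_run_key(SAMPLE_RUN) + check_windir(SAMPLE_FILES):
        print(f"[{f.kind}] {f.detail}")
```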