PWSteal.Navu is a Trojan Horse with keylogging capabilities.
The presence of the file Msdirectx.dll or Navupd.dll is an indication of a possible infection.
Type: Trojan Horse
Infection Length: 901,122 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Systems Not Affected: Linux, Macintosh, OS/2, UNIX
Number of infections: 0 - 49
Number of sites: 0 - 2
Geographical distribution: Low
Threat containment: Easy
Releases confidential info: Intercepts keystrokes.
PWSteal.Navu consists of a .dll file. Routines within the .dll are invoked using Rundll32.exe.
When PWSteal.Navu is executed, it performs the following actions:
Copies itself to the %Windir% directory as:
NOTE: %Windir% is a variable. The Trojan locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
Adds the value:
"NAVUpd" = "rundll32.exe navupd.dll,Startup"
to the registry key:
so that the Trojan starts when Windows starts.
Uses ICQ to send a notification to the Trojan's author that it is running.
Hooks keyboard events, allowing it to log keystrokes.
May display one of the following error messages while the Trojan is running:
"failed at address conversion"
"failed at socket creation"
"failed at startup"