Troj/CashGrab-C

Aliases	PWS-Cashgrabber Trojan.Win32.Agent.cc Trojan.Win32.Agent.cw
Category	Viruses and Spyware
Type	Trojan
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


Affected operating systems	Windows
Characteristics	Drops more malware Installs itself in the registry
Protection available since	2 June 2005 22:15:56 (GMT)
Detected by	All Sophos products

Free virus scan
Download the Threat Detection Test

Free virus, spyware, and adware scan
Test your existing anti-virus protection
Find threats your anti-virus missed

Action

Summary
Action
More Information

Please follow the instructions for removing Trojans.

Change any data that may have become compromised.

More Information

Summary
Action
More Information

Troj/CashGrab-C is a password stealing Trojan which attempts to steal confidential information and send it to a remote location.

When the Trojan is installed the following files are created:

<Windows system folder>\msupdate.dll
<Windows system folder>\windows.idn
<Windows system folder>\winsetup.exe
<Windows system folder>\winst.msi

msupdate.dll is also detected as Troj/CashGrab-C. winsetup.exe is detected as Troj/CashGrab-A. windows.idn and winst.msi are harmless text files.

The file msupdate.dll is registered as a Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under:

HKCR\CLSID\{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}\

Troj/CashGrab-C monitors browser windows for content indicative of an internet banking site. Upon encountering such windows, the Trojan attempts to record any data entered into these windows and send it to the author via an HTTP form submission.

Get reports about the latest virus and spyware threats delivered to your computer

In this section

Sophos blogs

Troj/CashGrab-C

Summary

Action

More Information