BackDoor-CAY - password stealer trojan. Also known as Backdoor.Carufax (AVP), Troj/Volver (Sophos), Win32.Reign (CA).
This trojan uses a stealth technique to circumvent certain scanning technology.
The trojan attempts to capture typed keystrokes and steal web site passwords.
This trojan does not self-replicate. It is spread manually, often under the premise that the executable is something beneficial.
Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.
When run, the trojan creates a hidden directory named f~a within the WINDOWS SYSTEM directory.
Adds the value: "f~a" = C:\WINNT\System32\f~a\ra32.exe
to the registry keys:
Within this directory, several files are created:
usr_ext.dll (captures keystrokes and steals passwords)
usrvcrt.dll (captures web site username/password)
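The indicators above (the Run value named f~a, the ra32.exe launcher path under System32\f~a, and the two DLLs) are enough to write a simple host triage check. The following is an added example, not code from the original description or from any vendor: it parses a constructed REGEDIT export of the Run key, inspects a constructed directory listing, and reports any match. The registry-export parser, the sample data and the function names are all assumptions made for this example.

```python
import re
from typing import Dict, List

# Indicators quoted from the description above: the Run value name, the
# launcher path and the files dropped into the hidden f~a directory.
RUN_VALUE_NAME = "f~a"
DROP_DIR_NAME = "f~a"
DROPPED_FILES = {"ra32.exe", "usr_ext.dll", "usrvcrt.dll"}
# Launcher path, tolerant of WINNT or WINDOWS as the Windows directory.
LAUNCHER_RE = re.compile(
    r"^[a-z]:\\(windows|winnt)\\system32\\f~a\\ra32\.exe$", re.IGNORECASE
)
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for a REGEDIT .reg export: {key_path: {value: data}}.

    Only REG_SZ values of the form "name"="data" are handled, which is all
    a Run key needs; .reg escaping of backslashes and quotes is undone.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if not m:
                continue
            name, data = m.group(1), m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = data[1:-1]
            keys[current][name] = data.replace("\\\\", "\\").replace('\\"', '"')
    return keys


def check_run_values(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag Run-key values whose name or launcher path matches the trojan."""
    findings = []
    for key_path, values in keys.items():
        if not key_path.lower().endswith(RUN_KEY_SUFFIX):
            continue
        for name, data in values.items():
            exe = data.strip().strip('"')  # drop quoting around the path
            if name.lower() == RUN_VALUE_NAME or LAUNCHER_RE.match(exe):
                findings.append(f"{key_path}: value '{name}' -> {exe}")
    return findings


def check_drop_directory(listing: Dict[str, List[str]]) -> List[str]:
    """Flag a directory named f~a directly under System32 holding known files.

    `listing` maps a directory path to the file names found in it, as a
    host inventory or triage script would collect them.
    """
    findings = []
    for directory, files in listing.items():
        parts = directory.lower().rstrip("\\").split("\\")
        if len(parts) < 2 or parts[-1] != DROP_DIR_NAME or parts[-2] != "system32":
            continue
        for f in sorted(DROPPED_FILES & {f.lower() for f in files}):
            findings.append(f"{directory}\\{f}")
    return findings


def assess_host(reg_export: str, listing: Dict[str, List[str]]) -> List[str]:
    """Combine both checks; an empty list means no indicator was seen."""
    return check_run_values(parse_reg_export(reg_export)) + check_drop_directory(listing)


# Constructed sample data (hypothetical hosts, not captured artifacts).
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\""
"""
INFECTED_REG = CLEAN_REG + r'"f~a"="C:\\WINNT\\System32\\f~a\\ra32.exe"' + "\n"
CLEAN_LISTING = {r"C:\WINNT\System32": ["kernel32.dll", "ntdll.dll"]}
INFECTED_LISTING = {
    r"C:\WINNT\System32": ["kernel32.dll", "ntdll.dll"],
    r"C:\WINNT\System32\f~a": ["ra32.exe", "usr_ext.dll", "usrvcrt.dll"],
}

if __name__ == "__main__":
    for label, reg, lst in (("clean", CLEAN_REG, CLEAN_LISTING),
                            ("infected", INFECTED_REG, INFECTED_LISTING)):
        print(label, assess_host(reg, lst) or "no indicators")
```

Because the f~a directory is created hidden, a directory listing collected for this check must include hidden entries (for example `dir /a` or `Get-ChildItem -Force`), otherwise the drop-directory check sees nothing even on an affected host.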
Use antivirus software to remove this trojan.