This is a popular/epidemic ICQ virus nowadays:
SHA-1: b0f3ccd65414853eb120b01e1ad7fbf25fc59690
Size: 916 KB (938 496 bytes)
after start:
Identify is end.
Info: this virus (Symantec detection: Infostealer) steals the ICQ UIN number and password and sends itself to others using the whole contact list of the compromised user; it includes a bot, which can carry on a small conversation with contacted users.
You have added this virus to your database - You know it - I think You tested it, or you can just help me and others with the next question:
The question is:
How can this Infostealer virus steal the ICQ password?
I came up with 3 theoretical methods:
1) decryption of the password that was saved in the ICQ client;
2) accessing the memory of the already running ICQ client and decrypting the saved password from it;
3) (ICQ client is already running) accessing the ICQ server and somehow (maybe the client is authorized to do this, or there is a vulnerability in the ICQ protocol/server) getting the password.
For all: all cases need to be reviewed.
For me: if I never stored my password in the ICQ client and the ICQ client was running during the active infection - shall I change my ICQ password, or was this Infostealer not capable of accessing it in this case?
I think You tested it before you added it to Your database.
So please help me and others with a professional review of this risk. I need to know more about it.