Trojan-PSW.Win32.QQPass.cdw analysis
  Added: 07/08/2008   Published: 07/08/2008

Virus profile:
Virus name: Trojan-PSW.Win32.QQPass.cdw
Virus type: Trojan horse
File MD5: 9527A14F4190E49EC31E601295A5717C
Disclosure scope: Fully public
Threat level: 3
File size: 30,840 bytes packed; 104,056 bytes unpacked
Affected systems: Windows 98 and later
Compiler: Borland Delphi 6.0 - 7.0
Packer: UPX 0.89.6 - 1.02 / 1.05 - 1.24
 
Virus description:
  This is a Trojan that steals QQ account credentials. When run, it copies itself to %Program Files%\Internet Explorer\PLUGINS\ under the name UnixSys32.Jmp and drops a virus file with the hidden attribute, UnixSys08.Sys, into the same directory. It then creates registry entries: it registers a CLSID and adds a ShellExecuteHooks entry so that Explorer.exe loads UnixSys08.Sys at system startup, and it hijacks the browser by adding a BHO entry so that Internet Explorer loads UnixSys08.Sys whenever IE runs. It also attempts to inject UnixSys08.Sys into every process through a global hook, intercepts the current user's keyboard and mouse messages to capture the QQ account number and password, and sends them to a URL specified by the virus author. Once its own code has run, the virus terminates its own process.
 
Behavioral analysis:
Local behavior:
1. After the file is run, it drops the following files:
    %Program Files%\Internet Explorer\PLUGINS\UnixSys08.Sys         44,664 bytes
    %Program Files%\Internet Explorer\PLUGINS\UnixSys32.Jmp         30,840 bytes
2. Registry entries added:

    [HKEY_CURRENT_USER\Software\Tencent\Unix]
    Value name: "Eo9"
    Type: REG_SZ
    Data: "kk"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74381DEC-D78B-43E4-BA5D-5244F669EBE4}\InProcServer32]
    Value name: "@" (default)
    Type: REG_SZ
    Data: "C:\Program Files\Internet Explorer\PLUGINS\UnixSys08.Sys"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74381DEC-D78B-43E4-BA5D-5244F669EBE4}\InProcServer32]
    Value name: "ThreadingModel"
    Type: REG_SZ
    Data: "Apartment"
    Description: registers the CLSID

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    Value name: "{74381DEC-D78B-43E4-BA5D-5244F669EBE4}"
    Type: REG_SZ
    Data: ""
    Description: causes Explorer.exe to load UnixSys08.Sys at system startup
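
As a defender-side check added here (not part of the original analysis), the following Python parses a `reg export` style text dump with a constructed sample embedded, resolves each ShellExecuteHooks CLSID to its InProcServer32 module, which is exactly the load path the persistence above relies on, and flags modules that are not a DLL under the Windows directory. The key names, CLSID and module path come from the entries listed above; the benign second hook entry and the triage heuristics are assumptions.

```python
# Constructed sample in `reg export` text format (not captured from a real host). The
# first CLSID and path are those reported above; the second hook is a made-up benign one.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74381DEC-D78B-43E4-BA5D-5244F669EBE4}\InProcServer32]
@="C:\\Program Files\\Internet Explorer\\PLUGINS\\UnixSys08.Sys"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InProcServer32]
@="C:\\WINDOWS\\system32\\example.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{74381DEC-D78B-43E4-BA5D-5244F669EBE4}"=""
"{00000000-0000-0000-0000-000000000001}"=""
"""

HOOKS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
INPROC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\%s\InProcServer32"

def parse_reg(text):
    """Parse the .reg subset used here: [key] headers and REG_SZ name="data" lines."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            # .reg doubles backslashes inside string data; undo that escaping
            keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def audit_shell_execute_hooks(keys):
    """Resolve each ShellExecuteHooks CLSID to the InProcServer32 module Explorer loads at
    logon; return (clsid, module, reasons) for modules missing, not .dll, or outside Windows."""
    findings = []
    for clsid in keys.get(HOOKS_KEY, {}):
        module = keys.get(INPROC_KEY % clsid, {}).get("@", "")
        reasons = []
        if not module:
            reasons.append("no InProcServer32 registered")
        else:
            if not module.lower().endswith(".dll"):
                reasons.append("in-process server is not a .dll")
            if not module.lower().startswith("c:\\windows\\"):
                reasons.append("module lives outside the Windows directory")
        if reasons:
            findings.append((clsid, module, "; ".join(reasons)))
    return findings
```

On a live host the same logic applies to the output of `reg export` for the two keys; a hook module with a non-DLL extension under a browser plug-in directory is the pattern this sample leaves behind.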
