Virus label:
Virus name: Trojan-PSW.Win32.OnLineGames.aprb
Virus type: Trojan (password stealer)
File MD5: 0939DB9C70F25A1D26C482ABCDD2538A
Public scope: Fully public
Harm level: 3
File length: 15,297 bytes packed; 74,752 bytes unpacked
Infected systems: Windows 98 and later
Development tool: Microsoft Visual C++ 6.0
Packer: FSG 2.0
Virus description:
This virus is a Trojan that steals account credentials for the online game LaTale ("Rainbow Island"). Once run, it copies itself and drops the files bndfxdh.cfg, bndfxdh.dll, ghjsw.dll and zxdtye.dll, with the hidden attribute set, into %WinDir% (the behavioral analysis below lists them under %System32%). It then sets the modification time of bndfxdh.dll, ghjsw.dll and zxdtye.dll to the system's original installation date, so that the dropped DLLs blend in with the files installed with Windows (timestomping). It adds a startup item so that the virus file runs whenever any user logs on.
The virus attempts to inject bndfxdh.dll into every process through a global hook. It takes a snapshot of the processes currently running on the system and walks the process list in that snapshot, checking whether an AVP.exe process exists; if it does, the virus changes the system date to the year 2003 (month and day unchanged), which causes Kaspersky to treat its license as expired. If it finds a LaTaleClient.exe process it terminates it; when the user logs in to the game again, the virus reads server.dat to obtain the user's server information, intercepts the current user's keyboard and mouse messages to capture the LaTale account name and password, and sends them to a URL specified by the virus author.
After its own code has finished executing, the virus terminates its own process and deletes its own file.
Behavioral analysis:
Local behavior:
1. After the file runs, it drops the following files:
%System32%\bndfxdh.cfg 144 bytes
%System32%\bndfxdh.dll 26,768 bytes
%System32%\bndfxdh.exe 15,297 bytes
%System32%\ghjsw.dll 6,144 bytes
%System32%\zxdtye.dll 6,144 bytes
2. Registry additions:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Value name: "bndfxdh"
Type: REG_SZ
Data: "C:\WINDOWS\system32\bndfxdh.exe"
Description: adds a startup item so the dropped executable runs at every logon.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
Value name: "DesktopWin"
Type: REG_SZ
Data: "{DA191DE0-AA86-4ED0-4B87-292A3D48BE99}"
Description: entries under ShellServiceObjectDelayLoad are COM objects that Explorer loads at startup, so this value gives the virus a second persistence path that survives removal of the Run entry alone. The analysis does not state which of the dropped DLLs this CLSID resolves to; check the CLSID's InprocServer32 registration when cleaning the host.
3. Uses the remote-thread injection function CreateRemoteThread, attempting to inject bndfxdh.dll into all processes through a global hook, in order to monitor every process currently running on the system.
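As an added example, not part of the original analysis and not code from the trojan or the vendor, the following Python script turns the indicators above (dropped file names and sizes, the timestomped DLLs, the Run and ShellServiceObjectDelayLoad values, the AVP.exe clock-rollback behavior and the file MD5) into an offline triage check. It works over a host snapshot an investigator has already collected as plain Python data; the snapshot layout, the `install_time` field and the sample snapshot at the bottom are assumptions made for the example, not data from the page. Collecting the snapshot from a live Windows host is left to the reader's usual tooling.

```python
import hashlib
import ntpath
from datetime import datetime

KNOWN_MD5 = "0939db9c70f25a1d26c482abcdd2538a"

# Dropped files and sizes, taken from the behavioral analysis above.
DROPPED = {
    "bndfxdh.cfg": 144,
    "bndfxdh.dll": 26768,
    "bndfxdh.exe": 15297,
    "ghjsw.dll": 6144,
    "zxdtye.dll": 6144,
}
# DLLs whose modification time the trojan backdates to the system install date.
TIMESTOMPED = {"bndfxdh.dll", "ghjsw.dll", "zxdtye.dll"}

RUN_VALUE = "bndfxdh"          # HKLM\...\CurrentVersion\Run
SSODL_VALUE = "DesktopWin"     # HKLM\...\CurrentVersion\ShellServiceObjectDelayLoad
SSODL_CLSID = "{DA191DE0-AA86-4ED0-4B87-292A3D48BE99}"


def md5_matches(sample: bytes) -> bool:
    """True if a file's bytes hash to the MD5 given in the header."""
    return hashlib.md5(sample).hexdigest().lower() == KNOWN_MD5


def check_files(listing, install_time):
    """listing: (path, size, mtime, hidden) tuples; install_time: the OS
    install timestamp the trojan copies onto its DLLs (assumed collected
    separately, e.g. from the original system files). Returns findings."""
    findings = []
    for path, size, mtime, hidden in listing:
        name = ntpath.basename(path).lower()
        if name not in DROPPED:
            continue
        note = f"dropped file present: {path}"
        if size != DROPPED[name]:
            note += f" (size {size}, documented {DROPPED[name]}: possible variant)"
        if hidden:
            note += ", hidden attribute set"
        if name in TIMESTOMPED and mtime == install_time:
            note += ", mtime equals system install date (timestomped)"
        findings.append(note)
    return findings


def check_registry(run_values, ssodl_values):
    """run_values / ssodl_values: {value_name: data} read from the two keys."""
    findings = []
    for name, data in run_values.items():
        # Match on the documented value name, or on any Run target that is one
        # of the dropped files (a renamed value still points at the same EXE).
        if name.lower() == RUN_VALUE or ntpath.basename(str(data)).lower() in DROPPED:
            findings.append(f"Run value '{name}' -> {data}")
    clsid = ssodl_values.get(SSODL_VALUE)
    if clsid is not None:
        note = f"SSODL value '{SSODL_VALUE}' -> {clsid}"
        if clsid.upper() != SSODL_CLSID:
            note += " (CLSID differs from the documented sample)"
        findings.append(note)
    return findings


def check_processes(process_names, now):
    """process_names: running image names; now: the host's current clock."""
    names = {n.lower() for n in process_names}
    findings = []
    if "bndfxdh.exe" in names:
        findings.append("bndfxdh.exe is running")
    # When AVP.exe is present the trojan rolls the system year back to 2003,
    # so a 2003 clock on a host running Kaspersky is itself an indicator.
    if "avp.exe" in names and now.year == 2003:
        findings.append("AVP.exe running and system year is 2003: clock tampering")
    return findings


def triage(snapshot):
    """snapshot: dict with keys files, install_time, run, ssodl, processes, now."""
    return (check_files(snapshot["files"], snapshot["install_time"])
            + check_registry(snapshot["run"], snapshot["ssodl"])
            + check_processes(snapshot["processes"], snapshot["now"]))


# Constructed host snapshot for demonstration only (not real collected data).
INSTALL = datetime(2004, 8, 12, 10, 0, 0)
SAMPLE_SNAPSHOT = {
    "install_time": INSTALL,
    "files": [
        (r"C:\WINDOWS\system32\bndfxdh.cfg", 144, datetime(2008, 3, 1), True),
        (r"C:\WINDOWS\system32\bndfxdh.dll", 26768, INSTALL, True),
        (r"C:\WINDOWS\system32\bndfxdh.exe", 15297, datetime(2008, 3, 1), False),
        (r"C:\WINDOWS\system32\ghjsw.dll", 6144, INSTALL, True),
        (r"C:\WINDOWS\system32\zxdtye.dll", 6144, INSTALL, True),
        (r"C:\WINDOWS\system32\kernel32.dll", 900000, INSTALL, False),  # benign, made-up size
    ],
    "run": {"bndfxdh": r"C:\WINDOWS\system32\bndfxdh.exe",
            "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    "ssodl": {"DesktopWin": "{DA191DE0-AA86-4ED0-4B87-292A3D48BE99}"},
    "processes": ["explorer.exe", "AVP.exe", "bndfxdh.exe", "LaTaleClient.exe"],
    "now": datetime(2003, 3, 1, 12, 0, 0),
}

if __name__ == "__main__":
    for line in triage(SAMPLE_SNAPSHOT):
        print(line)
```

The size check is deliberately a note rather than a filter: a file with the documented name but a different size is more likely a repacked variant than a false positive, so it is still reported. The timestomping check compares against a single install timestamp; on a real host compare against the mtimes of the original system files in the same directory, since the trojan copies that date rather than a fixed one.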