Trojan-PSW.Win32.OnLineGames.aprb analysis
  Added: 07/17/2008   Published: 07/17/2008   (page 1 of 3)
Virus label:
Virus name: Trojan-PSW.Win32.OnLineGames.aprb
Virus type: Trojan
File MD5: 0939DB9C70F25A1D26C482ABCDD2538A
Disclosure scope: Fully public
Damage level: 3
File size: 15,297 bytes packed, 74,752 bytes unpacked
Affected systems: Windows 98 and later
Development tool: Microsoft Visual C++ 6.0
Packer: FSG 2.0

Virus description:
This virus is a trojan that steals account credentials for the online game "Rainbow Island" (LaTale). When run, it copies itself and drops the virus files bndfxdh.cfg, bndfxdh.dll, ghjsw.dll and zxdtye.dll into %WinDir% with the hidden attribute set, and sets the modification times of bndfxdh.dll, ghjsw.dll and zxdtye.dll to the system's original installation date. It adds a startup item so that the virus file runs whenever a user starts the system. The virus then attempts to inject bndfxdh.dll into all processes through a global hook: it takes a snapshot of the processes running on the current system and walks the process list in that snapshot. If it finds an AVP.exe process, it changes the system year to 2003 while leaving the month and day unchanged, so that Kaspersky's licence appears expired. If it finds a LaTaleClient.exe process, it terminates that process. When the user logs in again, the trojan reads server.dat to obtain the user's server information, intercepts the current user's keyboard and mouse messages to capture the "Rainbow Island" account name and password, and sends them to a URL chosen by the virus author. After its own code has run, the virus terminates its own process and deletes its own file.

Behavioral analysis:
Local behavior:
1. After the file runs, it releases the following files:
    %System32%\bndfxdh.cfg     144 bytes
    %System32%\bndfxdh.dll     26,768 bytes
    %System32%\bndfxdh.exe     15,297 bytes
    %System32%\ghjsw.dll       6,144 bytes
    %System32%\zxdtye.dll      6,144 bytes
2. Registry additions:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
    \Windows\CurrentVersion\Run]
    Value name: "bndfxdh"
    Type: REG_SZ
    Data: "C:\WINDOWS\system32\bndfxdh.exe"
    Description: adds a startup item
3. Uses the remote thread injection function CreateRemoteThread and attempts, through a global hook, to inject bndfxdh.dll
   into all processes, in order to monitor every process currently running on the system.

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
    \Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    Value name: "DesktopWin"
    Type: REG_SZ
    Data: "{DA191DE0-AA86-4ED0-4B87-292A3D48BE99}"
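The artifacts listed above (dropped file names, hidden attribute, DLL timestamps reset to the OS installation date, the Run value and the ShellServiceObjectDelayLoad value) can be checked mechanically. The following is an added example, not code from the original report: it evaluates a host snapshot against those indicators. The snapshot structures (registry value dicts, FileInfo records) are assumed to be collected separately, for instance with winreg and os.stat; a constructed snapshot stands in for a real host.

```python
# Added example, not from the original report: evaluates a host snapshot against
# the persistence and timestomping artifacts described in the analysis. The
# snapshot structures are assumed to be collected elsewhere (winreg, os.stat);
# a constructed snapshot stands in for a real host below.
from dataclasses import dataclass
from datetime import datetime

DROPPED = {"bndfxdh.cfg", "bndfxdh.dll", "bndfxdh.exe", "ghjsw.dll", "zxdtye.dll"}
RUN_VALUE = "bndfxdh"        # value under HKLM\...\CurrentVersion\Run
SSODL_VALUE = "DesktopWin"   # value under HKLM\...\ShellServiceObjectDelayLoad
SSODL_CLSID = "{DA191DE0-AA86-4ED0-4B87-292A3D48BE99}"

@dataclass
class FileInfo:
    name: str          # file name inside %System32%
    hidden: bool       # FILE_ATTRIBUTE_HIDDEN set
    mtime: datetime    # last-write time

def check_registry(run_values: dict, ssodl_values: dict) -> list:
    """Flag the two autostart entries the trojan writes."""
    hits = []
    exe = run_values.get(RUN_VALUE, "")
    if exe.lower().endswith("\\system32\\bndfxdh.exe"):
        hits.append(f"Run\\{RUN_VALUE} -> {exe}")
    if ssodl_values.get(SSODL_VALUE, "").upper() == SSODL_CLSID:
        hits.append(f"ShellServiceObjectDelayLoad\\{SSODL_VALUE} -> {SSODL_CLSID}")
    return hits

def check_files(files: list, os_install: datetime) -> list:
    """Flag dropped names; note hidden attribute and DLL mtime reset to install date."""
    hits = []
    for f in files:
        if f.name.lower() not in DROPPED:
            continue
        reasons = ["known dropped name"]
        if f.hidden:
            reasons.append("hidden attribute")
        if f.name.lower().endswith(".dll") and f.mtime.date() == os_install.date():
            reasons.append("mtime equals OS install date (timestomped)")
        hits.append(f"{f.name}: " + ", ".join(reasons))
    return hits

# Constructed snapshot (not real host data) for a stand-alone run.
SAMPLE_INSTALL = datetime(2007, 3, 1)   # assumed OS installation date
SAMPLE_RUN = {RUN_VALUE: r"C:\WINDOWS\system32\bndfxdh.exe"}
SAMPLE_SSODL = {SSODL_VALUE: SSODL_CLSID}
SAMPLE_FILES = [FileInfo("bndfxdh.dll", True, datetime(2007, 3, 1)),
                FileInfo("ghjsw.dll", False, datetime(2008, 7, 17)),
                FileInfo("kernel32.dll", False, datetime(2007, 3, 1))]
if __name__ == "__main__":
    print(check_registry(SAMPLE_RUN, SAMPLE_SSODL))
    print(check_files(SAMPLE_FILES, SAMPLE_INSTALL))
```

On a real host the DLL timestamp check is only meaningful because the report says the sample copies the installation date; a legitimate system DLL with the same date is not flagged since its name is not in the dropped set.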