Analysis of the Dragon Valley account-stealing Trojan Trojan-PSW.Win32.OnLineGames.d

Source: Internet
Author: User


Dragon Valley account-stealing Trojan

Trojan-PSW.Win32.OnLineGames.d

Capture Time

2010-9-13

Hazard level

Medium

Virus symptoms

This sample is a Trojan horse written in VC and packed with Upack. It was captured automatically by the Micropoint active defense software. Its length is 25,436 bytes and its extension is "exe"; it spreads through file bundling, downloader downloads and web page Trojans. The main purpose of the virus is to steal the username and password for the online game "Dragon Valley".

After infection, the game "Dragon Valley" closes for no apparent reason, and when the user enters the username, password and password-protection details the game runs slowly. The end result is the theft of the user's virtual property by hackers.

Affected systems

Windows 2000/Windows XP/Windows 2003/Windows Vista/Windows 7

Propagation channels

File bundling, web page Trojans, downloads

Manual removal steps for users without anti-virus or active defense software installed:

1. Manually delete the following files:

%Temp%\TML4.tmp

%SystemRoot%\system32\d3d9.dll.tmpz

%SystemRoot%\system32\d3d9.dll

%SystemRoot%\system32\DllCache\d3d9.dll

%SystemRoot%\system32\DllCache\d3d9.dll.tmpx

2. Manually replace the following files:

Use a clean copy of d3d9.dll to replace the infected

%SystemRoot%\system32\d3d9.dll

%SystemRoot%\system32\DllCache\d3d9.dll

Variable declaration:

%SystemDrive%: the system partition, usually "C:"

%SystemRoot%: the Windows directory, usually "C:\Windows"

%Documents and Settings%: the user profile directory, usually "C:\Documents and Settings"

%Temp%: the temporary folder, usually "C:\Documents and Settings\<current user name>\Local Settings\Temp"

%ProgramFiles%: the default program installation directory, usually "C:\Program Files"

Virus analysis

1. Uses sc.exe to stop and delete the cryptsvc service, disabling the system's authentication protection;

2. Locates the temporary folder, creates the file TML4.tmp under %Temp%, and raises its process privileges;

3. Takes a process snapshot and searches the process list for assumer.exe, then injects TML4.tmp into assumer.exe to hide the process;

4. Obtains the system path and locates the system file %SystemRoot%\system32\d3d9.dll, copies it to d3d9.dll.tmpz and rewrites that copy (infecting it). Once the infected file is ready, it renames the original d3d9.dll to d3d9.dll.tmpx and copies the infected %SystemRoot%\system32\d3d9.dll.tmpz to %SystemRoot%\system32\d3d9.dll and %SystemRoot%\system32\DllCache\d3d9.dll; the original, clean d3d9.dll in the DllCache folder is renamed to d3d9.dll.tmpx. Finally it deletes %SystemRoot%\system32\d3d9.dll.tmpx;

5. Locates the system file sfc_os.dll and damages it to break Windows File Protection;

6. Takes a process snapshot, finds the dragonnest.exe process, and terminates the game process;

7. Locates the temporary folder and creates a batch file, %Temp%\delself.bat, which deletes the virus source file and then itself;

8. The next time the game runs, the infected %SystemRoot%\system32\d3d9.dll is loaded automatically, and this file causes the game program to load TML4.tmp;

Once TML4.tmp is loaded, it installs a message hook, captures the user's account, password and other information, and sends it to a website specified by the hacker.

Files created by the virus:

%Temp%\TML4.tmp

%SystemRoot%\system32\d3d9.dll.tmpx

%SystemRoot%\system32\d3d9.dll.tmpz

%SystemRoot%\system32\DllCache\d3d9.dll.tmpx

%Temp%\delself.bat

Files replaced by the virus:

%SystemRoot%\system32\d3d9.dll

%SystemRoot%\system32\DllCache\d3d9.dll

%SystemRoot%\system32\sfc_os.dll

Files deleted by the virus:

%SystemRoot%\system32\d3d9.dll.tmpx

%Temp%\delself.bat
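The following triage script is an added example and is not part of the original report. It turns the file lists above and the service change in step 1 of the analysis into an offline check: it takes the %SystemRoot% and %Temp% locations as arguments so it can be pointed at a mounted disk image or a test directory, looks for the dropped files, compares the overwritten DLLs against an operator-supplied clean hash (the reference hash in the demo is a constructed placeholder, not a real d3d9.dll hash), and reads the state of cryptsvc from captured "sc query" output. The sample infected layout and the "sc query" text are constructed for the demonstration.

```python
"""Offline triage for the artefacts the report attributes to Trojan-PSW.Win32.OnLineGames.d.
Added example; %SystemRoot% and %Temp% are passed in so the check runs anywhere."""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Files the report lists as created by the Trojan (relative to %Temp% and %SystemRoot%).
DROPPED_TEMP_FILES = ["TML4.tmp", "delself.bat"]
DROPPED_SYSTEM_FILES = [
    "system32/d3d9.dll.tmpx",
    "system32/d3d9.dll.tmpz",
    "system32/DllCache/d3d9.dll.tmpx",  # the report's deletion list never removes this one
]
# Legitimate files the report says the Trojan overwrites or damages.
REPLACED_SYSTEM_FILES = ["system32/d3d9.dll", "system32/DllCache/d3d9.dll", "system32/sfc_os.dll"]


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_dropped_files(system_root: Path, temp_dir: Path) -> List[str]:
    """Return every dropped artefact from the report's file list that is present."""
    candidates = [temp_dir / n for n in DROPPED_TEMP_FILES]
    candidates += [system_root / r for r in DROPPED_SYSTEM_FILES]
    return [str(p) for p in candidates if p.exists()]


def check_replaced_dll(system_root: Path, known_good: Dict[str, str]) -> Dict[str, str]:
    """Compare each overwritten system file against an operator-supplied clean hash.

    Hashing against the DllCache copy is not enough: step 4 of the analysis copies the
    infected DLL into DllCache as well, so the two copies match each other.
    Verdicts: 'clean', 'MODIFIED', 'missing', or 'no-reference' when no hash was supplied.
    """
    verdicts = {}
    for rel in REPLACED_SYSTEM_FILES:
        p = system_root / rel
        ref = known_good.get(rel)
        if not p.exists():
            verdicts[rel] = "missing"
        elif ref is None:
            verdicts[rel] = "no-reference"
        else:
            verdicts[rel] = "clean" if sha256_of(p) == ref else "MODIFIED"
    return verdicts


def parse_sc_state(sc_output: str) -> str:
    """Read the STATE line of `sc query cryptsvc` output ('RUNNING', 'STOPPED', ...).

    Returns 'MISSING' when sc reports error 1060 (service not installed), which is the
    state step 1 of the analysis leaves behind after the service is deleted.
    """
    if "FAILED 1060" in sc_output:
        return "MISSING"
    m = re.search(r"^\s*STATE\s*:\s*\d+\s+(\w+)", sc_output, re.MULTILINE)
    return m.group(1) if m else "UNKNOWN"


def triage(system_root: Path, temp_dir: Path, known_good: Dict[str, str], sc_output: str) -> Dict[str, object]:
    dropped = find_dropped_files(system_root, temp_dir)
    dlls = check_replaced_dll(system_root, known_good)
    svc = parse_sc_state(sc_output)
    suspicious = bool(dropped) or "MODIFIED" in dlls.values() or svc in ("STOPPED", "MISSING")
    return {"dropped_files": dropped, "dll_verdicts": dlls, "cryptsvc_state": svc, "suspicious": suspicious}


# Constructed `sc query cryptsvc` outputs: after the service was deleted, and on a healthy host.
SC_OUTPUT_DELETED = ("[SC] EnumQueryServicesStatus:OpenService FAILED 1060:\n\n"
                     "The specified service does not exist as an installed service.\n")
SC_OUTPUT_RUNNING = ("SERVICE_NAME: cryptsvc\n"
                     "        TYPE               : 20  WIN32_SHARE_PROCESS\n"
                     "        STATE              : 4  RUNNING\n")


def run_constructed_case() -> Dict[str, object]:
    """Build a fake post-infection layout (constructed data) and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp) / "Windows" / "system32"
        (sys32 / "DllCache").mkdir(parents=True)
        (sys32 / "d3d9.dll").write_bytes(b"INFECTED d3d9 (constructed)")
        (sys32 / "DllCache" / "d3d9.dll").write_bytes(b"INFECTED d3d9 (constructed)")
        (sys32 / "DllCache" / "d3d9.dll.tmpx").write_bytes(b"original d3d9 (constructed)")
        (sys32 / "sfc_os.dll").write_bytes(b"damaged sfc_os (constructed)")
        temp_dir = Path(tmp) / "Temp"
        temp_dir.mkdir()
        (temp_dir / "TML4.tmp").write_bytes(b"stealer payload (constructed)")
        # Placeholder reference: in practice use the hash of a clean d3d9.dll from the same build.
        reference = {"system32/d3d9.dll": hashlib.sha256(b"original d3d9 (constructed)").hexdigest()}
        return triage(Path(tmp) / "Windows", temp_dir, reference, SC_OUTPUT_DELETED)


if __name__ == "__main__":
    print(run_constructed_case())
```

On a real host the operator points triage() at the live %SystemRoot% and %Temp% (or at a mounted image), supplies the clean hashes for the same Windows build, and pastes the output of "sc query cryptsvc"; a leftover DllCache\d3d9.dll.tmpx, a d3d9.dll hash that does not match the clean build, or a stopped or missing cryptsvc are each enough to treat the machine as infected and follow the manual removal steps above.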
