17173 website Trojans exposed

Some time ago, I often browsed Trojans in the 17173 legend area, and posted a post on WY. today, I have just seen a master analyzing the Trojan horse loaded on 17173. To prevent more players from suffering, I Will repost this post as follows. I hope you can be vigilant, after all, we feel the same pain!


In June 24, a MM called me to find a plug-in. I never liked any online games, but I have heard that www.17173.com is a famous site in the game, so I opened this site at will. When the webpage is not completely displayed, a dialog window is displayed, indicating that "" ms-its: mhtml: file: // C: foo. mht cannot be opened! $ {PATH}/game. chm:/launch.htm ". This is not the IE vulnerability. Although foreigners have made public the code for this method, at least there is no public tool in China. The patch was released in April 13. How to put a Trojan on a website like LLD? After analyzing the HTLM file on the webpage, they found that they put the malicious code in it using a hidden webpage, this will not display too much in the source file of the webpage, nor will it show the trojan path on the title of IE in the future. At that time, my first reaction was that the site was hacked, X .. SOHU, the largest portal site in China, ranks 23 in the world. Its access volume exceeds 263, with an average of more than 1 million visitors a day! There is a webpage Trojan on such a website homepage, which is a relatively new IE vulnerability. How many people are affected,
I became curious and wanted to see what the trojan was, so I took game. chm down directly according to the path. And it runs on my own machine. The input svch0st_.exe is displayed immediately. Specifically, winnthas two additional files named "“svch0st_.exe”and “lsas.bmp". It seems that one is the process EXE and the other is used by the DLL insertion thread. Through port analysis, we found the IP address "61.129.50.82" for the Trojan to be put out ". The other party accepts port 80. PING the IP to check whether the returned TTL is WIN. It seems that the data obtained by this trojan is sent to an ASP program on this machine. After disassembly and Analysis of the EXE Trojan using hexadecimal text, the network data has been monitored to obtain the address for receiving the password. X used to steal the legendary Trojan Horse. After anti-virus software testing, none of the three major anti-virus software in China can scan and kill the "hacker" code in this program, after algorithm restoration, the background "http://www.hackerchina.cn/down/mir/mirdat.asp?" of the receiving password of this trojan is connected to analytics. Is there a mailbox address ?! 17173@chinamir2.com ".
To avoid further attacks, I published the addresses of the two sending passwords of this trojan horse. According to the disassembly code, this trojan should have been written by DELPHI, and the code is very delicate. It is definitely a master's work, which I admire very much, this code can obtain the legendary password, level, equipment, server and other information in WIN2000 dynamic memory and send it to the ASP background of a network space. The detailed analysis process is complicated. I will not discuss it too much. Here I will only talk about it.
A fact. To avoid further harm!
Note: The trojan was entered in the virus broadcast in March June 22. You can go to the main site of Rising Star to search for svch0st_.exe directly. I also hope that I can study this Trojan horse for a long time. I want to know that I have been washed N times before. If I can't do anything about it, then I have no language ~

Then, enable the trojan scan to check the virus. The result is OK.
Processes. I knew I was lucky. I immediately checked the Rising anti-virus information and found that it was a legendary Trojan Horse. follow the steps to clear it. finally, I went to the major forums and found a post about Trojan Analysis on 17173. I will show it to you ~