Virus name: Trojan-PSW.Win32.OnLineGames.kuu
Chinese name: online game password-stealing Trojan
Virus type: Trojan horse
File MD5: d1ca82fd63c7c760cbe43a2520a28e34
File length: 14,703 bytes
Affected systems: Windows 98 and later
Development tool: Borland Delphi v4.0-v5.0
Packer: Upack 0.3.9 beta2s
Virus description:
The sample is a Trojan. When run, it copies itself to the system directory and deletes the original file; it modifies the registry so that a dropped DLL is loaded into Windows application processes and so that Windows Automatic Updates is disabled; and it steals the user's online game account names and passwords.
Behavioral Analysis:
Local behavior:
1. After running, the virus deletes its own file and drops the following files:
%WINDIR%\Fonts\enfeafx.fon
%system32%\kafyjaz.exe
%system32%\kafyjcs.dll
%system32%\kafyjzy.dll
2. Modifies the registry so that the dropped DLL is loaded into Windows application processes. Any DLL named in AppInit_DLLs is loaded into every process that loads user32.dll, which gives the stealer a foothold in the game clients it targets:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Windows\
Value: string "AppInit_DLLs" = "kafyjzy.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
{ab681598-ad5f-bc8c-77dc-748fac8d3fba}\InprocServer32\@
Value: string (default) = "C:\WINDOWS\system32\kafyjzy.dll"
3. Modifies the registry to disable Windows Automatic Updates. Under this policy key, NoAutoUpdate = 1 is the value that switches Automatic Updates off, and because it is a Policies entry it overrides whatever the user selected in Control Panel:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\
WindowsUpdate\AU\AUOptions
Value: DWORD 1 (0x1)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\
WindowsUpdate\AU\NoAutoUpdate
Value: DWORD 1 (0x1)
4. The dropped kafyjzy.dll is loaded into Explorer.exe and other user-level processes (the AppInit_DLLs entry above is the mechanism).
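The registry changes in items 2 to 4 can be triaged offline from a `reg export` of the affected hives. The following Python script is an added example written for this page, not part of the original report or of the sample: it parses a constructed .reg export that reproduces the keys listed above (the `LoadAppInit_DLLs` line is an assumption added for realism) and flags AppInit_DLLs modules outside an allowlist, COM servers that register the same module, and the policy values that disable Automatic Updates. Function and constant names are the editor's own.

```python
import re

# Constructed .reg export (not captured from a real host) reproducing the keys
# the report lists. The LoadAppInit_DLLs line is an assumption added for realism.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="kafyjzy.dll"
"LoadAppInit_DLLs"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ab681598-ad5f-bc8c-77dc-748fac8d3fba}\InprocServer32]
@="C:\\WINDOWS\\system32\\kafyjzy.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"AUOptions"=dword:00000001
"NoAutoUpdate"=dword:00000001
"""

# Indicator locations taken from the report.
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
WU_AU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"

KEY_RE = re.compile(r"^\[(.+)\]$")
# Matches  "name"="string"  /  @="string"  /  "name"=dword:XXXXXXXX
VALUE_RE = re.compile(
    r'^(?:"([^"]*)"|@)=(?:"((?:[^"\\]|\\.)*)"|dword:([0-9a-fA-F]{8}))$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}.
    The default value is stored under '@'; dword values become ints and
    REG_SZ backslash escapes are undone. Other value types are ignored."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            if m.group(3) is not None:
                tree[current][name] = int(m.group(3), 16)
            else:
                tree[current][name] = m.group(2).replace('\\\\', '\\').replace('\\"', '"')
    return tree


def find_indicators(tree, known_dlls=frozenset()):
    """Return findings for AppInit_DLLs modules outside an allowlist, COM servers
    pointing at those same modules, and policy values that disable Automatic Updates."""
    findings = []
    appinit = tree.get(APPINIT_KEY, {}).get("AppInit_DLLs", "")
    # AppInit_DLLs is a space- or comma-separated list of DLL names or paths.
    suspect = {d.lower() for d in re.split(r"[ ,]+", appinit)
               if d and d.lower() not in known_dlls}
    for dll in sorted(suspect):
        findings.append(f"AppInit_DLLs loads unexpected module: {dll}")
    for key, values in tree.items():
        if key.lower().endswith("\\inprocserver32"):
            path = values.get("@", "")
            if path.lower().rsplit("\\", 1)[-1] in suspect:
                findings.append(f"COM InprocServer32 {key} also registers {path}")
    au = tree.get(WU_AU_KEY, {})
    if au.get("NoAutoUpdate") == 1:
        findings.append("Automatic Updates disabled by policy (NoAutoUpdate=1)")
    if au.get("AUOptions") == 1:
        findings.append("AUOptions=1 set under the policy key")
    return findings


if __name__ == "__main__":
    for line in find_indicators(parse_reg(SAMPLE_REG)):
        print(line)
```

On a real host, export the two hives with `reg export` and feed the file to `parse_reg`; pass the modules you expect to see in AppInit_DLLs (for example an endpoint agent's DLL) as `known_dlls` so only unexpected entries are reported.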
Network behavior:
The virus sends the stolen game account names and passwords to the following address, which is stored in the sample in obfuscated form:
Obfuscated form (before decoding):
CE382424206A7F7F2727277E27313E3431687E333F3D7F242836353E3729257F203F23247E312320
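The hex blob above is the submission URL as it sits in the sample, obfuscated with a single-byte XOR. The following Python is an added example by the editor, not part of the original report: it recovers the key from the expected `http://` prefix (a crib) and decodes the rest of the string. The crib-based key search and the treatment of the leading 0xCE byte as a non-URL prefix are the editor's assumptions; the hex itself is copied from the report.

```python
import string

# Hex string copied from the report's "Network behavior" section.
ENCODED_HEX = ("CE382424206A7F7F2727277E27313E3431687E333F3D7F"
               "242836353E3729257F203F23247E312320")

# Bytes we accept in a decoded URL: printable ASCII without control characters.
PRINTABLE = frozenset(string.printable.encode()) - frozenset(b"\t\n\r\x0b\x0c")


def find_xor_key(data, crib=b"http://"):
    """Slide the crib over the data; return (offset, key) for the first offset
    where a single XOR byte maps the data onto the whole crib, else None."""
    for off in range(len(data) - len(crib) + 1):
        key = data[off] ^ crib[0]
        if all(data[off + i] ^ key == crib[i] for i in range(len(crib))):
            return off, key
    return None


def decode_url(hexstr, crib=b"http://"):
    """Decode a single-byte-XOR obfuscated URL. Returns (key, url); decoding
    starts where the crib matches and stops at the first non-printable byte."""
    data = bytes.fromhex(hexstr)
    hit = find_xor_key(data, crib)
    if hit is None:
        raise ValueError("no single-byte XOR key produces the crib")
    off, key = hit
    out = bytearray()
    for b in data[off:]:
        c = b ^ key
        if c not in PRINTABLE:
            break
        out.append(c)
    return key, out.decode("ascii")


if __name__ == "__main__":
    key, url = decode_url(ENCODED_HEX)
    print(f"XOR key 0x{key:02X}: {url}")
```

With the report's bytes the crib matches at offset 1 with key 0x50 and the string decodes to http://www.wanda8.com/txfengyu/post.asp; the first byte (0xCE) does not decode to printable text and is skipped. The same routine works for any blob where a known prefix is expected, which is why the crib is a parameter.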