Analysis of the Trojan Horse PSW.Win32.OnLineGames.kuu

Source: Internet
Author: User
Tags: win32

Virus name: Trojan-PSW.Win32.OnLineGames.kuu

Chinese name: online game account-stealing Trojan

Virus type: Trojan Horse

File MD5: d1ca82fd63c7c760cbe43a2520a28e34

File Length: 14,703 bytes

Affected systems: Windows 98 and later

Development tools: Borland Delphi v4.0-v5.0

Packer: Upack 0.3.9 beta2s

Virus Description:

The sample is a Trojan. When run, it drops its components into the system directory and deletes the original file; it modifies the registry so that a dropped DLL is loaded into Windows application processes, disables Windows automatic updates, and steals users' online game accounts and passwords.

Behavioral Analysis:

Local behavior:

1. After running, the virus deletes itself and drops the following files:

%WINDIR%\Fonts\enfeafx.fon
%system32%\kafyjaz.exe
%system32%\kafyjcs.dll
%system32%\kafyjzy.dll

2. Modifies the registry:

The dropped DLL is registered under AppInit_DLLs, so it is loaded into every process that loads user32.dll (in practice every Windows GUI application), and is also registered as a COM in-process server:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value: string "AppInit_DLLs" = "kafyjzy.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ab681598-ad5f-bc8c-77dc-748fac8d3fba}\InprocServer32\@
Value: string "C:\WINDOWS\system32\kafyjzy.dll"

3. Modifies the Windows Update policy keys to disable automatic updates (AUOptions = 1 is the "never check for updates" setting, and NoAutoUpdate = 1 turns Automatic Updates off):

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions
Value: DWORD 1 (0x1)

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate
Value: DWORD 1 (0x1)

4. The dropped DLL kafyjzy.dll is injected into Explorer.exe and the corresponding application processes.
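The registry changes in steps 2 to 4 are the persistence and anti-update footprint of this sample, and a responder usually checks for them offline against an export rather than on the live box. The following is an added example, not code from the original report: it parses the text format that `reg export` writes and flags a non-empty AppInit_DLLs value, the two Windows Update policy values, and any CLSID whose InprocServer32 default value points at one of the AppInit DLL names. The .reg text embedded in it is constructed for the example from the values listed above; the function names `parse_reg` and `triage` are this example's own.

```python
import re

# Constructed sample input: a .reg export in the format `reg export <key> file.reg`
# writes, populated with the keys and values from the report above.  A real
# export is UTF-16 with a BOM; read it with open(path, encoding="utf-16").
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="kafyjzy.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ab681598-ad5f-bc8c-77dc-748fac8d3fba}\InprocServer32]
@="C:\\WINDOWS\\system32\\kafyjzy.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"AUOptions"=dword:00000001
"NoAutoUpdate"=dword:00000001
"""

APPINIT_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
AU_KEY = r"hkey_local_machine\software\policies\microsoft\windows\windowsupdate\au"

# `"name"=value` or `@=value` (default value) lines inside a key section
_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: value}}, both lowercased.

    Covers what reg.exe writes for string values, dword values and the
    default value (@); other forms such as hex(...) blobs are kept as raw
    text.  Names are lowercased because the registry is case-insensitive
    and exports vary in case.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m is None or current is None:
            continue
        name = "@" if m.group(1) == "@" else m.group(1)[1:-1].replace('\\"', '"')
        val = m.group(2)
        if val.startswith('"') and val.endswith('"'):
            # .reg doubles backslashes and escapes quotes inside string values
            value = val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif val.lower().startswith("dword:"):
            value = int(val[6:], 16)
        else:
            value = val
        keys[current][name.lower()] = value
    return keys


def triage(keys):
    """Return human-readable findings for the behaviours described in the report."""
    findings = []

    appinit = str(keys.get(APPINIT_KEY, {}).get("appinit_dlls", "")).strip()
    if appinit:
        # user32.dll loads every DLL listed here into each process that maps it,
        # which is the injection path that reaches Explorer.exe and GUI apps
        findings.append(f"AppInit_DLLs is set (loaded into every GUI process): {appinit}")

    au = keys.get(AU_KEY, {})
    if au.get("noautoupdate") == 1:
        findings.append("NoAutoUpdate=1: Automatic Updates disabled by policy")
    if au.get("auoptions") == 1:
        findings.append("AUOptions=1: Automatic Updates set to 'never check for updates'")

    # Any CLSID whose in-process server is one of the AppInit DLL names
    dll_names = {d.strip().lower() for d in re.split(r"[ ,;]+", appinit) if d.strip()}
    for path, values in keys.items():
        if not path.endswith("\\inprocserver32"):
            continue
        target = str(values.get("@", ""))
        base = target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in dll_names:
            clsid = path.split("\\")[-2]
            findings.append(f"COM in-proc server {clsid} points at AppInit DLL: {target}")
    return findings


if __name__ == "__main__":
    for line in triage(parse_reg(SAMPLE_REG)):
        print(line)
```

On the constructed export this reports four findings: the AppInit_DLLs entry, both update-policy values, and the CLSID whose in-process server resolves to kafyjzy.dll. A clean export of the same keys produces no findings, so the same function can be run over exports from several hosts to separate infected ones from the rest.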

Network behavior:

The virus sends the stolen game account and password to the following address:

Obfuscated form, as recorded in the report (labelled "before encryption" there; the address is not stored in plaintext):

CE382424206A7F7F2727277E27313E3431687E333F3D7F242836353E3729257F203F23247E312320
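The report gives the exfiltration address only as the hex dump above and does not say how it is encoded. The following added example (not code from the original report) recovers it under the assumption, which is this example's own, that the string is single-byte XOR-obfuscated: it slides the known plaintext "http://" over the bytes, derives the key byte at each offset, and keeps the first offset where the whole crib matches. The function names `recover_xor_key` and `decode_blob` are this example's; the hex string is copied from the report.

```python
# Hex dump copied from the report's "before encryption" line
HEX_BLOB = ("CE382424206A7F7F2727277E27313E3431687E333F3D7F24"
            "2836353E3729257F203F23247E312320")


def recover_xor_key(data, crib=b"http://"):
    """Return (key, offset) for the first offset at which a single-byte XOR
    turns data[offset:] into the crib, or None if no offset works.

    The key is derived from the first crib byte and then verified against the
    rest of the crib, so a chance match on one byte is not enough."""
    for off in range(len(data) - len(crib) + 1):
        key = data[off] ^ crib[0]
        if all((b ^ key) == c for b, c in zip(data[off:off + len(crib)], crib)):
            return key, off
    return None


def decode_blob(hex_blob, crib=b"http://"):
    """Decode the blob and return the key, the crib offset, any bytes before
    the crib (kept as raw prefix, not decoded) and the printable text."""
    data = bytes.fromhex(hex_blob)
    found = recover_xor_key(data, crib)
    if found is None:
        raise ValueError("crib not found under any single-byte XOR key")
    key, off = found
    plain = bytes(b ^ key for b in data[off:])
    # Stop at the first non-printable byte: anything after it is more likely
    # a length or padding field than part of the address
    end = next((i for i, b in enumerate(plain) if not 0x20 <= b < 0x7F), len(plain))
    return {"key": key, "offset": off, "prefix": data[:off],
            "url": plain[:end].decode("ascii")}


if __name__ == "__main__":
    result = decode_blob(HEX_BLOB)
    print(f"key=0x{result['key']:02x} offset={result['offset']} "
          f"prefix={result['prefix'].hex()} url={result['url']}")
```

With the report's bytes this finds key 0x50 at offset 1: the leading byte 0xCE does not decode to printable text under that key and is reported as an unexplained prefix, while the remaining 39 bytes decode to http://www.wanda8.com/txfengyu/post.asp, a plain HTTP POST endpoint for the stolen credentials. That decoded host and path are the network indicators to block or alert on; the XOR reading is confirmed only by the fact that every remaining byte decodes to a printable URL, not by anything stated in the report.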
