Recently many players have fallen for a trap and had their online-game equipment and in-game assets stolen.
The account theft roughly proceeds as follows:
The person spreading the trojan usually creates a low-level character in the online game, generally a female character (an "MM"). In the game they find a well-equipped high-level character and dress the MM up to match. If you show off a high-level character, you will soon be asked to add the player on QQ. If you are unlucky enough to add this person on QQ, they will soon use the "honey trap" to lure you in. The most common bait is a video chat with you. In fact the video is fake: tools for faking QQ video have existed for a long time, and the other party is surely laughing at the netizens who take the bait.
Next, the trojan spreader usually sends you a picture. If you do not look at the file extension, you will be fooled: what the other party sends is an exe file whose icon has been changed to that of an image file. It is a trojan program, not a photo of the MM at all. Double-clicking it gets your account stolen.
Do not count on active defense: social engineering is the most effective way to break through. Take a look at the analysis report of the "Network Matchmaker" trojan:
Virus Overview
The Network Matchmaker sample detected by Kingsoft Duba is named Win32.Troj.Agent.401408. It is a remote-control trojan: it installs a client on the local machine and transmits local computer information to the remote server, from which the attacker can steal useful information.
Virus Behavior
1. The following files are created after the virus runs:
%SystemRoot%\system32\aedl.exe
%SystemRoot%\system32\aedl.dat
%SystemRoot%\system32\aedl.jpg
The actual file names dropped by the virus may differ. The .jpg file dropped by this tool is named after the virus file, with a space inserted before the .jpg extension.
2. Creates a service so that it starts with the system.
3. Briefly modifies the system time, which interferes with the operation of security software. It also looks for the pop-up windows of Kaspersky and Micropoint and sends them mouse-click messages so that the virus's actions are allowed through.
4. Modifies system data to hide the service, so it cannot be found in the Services console.
5. Injects into the address space of other programs and runs the virus code there.
6. Connects to the remote server and uploads local information, including the computer name, system version, and user name.
7. Executes server commands: capture video, capture audio, capture screenshots; create, read, delete, and modify files; enumerate services, modify service properties, start, delete, and stop services; obtain the current process list and module lists, terminate processes, create processes, execute commands, and obtain window titles.
8. Monitors keyboard and mouse activity on the local computer and sends it to the server.
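Both the disguised "photo" lure described at the start of the article and the "virus name plus a space plus .jpg" naming in item 1 leave traces that a simple file check can catch. The following Python is an added example, not part of the original analysis; the sample files it builds are constructed (a bare MZ/PE header and a JPEG magic number, not real malware), and the detection rules are the editor's, not the report's.

```python
import os
import struct
import tempfile
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}

def is_pe_executable(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def disguise_reasons(name: str, head: bytes) -> list:
    """Reasons a file looks like an executable dressed up as a picture (empty = nothing odd)."""
    reasons = []
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    # A spoofed icon fools the eye, but the bytes still carry a PE header.
    if ext in IMAGE_EXTS and is_pe_executable(head):
        reasons.append("PE executable with an image extension")
    # 'aedl .jpg' style names: whitespace wedged in before the extension.
    if stem != stem.rstrip():
        reasons.append("whitespace inserted before the extension")
    # 'photo.jpg.exe': with known extensions hidden, Explorer shows only 'photo.jpg'.
    if ext in {".exe", ".scr", ".com", ".pif"} and (
            os.path.splitext(stem.rstrip())[1].lower() in IMAGE_EXTS):
        reasons.append("double extension hides an executable behind an image name")
    return reasons

def scan_directory(path: str) -> dict:
    """Map each suspicious file name in path to its list of reasons."""
    findings = {}
    for name in sorted(os.listdir(path)):
        with open(os.path.join(path, name), "rb") as fh:
            head = fh.read(4096)  # the headers we check live in the first few KB
        reasons = disguise_reasons(name, head)
        if reasons:
            findings[name] = reasons
    return findings

def build_sample_dir() -> str:
    """Constructed samples (not real malware): a minimal MZ/PE header and a JPEG magic number."""
    fake_pe = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    d = tempfile.mkdtemp()
    for name, data in [("photo.jpg", jpeg), ("mm_photo.jpg", fake_pe),
                       ("aedl .jpg", jpeg), ("photo.jpg.exe", fake_pe)]:
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d
```

Running `scan_directory(build_sample_dir())` flags the three disguised samples and leaves the genuine `photo.jpg` alone.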
Process of stealing online game accounts
As remote-control software, Network Matchmaker can easily steal information, such as online game accounts and bank accounts, from computers it has infiltrated.
First, the person holding the server side of the virus installs the client on the target computer by various means; the most common is the one described at the beginning of this article.
After the client runs, it monitors keyboard and mouse activity and collects information about the infected computer, then sends it to the remote server. The server side can issue commands to view the desktop, the title of the currently running window, the file list, and file contents, and takes whatever useful information it finds. Hence online game accounts, email accounts, and similar information stored in plain-text files can be stolen. In addition, the operator on the server side can guess the login user name and password from the content of the window currently open on the target computer combined with the keyboard and mouse records.