Before and after the wow Trojan event


Frankly speaking, this is the first time I have had accounts stolen, and I mean all of my online accounts. The following is a brief account of what happened.

On the evening of August 25, the guild organized an MC run, and of course I attended. When we were about to hit boss 7, I was suddenly disconnected. I thought it strange: since I changed my network equipment, was this just an accident? When I logged on again, the system said the password was wrong. I entered the password again and got the same result. Needless to say, the password had been stolen. To confirm the problem, I contacted a friend online through my mobile phone; they said my account was still online, which made it even more certain. I immediately called jiucheng and had my account frozen. When I tried to log on again, the system said the account had been frozen. I was relieved for the moment, but the damage to my equipment was inevitable. I started to be vigilant. Using the Skynet personal firewall, I disabled network access for all suspicious processes, including the vast majority of system processes. I used Symantec and ewido to scan the machine, and some suspicious programs were indeed found. Here I would like to praise ewido: it even found a keyboard hook program I had written a long time ago. Incredible. I then used hijackthis to inspect and remove all suspicious service and startup items, after which I changed the password and PIN code of my other account and thought I was basically safe. The most ironic part is that the next day I recovered the stolen account and unfroze it. After playing the game, I found my character on the other account and logged on to the game; I almost fainted: the other account had been stolen too! That is why I took the time to study this incredible Trojan.

To be honest, apart from irrational hatred, I admire the Trojan author's technology. This Trojan is really not simple: it attacked me despite my strong sense of defense, and it also leaves me, an IT R&D worker, feeling helpless.

1. When PIN code technology is used properly, it is indeed a form of protection that is almost impossible to crack (if the number of digits is low, there is some probability of cracking it by enumeration). Even if a network packet is intercepted, its meaning cannot be determined because the key cannot be obtained. The randomly laid-out software keypad it provides is immune to Trojans such as keyboard hooks, yet the Trojan still saw the PIN, which is really unusual (after experimenting, I almost wanted to take a bomb to jiucheng; I will explain the reason later).
2. It actually evaded my strict firewall; it seems I cannot intercept it.
3. ewido and Symantec cannot detect it (my signature library is the latest). This is not surprising, but it is still quite strong, and the Trojan has most likely been packed with a shell.

The following are a few points about this Trojan:

Skynet almost disables network access for all suspicious processes

No suspicious items found in hijackthis

After reading about the Trojan on the Internet, I finally gained some knowledge of it. Foreign websites rarely mention it, and the infections are basically all in China. I also noticed that the Trojan connects to a domestic IP address. Needless to say, it must be a Chinese Trojan.

The following is Rising's description of this Trojan:

Source: Rising Corporation
Time: 10:08:06
Rising yellow (level 3) security alert
On the morning of August 14 (06:23), Rising's global anti-virus monitoring network first captured two vicious viruses spreading in China by exploiting a high-risk system vulnerability: "Magic Wave" (Worm.Mocbot.a) and "Magic Wave Variant B" (Worm.Mocbot.b). According to statistics from the Rising customer service center, thousands of users in China have been attacked by this virus. Rising anti-virus experts said the virus uses the high-risk Microsoft MS06-040 vulnerability to spread. When a user's computer suffers a virus attack, symptoms such as system service crashes and inability to access the Internet may occur. Because the virus appeared only a few days after Microsoft released the patch, many users have not yet had time to update their systems. As a result, Rising has issued a yellow (level 3) security alert, and Rising anti-virus experts predict that more computers will be attacked by the virus; the "Magic Wave" virus may even erupt on a large scale like the "Shock Wave" or "Shock Wave" virus. According to the analysis, the Magic Wave virus automatically searches for computers with the system vulnerability on the network and directs these computers to download and execute virus files. Users' computers may be infected as long as they have not installed the patch and are connected to the Internet. Computers infected with the virus automatically connect to specific channels of a specific IRC server and receive remote control commands from hackers. Users' bank card accounts, passwords, and other private information may be stolen by hackers. Because the IRC server the virus connects to is located in China, the virus is likely to have been written by Chinese people. Rising has released an upgrade for this virus: version 18.40.01 and later of Rising Antivirus 2006 can thoroughly scan and remove the virus, so that the majority of users can upgrade promptly. At the same time, Rising recommends that you enable Rising Personal Firewall 2006 and disable ports 139 and 445.
At the same time, log on to the Microsoft website to download and install the MS06-040 patch to prevent this virus attack. Users suffering from this virus attack can also call the anti-virus emergency number 010-82678800 for help.

The above describes the "Magic Wave" (a World of Warcraft "Shock Wave"?) Trojan. It is similar to the Trojan I encountered, but not exactly the same; I guess I encountered a variant that is more targeted. By the way, here is the Microsoft patch:
http://www.microsoft.com/china/technet/security/bulletin/MS06-040.mspx
(Note that this vulnerability exists in various Windows versions. I think some people's idea of replacing Windows XP with Windows 2000 is unreliable.)

Later I found the description of the Trojan on the Kingsoft website:

Source: KingSoft Antivirus Knowledge Base
Win32.troj.pswwow
Virus alias:
Processing time: 2006-05-26
Threat level: ★
Chinese name:
Virus type: Trojan
Affected systems: Win 9x/Me, Win 2000/NT, Win XP, Win 2003
Virus behavior:
This is a Trojan that steals passwords for the World of Warcraft game. The virus runs in process injection mode and is highly concealed.
1. The Trojan is a dynamic link library file and cannot run independently. It must be loaded through the Trojan releaser.
2. The Trojan releaser (win32.troj.pswwow.d.212133) drops the Trojan and copies it to the root directory of the system disk. The hacker registers the Trojan as a system service and leaves the following key values in the registry:
[HKLM/system/CurrentControlSet/services/networklogon]
"Type" = DWORD: 00000110
"Start" = DWORD: 00000002
"ErrorControl" = DWORD: 00000000
"ImagePath" = "rundll32 kb896445.log, start"
"DisplayName" = "network logon"
"ObjectName" = "LocalSystem"
"Description" = "Supports remote computer logon events on the network. If this service is disabled, network login will be unavailable. If this service is disabled, any service dependent on it cannot be started."
3. When the virus runs as a system service, it tries to inject itself into the explorer.exe, iexplore.exe and wow.exe processes. It monitors user windows and steals game-related information.

This description is almost exactly what I encountered! If you are interested in this Trojan, take a look at my analysis and summary:


Trojan location in the Registry

A Trojan is indeed a piece of executable code, not a file-type virus embedded in the wow program as I thought previously (I think it is my firewall that didn't block it ), the trojan is located at: (Windows installation directory)/system32/kb8964225.log. Yes, this is the "log" file, and another copy is in "C:/nxldr. dat ", you can open it in the binary editor, and you will find that they are completely consistent. When I open it, a significant" MZ "in the file header reminds me, this is an executable program. You can use depends to view its content and find that the stop and start interfaces are clear.


Trojan Origin


View with depends

So how does it run and bypass the firewall to access the network? I would like to tell you the answer below. The reason why I did not find it in the previous hijackthis is that at that time I have deleted the service item. If the service item is not deleted, then hijackthis may appear in the following section: o23-NT Service: networklogon-unknown owner-rundll32.exe (file missing). The service name is networklogon, which is very confusing ...... (Isn't that nonsense? Trojans are confusing. If you find that you have a service name named "networklogon", most of them will be attacked.
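As an added example (my own code, not the author's and not from any tool named on the page), the following Python sketch turns two of the checks above into code: it parses a .reg style service export for entries whose ImagePath makes rundll32 load a file that is not a .dll (the DLL disguised as a .log file in the networklogon service), and it checks whether a file's bytes carry the MZ/PE header the author spotted in the binary editor. The sample export and the fake PE bytes are constructed, modelled on the key values quoted from Kingsoft; the function and variable names are my own.

```python
import re

# Constructed .reg style sample, modelled on the networklogon key values the
# page quotes (constructed data, not a real export from an infected machine).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\networklogon]
"Type"=dword:00000110
"Start"=dword:00000002
"ImagePath"="rundll32 kb896445.log, start"
"DisplayName"="network logon"
"ObjectName"="LocalSystem"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k NetworkService"
"ObjectName"="NT AUTHORITY\\NetworkService"
'''

def parse_reg_export(text):
    """Return {service_name: {value_name: value}} from a .reg style dump."""
    services, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.match(r'^\[.*\\Services\\([^\\\]]+)\]$', line, re.I)
        if key:
            current = services.setdefault(key.group(1).lower(), {})
            continue
        val = re.match(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-f]+))$', line, re.I)
        if val and current is not None:
            current[val.group(1).lower()] = val.group(2) if val.group(2) is not None else int(val.group(3), 16)
    return services

# rundll32 (optionally rundll32.exe) followed by the module it is told to load
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^\s",]+)', re.I)

def flag_rundll32_services(services):
    """Flag services whose ImagePath has rundll32 load a file not ending in .dll."""
    hits = []
    for name, vals in services.items():
        m = RUNDLL.search(str(vals.get('imagepath', '')))
        if m and not m.group(1).lower().endswith('.dll'):
            hits.append((name, m.group(1)))
    return hits

def is_pe_image(data):
    """True if the bytes start with an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b'MZ':
        return False
    off = int.from_bytes(data[0x3c:0x40], 'little')
    return data[off:off + 4] == b'PE\0\0'
```

On a real machine you would feed parse_reg_export the output of exporting HKLM\SYSTEM\CurrentControlSet\Services and is_pe_image the bytes of any file a flagged service loads.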


This is mine. Fortunately, the service is not running.

The secret lies in Windows Explorer and IE. Based on this, the Trojan may detect that you have opened the jiucheng home page and then capture the user name and password you enter. So while you think your password is safe and feel complacent, the black hand may already be in your account, and in this whole process you are not running the game at all. This is perhaps the most terrible thing.

As you can see, the Trojan tries to open ports 445 and 139, and the process that opens them is System. Network access for this process cannot be blocked in Skynet, so it is no wonder that Skynet was completely ineffective. It seems that blocking by process is not entirely reliable.


Use System processes to avoid skynet

Finally, it is about the most bizarre PIN code theft. The trojan has the screenshot function, and I cannot say this is right or wrong for the time being, however, using screenshots to steal PIN code is indeed an effective method. But here I want to tell you that the PIN code of jiucheng is like a false one! What do I need to modify the PIN code? ID card number, OK. Now you are logged on to the 9-City website and try to modify the PIN code. However, please enter the wrong ID card number. If the number is correct, the line on the date of birth will not deviate too far, will prompt that the modification is successful, my God! Do you want to blow a bomb to jiucheng.

I have almost finished writing this article, and I have almost finished reinstalling the system to ensure my security. I would like to remind you that security depends on technology and on a system of rules. Banks are safe. Why? Because their rules are so strict. I once read an article about a bank employee who, with nothing better to do, opened an account for himself and deposited 1 RMB in it. When this was discovered, he was fired! No sympathy, because he violated the bank's management rules. You have never seen a computer in a bank that can browse web pages and download movies, right? The same is true for the national information security agencies, and for companies with strict confidentiality requirements. This is a matter of rules and has nothing to do with technology. So what are our rules? The old clichés: do not browse unfamiliar web pages, do not run ActiveX programs on any web page, tighten script permission restrictions, do not download any unfamiliar programs, do not use any shareware with plug-ins ...... I do plan to lay down such rules for myself, so that I can defend against more than 99% of attacks. This time the tragedy happened because of the moles and Trojans planted in the forum. However, I was not strict enough with myself and my control over IE was not tight enough; strict control may cost some features, but remember: safety first! I mentioned here that "simply browsing a web page will not infect you with a virus." Don't laugh: that sentence held completely before 1998. By this I mean that technology changes every day; even a company as powerful as Microsoft cannot fully ensure the security of its own products. We will face much more in the future. Only by constantly learning and "keeping pace with the times", as those officials often say.

20060828 in huamu town, Pudong, Shanghai