IT168
Abstract: This Trojan is an account-stealing Trojan (a "number stealer", i.e. it targets game and IM account numbers and passwords) written in Delphi. It is packed with UPX to evade signature-based scanning; the packed file is 45,056 bytes long and carries the extension "exe". It spreads mainly through file bundling, downloader Trojans and web-page (drive-by) Trojans. Its purpose is to steal the user's virtual property (online game accounts) and to download and execute further malware.
Symptoms after infection: the system reports that "QQJDDEXE" is not responding, the machine runs slowly, network speed drops, virtual property (game accounts) is stolen for no apparent reason, and a large number of unknown processes appear.
(1) The virus copies itself (under a new name) to %ProgramFiles%\Internet Explorer\Connection Wizard\isignup.dll and sets the file's Hidden attribute. The path and name imitate the legitimate Internet Connection Wizard component so the file is easy to overlook.
(2) It drops a second dynamic-link library, isignup.sys (a DLL despite its extension), in the same directory: %ProgramFiles%\Internet Explorer\Connection Wizard\isignup.sys.
(3) It searches for a window named "qqjddExe" to check whether the Trojan's main program is already running. If that window is not found, it searches for a window named "qqjddDll" to check whether the Trojan DLL has been unloaded. If neither window exists, the Trojan is not yet active and isignup.sys is loaded.
(4) It injects its code into target processes by registering itself in the registry (as a ShellExecuteHooks COM object, see the keys below) and installing hooks. It then monitors keyboard input and steals sensitive and private user data, in particular the account names and passwords of most popular online games. The virus carries its own SMTP sending code: the stolen data is mailed to the e-mail address and posted to the web address specified by the author (listed under network access below), after which new malware is downloaded from the specified website to the local machine and executed.
(5) It creates and runs a batch file, _xiaran.bat, in the directory of the virus's main program to delete the original main program, and then deletes _xiaran.bat itself.
Files created by the virus:
%ProgramFiles%\Internet Explorer\Connection Wizard\isignup.dll
%ProgramFiles%\Internet Explorer\Connection Wizard\isignup.sys
X:\_xiaran.bat (X is the drive letter of the virus's main program)
Files deleted by the virus:
X:\_xiaran.bat (X is the drive letter of the virus's main program)
Registry keys created by the virus:
HKEY_CLASSES_ROOT\CLSID\{B8A170A8-7AD3-4678-B2FE-F2D7381CC1B5}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
  value name: {B8A170A8-7AD3-4678-B2FE-F2D7381CC1B5}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\qqjdd
(The CLSID entry registers isignup.dll as a COM in-process server; listing that CLSID under ShellExecuteHooks makes explorer.exe and other ShellExecute callers load the DLL automatically, which is how the Trojan gains persistence and gets into other processes.)
Network addresses accessed by the virus (domain masked in the original report):
http://www.****.org/vv.asp
http://www.****.org/vv.php
http://www.****.org/down1.exe
http://www.****.org/down2.exe
Liu***bin9@163.com (virus author's e-mail address)
Manual removal:
1. Manually delete the following files (they are hidden, so enable "show hidden files" or use attrib -h first; because isignup.dll is loaded into explorer.exe through ShellExecuteHooks, the file may be locked until the registry entries below are removed and Explorer is restarted or the machine is booted into Safe Mode):
%ProgramFiles%\Internet Explorer\Connection Wizard\isignup.dll
%ProgramFiles%\Internet Explorer\Connection Wizard\isignup.sys
2. Manually delete the following registry keys and values:
Key: HKEY_CLASSES_ROOT\CLSID\{B8A170A8-7AD3-4678-B2FE-F2D7381CC1B5}
Value: {B8A170A8-7AD3-4678-B2FE-F2D7381CC1B5} under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\qqjdd
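The following PowerShell script is an added example, not part of the original IT168 write-up. It automates the checks implied by the behaviour description and the manual removal steps: it enumerates every ShellExecuteHooks entry, resolves each CLSID to the DLL that explorer.exe would load, and flags the known CLSID as well as (a heuristic of the example, not a claim of the report) any hook DLL that is unsigned or lives outside the Windows directory; it then looks for the dropped files and the qqjdd marker key. With -Remove it performs the clean-up in the order the lock problem requires: registry entries first, then restart Explorer, then delete the files. The indicator values come from the report; everything else (variable names, the heuristics, the restart logic) is the example's own. Run it from an elevated prompt.

```powershell
# Added example: detect and optionally remove the QQJDD indicators listed in the report.
# Not code from the original write-up. Usage: .\Find-Qqjdd.ps1 [-Remove]
[CmdletBinding()]
param([switch]$Remove)

# Indicators taken from the report.
$IocClsid  = '{B8A170A8-7AD3-4678-B2FE-F2D7381CC1B5}'
$IocDir    = Join-Path $env:ProgramFiles 'Internet Explorer\Connection Wizard'
$IocFiles  = @('isignup.dll', 'isignup.sys') | ForEach-Object { Join-Path $IocDir $_ }
$HooksKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$MarkerKey = 'HKLM:\SOFTWARE\Microsoft\qqjdd'

$findings = New-Object System.Collections.Generic.List[string]

# 1. Each value name under ShellExecuteHooks is a CLSID; its InProcServer32 default value
#    is the DLL that explorer.exe loads. Flag the known CLSID, and (heuristic, an assumption
#    of this example) any hook DLL that is missing, not Authenticode-signed, or outside
#    %SystemRoot%, since legitimate hooks ship with Windows.
if (Test-Path $HooksKey) {
    $hookProps = Get-ItemProperty -Path $HooksKey
    foreach ($prop in $hookProps.PSObject.Properties) {
        if ($prop.Name -notlike '{*}') { continue }   # skip PSPath, PSParentPath, ...
        $clsid  = $prop.Name
        $srvKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
        $dll    = $null
        if (Test-Path $srvKey) {
            $raw = (Get-ItemProperty -Path $srvKey).'(default)'
            if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw) }
        }
        $suspicious = ($clsid -eq $IocClsid)
        if ($dll -and [System.IO.File]::Exists($dll)) {
            $sig = Get-AuthenticodeSignature -FilePath $dll
            if ($sig.Status -ne 'Valid')              { $suspicious = $true }
            if ($dll -notlike "$env:SystemRoot\*")    { $suspicious = $true }
        } else {
            $suspicious = $true   # hook with no resolvable or no existing DLL
        }
        if ($suspicious) { $findings.Add("ShellExecuteHooks $clsid -> $dll") }
    }
}

# 2. Dropped files (File.Exists sees hidden files, unlike Get-Item without -Force) and the
#    marker key the Trojan creates.
foreach ($f in $IocFiles) { if ([System.IO.File]::Exists($f)) { $findings.Add("file $f") } }
if (Test-Path $MarkerKey) { $findings.Add("registry $MarkerKey") }

if ($findings.Count -eq 0) { Write-Output 'No QQJDD indicators found.'; return }
$findings | ForEach-Object { Write-Output "FOUND: $_" }

if ($Remove) {
    # Order matters: while the hook entry exists, explorer.exe keeps isignup.dll mapped and
    # the delete fails with a sharing violation. Remove the registry entries, restart Explorer,
    # then clear Hidden/System attributes and delete the files.
    Remove-ItemProperty -Path $HooksKey -Name $IocClsid -ErrorAction SilentlyContinue
    Remove-Item -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$IocClsid" -Recurse -ErrorAction SilentlyContinue
    Remove-Item -Path $MarkerKey -Recurse -ErrorAction SilentlyContinue
    Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
    Start-Sleep -Seconds 2
    foreach ($f in $IocFiles) {
        if ([System.IO.File]::Exists($f)) {
            [System.IO.File]::SetAttributes($f, [System.IO.FileAttributes]::Normal)
            Remove-Item -Path $f -Force
            Write-Output "Deleted $f"
        }
    }
    Start-Process explorer.exe
}
```

Keep a copy of the two files before deleting them if you want to submit a sample; and if the delete still fails, the DLL is mapped into another ShellExecute caller (any process that launched something through the shell), so boot into Safe Mode and rerun with -Remove.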