Jiangmin 7.27 Virus Bulletin
English Name: Trojan/chifrax.ol
Chinese name: "Orange Temptation" variant ol
Virus Length: 288105 bytes
Virus type: Trojan Horse
Danger level: ★
Impact Platform: Win 9x/me/nt/2000/xp/2003
MD5 checksum: 5f6eb2e5f76fb2ff91033d3f9fac331e
Feature Description:
Trojan/chifrax.ol, "Orange Temptation" variant ol, is one of the newest members of the "Orange Temptation" Trojan family and is stored as an SFX self-extracting archive. When run, it drops the malicious program "Fz1.exe" and the Qvod ("fast broadcast") video-on-demand player "Qvod3.exe" into the "%systemroot%\system32\" folder. When "Fz1.exe" runs, it drops the malicious DLL component "Killdll.dll" into the infected system's "%systemroot%\system32\" directory and the malicious drivers "Pcidump.sys", "AEC.SYS" or "Asyncmac.sys" into "%systemroot%\system32\drivers\"; it also drops the malicious program "Update~.exe" in a temporary folder and replaces the system file "Userinit.exe" with a malicious driver so that it is launched at system start-up. It copies itself to the "%systemroot%\system32\" directory under the name "Scvhost.exe". Using the drivers it has dropped, it disables the self-protection of security software and terminates a large number of security software, system tool and application processes and the related system services, leaving the user's computer without protection. It connects to the attacker-specified remote server "http://d.qv7*8.com/", reads the configuration file "... \host.txt" and, according to that configuration, modifies the "%systemroot%\system32\drivers\etc\hosts" file, hijacking domain name resolution to block access to a large number of sites. It then retrieves the malicious program download list "... \down\01\fz.txt", downloads the malicious programs named in that file and automatically runs them. The downloaded programs may be online game password-stealing Trojans, remote control Trojans or malicious advertising programs (rogue software), causing the user varying degrees of loss. The malicious file also connects to the page "http://count.key51*8.com/down/01/get.asp" to count infections.
English name: Trojan/PSW.Wow.ahe
Chinese name: "Warcraft thief" variant Ahe
Virus Length: 17218 bytes
Virus type: Theft Trojan
Danger level: ★
Impact Platform: Win 9x/me/nt/2000/xp/2003
MD5 checksum: 1fa5462493898f1fc078c33e27418223
Feature Description:
Trojan/PSW.Wow.ahe, "Warcraft Thief" variant Ahe, is one of the newest members of the "Warcraft Thief" Trojan family; it is written in a high-level language and packed for protection. After running, it copies itself to the "%systemroot%\system32\" directory of the infected system under the name "Vip0501.exe" and sets the file's "system" attribute. It also modifies the file's time attributes ("creation time" and "modification time") to confuse the user and hide itself more effectively. While running, "Warcraft Thief" variant Ahe connects in the background to the attacker-specified remote server "http://www.iy*y.cn/down/ly/", retrieves the malicious program download list "Down.txt", then downloads the malicious programs it names and automatically runs them. The downloaded programs may be online game password-stealing Trojans, remote control Trojans or malicious advertising programs (rogue software), exposing users to further threats. Variant Ahe also reports basic information about the infected computer, for infection statistics or automatic Trojan updates. In addition, it registers itself on the infected computer as the system service "Vip0501" so that the Trojan starts at boot.