Jiangmin 7.24 virus Broadcast
Jiangmin's reminder for today: among today's viruses, TROJAN/HIJACKER.GX, "Bandit" variant GX, and TROJAN/RABBIT.BW, "Hare" variant bw, deserve attention.
English Name: TROJAN/HIJACKER.GX
Chinese name: "Bandit" variant GX
Virus Length: 13907 bytes
Virus type: Trojan Horse
Danger level: ★
Affected platforms: Win 9x/me/nt/2000/xp/2003
MD5 checksum: 1845c496742deb96b8d828b0b6413468
Feature Description:
TROJAN/HIJACKER.GX, "Bandit" variant GX, is one of the newest members of the "Bandit" Trojan family. It is written in Microsoft Visual C++ 6.0 and is a functional DLL component dropped by other malicious programs. After it runs, it reads its configuration file "Fntqwucnn5dw4etk.ttf", which stores the encrypted delivery address, from the "%systemroot%\fonts\" directory of the infected system. It enumerates all running processes on the system and, whenever it finds one of the specified security products, attempts to terminate it, for self-protection. Variant GX is a Trojan built specifically to steal member accounts for the online game "princes online". Once running, it first checks whether it has been injected into the desktop process "Explorer.exe", then installs message hooks and uses other means to monitor the system state while waiting to perform its malicious actions. It injects into the designated game process "Gc_zh.exe" and uses message hooks, memory interception and similar techniques to steal the player's game account, game password, server region, character level and other information, which it sends in the background to the attacker-designated URL "http://www.ht*79.cn/Fenhm2/mangfu/post.asp" (the address is stored encrypted). Players lose accounts, equipment, items and in-game money as a result, suffering losses of varying degrees. In addition, "Bandit" variant GX modifies the value of the registry key "ShellExecuteHooks" so that it is launched automatically at boot.
English Name: TROJAN/RABBIT.BW
Chinese name: "Hare" variant bw
Virus Length: 21144 bytes
Virus type: Trojan Horse
Danger level: ★
Affected platforms: Win 9x/me/nt/2000/xp/2003
MD5 checksum: dba39018ce485ca2d682d94615da6e1d
Feature Description:
TROJAN/RABBIT.BW, "Hare" variant bw, is one of the newest members of the "Hare" Trojan family. It is written in a high-level language and packed with a protective shell. After it runs, it copies itself to the "C:\Documents_and_Settings\Administrator" directory of the infected system under the name "Administrator.exe". It also drops a malicious program "bn*.TMP" in the temporary folder and a malicious driver "Securentm.sys" under "%systemroot%\system32\drivers\". The Trojan injects malicious code into a newly created "Svchost.exe" process and runs covertly inside it, so that it cannot easily be killed. It uses rootkit techniques to hide its files, registry entries, processes and other related content, increasing its concealment and therefore its chance of survival. In the background it connects to attacker-designated servers such as "69.64.*.194" and "75.125.*.202", downloads other malicious programs, and carries out information theft and exfiltration, which may disclose the user's private information and expose the user to greater risk. In addition, "Hare" variant bw adds the value "Administrator" to the registry startup entry of the infected system so that the Trojan starts automatically.
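As an added triage aid for the two descriptions above (example code, not Jiangmin's or the bulletin's own), the following PowerShell script checks a suspected host for the persistence and file artefacts both variants leave behind: ShellExecuteHooks entries, a Run value named "Administrator", .ttf files in the Fonts directory that lack a genuine font header, and the dropped files named in the bulletin compared against its MD5 values. The registry paths, the Run key location and the "Documents and Settings" spelling are assumptions; run it as an administrator under Windows PowerShell 5.1 or later.

```powershell
# Added triage script (not Jiangmin's code). Registry paths, the Run key location and the
# "Documents and Settings" spelling are assumptions; file names and hashes come from the bulletin.
$findings = @()
$bulletinMd5 = @('1845C496742DEB96B8D828B0B6413468', 'DBA39018CE485CA2D682D94615DA6E1D')

# 1. ShellExecuteHooks: Bandit GX registers here to run at boot. Each value name is a CLSID;
#    resolve its InprocServer32 DLL so the analyst can judge whether it belongs there.
$sehKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
if (Test-Path $sehKey) {
    foreach ($prop in (Get-ItemProperty $sehKey).PSObject.Properties) {
        if ($prop.Name -notlike '{*}') { continue }   # skip PSPath and friends
        $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$($prop.Name)\InprocServer32"
        $dll = if (Test-Path $srv) { (Get-ItemProperty $srv).'(default)' } else { '<no InprocServer32>' }
        $findings += [pscustomobject]@{ Check = 'ShellExecuteHooks'; Item = $prop.Name; Detail = $dll }
    }
}

# 2. Run keys: Hare bw adds a value named "Administrator" that launches its Administrator.exe copy.
foreach ($hive in 'HKLM', 'HKCU') {
    $runKey = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $runKey)) { continue }
    foreach ($prop in (Get-ItemProperty $runKey).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }
        if ($prop.Name -eq 'Administrator' -or "$($prop.Value)" -match 'Administrator\.exe') {
            $findings += [pscustomobject]@{ Check = 'RunKey'; Item = "$hive\$($prop.Name)"; Detail = $prop.Value }
        }
    }
}

# 3. Fonts directory: Bandit GX stores its encrypted config as a fake .ttf. Genuine TrueType/OpenType
#    files begin with 00 01 00 00, "true", "OTTO" or "ttcf"; flag any .ttf whose header differs.
$fontMagic = @('00010000', '74727565', '4F54544F', '74746366')
foreach ($f in Get-ChildItem "$env:SystemRoot\Fonts" -Filter *.ttf -File -ErrorAction SilentlyContinue) {
    $fs = [System.IO.File]::OpenRead($f.FullName); $buf = New-Object byte[] 4
    [void]$fs.Read($buf, 0, 4); $fs.Dispose()          # short files keep zeroed bytes and get flagged
    $hex = ($buf[0..3] | ForEach-Object { $_.ToString('X2') }) -join ''
    if ($fontMagic -notcontains $hex) {
        $findings += [pscustomobject]@{ Check = 'FakeFont'; Item = $f.Name; Detail = "header $hex" }
    }
}

# 4. Dropped files named in the bulletin; hash them and compare against the bulletin's MD5 values.
foreach ($p in "$env:SystemRoot\System32\drivers\Securentm.sys",
              'C:\Documents and Settings\Administrator\Administrator.exe') {
    if (-not (Test-Path $p)) { continue }
    $md5 = (Get-FileHash $p -Algorithm MD5).Hash
    $tag = if ($bulletinMd5 -contains $md5) { 'MATCHES bulletin MD5' } else { 'hash not in bulletin' }
    $findings += [pscustomobject]@{ Check = 'DroppedFile'; Item = $p; Detail = "$md5 ($tag)" }
}

$findings | Format-Table -AutoSize
```

Because both variants hide their processes and files (rootkit techniques in bw, process termination in GX), an empty result from a live host is not proof of a clean system; rerun the file checks against an offline image where possible.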