Simple analysis of the Worm.Win32.QQPass.A trojan planted on the Literature Forum
Endurer Original
Version 1
This is similar to the earlier Worm.Win32.Agent.IMH (see "Simple analysis of the Worm.Win32.Agent.IMH trojan planted on the Literature Forum").
0.exe is packed with upx1.
Before unpacking:
File Description: D:/test/0.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time:
Modification time:
Access time:
Size: 16944 bytes, 16.560 KB
MD5: ceb6f4d04c9f5ff2f6636dd7233460d9
SHA1: 9f48898eca47463712d65752c4af0c072f200c8f
After unpacking:
File Description: D:/test/0_org.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 19:21:18
Modification time: 19:21:14
Access time:
Size: 22064 bytes, 21.560 KB
MD5: 4797f454f6b22a7f14b4d90c18c9a5ce
SHA1: 0ee42a949864724b6f04eb2d14d025fe286c792e
Kaspersky reports Worm.Win32.QQPass. Rising reports Trojan.PSW.Win32.Agent.VCD.
It copies itself to /program files/Internet Explorer/plugins/ under the file names newtemp.BKK and newtemp.dll.
It modifies the registry to register itself under ShellExecuteHooks; the CLSID is {0ea66ad2-cf26-2e23-532b-b292e22f3266}.
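To check a host for this kind of persistence, the sketch below (an added example, not part of the original analysis) audits a .reg-style export offline: it resolves every CLSID registered under ShellExecuteHooks to its InprocServer32 DLL and flags anything outside an allow-list. The sample export is constructed, and the drive letter, the allow-list and the assumption that the reported CLSID resolves to newtemp.dll are mine.

```python
# Added example: offline audit of ShellExecuteHooks from a .reg-style export.
# SAMPLE_REG is constructed. The second CLSID and the file name come from the
# write-up; that this CLSID resolves to newtemp.dll, and the C: drive letter,
# are assumptions. The shell32.dll entry stands in for a legitimate hook.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{0ea66ad2-cf26-2e23-532b-b292e22f3266}"=""

[HKEY_CLASSES_ROOT\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InprocServer32]
@="shell32.dll"

[HKEY_CLASSES_ROOT\CLSID\{0ea66ad2-cf26-2e23-532b-b292e22f3266}\InprocServer32]
@="C:\\Program Files\\Internet Explorer\\plugins\\newtemp.dll"
'''

HOOKS_KEY = ("hkey_local_machine\\software\\microsoft\\windows"
             "\\currentversion\\explorer\\shellexecutehooks")
# Assumption: InprocServer32 values considered normal on a clean host.
EXPECTED_SERVERS = {"shell32.dll", "%systemroot%\\system32\\shell32.dll"}

def parse_reg(text):
    """Return {lowercased key path: {value name: data}} from .reg-style text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            # .reg files escape backslashes inside quoted string data
            current[name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def audit_hooks(keys):
    """Return (clsid, dll, suspicious) for each registered ShellExecuteHook."""
    findings = []
    for clsid in keys.get(HOOKS_KEY, {}):
        server_key = "\\".join(
            ["hkey_classes_root", "clsid", clsid.lower(), "inprocserver32"])
        dll = keys.get(server_key, {}).get("@", "")
        # A hook with no resolvable DLL is flagged too (orphaned registration).
        findings.append((clsid, dll, dll.lower() not in EXPECTED_SERVERS))
    return findings

if __name__ == "__main__":
    for clsid, dll, bad in audit_hooks(parse_reg(SAMPLE_REG)):
        print("SUSPICIOUS" if bad else "ok", clsid, dll or "<no InprocServer32>")
```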