Virus name: Trojan-psw.win32.qqpass.ajo (Kaspersky)
Virus alias: WORM.WIN32.PABUG.CF (Rising), win32.troj.qqpasst.ah.110771 (Poison PA)
Virus size: 32,948 bytes
Packer: UPX
Sample MD5: 772F4DFC995F7C1AD6D1978691190CDE
Sample SHA1: e9d2bcc5666a3433d5ef8cc836c4579f03f8b6cc
Associated virus:
Transmission mode: malicious web pages, download by other Trojans, and USB drives and portable hard disks
Technical analysis
==========
When run, the Trojan copies itself to:
Code:
%ProgramFiles%\Internet explorer\plugins\syswin7z.jmp
%ProgramFiles%\Internet Explorer\plugins\winsys8z.sys
It then registers itself as a ShellExecuteHooks handler so that it is loaded whenever Explorer launches a program:
Code:
[Hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{f81f75c9-f974-4772-b72d-f28cbcd98c5f}" = ""
[Hkey_classes_root\clsid\{f81f75c9-f974-4772-b72d-f28cbcd98c5f}\inprocserver32]
@= "%ProgramFiles%\Internet Explorer\plugins\syswin7z.sys"
It also writes the following registry key and value:
Code:
[HKEY_CURRENT_USER\SOFTWARE\TENCENT\DETA3]
"Ft"
It looks for a local E: drive and, if one exists, writes Autorun.inf and Autorun.exe to its root directory in an attempt to spread via USB drives.
Once running, the Trojan randomly selects contacts from the user's QQ friend list and creates a temporary discussion group with them. It then sends the group the message "Www.fxxxxx.cn/1651.rar here are my photos help me to the top remember to reply to me oh click on the download". Other users in the discussion group may be infected by opening the file behind the link. The Trojan also connects to the network to download other viruses, Trojans or malware programs into the temp directory and runs them.
Cleanup steps
==========
1. Delete the ShellExecuteHooks entries created by the Trojan (Start menu, Run, enter "regedit" to open the registry, then locate and delete the following):
Code:
[Hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{f81f75c9-f974-4772-b72d-f28cbcd98c5f}"
[hkey_classes_root\clsid\{f81f75c9-f974-4772-b72d-f28cbcd98c5f}]
2. Restart your computer
3. Delete the Trojan files:
Code:
%ProgramFiles%\Internet explorer\plugins\syswin7z.jmp
%ProgramFiles%\Internet Explorer\plugins\winsys8z.sys
If an E: drive exists, also delete:
Code:
E:\Autorun.inf
E:\Autorun.exe
4. Delete the remaining registry information (Start menu, Run, enter "regedit" to open the registry, then locate and delete the following):
Code:
[HKEY_CURRENT_USER\SOFTWARE\TENCENT\DETA3]