Tracking and releasing the Trojan horse-analyzing the Trojan horse's handwriting from the Trojan Horse

Source: Internet
Author: User
Two years ago, the article was taken to fill the facade. -------------------- Tracking and releasing "horse" thieves-analyze the Releaser's notes from Trojans

(Author: mikespook | Release Date: | views: 545)

Keywords: base64, QQ, Trojan
This article is only intended to provide guidance to many cainiao like me. Here, I would like to thank Xiaojin (lk007) for its help.

In the morning, I got up and received a text message from my girlfriend, saying that QQ was stolen. As soon as I heard it, I got it? When I was too old, why did I steal my lazy cat? I have asked in detail about the situation on the phone. I'm afraid it's a Trojan. After thinking about it, I remember that she had received an "my photo flash" email two days ago, containing an attachment. Well, it seems that the thief who wants to arrest the Trojan can only start with this email.
I grabbed the pony and opened it in the editor. After searching for the executable file header, one executable file contains two executable file headers. Suddenly, it was a bundled device. Let's take a look. Well? There are some records like this:

// Note that I have modified the content. It is not the original text. I am afraid it will be a bunch of garbled characters if you decode the content as follows ^ @ ^

Mima_wenjian: zt4 =
Fuwuqi: c810ac4xbjupy14v
Jieshou_youxiang: umpyqpy14vju =
Yonghu_ming: umpy
Yonghu_mima: = My
Smtp_biaozhi: ysc =
Fasong_zhti: wfhywfg =

We can see at a glance that this is a Trojan configuration record. Well, it seems that we can only start from here.
Obviously, the information is encrypted. What should I do? What exactly is this? No way to start ............ Later I asked, Xiaojin said it may be base64 encoded and looks very similar. Later, I saw the "base64" in the Data Segment of the Trojan file. Is it actually base64 encoded? The author also used it too easily. Well, there is no other way, so I had to die as a "horse" as a living "horse" doctor. I checked the base64 encoding information: "When the number of digits is not enough, use '=' to supplement it ." Well, it seems that base64 encoding is used. Try decoding all the codes. Haha, the user name, server, email subject, and email receiving ...... All at a glance. The only difference is the user password. It seems that the user password encoding method is not that simple.
This is the result again. Well, what is this trojan? Open the trojan file again and carefully observe the data section. The data section contains the characters psss6.5”"“winplo.exe "and" msread. dt ". I am afraid this should be some data of the Trojan before bundling. Go to black and white to see if there are any gains.
From the black and white perspective, the first QQ tool is a piece of software named "qqpass598. "QQ killer "? Go to the author's homepage. Haha, I don't know. It turns out that pass6.5 was a new version of the author in August, and the old version of black and white was. I caught this "QQ killer". I configured several Trojan Files and compared them with the bundled file. It is indeed the same Trojan !!! Okay, the trojan knows what it is, but how is the password encrypted? Helpless, try it. The dead horse will survive again.
I set the user passwords to "1" and "2" respectively "...... The results show in the configuration file that the encoded passwords are "= QM", "= GM "...... Well? How is it like base64? But "=" ran to the front, instead of filling in the back. I immediately came to the spirit, Mo Fei .................. If you don't do it, you never stop. Try decoding. The original Decoding for "MQ =" and "Mg =" is "1" and "2 ". Haha, I wrote such a classic software, but the encryption method is too simple, right? All right, whistle, and hum a minor to decode the email password of the thief "Ma.
Look in his mailbox? A lot of QQ passwords. It seems that he is already a veteran. I found my girlfriend's QQ. He even got two QQ passwords. Another 8-digit number may be long and not required. Too much !!! I deleted those emails and deleted all the emails that he didn't see in the past two days, reducing others' losses. Well, he still saved the trojan email in his mailbox? Hey, I replaced the attachment. You just need to wait for the password to be sent ~~~ Hahaha ~~
I didn't change his password. I was also preparing to monitor him for a period of time. Maybe I 'd like to come up with a more cruel way to deal with him. Hey ~~ Late cats have an idea.

Okay, this is the basic decoding process. To sum up, mima_wenjian: zt4 =, fuwuqi: Signature, signature: umpyqpy14vju =, yonghu_ming: umpy, signature: ysc =, fasong_zhti: wfhywfg = the information is directly encoded by base64, the original content can be obtained after decoding. Yonghu_mima: = My. In fact, you can reverse "= My" to "ym =" and then use base64 to decode the password.
Here, the lazy cat reminds everyone to be careful when receiving emails from strangers with attachments. (In fact, if you are a master who wants to harm you, you don't need attachments at all. emails in the form of nimuda virus are a headache .) There are also reminders of the "horse" thieves who don't know unless they do what they do. Be careful to harm others, but harm yourself.
Now this guy I 've been thinking about him and collecting more information about him. Haha ~~ If you have received an email like "My photo flash", you can try the above method to play the "horse" thief in the palm of your hand.

Maybe something is wrong because I am a cainiao. Some details may not be taken into consideration. If you know, you may wish to give me some advice. Thank you !!

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.