Technical Details
This Trojan opens different websites in the browser without the user's knowledge. It is a Windows dynamic library (PE DLL file). It is 40 448 bytes in size. It is written in Delphi.
Payload
When the following files are available, the Trojan launches them for execution:
C:\EEQQ\QQE.exe
C:\EEQQ\EEQ.exe
In a separate thread the Trojan searches for the following windows class names:IEFrame
_____TTFrameWnd__101__
Maxthon2_Frame
360se_Frame
and the names of the child windows:WorkerW
ReBarWindow32
Address Band Root
Edit
ComboBoxEx32
ComboBox
#32770
XTPDockBar
XTPToolBar
RichEdit20W
XToolBar
XWnd
This way the Trojan checks for browsers launched on the user's computer.
Depending on the found windows the Trojan can:
- Determine the process that belongs to this window class and then launch the browser process with one of the following parameters:
http://www.sf***8.com/?Dll-WZ http://www.sf***8.com/?Dll-BT http://www.sf***8.com/index.html?Dll-BT http://www.sf***8.com/index.html?Dll-WZ - Check, whether the user is currently viewing one of the following pages:
iq123.com; yijidh.com; 250dh.cn; 223.la; kuku123.com; 930930.com; 9123.com; hao123e.com; 020.com; youxi777.com; 1616.net; 1188.com; urldh.com; daohang.la; pp55.com; 9605.com; 05505.cn; 7055.net; 0056.com; 6655.com; 1166.com; 5kip.com; 114xia.com; 265dh.com; 3567.com; 6565.cn; 666t.com; 9223.com; dduu.com; hao123.cn; 5snow.com; 2523.com; 5599.net; tt98.com; zhaodao123.com; kuhao123.com; 5151la.net; 6h.com.cn; zeibi.com; 6e8e.com; th123.com; 9991.com; hao123ol.com; wu123.com; t220.cn; ttver.net; 188HI.com; go2000.com; 5igb.com; bb2000.net; 9wa.com; qq5.com; 365j.com; 7345.com; 2760.com; 361la.com; haojs.com; 5zd.com; i8866.com; 100wz.com; 114hi.com; 234.la; 657.com; 339.la; 365wz.net; 7792.com; 9495.com; dazuimao.com; 71314.com; 265.com; gouwo.com; huai456.com; ku256.com; my180.com; 2522.cn; 405.cn; 44244.com; 111dh.com; 115ku.com; 13387.com; 163yes.com; 256s.com; 2676.com; 3355.net; 365lo.com; 4168.com; 4545.cn; 4688.com; 566.net; 5666.net; 5733.com; 6461.cn; 7356.com; 800186.com; 85851.com; asp51.com; 361dh.com; 5566.net; yulinweb.com; 6296.com.cn; mianfeia.com; ai1234.com; k369.com; msncn.com; ss256.com; min513.com; 88-888.com; lggg.cn; 7771.cn; leeboo.com; jjol.cn; 5566.com; 9166.net; hao253.com; 7b.com.cn; haoei.com; 77114.com; 21310.cn; weiduomei.net; kk3000.cn; 7241.cn; 44384.com; daohang1234.com; 131.cc; 223224.com; 537.com; 9348.cn; bju123.cn; i4455.com; jia123.com; 0666.com.cn; 553.la; 5566.org; 37021.com; 88488.com; 99986.net; 37021.net; k986.com; cc62.com; 5518.cn; 55620.com; 52416.com; 7357.cn; 8c8c.net; 9999q.com; 123shi123.com; yl234.cn; 3322.com; hao222.com; 6313.com; f127.com; 5599cn.cn; 99499.com; 2548.cn; 133.net; ie30.com; 8751.com; se:home; haidaowan.net; 160dh.com; 114115.com; 1322.cn; hh361.com; 2800.cc; 52daohang.com; 186.me; diyidh.com; zaodezhu.com; 7832.com; 3073.com; 2058.cc; 3456.cc; 7771.com; q6789.com; 7k.cc; dianzi88.com; 7802.com; xinbut.com; 59688.com; gjj.cc; youla.com; ok1616.com; i2345.cn; gg8000.com; daohang12345.cn; inina.cn; dowei.com; 1515.net; 41119.cn; 21230.cn; 97youku.com; fast35.net; m32.cn; tom155.cn; 668yo.com; online.cq.cn; shagua.cn; 007247.cn; 603467.cn; 197326.cn; wwwoj.cn; xp22.cn; 84022.cn; 520593.cn; 448789.cn; 141321.cn; 36gggg.cn; 427842.cn; niubihao123.cn; ovooo.cn; rtys520.net; rtxzw.com; uurenti.cc; bo.dy288.com; renti11.com; 123.cd; 336655.com; 9978.net; 520.com; 6l.cn; 420.cn; v989.com; 16551.com; 2tvv.com; m4455.com; mylovewebs.com; 5987.net; 7999.com; caipopo.com; wndhw.com; henku123.com; qu123.com; 94176.com; u526.com; haokan123.com; uusee.net; 9733.com; 173com; qnrwz.com; 999w.com; h935.com; 33250.com; tz911.net; 639e.com; 920xx.cn; 13393.com; tncdh.com; sou185.com; 3566.cc; 580so.com; 2001.cc; hnhao123.com; zz5.net.cn; abc123.name; ekan123.com; 1266.cc; hao123.cc; 126.cc; ie1788.com; 58daohang.com; 6dh.com; 991.cn; 114la.me; 1133.cc; ads8.com; haoz.com; jsing.net; 123.sogou.com; 3321.com; 1155.cc; hao123.com; hao123.net; 6700.cn; 168.com; uu881.com; 6264.cn; 606600.com; 2345.com; 5607.cn; 1111116.com; v7799.com; ie7.com.cn; 365t.cc; 89679.com; se:blank; 35029.com; 8d9a.cn; 400zm.com; 58816.com; 727dh.cn; hao123w.com; 114td.com; 28101.cn; 03336.cn; 79001.cn; 133132.com; 3434.com.cn; 828dh.cn; 64500.cn; 22q.cc; jj77.com; vvyy.net; ie567.com; 5d5e.com; 212dh.cn; 911g.cn; 1616.la; tomatolei.com; 96nn.com; 5543.com; 2288.org; 3322.org; 9966.org; 8800.org; 8866.org; 7766.org; 22409.com; se-se.info; 26043.com; 34414.com; gaoav1.info; 0558114.com; 3333dh.cn; zjialin.com; 22dao.com; soupay.com; langlangdoor.com; 99cu.com; 5555dh.cn; wang123.net; hxdlink; haaoo123.com; 3645.com; hao123q.com; tvsooo.com; gaituba.com; 45566.net; 2298.cn; iexx.com; dh115.com; 97sp.cn; 39r.cn; f8f8.cn; 391kk.cn; 266.cc; jysoso.net; wg510.cn; 114d.org; ie3721.com; 2142.cn; go2000.cc; go2000.cn; 99521.com; yeooo.com; haha123.com; hao.360.cn; 07707.cn; yy2000.net; 1111118.com; 26281.com; 960dh.cn; 300.cc; 163333333.com.cn; kz300.cn; i3525.cn; 67881.net; t2t2.net; mm4000.cn; 669dh.cn; k58n.com; haoha123.com; ab99.com; i2255.com; 054.cc; fffggqq.cn; k2345.net; vv33.com; tuku6.com; mmpp654.com; 228dh.cn; seibb.com; 14164.com; 552dh.cn; hao969.com; lalamao.com; 21225.cn; 5k5.net; 65630.cn; at46.cn; 98928.cn; ads.eorezo.com; 661dh.cn; 6320.com; henbianjie.com; xiushe.com; 5mqxmq.com; 989228.com; i8844.cn; g1476.cn; 4j4j.cn; 1777zzw5.com; 989228.cn; henbucuo.com; 886dh.cn; 2255.net; 160yes.com; u8s.cn; 16711.com; 626dh.cn; rfwow.cn; baiyici.cn; lalamao.cn; 136s.com; huhuyy.cn; 8diq.com; d2fs.cn; 0229.com; yy4000.com; 9934.cn; 3883.net; 151dh.com; 26dh.cn; kkwwxx.com; t67.net; 29dao.cn; 58ju.com; dnc8.net; yl177.com.cn; xj.cn; 950990.cn; 114.com.cn; xxxip.cn; 3628.com; 265.cc; 26.la; 5654.com; zg115.com; 969dh.cn; 111555.com.cn; pic.jinti.com; kk8000.com; wokaokao.cn; duoxxppmmkoo.com; kanlink.cn; 91youa.com; shinia.cn; pp9pp9.cn; ma80.com; 556dh.cn; bu4.cn; 8555.com; e23.la; flash678.cn; yy4000.cn; wo333.com; mv700.com; xcwhgx.cn; 3s11.cn; sp16888.com; k7k7.com; zzw5.com; okdianying.com; 789bb.com; antuoo.com; so06.com; 665532.cn; 7f7f.com; k261.com; fanbaidu.org.cn; iu888.cn; 977k.com; 93w.com; 68566.com.cn; zhidao163.cn; it958.cn; lx8000.cn; sc.cn; ucuc.cc; kkdowns.com; 189189.com; 0002.com; 4737.cn; 226dh.cn; bb115.cn; 06000.cn; u87.cn; sohao123.com; k887.com; hao602.com; t7t7.net; ku4000.cn; v6677.cn; hong666.com; 4000a.com; kk4000.cn; 7767.com; 11227.cn; u9u9.net; 28113.cn; rr55.com; a4000.cn; yunfujkw.cn; 886.com; 2800.cer.cn; zyyu.com; 49la.com; hi3000.cn; sogouliulanqi.com; 888ge.com; 00333.cn; 29wz.com; soso126.com; 180wan.com; kan888.com; 4929.cn; v2233.com; m345.cn; tt265.net; 18ttt.com; 153.cc; 00664.cn; gugogo.com; kk4000.com; 185b.com; uuent.com; 6666dh.cn; 25dao.com; shangla.com; 77177.cn; about:blank; haoq123.com; baiduo.org; lejiu.net; dianxin.cn; u7758.com; dao234.com; 85692.com; xiaosb.com; soso313.cn; 939dh.com; 85952.com; 31346.com; 71528.com; 788dh.com; 91695.com; 5566x.com; 131u.com; 1149.cn; 9281.net; my115.net; 4119.cn; 9m1.net; dh818.com; iehwz.com; wa200.com; hao234.cc; 6781.com; 652dh.com; 16811.com; zhongshu.net; 992k.com; 71628.com; 6701.com; diyou.net; iehao123.com; laidao123.com; yinfen.net; wz4321.com; shangqu.info; 5121.net; 668g.com; 51150.com; 53ff.com; dada123.com; you2000.com; 884599.cn; kuaijiong.com; 398.cn; 32387.com; 82vv.com; 09tao.com; 977dh.com; 598.net; 211dh.com; 9365.info; wblive.com; e722.com; v232.com; 7400.net; 62106.com; ll4xi.com; 3932.com; puZeng.com; 97199.com; 447.cc; 0749.com; 6656.net; niebai.com; 447.com; uuchina.net; hao123cn.info; dao666.com; 9813.org; 91kk.com; freedh.info; yidaba.com; 161111111.com; 009dh.com; qsxx.cn; geyuan.net; 8t8.net; xorg.pl; bij.pl; qqnz.com; srpkw.com; gggdu.com; baiduo.com; wys99.com; leilei.cc; 3633.net; fjta.com; so11.cn; 522dh.com; 9249.com; 3110.cn; 300cc.com; 7669.cn; 5c6.com; 7993.cn; 8336.cn; 03m.net; ou33.com; bv0.net; 163333333.cn; 45575.com; 2637.cn; skyhouse.com.cn; 98453.com; 65642.net; 776la.com; 256.CC; 114king.cn; yyyqq.com; huhu123.com; gyyx.cn; 2888.me; 4444dh.cn; 191pk.com; 118.com; 57xswz.com; how18.cn; sohu12333333.com; xz26.com; 654v.com; 280580.cn; fjgqw.com; 49558.cn; pp8000.cn; 265it.com; soolaa.com; 9899.cn; 18143.com; haoxyz.com; 4555.net; 10du.net; 528988.com; wahahaha123.com; c256.cn; chinaih.com; mnv.cn; 633dh.com; ncjxx.com; 51721.net; 556w.com; 114cc.net; 5go.com.cn; pp4000.com; 8844.com; dd335.cn; qu163.net; itwenba.cn; dou2game.cn; h220.com; neng123.com; pleoc.cn; 6006.cc; 987654.com; 39903.com; ddoowwnn.cn; 788111.com; zhidao001.com; 5hao123.com; 978.la; 135968.cn; bb112.com; r220.cn; 365kong.com; woainame.cn; okgouwu.cn; hao006.com; jipinla.com; 99467.com; wawamm.cn; qian14.cn; ip27.cn; 56dh.cn; 2966.com; game333.net; kukuwz.com; 1-xiu.cn; 92hao123.com; lian9.cn; 222q.cn; jj98.com; 73vv.com; mubanw.com; t262.com; x1258.cn; weishi66.cn; hao990.com; 68la.com; sowang123.cn; 3929.cn; 5665.cn; 81sf.com; kz123.cn; qq806.cn; ffwyt.com
If the user is viewing one of these pages, the Trojan searches for certain input fields and adds one of the following links to these input fields:
http://www.sf***8.com/?Dll-WZ
http://www.sf***8.com/?Dll-BT
http://www.sf***8.com/index.html?Dll-BT
http://www.sf***8.com/index.html?Dll-WZ
It then emulates pressing the "Enter" key.
This way the Trojan contacts resources without the user's knowledge.
Removal instructions
If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
- Use Task Manager to terminate the Trojan process.
- Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
- Empty the Temporary Internet Files directory:
%Temporary Internet Files%
Žádné komentáře:
Okomentovat