English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

Trojan-GameThief.Win32.Nilage.ipj

Detected Feb 26 2011 23:59 GMT
Released Feb 27 2011 05:56 GMT
Published Mar 25 2011 13:41 GMT

Technical Details
Payload
Removal instructions

Technical Details

This Trojan opens different websites in the browser without the user's knowledge. It is a Windows dynamic library (PE DLL file). It is 40 448 bytes in size. It is written in Delphi.


Payload

When the following files are available, the Trojan launches them for execution:

C:\EEQQ\QQE.exe
C:\EEQQ\EEQ.exe
In a separate thread the Trojan searches for the following windows class names:
IEFrame
_____TTFrameWnd__101__
Maxthon2_Frame
360se_Frame
and the names of the child windows:
WorkerW
ReBarWindow32
Address Band Root
Edit
ComboBoxEx32
ComboBox
#32770
XTPDockBar
XTPToolBar
RichEdit20W
XToolBar
XWnd
This way the Trojan checks for browsers launched on the user's computer.

Depending on the found windows the Trojan can:

  1. Determine the process that belongs to this window class and then launch the browser process with one of the following parameters:
    http://www.sf***8.com/?Dll-WZ
    http://www.sf***8.com/?Dll-BT
    http://www.sf***8.com/index.html?Dll-BT
    http://www.sf***8.com/index.html?Dll-WZ
    
  2. Check, whether the user is currently viewing one of the following pages:
    iq123.com; yijidh.com; 250dh.cn; 223.la; kuku123.com; 930930.com; 9123.com; hao123e.com; 020.com; youxi777.com; 1616.net; 1188.com; urldh.com; daohang.la; pp55.com; 9605.com; 05505.cn; 7055.net; 0056.com; 6655.com; 1166.com; 5kip.com; 114xia.com; 265dh.com; 3567.com; 6565.cn; 666t.com; 9223.com; dduu.com; hao123.cn; 5snow.com; 2523.com; 5599.net; tt98.com; zhaodao123.com; kuhao123.com; 5151la.net; 6h.com.cn; zeibi.com; 6e8e.com; th123.com; 9991.com; hao123ol.com; wu123.com; t220.cn; ttver.net; 188HI.com; go2000.com; 5igb.com; bb2000.net; 9wa.com; qq5.com; 365j.com; 7345.com; 2760.com; 361la.com; haojs.com; 5zd.com; i8866.com; 100wz.com; 114hi.com; 234.la; 657.com; 339.la; 365wz.net; 7792.com; 9495.com; dazuimao.com; 71314.com; 265.com; gouwo.com; huai456.com; ku256.com; my180.com; 2522.cn; 405.cn; 44244.com; 111dh.com; 115ku.com; 13387.com; 163yes.com; 256s.com; 2676.com; 3355.net; 365lo.com; 4168.com; 4545.cn; 4688.com; 566.net; 5666.net; 5733.com; 6461.cn; 7356.com; 800186.com; 85851.com; asp51.com; 361dh.com; 5566.net; yulinweb.com; 6296.com.cn; mianfeia.com; ai1234.com; k369.com; msncn.com; ss256.com; min513.com; 88-888.com; lggg.cn; 7771.cn; leeboo.com; jjol.cn; 5566.com; 9166.net; hao253.com; 7b.com.cn; haoei.com; 77114.com; 21310.cn; weiduomei.net; kk3000.cn; 7241.cn; 44384.com; daohang1234.com; 131.cc; 223224.com; 537.com; 9348.cn; bju123.cn; i4455.com; jia123.com; 0666.com.cn; 553.la; 5566.org; 37021.com; 88488.com; 99986.net; 37021.net; k986.com; cc62.com; 5518.cn; 55620.com; 52416.com; 7357.cn; 8c8c.net; 9999q.com; 123shi123.com; yl234.cn; 3322.com; hao222.com; 6313.com; f127.com; 5599cn.cn; 99499.com; 2548.cn; 133.net; ie30.com; 8751.com; se:home; haidaowan.net; 160dh.com; 114115.com; 1322.cn; hh361.com; 2800.cc; 52daohang.com; 186.me; diyidh.com; zaodezhu.com; 7832.com; 3073.com; 2058.cc; 3456.cc; 7771.com; q6789.com; 7k.cc; dianzi88.com; 7802.com; xinbut.com; 59688.com; gjj.cc; youla.com; ok1616.com; i2345.cn; gg8000.com; daohang12345.cn; inina.cn; dowei.com; 1515.net; 41119.cn; 21230.cn; 97youku.com; fast35.net; m32.cn; tom155.cn; 668yo.com; online.cq.cn; shagua.cn; 007247.cn; 603467.cn; 197326.cn; wwwoj.cn; xp22.cn; 84022.cn; 520593.cn; 448789.cn; 141321.cn; 36gggg.cn; 427842.cn; niubihao123.cn; ovooo.cn; rtys520.net; rtxzw.com; uurenti.cc; bo.dy288.com; renti11.com; 123.cd; 336655.com; 9978.net; 520.com; 6l.cn; 420.cn; v989.com; 16551.com; 2tvv.com; m4455.com; mylovewebs.com; 5987.net; 7999.com; caipopo.com; wndhw.com; henku123.com; qu123.com; 94176.com; u526.com; haokan123.com; uusee.net; 9733.com; 173com; qnrwz.com; 999w.com; h935.com; 33250.com; tz911.net; 639e.com; 920xx.cn; 13393.com; tncdh.com; sou185.com; 3566.cc; 580so.com; 2001.cc; hnhao123.com; zz5.net.cn; abc123.name; ekan123.com; 1266.cc; hao123.cc; 126.cc; ie1788.com; 58daohang.com; 6dh.com; 991.cn; 114la.me; 1133.cc; ads8.com; haoz.com; jsing.net; 123.sogou.com; 3321.com; 1155.cc; hao123.com; hao123.net; 6700.cn; 168.com; uu881.com; 6264.cn; 606600.com; 2345.com; 5607.cn; 1111116.com; v7799.com; ie7.com.cn; 365t.cc; 89679.com; se:blank; 35029.com; 8d9a.cn; 400zm.com; 58816.com; 727dh.cn; hao123w.com; 114td.com; 28101.cn; 03336.cn; 79001.cn; 133132.com; 3434.com.cn; 828dh.cn; 64500.cn; 22q.cc; jj77.com; vvyy.net; ie567.com; 5d5e.com; 212dh.cn; 911g.cn; 1616.la; tomatolei.com; 96nn.com; 5543.com; 2288.org; 3322.org; 9966.org; 8800.org; 8866.org; 7766.org; 22409.com; se-se.info; 26043.com; 34414.com; gaoav1.info; 0558114.com; 3333dh.cn; zjialin.com; 22dao.com; soupay.com; langlangdoor.com; 99cu.com; 5555dh.cn; wang123.net; hxdlink; haaoo123.com; 3645.com; hao123q.com; tvsooo.com; gaituba.com; 45566.net; 2298.cn; iexx.com; dh115.com; 97sp.cn; 39r.cn; f8f8.cn; 391kk.cn; 266.cc; jysoso.net; wg510.cn; 114d.org; ie3721.com; 2142.cn; go2000.cc; go2000.cn; 99521.com; yeooo.com; haha123.com; hao.360.cn; 07707.cn; yy2000.net; 1111118.com; 26281.com; 960dh.cn; 300.cc; 163333333.com.cn; kz300.cn; i3525.cn; 67881.net; t2t2.net; mm4000.cn; 669dh.cn; k58n.com; haoha123.com; ab99.com; i2255.com; 054.cc; fffggqq.cn; k2345.net; vv33.com; tuku6.com; mmpp654.com; 228dh.cn; seibb.com; 14164.com; 552dh.cn; hao969.com; lalamao.com; 21225.cn; 5k5.net; 65630.cn; at46.cn; 98928.cn; ads.eorezo.com; 661dh.cn; 6320.com; henbianjie.com; xiushe.com; 5mqxmq.com; 989228.com; i8844.cn; g1476.cn; 4j4j.cn; 1777zzw5.com; 989228.cn; henbucuo.com; 886dh.cn; 2255.net; 160yes.com; u8s.cn; 16711.com; 626dh.cn; rfwow.cn; baiyici.cn; lalamao.cn; 136s.com; huhuyy.cn; 8diq.com; d2fs.cn; 0229.com; yy4000.com; 9934.cn; 3883.net; 151dh.com; 26dh.cn; kkwwxx.com; t67.net; 29dao.cn; 58ju.com; dnc8.net; yl177.com.cn; xj.cn; 950990.cn; 114.com.cn; xxxip.cn; 3628.com; 265.cc; 26.la; 5654.com; zg115.com; 969dh.cn; 111555.com.cn; pic.jinti.com; kk8000.com; wokaokao.cn; duoxxppmmkoo.com; kanlink.cn; 91youa.com; shinia.cn; pp9pp9.cn; ma80.com; 556dh.cn; bu4.cn; 8555.com; e23.la; flash678.cn; yy4000.cn; wo333.com; mv700.com; xcwhgx.cn; 3s11.cn; sp16888.com; k7k7.com; zzw5.com; okdianying.com; 789bb.com; antuoo.com; so06.com; 665532.cn; 7f7f.com; k261.com; fanbaidu.org.cn; iu888.cn; 977k.com; 93w.com; 68566.com.cn; zhidao163.cn; it958.cn; lx8000.cn; sc.cn; ucuc.cc; kkdowns.com; 189189.com; 0002.com; 4737.cn; 226dh.cn; bb115.cn; 06000.cn; u87.cn; sohao123.com; k887.com; hao602.com; t7t7.net; ku4000.cn; v6677.cn; hong666.com; 4000a.com; kk4000.cn; 7767.com; 11227.cn; u9u9.net; 28113.cn; rr55.com; a4000.cn; yunfujkw.cn; 886.com; 2800.cer.cn; zyyu.com; 49la.com; hi3000.cn; sogouliulanqi.com; 888ge.com; 00333.cn; 29wz.com; soso126.com; 180wan.com; kan888.com; 4929.cn; v2233.com; m345.cn; tt265.net; 18ttt.com; 153.cc; 00664.cn; gugogo.com; kk4000.com; 185b.com; uuent.com; 6666dh.cn; 25dao.com; shangla.com; 77177.cn; about:blank; haoq123.com; baiduo.org; lejiu.net; dianxin.cn; u7758.com; dao234.com; 85692.com; xiaosb.com; soso313.cn; 939dh.com; 85952.com; 31346.com; 71528.com; 788dh.com; 91695.com; 5566x.com; 131u.com; 1149.cn; 9281.net; my115.net; 4119.cn; 9m1.net; dh818.com; iehwz.com; wa200.com; hao234.cc; 6781.com; 652dh.com; 16811.com; zhongshu.net; 992k.com; 71628.com; 6701.com; diyou.net; iehao123.com; laidao123.com; yinfen.net; wz4321.com; shangqu.info; 5121.net; 668g.com; 51150.com; 53ff.com; dada123.com; you2000.com; 884599.cn; kuaijiong.com; 398.cn; 32387.com; 82vv.com; 09tao.com; 977dh.com; 598.net; 211dh.com; 9365.info; wblive.com; e722.com; v232.com; 7400.net; 62106.com; ll4xi.com; 3932.com; puZeng.com; 97199.com; 447.cc; 0749.com; 6656.net; niebai.com; 447.com; uuchina.net; hao123cn.info; dao666.com; 9813.org; 91kk.com; freedh.info; yidaba.com; 161111111.com; 009dh.com; qsxx.cn; geyuan.net; 8t8.net; xorg.pl; bij.pl; qqnz.com; srpkw.com; gggdu.com; baiduo.com; wys99.com; leilei.cc; 3633.net; fjta.com; so11.cn; 522dh.com; 9249.com; 3110.cn; 300cc.com; 7669.cn; 5c6.com; 7993.cn; 8336.cn; 03m.net; ou33.com; bv0.net; 163333333.cn; 45575.com; 2637.cn; skyhouse.com.cn; 98453.com; 65642.net; 776la.com; 256.CC; 114king.cn; yyyqq.com; huhu123.com; gyyx.cn; 2888.me; 4444dh.cn; 191pk.com; 118.com; 57xswz.com; how18.cn; sohu12333333.com; xz26.com; 654v.com; 280580.cn; fjgqw.com; 49558.cn; pp8000.cn; 265it.com; soolaa.com; 9899.cn; 18143.com; haoxyz.com; 4555.net; 10du.net; 528988.com; wahahaha123.com; c256.cn; chinaih.com; mnv.cn; 633dh.com; ncjxx.com; 51721.net; 556w.com; 114cc.net; 5go.com.cn; pp4000.com; 8844.com; dd335.cn; qu163.net; itwenba.cn; dou2game.cn; h220.com; neng123.com; pleoc.cn; 6006.cc; 987654.com; 39903.com; ddoowwnn.cn; 788111.com; zhidao001.com; 5hao123.com; 978.la; 135968.cn; bb112.com; r220.cn; 365kong.com; woainame.cn; okgouwu.cn; hao006.com; jipinla.com; 99467.com; wawamm.cn; qian14.cn; ip27.cn; 56dh.cn; 2966.com; game333.net; kukuwz.com; 1-xiu.cn; 92hao123.com; lian9.cn; 222q.cn; jj98.com; 73vv.com; mubanw.com; t262.com; x1258.cn; weishi66.cn; hao990.com; 68la.com; sowang123.cn; 3929.cn; 5665.cn; 81sf.com; kz123.cn; qq806.cn; ffwyt.com

If the user is viewing one of these pages, the Trojan searches for certain input fields and adds one of the following links to these input fields:

http://www.sf***8.com/?Dll-WZ
http://www.sf***8.com/?Dll-BT
http://www.sf***8.com/index.html?Dll-BT
http://www.sf***8.com/index.html?Dll-WZ
It then emulates pressing the "Enter" key.

This way the Trojan contacts resources without the user's knowledge.


Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

  1. Use Task Manager to terminate the Trojan process.
  2. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
  3. Empty the Temporary Internet Files directory:
    %Temporary Internet Files%
  4. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).


md5: 305D925660B612459BEE36208D5817E6
sha1: 6BF1489644169419B3509A97AF9AADBFC4544E94


Bookmark and Share
Share
Trojan-GameThief

This type of malicious program is designed to steal user account information for online games. The data is then transmitted to the malicious user controlling the Trojan. Email, FTP, the web (including data in a request), or other methods may be used to transit the stolen data.


Other versions