Trojan-GameThief.Win32.Nilage.ipj

Время детектирования	27 фев 2011 03:59 MSK
Время выпуска обновления	27 фев 2011 09:56 MSK
Описание опубликовано	25 мар 2011 17:41 MSK

Технические детали
Деструктивная активность
Рекомендации по удалению

Технические детали

Троянская программа, открывающая в браузере различные веб-страницы без ведома пользователя. Программа является динамической библиотекой Windows (PE DLL-файл). Имеет размер 40448 байт. Написана на Delphi.

Деструктивная активность

При наличии следующих файлов, троянец запускает их на исполнение:

C:\EEQQ\QQE.exe
C:\EEQQ\EEQ.exe

В отдельном потоке троянец ищет следующие имена классов окон:

IEFrame
_____TTFrameWnd__101__
Maxthon2_Frame
360se_Frame

и имена классов дочерних окон:

WorkerW
ReBarWindow32
Address Band Root
Edit
ComboBoxEx32
ComboBox
#32770
XTPDockBar
XTPToolBar
RichEdit20W
XToolBar
XWnd

Таким образом троянец проверяет наличие запущенных браузеров на компьютере пользователя.

В зависимости от найденных окон, троянец может:

Определять процесс принадлежащий классу окна, после чего запускать на исполнение процесс браузера с одним из следующих параметров:
```
http://www.sf***8.com/?Dll-WZ
http://www.sf***8.com/?Dll-BT
http://www.sf***8.com/index.html?Dll-BT
http://www.sf***8.com/index.html?Dll-WZ
```

Проверять, находился ли пользователь на одном из следующих ресурсов:

iq123.com; yijidh.com; 250dh.cn; 223.la; kuku123.com; 930930.com; 
9123.com; hao123e.com; 020.com; youxi777.com; 1616.net; 1188.com;
 urldh.com; daohang.la; pp55.com; 9605.com; 05505.cn; 7055.net; 
0056.com; 6655.com; 1166.com; 5kip.com; 114xia.com; 265dh.com; 
3567.com; 6565.cn; 666t.com; 9223.com; dduu.com; hao123.cn; 
5snow.com; 2523.com; 5599.net; tt98.com; zhaodao123.com; 
kuhao123.com; 5151la.net; 6h.com.cn; zeibi.com; 6e8e.com; 
th123.com; 9991.com; hao123ol.com; wu123.com; t220.cn; ttver.net; 
188HI.com; go2000.com; 5igb.com; bb2000.net; 9wa.com; qq5.com; 
365j.com; 7345.com; 2760.com; 361la.com; haojs.com; 5zd.com; 
i8866.com; 100wz.com; 114hi.com; 234.la; 657.com; 339.la; 365wz.net;
7792.com; 9495.com; dazuimao.com; 71314.com; 265.com; gouwo.com; 
huai456.com; 
ku256.com; my180.com; 2522.cn; 405.cn; 44244.com;
111dh.com; 115ku.com; 13387.com; 163yes.com; 256s.com; 2676.com; 
3355.net; 365lo.com; 4168.com; 4545.cn; 4688.com; 566.net; 5666.net; 
5733.com; 
6461.cn; 7356.com; 800186.com; 85851.com; asp51.com; 
361dh.com; 5566.net; yulinweb.com; 6296.com.cn; mianfeia.com; 
ai1234.com; k369.com; msncn.com; ss256.com; min513.com; 
88-888.com; lggg.cn; 7771.cn; leeboo.com; jjol.cn; 5566.com; 9166.net;
 hao253.com; 7b.com.cn; haoei.com; 77114.com; 21310.cn; weiduomei.net; 
kk3000.cn; 7241.cn; 44384.com; daohang1234.com; 131.cc; 223224.com; 
537.com; 9348.cn; bju123.cn; i4455.com; jia123.com; 0666.com.cn; 553.la;
 5566.org; 37021.com; 88488.com; 99986.net; 37021.net; k986.com; 
cc62.com; 5518.cn; 55620.com; 52416.com; 7357.cn; 8c8c.net; 
9999q.com; 123shi123.com; yl234.cn; 3322.com; hao222.com; 
6313.com; f127.com; 5599cn.cn; 99499.com; 2548.cn; 133.net; 
ie30.com; 8751.com; se:home; haidaowan.net; 160dh.com; 114115.com; 
1322.cn; hh361.com; 2800.cc; 52daohang.com; 186.me; diyidh.com; 
zaodezhu.com; 
7832.com; 3073.com; 2058.cc; 3456.cc; 7771.com; 
q6789.com; 7k.cc; dianzi88.com; 7802.com; xinbut.com; 59688.com; 
gjj.cc; youla.com; ok1616.com; i2345.cn; gg8000.com; 
daohang12345.cn; inina.cn; 
dowei.com; 1515.net; 41119.cn; 21230.cn; 97youku.com; 
fast35.net; m32.cn; tom155.cn; 668yo.com; online.cq.cn; shagua.cn; 
007247.cn; 603467.cn; 197326.cn; wwwoj.cn; xp22.cn; 84022.cn; 
520593.cn; 448789.cn; 141321.cn; 36gggg.cn; 427842.cn; niubihao123.cn; 
ovooo.cn; rtys520.net; rtxzw.com; uurenti.cc; bo.dy288.com; renti11.com;
 123.cd; 336655.com; 9978.net; 520.com; 6l.cn; 420.cn; v989.com; 
16551.com; 2tvv.com; m4455.com; mylovewebs.com; 5987.net; 7999.com; 
caipopo.com; 
wndhw.com; henku123.com; qu123.com; 94176.com; 
u526.com; haokan123.com; uusee.net; 9733.com; 173com; qnrwz.com; 
999w.com; h935.com; 33250.com; tz911.net; 639e.com; 920xx.cn; 
13393.com; tncdh.com; sou185.com; 3566.cc; 580so.com; 2001.cc; 
hnhao123.com; zz5.net.cn; abc123.name; ekan123.com; 1266.cc; 
hao123.cc; 126.cc; ie1788.com; 58daohang.com; 6dh.com; 991.cn; 
114la.me; 1133.cc; ads8.com; haoz.com; jsing.net; 123.sogou.com; 
3321.com; 1155.cc; hao123.com; hao123.net; 6700.cn; 168.com; 
uu881.com; 6264.cn; 606600.com; 2345.com; 5607.cn; 1111116.com; v7799.com; 
ie7.com.cn; 365t.cc; 89679.com; se:blank; 35029.com; 
8d9a.cn; 400zm.com; 58816.com; 727dh.cn; hao123w.com; 114td.com; 
28101.cn; 03336.cn; 79001.cn; 133132.com; 3434.com.cn; 828dh.cn; 
64500.cn; 22q.cc; jj77.com; vvyy.net; ie567.com; 5d5e.com; 212dh.cn; 
911g.cn; 1616.la; tomatolei.com; 96nn.com; 5543.com; 2288.org; 3322.org; 
9966.org; 
8800.org; 8866.org; 7766.org; 22409.com; se-se.info; 26043.com;
 34414.com; gaoav1.info; 0558114.com; 3333dh.cn; zjialin.com; 22dao.com;
 soupay.com; langlangdoor.com; 99cu.com; 5555dh.cn; wang123.net; hxdlink;
 haaoo123.com; 3645.com; hao123q.com; tvsooo.com; gaituba.com; 
45566.net; 2298.cn; iexx.com; dh115.com; 97sp.cn; 39r.cn; f8f8.cn; 
391kk.cn; 266.cc; jysoso.net; wg510.cn; 114d.org; ie3721.com; 2142.cn; 
go2000.cc; go2000.cn; 99521.com; yeooo.com; haha123.com; hao.360.cn;
 07707.cn; yy2000.net; 1111118.com; 26281.com; 960dh.cn; 300.cc; 
163333333.com.cn; kz300.cn; i3525.cn; 67881.net; t2t2.net; mm4000.cn; 
669dh.cn; k58n.com; haoha123.com; ab99.com; i2255.com; 054.cc; 
fffggqq.cn; k2345.net; vv33.com; tuku6.com; mmpp654.com; 228dh.cn; 
seibb.com; 14164.com; 552dh.cn; hao969.com; lalamao.com; 21225.cn; 
5k5.net; 65630.cn; at46.cn; 98928.cn; ads.eorezo.com; 661dh.cn; 6320.com; 
henbianjie.com; xiushe.com; 5mqxmq.com; 989228.com; i8844.cn; g1476.cn; 
4j4j.cn; 1777zzw5.com; 989228.cn; henbucuo.com; 886dh.cn; 2255.net; 
160yes.com; u8s.cn; 16711.com; 626dh.cn; rfwow.cn; baiyici.cn; 
lalamao.cn; 136s.com; huhuyy.cn; 8diq.com; d2fs.cn; 0229.com; 
yy4000.com; 9934.cn; 3883.net; 151dh.com; 26dh.cn; kkwwxx.com; 
t67.net; 29dao.cn; 58ju.com; dnc8.net; yl177.com.cn; xj.cn; 950990.cn; 
114.com.cn; xxxip.cn; 3628.com; 265.cc; 26.la; 5654.com; zg115.com; 
969dh.cn; 111555.com.cn; pic.jinti.com; kk8000.com; wokaokao.cn; 
duoxxppmmkoo.com; 
kanlink.cn; 91youa.com; shinia.cn; pp9pp9.cn; 
ma80.com; 556dh.cn; bu4.cn; 8555.com; e23.la; flash678.cn; yy4000.cn; 
wo333.com; mv700.com; xcwhgx.cn; 3s11.cn; sp16888.com; 
k7k7.com; zzw5.com; okdianying.com; 789bb.com; antuoo.com; 
so06.com; 665532.cn; 7f7f.com; k261.com; fanbaidu.org.cn; iu888.cn; 
977k.com; 93w.com; 68566.com.cn; zhidao163.cn; it958.cn; lx8000.cn; 
sc.cn; ucuc.cc; kkdowns.com; 189189.com; 0002.com; 4737.cn; 
226dh.cn; bb115.cn; 06000.cn; u87.cn; sohao123.com; k887.com; 
hao602.com; t7t7.net; ku4000.cn; v6677.cn; hong666.com; 4000a.com; 
kk4000.cn; 7767.com; 11227.cn; u9u9.net; 28113.cn; rr55.com; a4000.cn;
 yunfujkw.cn; 886.com; 2800.cer.cn; zyyu.com; 49la.com; hi3000.cn; 
sogouliulanqi.com; 888ge.com; 00333.cn; 29wz.com; soso126.com; 
180wan.com; kan888.com; 4929.cn; v2233.com; m345.cn; tt265.net; 
18ttt.com; 153.cc; 00664.cn; gugogo.com; kk4000.com; 185b.com; 
uuent.com; 6666dh.cn; 25dao.com; shangla.com; 77177.cn; about:blank; 
haoq123.com; baiduo.org; lejiu.net; dianxin.cn; u7758.com; dao234.com; 
85692.com; xiaosb.com; soso313.cn; 939dh.com; 85952.com; 31346.com; 
71528.com; 788dh.com; 91695.com; 5566x.com; 131u.com; 1149.cn; 
9281.net; my115.net; 4119.cn; 9m1.net; dh818.com; iehwz.com; 
wa200.com; hao234.cc; 6781.com; 652dh.com; 16811.com; zhongshu.net;
 992k.com; 71628.com; 6701.com; diyou.net; iehao123.com; laidao123.com; 
yinfen.net; wz4321.com; shangqu.info; 5121.net; 668g.com; 51150.com; 
53ff.com; dada123.com; you2000.com; 884599.cn; kuaijiong.com; 398.cn; 
32387.com; 82vv.com; 09tao.com; 977dh.com; 598.net; 211dh.com; 
9365.info; wblive.com; e722.com; v232.com; 7400.net; 62106.com; 
ll4xi.com; 3932.com; puZeng.com; 97199.com; 447.cc; 0749.com; 6656.net;
 niebai.com; 447.com; uuchina.net; hao123cn.info; dao666.com; 9813.org; 
91kk.com; freedh.info; yidaba.com; 161111111.com; 009dh.com; qsxx.cn;
 geyuan.net; 8t8.net; xorg.pl; bij.pl; qqnz.com; srpkw.com; gggdu.com; 
baiduo.com; wys99.com; leilei.cc; 3633.net; fjta.com; so11.cn; 522dh.com; 
9249.com; 3110.cn; 300cc.com; 7669.cn; 5c6.com; 7993.cn; 8336.cn; 03m.net; 
ou33.com; bv0.net; 163333333.cn; 45575.com; 2637.cn; skyhouse.com.cn; 
98453.com; 65642.net; 776la.com; 256.CC; 114king.cn; yyyqq.com; 
huhu123.com; gyyx.cn; 2888.me; 4444dh.cn; 191pk.com; 118.com; 
57xswz.com; how18.cn; sohu12333333.com; xz26.com; 654v.com; 
280580.cn; fjgqw.com; 49558.cn; pp8000.cn; 265it.com; soolaa.com; 
9899.cn; 18143.com; haoxyz.com; 4555.net; 10du.net; 528988.com; 
wahahaha123.com; c256.cn; chinaih.com; mnv.cn; 633dh.com; ncjxx.com; 
51721.net; 556w.com; 114cc.net; 5go.com.cn; pp4000.com; 8844.com; 
dd335.cn; qu163.net; itwenba.cn; dou2game.cn; h220.com; neng123.com; 
pleoc.cn; 6006.cc; 987654.com; 39903.com; ddoowwnn.cn; 788111.com; 
zhidao001.com; 5hao123.com; 978.la; 135968.cn; bb112.com; r220.cn; 
365kong.com; woainame.cn; okgouwu.cn; hao006.com; jipinla.com; 
99467.com; wawamm.cn; qian14.cn; ip27.cn; 56dh.cn; 2966.com; 
game333.net; kukuwz.com; 1-xiu.cn; 92hao123.com; lian9.cn; 222q.cn; 
jj98.com; 73vv.com; mubanw.com; t262.com; x1258.cn; weishi66.cn; 
hao990.com; 68la.com; sowang123.cn; 3929.cn; 5665.cn; 81sf.com; 
kz123.cn; qq806.cn; ffwyt.com

Если пользователь находился на одном из следующих ресурсов, тогда троянец ищет определенные поля ввода, добавляет туда одну из ссылок:

http://www.sf***8.com/?Dll-WZ
http://www.sf***8.com/?Dll-BT
http://www.sf***8.com/index.html?Dll-BT
http://www.sf***8.com/index.html?Dll-WZ

после этого эмулирует нажатие "клавиши ввода".

Таким образом троянец выполняет обращение к ресурсам без ведома пользователя.

Trojan-GameThief.Win32.Nilage.ipj

Технические детали

Деструктивная активность

Рекомендации по удалению

kaspersky.ru

securelist.com