For foreign antivirus vendors that still don't detect it after you submit the sample, paste the following into the description:
- Recently, we discovered a plug-in program disguised as a virus, which will collect and return private data for the majority of gamers, including files with pornography-related keywords and files with keywords such as passwords, account numbers, address books, notes, etc. The types of files collected include documents, pictures, videos, etc. Homepages related to the malicious program are: http://www.qqfzn.com/, http://www.qqfz95.com/, etc., and the C&C servers of the malicious program are: http://www.bseas.com/, etc.
- Through analysis, it is found that the creator of the Trojan horse program will blacklist any QQ number through cloud control and delete a large number of its files.
- After analysis, it is found that the module includes cloud-controlled file-upload and file-deletion logic. When the user uses the software, the specified files will be uploaded according to the configuration (the upload switch is not turned on yet). At the same time, when the user's QQ number or point card number is in the blacklist configured by the virus, the disk will be traversed to delete the user's files.
- The virus will request configuration from the C&C server (http://www.bseas.com/sm/qb6/k.xml), which contains information such as upgrade, blacklist, upload file configuration and so on.
- The virus obtains the logged-in QQ number on the user's machine by traversing the QQ UserDataSavePath directory. If the user's QQ account or point card number is in the blacklist, the virus will traverse the disk and delete all files except those with the extensions .exe, .dll, .sys, .ini, .txt, .db, .lnk and .log, or with the extensions listed in the fileextp field of the configuration file.
- In addition, the malicious program will traverse files for upload by extension according to the fileext and fileext2 fields of the upload configuration: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .jpg, .txt, .zip, .rar, .mp4, .wmv and .mpeg files (and the uploaded file must be smaller than 16M). The tryflag field is the switch for attempting to upload user files. After analysis, it is found that this switch is currently turned off.
- When a file is uploaded, the malicious code will determine whether the file name contains the specified keywords (yeskey is the keyword list for files to upload, and nokey is the keyword list for files whose upload is prohibited).
This is what I did with Kaspersky, and now they have replied to me saying:

Hello,
Thank you for your inquiry to Kaspersky Lab.
Your request is being processed.
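For anyone checking their own network for this thing, here is a small added example (my own code, not part of the post above or any vendor's analysis) that scans proxy-log lines for the domains and config URL named in the description and flags config fetches and POSTs that fit the stated upload size limit. The log layout is an assumed, constructed one (timestamp, client IP, method, URL, status, request bytes); adjust the regex to your proxy's format.

```python
import re
from urllib.parse import urlparse

# Indicator domains taken from the post (matched with any subdomain, e.g. www.).
HOMEPAGE_DOMAINS = ("qqfzn.com", "qqfz95.com")
C2_DOMAINS = ("bseas.com",)
CONFIG_PATH = "/sm/qb6/k.xml"          # config URL named in the post
MAX_UPLOAD_BYTES = 16 * 1024 * 1024    # post: uploaded files must be smaller than 16M

# Assumed proxy-log layout (constructed for this example, not a real product's):
#   <timestamp> <client-ip> <method> <url> <status> <request-bytes>
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)\s+(\d{3})\s+(\d+)$")

def _matches(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def classify(line):
    """Return (verdict, client, url) for a suspicious line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, client, method, url, _status, req_bytes = m.groups()
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if _matches(host, C2_DOMAINS):
        if parsed.path == CONFIG_PATH:
            return ("c2-config-fetch", client, url)       # k.xml download
        if method == "POST" and 0 < int(req_bytes) < MAX_UPLOAD_BYTES:
            return ("possible-file-upload", client, url)  # body fits the size limit
        return ("c2-contact", client, url)
    if _matches(host, HOMEPAGE_DOMAINS):
        return ("plugin-homepage-contact", client, url)
    return None

def scan(lines):
    """Run classify() over an iterable of log lines and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (not real traffic; the upload path is made up).
SAMPLE_LOG = """\
2019-01-01T10:00:00 10.0.0.5 GET http://www.example.com/index.html 200 0
2019-01-01T10:00:05 10.0.0.5 GET http://www.bseas.com/sm/qb6/k.xml 200 0
2019-01-01T10:01:00 10.0.0.5 POST http://www.bseas.com/constructed/upload 200 524288
2019-01-01T10:02:00 10.0.0.7 GET http://www.qqfz95.com/ 200 0
2019-01-01T10:03:00 10.0.0.5 GET http://www.bseas.com/favicon.ico 404 0
"""

if __name__ == "__main__":
    for verdict, client, url in scan(SAMPLE_LOG.splitlines()):
        print(f"{verdict:24} {client:10} {url}")
```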