Technical details
A Trojan program that opens various web pages in the browser without the user's knowledge. The program is a Windows dynamic-link library (PE DLL file). It is 40448 bytes in size and is written in Delphi.
Destructive activity
If the following files are present, the Trojan runs them:
C:/EEQQ/QQE.exe
C:/EEQQ/EEQ.exe
In a separate thread, the Trojan searches for windows with the following class names:
IEFrame
_____TTFrameWnd__101__
Maxthon2_Frame
360se_Frame
and for child windows with the following class names:
WorkerW
ReBarWindow32
Address Band Root
Edit
ComboBoxEx32
ComboBox
#32770
XTPDockBar
XTPToolBar
RichEdit20W
XToolBar
XWnd
In this way the Trojan checks whether any browsers are running on the user's computer.
Depending on the windows found, the Trojan can:
- Determine the process that owns the window class, then launch the browser process with one of the following parameters:
http://www.sf***8.com/?Dll-WZ
http://www.sf***8.com/?Dll-BT
http://www.sf***8.com/index.html?Dll-BT
http://www.sf***8.com/index.html?Dll-WZ
- Check whether the user was on one of a list of several hundred web resources (domains):
If the user was on one of these resources, the Trojan searches for particular input fields and enters one of the following links into them:
http://www.sf***8.com/?Dll-WZ
http://www.sf***8.com/?Dll-BT
http://www.sf***8.com/index.html?Dll-BT
http://www.sf***8.com/index.html?Dll-WZ
and then emulates pressing the Enter key.
In this way the Trojan accesses resources without the user's knowledge.
Removal recommendations
If your computer was not protected by an antivirus and has been infected with this malicious program, take the following steps to remove it:
- Terminate the Trojan's process using Task Manager.
- Delete the original Trojan file (its location on the infected computer depends on how the program got onto the computer).
- Clear the Temporary Internet Files folder.
- Run a full scan of the computer with Kaspersky Anti-Virus with updated antivirus databases (download a trial version).
Source: securelist.com.
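A defender-side check that follows from the behaviour described above, added here as an example and not part of the original report: it scans constructed process-creation records for execution of the companion files and for a browser launched with one of the beacon URLs, and scans constructed proxy/history lines for the same URL marker. The beacon host is masked on the page, so the regex keys on the `?Dll-WZ` / `?Dll-BT` markers; the Sysmon-style record layout and the sample data are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Indicators from the description above. The host is masked on the page ("sf***8.com"),
# so matching keys on the path/query marker the Trojan appends rather than the domain.
BEACON_URL = re.compile(r"https?://[^\s/]+/(?:index\.html)?\?Dll-(?:WZ|BT)(?![\w-])",
                        re.IGNORECASE)
# Companion files the Trojan executes if present (the page writes them with forward
# slashes; paths are normalised before comparison).
COMPANION_FILES = {r"c:\eeqq\qqe.exe", r"c:\eeqq\eeq.exe"}

@dataclass
class ProcessEvent:
    """Minimal stand-in for a Sysmon/EDR process-creation record (constructed)."""
    pid: int
    image: str          # full path of the started executable
    command_line: str

def check_event(ev: ProcessEvent) -> List[str]:
    """Return the findings for one process-creation event."""
    findings = []
    if ev.image.replace("/", "\\").lower() in COMPANION_FILES:
        findings.append(f"pid {ev.pid}: execution of companion file {ev.image}")
    # The Trojan starts the detected browser with the beacon URL as its argument, so a
    # process whose command line carries that URL is suspicious whichever browser it is.
    m = BEACON_URL.search(ev.command_line)
    if m:
        findings.append(f"pid {ev.pid}: started with beacon URL {m.group(0)}")
    return findings

def check_url_log(lines: List[str]) -> List[str]:
    """Flag proxy/history lines carrying the beacon URL. This covers the address-bar
    injection path, where the browser itself performs the request."""
    return [ln for ln in lines if BEACON_URL.search(ln)]

# Constructed sample data for a stand-alone run.
SAMPLE_EVENTS = [
    ProcessEvent(1204, r"C:\Program Files\Internet Explorer\iexplore.exe",
                 '"iexplore.exe" http://www.sf***8.com/?Dll-WZ'),
    ProcessEvent(1310, r"C:\EEQQ\QQE.exe", "QQE.exe"),
    ProcessEvent(1422, r"C:\Windows\explorer.exe", "explorer.exe"),
]
SAMPLE_LOG = ["10.0.0.5 GET http://www.sf***8.com/index.html?Dll-BT 200",
              "10.0.0.5 GET http://www.example.com/index.html 200"]

if __name__ == "__main__":
    print(*(f for ev in SAMPLE_EVENTS for f in check_event(ev)), sep="\n")
    print(*("beacon request: " + ln for ln in check_url_log(SAMPLE_LOG)), sep="\n")
```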