VirusQQPass!tr.pws
Analysis
- Creates a mutex named mutouXXXXX to make sure that only one instance is running.
- Copies itself to the file undefinedProgram Filesundefined\Outlook Express\myqqbi.
- Drops the malicious DLL file undefinedProgram Filesundefined\Outlook Express\mqq.dll.
- Drops the BAT file delself.bat, which deletes the original virus file after executing.
- Adds the following registry entries:
HKLM\SOFTWARE\Classes\CLSID\{25E1EECB-E580-4032-97A2-A456D33820D1}
This enables the process explorer.exe to load mqq.dll automatically.
InProcServer32 = "undefinedProgram Filesundefined\Outlook Express\mqq.dll"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
{25E1EECB-E580-4032-97A2-A456D33820D1}
- Installs a hook procedure that monitors messages posted to QQ.exe in order to gather information, which it sends to the following URLs:
- http://jump.{REMOVED}.com/clienturl_simp_17?clientuin=
- http://gb.{REMOVED}.com/hall/money/acc01.shtml
- http://paycenter.{REMOVED}.com/cgi-bin/showopenservice.cgi?service_type=qqshow
- http://pass.{REMOVED}.com/cgi-bin/ssoindex
- http://my.{REMOVED}.com/cgi-bin/portal/showlogin.cgi
- http://www.{REMOVED}.cn/
Recommended Action
-
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
Telemetry
Detection Availability
| FortiGate | |
|---|---|
| Extended | |
| FortiClient | |
| FortiMail | |
| FortiSandbox | |
| FortiWeb | |
| Web Application Firewall | |
| FortiIsolator | |
| FortiDeceptor | |
| FortiEDR |