Track "Horse" Thia - Analysis of Trojans from Trojans

zhaozj | 2021-02-16 | 76

An article from two years ago, reposted here to fill the page.

----------------------

Track "Horse" Thia - Analysis of Trojans from Trojans

(Author: mikespook | Date: 2002-12-25 | Views: 545)

Keywords: Base64, QQ, Trojan

Prequel: This article is only a guide for rookies like me. Here I want to thank Xiaojin (LK007) for his help.

I got up in the morning and received a text message from my girlfriend saying her QQ had been stolen. When I heard it I thought, does this still happen? While I was comforting her it sank in: they actually stole from my lazy cat! I asked her for the details over the phone, and my guess was that it was a Trojan. Thinking it over, I remembered that two days earlier she had received a "My Photo Flash" message with an attachment. Well, it seems the only way to catch this "horse" thief is to start from that email.

I pulled the little "horse" down and opened it in an editor. Searching through it, I found two executable file headers inside a single executable. Obviously this was something tied together by a bundler. Looking further down... eh? There were records like this:

// Note: I have modified these contents, they are not the original; if you decode them I'm afraid you'll just get a pile of garbage ^@^
mima_wenjian: zt4 =
Fuwuqi: c810ac4xbjupy14v
jieshou_youxiang: umpyqpy14vju =
YONGHU_MINGHU_MIMA: ==
mysmtp_biaozhi: ysc =
fasong_zhuti: wfhywfg =
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

At a glance, this is the Trojan's configuration record. Well, it seems this is the only place to start from. Obviously the information is encrypted. What to do? What is this? I had no idea where to begin......... Later I asked around, and Xiaojin said it might be Base64 encoding; it looked very much like it. Then I saw the word "Base64" in the data segment of the Trojan file. Is it really Base64 encoding? Would the author really use something this simple? Well, there was no other lead, so I treated the dead "horse" as a live one and played "horse" doctor. I looked up how Base64 encoding works: "when the number of bytes is not enough, use '=' to make up." Well, it looks like ten to one this is Base64 encoding. I tried it and decoded everything. Haha, out it came: user name, server, email subject, receiving mailbox... the list went on.

The only thing that would not come out was the user's password. It seems the user's password is not as simple as the rest. That's another snag. Well, what Trojan is this anyway? I opened the Trojan file, carefully observed the data segment, and found the strings "PSSS6.5", "WinPlo.exe" and "MSRead.dt" in it; I suspect these are data from the Trojan bundled inside. Off to Black and White to search. On Black and White, the first QQ tool in the ranking was a program called "QQPass598", nicknamed "QQ killer". "QQ killer"? Off to the author's homepage. Haha, so that's it: pass 6.5 is the new version, which the author put on Black and White in October. I grabbed this "QQ killer", configured several Trojan files with it, and compared them to the bundled file. It is indeed the same Trojan!!! OK, now I know what the Trojan is, but how is the password encrypted? Helpless; I'll just have to keep trying, and let this "horse" live a while longer.

Please credit the original source when reposting: https://www.9cbs.com/read-20341.html
