"Online Banking Thief II" technical analysis report
Virus name: Trojan/Keylog.dingxa
Virus type: Trojan
Virus size: 16284 bytes
Spread mode: Network
Packer: Aspack

On June 2, 2004, a new variant of "Online Banking Thief" was intercepted. The Trojan steals the account numbers, passwords and verification codes of almost every online bank currently operating in China and sends them to the virus author. It differs from Trojan/Psw.hidwebmon, intercepted in April: it targets many more banks and has the widest reach seen so far, which not only causes losses to infected users but also poses a greater security threat, and a crisis of trust, for every online bank involved.

The specific technical characteristics are as follows:

1. After the virus runs, the online banking pages it steals from (identified by their IE window titles) include:
   UnionPay payment gateway -> Implement payment; UnionPay payment gateway
   Industrial and Commercial Bank of China new-generation online banking; Industrial and Commercial Bank of China online banking; Industrial and Commercial Bank online payment; Apply for Peony credit card
   China Merchants Bank Personal Bank; China Merchants Bank Netcom: Personal Online Bank
   China Construction Bank Online Bank: Log in to Personal Online Banking; China Construction Bank; China Construction Bank Online Bank
   Bank of China Online Bank (two title variants)
   Shenzhen Development Bank Account Query System; Shenzhen Development Bank | Personal Bank; Shenzhen Development Bank | Personal User Application Form; Shenzhen Development Bank
   Minsheng Net personal homepage; Minsheng Bank
   Online Bank - Personal Ordinary Business (Huaxia Bank); Huaxia Bank
   Shanghai Bank Enterprise Online Bank; Shanghai Bank
   Capital Electronic Mall Merchant Management Platform; Capital Electronic Mall Merchant Management
   China Online Payment Network: iPay Online Payment Center; China Online Payment Network Merchants
   China Merchants Bank Online Payment Center; China Merchants Bank Online Payment; Personal Online Banking
2. It creates the following file on the infected computer: %systemdir%\svch0st.exe, 16284 bytes, the virus itself (note the digit zero in the name, a lookalike of the legitimate svchost.exe).
3. It creates the following registry values:
   "svch0st.exe" = "%systemdir%\svch0st.exe"
   "Taskmgr" = "%systemdir%\svch0st.exe" (the same path also appears as "%systemdir%\SVCH0ST.EXE")
4. While running, the virus watches the IE window title bar. As soon as it sees an online banking page belonging to one of the banks listed above, it starts recording keystrokes. The keys it records include: AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz 1!2@3#4$5%6^7&8*9(0) {BackSpace} {Tab} {Enter} {Shift} {Ctrl} {Alt} {Pause} {Esc} {Space} {End} {Home} {Up} {Right} {Left} {Down} {Insert} {Delete} ; : = , < - _ . > / ? ` ~ ] [ { / | ] } ' {Del} {F1} {F2} {F3} {F4} {F5} {F6} {F7} {F8} {F9} {F10} {F11} {F12} {NumLock} {ScrollLock} {PrintScreen} {PageUp} {PageDown}
5. After intercepting the keystrokes, the virus sends the captured information to a specified URL of the form http://*****.com/****/get.asp.
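The following host-triage script is an added example, not part of this report and not a vendor tool. It checks the indicators the report lists (the svch0st.exe file name and size, the autostart value, the monitored bank window titles and the get.asp exfiltration path) against constructed sample data so that it runs offline; on a real host you would feed it a listing of %systemdir%, an export of the Run key and a proxy log. The lookalike check generalises the report's svch0st.exe case to other digit-for-letter substitutions (1 for l, 5 for s), which is an assumption beyond what the report states, and the English title markers stand in for the Chinese originals that an IE caption would actually carry.

```python
"""Host triage for the Trojan/Keylog.dingxa indicators (added example)."""
import ntpath

# Indicators taken from the report
DROPPED_FILE = "svch0st.exe"   # digit zero: lookalike of the legitimate svchost.exe
DROPPED_SIZE = 16284           # bytes
AUTORUN_VALUE = "svch0st.exe"  # Run-key value name the trojan registers
EXFIL_SUFFIX = "/get.asp"      # host and directory are redacted in the report

# Window-title fragments that switch the keylogger on (English renderings as
# given in the report; real captions are the Chinese originals).
BANK_TITLE_MARKERS = (
    "unionpay payment gateway", "industrial and commercial bank",
    "china merchants bank", "china construction bank", "bank of china",
    "shenzhen development bank", "minsheng", "huaxia bank", "shanghai bank",
    "capital electronic mall", "china online payment network", "ipay",
)

# Assumption: the same digit-for-letter trick may be used beyond 0 -> o.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "5": "s"})


def is_svchost_lookalike(name):
    """True when the basename is not svchost.exe but becomes it once homoglyphs are undone."""
    base = ntpath.basename(name).lower()
    return base != "svchost.exe" and base.translate(_HOMOGLYPHS) == "svchost.exe"


def _exe_from_cmdline(cmd):
    """Return the executable path from a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0] if cmd else ""


def scan_system_dir(listing):
    """listing: iterable of (filename, size_in_bytes) from %systemdir%."""
    findings = []
    for fname, size in listing:
        if is_svchost_lookalike(fname):
            exact = fname.lower() == DROPPED_FILE and size == DROPPED_SIZE
            findings.append(("file", fname, "exact match" if exact else "lookalike name"))
    return findings


def scan_run_key(values):
    """values: dict of Run-key value name -> command line."""
    findings = []
    for vname, data in values.items():
        if vname.lower() == AUTORUN_VALUE or is_svchost_lookalike(_exe_from_cmdline(data)):
            findings.append(("autorun", vname, data))
    return findings


def keylogger_would_trigger(window_title):
    """Mirror the trojan's trigger: any monitored bank title fragment in the IE caption."""
    title = window_title.lower()
    return any(marker in title for marker in BANK_TITLE_MARKERS)


def scan_http_log(lines):
    """lines: 'proc=<exe> url=<url>' records; flag get.asp requests from a lookalike process."""
    hits = []
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        url = fields.get("url", "")
        if url.split("?")[0].lower().endswith(EXFIL_SUFFIX) and is_svchost_lookalike(fields.get("proc", "")):
            hits.append(url)
    return hits


# Constructed sample data (sizes of the legitimate files are made up for the demo)
SAMPLE_SYSTEMDIR = [("svchost.exe", 8448), ("svch0st.exe", 16284), ("notepad.exe", 50960)]
SAMPLE_RUN_KEY = {
    "svch0st.exe": r"C:\WINNT\system32\svch0st.exe",
    "ctfmon.exe": r"C:\WINNT\system32\ctfmon.exe",
}
SAMPLE_HTTP_LOG = [
    "proc=iexplore.exe url=http://www.example.invalid/index.htm",
    "proc=svch0st.exe url=http://*****.com/****/get.asp?k=abc",
]

if __name__ == "__main__":
    for finding in scan_system_dir(SAMPLE_SYSTEMDIR) + scan_run_key(SAMPLE_RUN_KEY):
        print("FINDING:", finding)
    for url in scan_http_log(SAMPLE_HTTP_LOG):
        print("EXFIL:", url)
    print("trigger:", keylogger_would_trigger("China Merchants Bank Personal Bank - Microsoft Internet Explorer"))
```

The file and Run-key checks are the ones worth automating across a fleet; the title check is only a model of the trojan's own logic, useful for deciding which users to ask about recent online-banking sessions once a host is confirmed infected.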