Trojan.PSW.Win32.XYOnline.acd
Jun 06, 2008 - RISING
Name: Trojan.PSW.Win32.XYOnline.acd
Warning level: Dangerous
Detection Date: Mar 10, 2008
Description Date: Mar 28, 2008
Behavior: Trojan.PSW
Affected System: Windows XP/NT/Server 2003/2000
Spreading: Medium
Damage: Low
Effected RISING: 20.35.10
 
Technical Details:
This is an account-information-stealing virus. It steals the account name and password of XYOnline II. The main program and the dll of this virus are written in C and packed with UPX as protection. After the virus starts up, it performs the following operations:
1. Drops the following files:
%system32%\msosdohs00.dll
%system32%\drivers\msosfpids32.sys
2. Adds the following information to the registry and system files so that it starts with the system.
To the registry:
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
"AppInit_DLLs" = MSOSDOHS00.DLL
(2) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fpids32
"DisplayName" = fpids32
"ImagePath" = \??\%SYSTEM%\DRIVERS\MSOSFPIDS32.SYS
3. Searches for avp.exe and terminates it.
4. Injects the dll into explorer.exe.
5. Loads the msosfpids32.sys driver.
The dll component of the virus performs the following operations:
1. Searches for anti-virus software processes and terminates them from separate threads.
2. Searches for xy2.exe and injects itself into it, then steals the account name and password by scanning the process memory.
3. Communicates with the virus driver, which protects the dll in this way.
4. Injects the virus into the IE process and sends the recorded account information out over HTTP, bypassing firewall protection.
The sys component of the virus performs the following operation:
Hooks the ZwQueryDirectoryFile function through the SSDT in order to hide the virus files from directory listings.
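The two persistence entries and the dropped file names above are the artefacts a responder can check for offline. The following script is an added example, not Rising's tooling: it parses a constructed registry export (a sample made up here in the format of "reg export") and a collected list of file paths and reports which of the indicators from this description are present.

```python
import re

# Indicators copied from the Rising description above (matched case-insensitively).
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fpids32"
DLL_NAME, DRIVER_NAME = "msosdohs00.dll", "msosfpids32.sys"

# Constructed sample of what a "reg export" from an infected machine could look like.
SAMPLE_EXPORT = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="MSOSDOHS00.DLL"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fpids32]
"DisplayName"="fpids32"
"ImagePath"="\\??\\%SYSTEM%\\DRIVERS\\MSOSFPIDS32.SYS"
'''

def parse_reg_export(text):
    """Minimal .reg parser: {key (lower-cased): {value name (lower-cased): string data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        key = re.fullmatch(r"\[(.+)\]", line)
        if key:
            current = key.group(1).lower()
            keys.setdefault(current, {})
            continue
        val = re.fullmatch(r'"([^"]+)"="(.*)"', line)
        if val and current is not None:
            # .reg files escape backslashes inside string data as \\
            keys[current][val.group(1).lower()] = val.group(2).replace("\\\\", "\\")
    return keys

def check_persistence(reg_text):
    """List which of the advisory's two persistence artefacts appear in a registry export."""
    findings, keys = [], parse_reg_export(reg_text)
    appinit = keys.get(APPINIT_KEY.lower(), {}).get("appinit_dlls", "")
    # AppInit_DLLs is a comma/space separated list loaded into every process that maps
    # user32.dll, which is how the dll reaches explorer.exe and the IE process.
    loaded = [d.lower() for d in re.split(r"[,\s]+", appinit) if d]
    if any(d.endswith(DLL_NAME) for d in loaded):
        findings.append(f"AppInit_DLLs loads {DLL_NAME}")
    svc = keys.get(SERVICE_KEY.lower())
    if svc is not None and svc.get("imagepath", "").lower().endswith(DRIVER_NAME):
        findings.append(f"service fpids32 loads driver {DRIVER_NAME}")
    return findings

def check_dropped_files(paths):
    """Return the advisory's dropped-file names that occur in a collected list of paths."""
    names = {p.replace("/", "\\").lower().rsplit("\\", 1)[-1] for p in paths}
    return sorted(n for n in (DLL_NAME, DRIVER_NAME) if n in names)
```

Because the driver hooks ZwQueryDirectoryFile to hide its files, a directory listing taken on the running infected system may omit them; collect the path list and the registry hives from boot media or a mounted offline disk.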
 
Anti-virus experts suggest that computer users take the following measures to protect against this virus:
1. Install Rising Anti-virus and a personal firewall, and update them promptly, at least 3 times per day for Rising.
2. Use Rising Vulnerability Check and patch your computer system in a timely manner, as many viruses spread by taking advantage of system exploits or vulnerabilities.
3. Do not browse suspicious websites or install suspicious plug-ins; turn off or delete unnecessary system services.
4. Do not accept suspicious files from QQ, MSN, Email, etc.
5. Turn on the auto-protect and auto-monitor functions when accessing the internet.
6. Put your account information for online banking, online games, QQ, etc. under Rising Application Protection, which protects specified applications from attack by malicious programs. A user can apply rules to game software, instant messengers, etc. to customize protection.
 