This Trojan opens different websites in the browser without the user's knowledge. It is a Windows dynamic library (PE DLL file). It is 40 448 bytes in size. It is written in Delphi.
When the following files are available, the Trojan launches them for execution:
In a separate thread the Trojan searches for the following windows class names:
IEFrame _____TTFrameWnd__101__ Maxthon2_Frame 360se_Frame
and the names of the child windows:
WorkerW ReBarWindow32 Address Band Root Edit ComboBoxEx32 ComboBox #32770 XTPDockBar XTPToolBar RichEdit20W XToolBar XWnd
This way the Trojan checks for browsers launched on the user's computer.
Depending on the found windows the Trojan can:
- Determine the process that belongs to this window class and then launch the browser process with one of the following parameters:
http://www.sf***8.com/?Dll-WZ http://www.sf***8.com/?Dll-BT http://www.sf***8.com/index.html?Dll-BT http://www.sf***8.com/index.html?Dll-WZ
- Check, whether the user is currently viewing one of the following pages:
iq123.com; yijidh.com; 250dh.cn; 223.la; kuku123.com; 930930.com; 9123.com; hao123e.com; 020.com; youxi777.com; 1616.net; 1188.com; urldh.com; daohang.la; pp55.com; 9605.com; 05505.cn; 7055.net; 0056.com; 6655.com; 1166.com; 5kip.com; 114xia.com; 265dh.com; 3567.com; 6565.cn; 666t.com; 9223.com; dduu.com; hao123.cn; 5snow.com; 2523.com; 5599.net; tt98.com; zhaodao123.com; kuhao123.com; 5151la.net; 6h.com.cn; zeibi.com; 6e8e.com; th123.com; 9991.com; hao123ol.com; wu123.com; t220.cn; ttver.net; 188HI.com; go2000.com; 5igb.com; bb2000.net; 9wa.com; qq5.com; 365j.com; 7345.com; 2760.com; 361la.com; haojs.com; 5zd.com; i8866.com; 100wz.com; 114hi.com; 234.la; 657.com; 339.la; 365wz.net; 7792.com; 9495.com; dazuimao.com; 71314.com; 265.com; gouwo.com; huai456.com; ku256.com; my180.com; 2522.cn; 405.cn; 44244.com; 111dh.com; 115ku.com; 13387.com; 163yes.com; 256s.com; 2676.com; 3355.net; 365lo.com; 4168.com; 4545.cn; 4688.com; 566.net; 5666.net; 5733.com; 6461.cn; 7356.com; 800186.com; 85851.com; asp51.com; 361dh.com; 5566.net; yulinweb.com; 6296.com.cn; mianfeia.com; ai1234.com; k369.com; msncn.com; ss256.com; min513.com; 88-888.com; lggg.cn; 7771.cn; leeboo.com; jjol.cn; 5566.com; 9166.net; hao253.com; 7b.com.cn; haoei.com; 77114.com; 21310.cn; weiduomei.net; kk3000.cn; 7241.cn; 44384.com; daohang1234.com; 131.cc; 223224.com; 537.com; 9348.cn; bju123.cn; i4455.com; jia123.com; 0666.com.cn; 553.la; 5566.org; 37021.com; 88488.com; 99986.net; 37021.net; k986.com; cc62.com; 5518.cn; 55620.com; 52416.com; 7357.cn; 8c8c.net; 9999q.com; 123shi123.com; yl234.cn; 3322.com; hao222.com; 6313.com; f127.com; 5599cn.cn; 99499.com; 2548.cn; 133.net; ie30.com; 8751.com; se:home; haidaowan.net; 160dh.com; 114115.com; 1322.cn; hh361.com; 2800.cc; 52daohang.com; 186.me; diyidh.com; zaodezhu.com; 7832.com; 3073.com; 2058.cc; 3456.cc; 7771.com; q6789.com; 7k.cc; dianzi88.com; 7802.com; xinbut.com; 59688.com; gjj.cc; youla.com; ok1616.com; i2345.cn; gg8000.com; daohang12345.cn; inina.cn; dowei.com; 1515.net; 41119.cn; 21230.cn; 97youku.com; fast35.net; m32.cn; tom155.cn; 668yo.com; online.cq.cn; shagua.cn; 007247.cn; 603467.cn; 197326.cn; wwwoj.cn; xp22.cn; 84022.cn; 520593.cn; 448789.cn; 141321.cn; 36gggg.cn; 427842.cn; niubihao123.cn; ovooo.cn; rtys520.net; rtxzw.com; uurenti.cc; bo.dy288.com; renti11.com; 123.cd; 336655.com; 9978.net; 520.com; 6l.cn; 420.cn; v989.com; 16551.com; 2tvv.com; m4455.com; mylovewebs.com; 5987.net; 7999.com; caipopo.com; wndhw.com; henku123.com; qu123.com; 94176.com; u526.com; haokan123.com; uusee.net; 9733.com; 173com; qnrwz.com; 999w.com; h935.com; 33250.com; tz911.net; 639e.com; 920xx.cn; 13393.com; tncdh.com; sou185.com; 3566.cc; 580so.com; 2001.cc; hnhao123.com; zz5.net.cn; abc123.name; ekan123.com; 1266.cc; hao123.cc; 126.cc; ie1788.com; 58daohang.com; 6dh.com; 991.cn; 114la.me; 1133.cc; ads8.com; haoz.com; jsing.net; 123.sogou.com; 3321.com; 1155.cc; hao123.com; hao123.net; 6700.cn; 168.com; uu881.com; 6264.cn; 606600.com; 2345.com; 5607.cn; 1111116.com; v7799.com; ie7.com.cn; 365t.cc; 89679.com; se:blank; 35029.com; 8d9a.cn; 400zm.com; 58816.com; 727dh.cn; hao123w.com; 114td.com; 28101.cn; 03336.cn; 79001.cn; 133132.com; 3434.com.cn; 828dh.cn; 64500.cn; 22q.cc; jj77.com; vvyy.net; ie567.com; 5d5e.com; 212dh.cn; 911g.cn; 1616.la; tomatolei.com; 96nn.com; 5543.com; 2288.org; 3322.org; 9966.org; 8800.org; 8866.org; 7766.org; 22409.com; se-se.info; 26043.com; 34414.com; gaoav1.info; 0558114.com; 3333dh.cn; zjialin.com; 22dao.com; soupay.com; langlangdoor.com; 99cu.com; 5555dh.cn; wang123.net; hxdlink; haaoo123.com; 3645.com; hao123q.com; tvsooo.com; gaituba.com; 45566.net; 2298.cn; iexx.com; dh115.com; 97sp.cn; 39r.cn; f8f8.cn; 391kk.cn; 266.cc; jysoso.net; wg510.cn; 114d.org; ie3721.com; 2142.cn; go2000.cc; go2000.cn; 99521.com; yeooo.com; haha123.com; hao.360.cn; 07707.cn; yy2000.net; 1111118.com; 26281.com; 960dh.cn; 300.cc; 163333333.com.cn; kz300.cn; i3525.cn; 67881.net; t2t2.net; mm4000.cn; 669dh.cn; k58n.com; haoha123.com; ab99.com; i2255.com; 054.cc; fffggqq.cn; k2345.net; vv33.com; tuku6.com; mmpp654.com; 228dh.cn; seibb.com; 14164.com; 552dh.cn; hao969.com; lalamao.com; 21225.cn; 5k5.net; 65630.cn; at46.cn; 98928.cn; ads.eorezo.com; 661dh.cn; 6320.com; henbianjie.com; xiushe.com; 5mqxmq.com; 989228.com; i8844.cn; g1476.cn; 4j4j.cn; 1777zzw5.com; 989228.cn; henbucuo.com; 886dh.cn; 2255.net; 160yes.com; u8s.cn; 16711.com; 626dh.cn; rfwow.cn; baiyici.cn; lalamao.cn; 136s.com; huhuyy.cn; 8diq.com; d2fs.cn; 0229.com; yy4000.com; 9934.cn; 3883.net; 151dh.com; 26dh.cn; kkwwxx.com; t67.net; 29dao.cn; 58ju.com; dnc8.net; yl177.com.cn; xj.cn; 950990.cn; 114.com.cn; xxxip.cn; 3628.com; 265.cc; 26.la; 5654.com; zg115.com; 969dh.cn; 111555.com.cn; pic.jinti.com; kk8000.com; wokaokao.cn; duoxxppmmkoo.com; kanlink.cn; 91youa.com; shinia.cn; pp9pp9.cn; ma80.com; 556dh.cn; bu4.cn; 8555.com; e23.la; flash678.cn; yy4000.cn; wo333.com; mv700.com; xcwhgx.cn; 3s11.cn; sp16888.com; k7k7.com; zzw5.com; okdianying.com; 789bb.com; antuoo.com; so06.com; 665532.cn; 7f7f.com; k261.com; fanbaidu.org.cn; iu888.cn; 977k.com; 93w.com; 68566.com.cn; zhidao163.cn; it958.cn; lx8000.cn; sc.cn; ucuc.cc; kkdowns.com; 189189.com; 0002.com; 4737.cn; 226dh.cn; bb115.cn; 06000.cn; u87.cn; sohao123.com; k887.com; hao602.com; t7t7.net; ku4000.cn; v6677.cn; hong666.com; 4000a.com; kk4000.cn; 7767.com; 11227.cn; u9u9.net; 28113.cn; rr55.com; a4000.cn; yunfujkw.cn; 886.com; 2800.cer.cn; zyyu.com; 49la.com; hi3000.cn; sogouliulanqi.com; 888ge.com; 00333.cn; 29wz.com; soso126.com; 180wan.com; kan888.com; 4929.cn; v2233.com; m345.cn; tt265.net; 18ttt.com; 153.cc; 00664.cn; gugogo.com; kk4000.com; 185b.com; uuent.com; 6666dh.cn; 25dao.com; shangla.com; 77177.cn; about:blank; haoq123.com; baiduo.org; lejiu.net; dianxin.cn; u7758.com; dao234.com; 85692.com; xiaosb.com; soso313.cn; 939dh.com; 85952.com; 31346.com; 71528.com; 788dh.com; 91695.com; 5566x.com; 131u.com; 1149.cn; 9281.net; my115.net; 4119.cn; 9m1.net; dh818.com; iehwz.com; wa200.com; hao234.cc; 6781.com; 652dh.com; 16811.com; zhongshu.net; 992k.com; 71628.com; 6701.com; diyou.net; iehao123.com; laidao123.com; yinfen.net; wz4321.com; shangqu.info; 5121.net; 668g.com; 51150.com; 53ff.com; dada123.com; you2000.com; 884599.cn; kuaijiong.com; 398.cn; 32387.com; 82vv.com; 09tao.com; 977dh.com; 598.net; 211dh.com; 9365.info; wblive.com; e722.com; v232.com; 7400.net; 62106.com; ll4xi.com; 3932.com; puZeng.com; 97199.com; 447.cc; 0749.com; 6656.net; niebai.com; 447.com; uuchina.net; hao123cn.info; dao666.com; 9813.org; 91kk.com; freedh.info; yidaba.com; 161111111.com; 009dh.com; qsxx.cn; geyuan.net; 8t8.net; xorg.pl; bij.pl; qqnz.com; srpkw.com; gggdu.com; baiduo.com; wys99.com; leilei.cc; 3633.net; fjta.com; so11.cn; 522dh.com; 9249.com; 3110.cn; 300cc.com; 7669.cn; 5c6.com; 7993.cn; 8336.cn; 03m.net; ou33.com; bv0.net; 163333333.cn; 45575.com; 2637.cn; skyhouse.com.cn; 98453.com; 65642.net; 776la.com; 256.CC; 114king.cn; yyyqq.com; huhu123.com; gyyx.cn; 2888.me; 4444dh.cn; 191pk.com; 118.com; 57xswz.com; how18.cn; sohu12333333.com; xz26.com; 654v.com; 280580.cn; fjgqw.com; 49558.cn; pp8000.cn; 265it.com; soolaa.com; 9899.cn; 18143.com; haoxyz.com; 4555.net; 10du.net; 528988.com; wahahaha123.com; c256.cn; chinaih.com; mnv.cn; 633dh.com; ncjxx.com; 51721.net; 556w.com; 114cc.net; 5go.com.cn; pp4000.com; 8844.com; dd335.cn; qu163.net; itwenba.cn; dou2game.cn; h220.com; neng123.com; pleoc.cn; 6006.cc; 987654.com; 39903.com; ddoowwnn.cn; 788111.com; zhidao001.com; 5hao123.com; 978.la; 135968.cn; bb112.com; r220.cn; 365kong.com; woainame.cn; okgouwu.cn; hao006.com; jipinla.com; 99467.com; wawamm.cn; qian14.cn; ip27.cn; 56dh.cn; 2966.com; game333.net; kukuwz.com; 1-xiu.cn; 92hao123.com; lian9.cn; 222q.cn; jj98.com; 73vv.com; mubanw.com; t262.com; x1258.cn; weishi66.cn; hao990.com; 68la.com; sowang123.cn; 3929.cn; 5665.cn; 81sf.com; kz123.cn; qq806.cn; ffwyt.com
If the user is viewing one of these pages, the Trojan searches for certain input fields and adds one of the following links to these input fields:
http://www.sf***8.com/?Dll-WZ http://www.sf***8.com/?Dll-BT http://www.sf***8.com/index.html?Dll-BT http://www.sf***8.com/index.html?Dll-WZIt then emulates pressing the "Enter" key.
This way the Trojan contacts resources without the user's knowledge.
If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
- Use Task Manager to terminate the Trojan process.
- Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
- Empty the Temporary Internet Files directory:
%Temporary Internet Files%
- Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).