QQHelper.Z Trojan Found

Name: Trj/QQHelper.Z
Threat Danger Level: Medium
Type: Trojan
Effects: It uses several rootkits in order to make its detection more difficult, as they hide the files, processes and registry entries belonging to the Trojan. It adds a link to a Chinese website in the Favorites section of Internet Explorer. It does not spread automatically by its own means.
Platforms: Windows 2003/XP/2000/NT/ME/98/95
Detected on: March 31, 2008

Technical Details:

It adds a link to a Chinese website in the Favorites section of Internet Explorer. The following image is a screen capture of the website:

[Screen capture: QQHelper.Z website]

It connects to a website in order to download a file called logo.jpeg, which in turn downloads two rootkits onto the affected computer. These rootkits make the presence of the Trojan more difficult to detect, as they hide the files, processes and registry entries belonging to it.

QQHelper.Z creates the following files:

TEMPAQ, in the Windows directory.
7S2WCAML.DLL, in the Windows system directory.

It also creates two randomly named files with the .sys extension in the drivers folder of the Windows folder. These files belong to the two rootkits used by the Trojan to hide its files, processes and registry entries in order to make its detection more difficult.

QQHelper.Z creates the following entries in the Windows registry:

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IE4" Main = %random characters%
"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\%rootkit 1%"
"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\%rootkit 2%"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%rootkit 1%"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%rootkit 2%"

Where %rootkit 1% and %rootkit 2% are the random names of the two rootkits used by QQHelper.Z.
By creating these entries, the two rootkits register themselves as services (the Services keys are where Windows reads driver and service definitions at boot). This way they ensure that they are run whenever Windows is started.
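The following PowerShell triage script is an added example, not part of the original write-up or of any vendor tool. It performs read-only checks for the artifacts listed above: the two dropped files, the IE4\Main value, kernel-driver services under CurrentControlSet\Services whose binary is an unsigned (or missing) .sys in the drivers folder, and the Internet shortcuts in the Favorites folder. The output format and the choice of checks are my own assumptions; the file and registry names come from the description.

```powershell
# Added triage script (not from the original page). Read-only checks for the
# artifacts described for QQHelper.Z; paths and output format are assumptions.
$findings = @()

# 1. Dropped files named in the description.
$paths = @(
    (Join-Path $env:windir 'TEMPAQ'),
    (Join-Path $env:windir 'system32\7S2WCAML.DLL')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# 2. The IE4 registry value the Trojan writes ('Main' = random characters).
$ie4 = 'HKLM:\SOFTWARE\Microsoft\IE4'
if (Test-Path $ie4) {
    $main = (Get-ItemProperty -Path $ie4 -ErrorAction SilentlyContinue).Main
    if ($main) { $findings += "IE4\Main value set: $main" }
}

# 3. Kernel-driver services (Type 1 = SERVICE_KERNEL_DRIVER) whose ImagePath is a
#    .sys in the drivers folder. A random name alone proves nothing, so the
#    Authenticode check is what separates a suspect entry from a legitimate driver.
$driverDir = Join-Path $env:windir 'system32\drivers'
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($svc.Type -ne 1 -or -not $svc.ImagePath) { return }
    # Driver ImagePaths are often relative ("system32\drivers\x.sys") or use the
    # \??\ or \SystemRoot\ prefixes; normalise them to a plain Win32 path.
    $img = $svc.ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:windir\"
    if ($img -notmatch '^[A-Za-z]:\\') { $img = Join-Path $env:windir $img }
    if ($img -notlike "$driverDir\*") { return }
    if (-not (Test-Path -LiteralPath $img)) {
        # A service whose file is not visible is itself a hint that something hides it.
        $findings += "Driver service $($_.PSChildName) points to missing file $img"
        return
    }
    $sig = Get-AuthenticodeSignature -FilePath $img
    if ($sig.Status -ne 'Valid') {
        $findings += "Unsigned/invalid driver: $($_.PSChildName) -> $img ($($sig.Status))"
    }
}

# 4. Favorites: list every Internet shortcut and its target so an unexpected entry stands out.
$fav = [Environment]::GetFolderPath('Favorites')
Get-ChildItem -Path $fav -Filter *.url -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $line = Get-Content -LiteralPath $_.FullName | Where-Object { $_ -like 'URL=*' } | Select-Object -First 1
    $findings += "Favorite: $($_.Name) -> $($line -replace '^URL=', '')"
}

if ($findings.Count -eq 0) {
    'No QQHelper.Z artifacts visible from this session.'
} else {
    $findings
}
```

Because the two rootkits hide their own files, processes and registry entries from the running system, a clean result from this script on a live machine is not conclusive; the same checks are far more trustworthy when the disk and registry hives are examined from boot media or another clean system, where the rootkit drivers are not loaded.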

QQHelper.Z is written in the Visual C++ language. This Trojan is 20,480 bytes in size.

If you have any questions about other viruses or any malware, please contact us @ Dietrevers@gmail.com
