"Miracle World Account Stealer" (Win32.Troj.Suicide.xx.10528): This is an account-stealing Trojan. After execution, it generates virus files in the system directory and adds startup items for the virus. The virus will monitor user processes in real time. When it detects a "Miracle World" process, it performs malicious operations.
"Random Trojan 94250" (Win32.Troj.Winko.u.94250): This is a variant of a Trojan that generates random 8-digit filenames. After execution, it creates a random 8-digit file in the system folder and registers a service with a random 8-digit name to ensure auto-start on boot. It then injects into the desktop process, monitors QQ processes and windows, stealing users' QQ numbers and passwords. Additionally, the virus releases USB drive viruses on each partition, modifies the registry to disable the display of hidden files, and downloads a large number of virus files from remote servers to install on the local computer.
---
**I. "Miracle World Account Stealer" (Win32.Troj.Suicide.xx.10528) Threat Level: ★**
This virus is an account-stealing Trojan. After successful execution, it self-deletes the original virus file so that the user cannot locate it. It also generates two virus files in the system's temporary folder: IntelX86.dll and IntelX86.exe. The names are chosen to look like legitimate system files, but the files can be identified as viruses because they are not located in the system32 folder. The virus automatically modifies startup settings so that it runs when the system starts. Once running, it injects into the explorer.exe process and monitors all active processes. Upon detecting the sungame.exe process, it reads that process's memory to intercept the user's "Miracle World" account information.
The stolen information is transmitted via IntelX86.dll in the temporary folder to the following websites: http://www.*****.net/sun/04/lin.asp and http://www1.*****.com/aiya/sun/zong/lin.asp, allowing the attacker to successfully steal the user's online game credentials, resulting in the loss of virtual property.
**II. "Random Trojan 94250" (Win32.Troj.Winko.u.94250) Threat Level: ★**
The most distinctive feature of this virus is that its generated filenames consist of random 8-digit numbers, making it difficult for users to identify the virus files. These files are created in the %system32% directory, and autorun viruses (auto.exe and autorun.inf) are generated on each disk partition, both of which have hidden attributes. The virus also adds services to the registry, ensuring it starts alongside system services when the system boots. It maliciously alters the system's hidden file settings, preventing users from locating the virus files. Double-clicking any disk drive triggers the virus. When the virus activates, it injects a randomly named DLL into the explorer.exe system process to monitor all open processes. If a QQ process is detected, it performs theft operations.
The virus also reads remote text files, downloading additional malware based on the paths specified in these files onto the user's machine. Finally, the virus spreads via USB drives. Any USB drive connected to an infected machine becomes a new infection source, spreading the virus further.
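
The following is an added example, not part of the original bulletin: it checks a host for the file artifacts described in both entries (IntelX86.dll and IntelX86.exe in the temporary folder, 8-digit filenames in the system folder, and the auto.exe/autorun.inf pair on drive roots). The function names, the reading of "8-digit" as eight decimal digits, and the autorun.inf contents in the sample are assumptions, and the sample directory tree is constructed.

```python
import re
import tempfile
from pathlib import Path

TEMP_DROPS = {"intelx86.dll", "intelx86.exe"}  # names from the write-up
ROOT_DROPS = {"auto.exe", "autorun.inf"}       # names from the write-up
# Assumption: "random 8-digit" means eight decimal digits before the extension.
EIGHT_DIGITS = re.compile(r"^\d{8}\.(exe|dll)$", re.IGNORECASE)

def autorun_targets(inf_path):
    """Programs an autorun.inf tells Explorer to launch (open, shellexecute, shell verbs)."""
    targets = []
    for line in inf_path.read_text(encoding="latin-1").splitlines():
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if sep and (key in ("open", "shellexecute") or key.endswith("\\command")):
            targets.append(value.strip())
    return targets

def triage(temp_dir, system_dir, drive_roots):
    """Return (kind, detail) findings; iterdir() also lists hidden-attribute files."""
    findings = []
    for p in sorted(Path(temp_dir).iterdir()):
        if p.is_file() and p.name.lower() in TEMP_DROPS:
            findings.append(("temp-drop", p.name))
    for p in sorted(Path(system_dir).iterdir()):
        if p.is_file() and EIGHT_DIGITS.match(p.name):  # heuristic: review each hit
            findings.append(("8-digit-name", p.name))
    for root in map(Path, drive_roots):
        present = {p.name.lower(): p for p in root.iterdir() if p.is_file()}
        if ROOT_DROPS.issubset(present):
            findings.append(("autorun-pair", root.name))
        if "autorun.inf" in present:
            findings += [("autorun-target", t) for t in autorun_targets(present["autorun.inf"])]
    return findings

def constructed_sample(base):
    """Build a constructed tree standing in for Temp, system32 and one drive root."""
    inf = "[autorun]\nopen=auto.exe\nshell\\open\\Command=auto.exe\n"  # constructed contents
    layout = {"temp/IntelX86.dll": "", "temp/IntelX86.exe": "", "temp/notes.txt": "",
              "sys/48201937.dll": "", "sys/kernel32.dll": "", "d/auto.exe": "", "d/AutoRun.inf": inf}
    for rel, body in layout.items():
        path = Path(base, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return Path(base, "temp"), Path(base, "sys"), [Path(base, "d")]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        print(triage(*constructed_sample(base)))
```

On a real host, pass the user's temporary folder, the system32 directory and the root of every mounted partition, including removable drives.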