附:AVG中国区实验室对其关键行为的分析:
1.枚举windows窗口,通过检查窗口类名是否匹配“Internet Explorer_Server”来查找IE浏览器
2.找到IE浏览器之后,从Oleacc.dll中获得ObjectFromLresult函数,然后注册一个WM_HTML_GETOBJECT消息,该消息用来获得网页中星号密码框中的密码
3.注册消息后,该病毒会循环判断当前网页地址中是否包含如下地址:
• https://cashier.alipay.com/home/error.htm?errorCode=SYSTE
• https://cashier.alipay.com/standard/result/rnPaymentResul
• https://b2c.icbc.com.cn/servlet/ICBCINBSEBusinessServlet
• netpay.cmbchina.com/netpayment/BaseHttp.d
• https://ibsbjstar.ccb.com.cn/app/ccbMain
• https://ebspay.boc.cn/PGWPortal/RecvOrder.do
• https://easyabc.95599.cn/b2c/NotCheckStatus/PaymentModeAct.ebf?TOKEN=
• https://pbank.95559.com.cn/netpay/MerPayB2C
• https://ebank.spdb.com.cn/payment/main
• https://ebank.gdb.com.cn/payment/ent_payment.jsp
• https://b2c.bank.ecitic.com/pec/e3rdplaceorder.do
• https://www.cebbank.com/per/preEpayLogin.do
• https://www.cib.com.cn/NetPayment.jsp
• https://cmpay.10086.cn/OPRTPRGN/100115.dow?BAL_TYP=1&BNK_NO=