PUA_TECENT.GA
Windows
Threat Type: Potentially Unwanted Application
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Potentially Unwanted Application may be manually installed by a user.
TECHNICAL DETAILS
Arrival Details
This Potentially Unwanted Application may be manually installed by a user.
Installation
This Potentially Unwanted Application drops the following files:
- %User Temp%\nsz3E49.tmp\System.dll - Deleted afterwards
- %User Temp%\nsz3E49.tmp\nsisFirewallW.dll - Deleted afterwards
- %User Temp%\nse60D6.tmp\inetc.dll - Deleted afterwards
- %User Temp%\webplugin_install.log
- %Program Files%\Tencent\QQMicroGameBoxService\1.0.5.2\Microsoft.VC90.CRT.manifest
- %Program Files%\Tencent\QQMicroGameBoxService\1.0.5.2\Plugin.exe
- %Program Files%\Tencent\QQMicroGameBoxService\1.0.5.2\QQMGBWebserver.exe
- %Program Files%\Tencent\QQMicroGameBoxService\1.0.5.2\QQMicroGameBoxService.exe
- %Program Files%\Tencent\QQMicroGameBoxService\1.0.5.2\QQMicroGameBoxServiceUpdate.exe
- %Program Files%\Tencent\QQMicroGameBoxService\1.0.5.2\QXMatrix.dll
- %Program Files%\Tencent\QQMicroGameBoxService\1.0.5.2\bugreport.exe
- %Program Files%\Tencent\QQMicroGameBoxService\1.0.5.2\log.dll
- %Program Files%\Tencent\QQMicroGameBoxService\1.0.5.2\msvcp90.dll
- %Program Files%\Tencent\QQMicroGameBoxService\1.0.5.2\msvcr90.dll
- %Program Files%\Tencent\QQMicroGameBoxService\1.0.5.2\skin\Install.ico
- %Application Data%\Tencent\WebGamePlugin\1.0.5.2\HttpDownloader.dll
- %Application Data%\Tencent\WebGamePlugin\1.0.5.2\InstallerToolkit.dll
- %Application Data%\Tencent\WebGamePlugin\1.0.5.2\Launcher.exe
- %Application Data%\Tencent\WebGamePlugin\1.0.5.2\PluginManager.dll
- %Application Data%\Tencent\WebGamePlugin\1.0.5.2\TXWGameIeHelper.dll
- %Application Data%\Tencent\WebGamePlugin\1.0.5.2\Utility.dll
- %Application Data%\Tencent\WebGamePlugin\1.0.5.2\npqqwebgame.dll
(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012. %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems. %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)
Other System Modifications
This Potentially Unwanted Application adds the following registry entries:
HKEY_CURRENT_USER\Software\Tencent\bugReport\TXWebServer
bUseInterMod = 1
HKEY_CURRENT_USER\Software\MozillaPlugins\@1.qq.com/npqqwebgame
Path = %Application Data%\Tencent\WebGamePlugin\1.0.5.2\npqqwebgame.dll
HKEY_CURRENT_USER\Software\Tencent\WebGamePlugin
Path = %Application Data%\Tencent\WebGamePlugin\1.0.5.2\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\QQMicroGameBoxService
version = "1.0.5.2"
Type = 272
Start = 2
ErrorControl = 1
ImagePath = "%Program Files%\Tencent\QQMicroGameBoxService\1.0.5.2\QQMicroGameBoxService.exe"
DisplayName = "QQMicroGameBoxService"
ObjectName = "LocalSystem"
Description = {string}
(Note: The MozillaPlugins key registers npqqwebgame.dll as an NPAPI browser plugin for the current user. In the service key, Type 272 is 0x110, i.e. SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS; Start 2 is SERVICE_AUTO_START; ErrorControl 1 is SERVICE_ERROR_NORMAL. Together with ObjectName = "LocalSystem", these values register QQMicroGameBoxService.exe as a service that starts automatically at boot and runs with LocalSystem privileges, so it persists and outlives the user session that installed it.)
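The file and registry artifacts in the two sections above can be swept for on a host with the following PowerShell script. It is an added example, not code from Trend Micro or Tencent: the version folder 1.0.5.2, the paths, the registry keys and the service values are taken from this page, while the random NSIS temp folders (nsz3E49.tmp, nse60D6.tmp) are per-run names that the installer deletes and are therefore not checked. It assumes it is run from an elevated PowerShell on the Windows host under review.

```powershell
# Added example (not from the Trend Micro page or Tencent): enumerate the host
# artifacts listed on this page. Paths and the 1.0.5.2 version folder come from
# the page; the nsz3E49.tmp / nse60D6.tmp folders are per-run NSIS names that
# are deleted after install, so they are not checked. Run elevated.

$Version  = '1.0.5.2'
$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Item, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Kind = $Kind; Item = $Item; Detail = $Detail })
}

# --- %Program Files% drop (both roots: the installer is a 32-bit NSIS package) ---
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
foreach ($root in $roots) {
    $dir = Join-Path $root "Tencent\QQMicroGameBoxService\$Version"
    if (Test-Path -LiteralPath $dir) {
        Get-ChildItem -LiteralPath $dir -Recurse -File | ForEach-Object {
            Add-Finding 'File' $_.FullName (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}

# --- %User Temp% installer log (only for the account running the script) ---
$log = Join-Path $env:TEMP 'webplugin_install.log'
if (Test-Path -LiteralPath $log) { Add-Finding 'File' $log 'installer log' }

# --- %Application Data% plugin folder, for every profile on the box ---
# HKCU/%APPDATA% only cover the current account, so walk C:\Users instead.
foreach ($profile in Get-ChildItem -LiteralPath (Split-Path $env:USERPROFILE) -Directory) {
    $plugin = Join-Path $profile.FullName "AppData\Roaming\Tencent\WebGamePlugin\$Version"
    if (Test-Path -LiteralPath $plugin) {
        Get-ChildItem -LiteralPath $plugin -Recurse -File | ForEach-Object {
            Add-Finding 'File' $_.FullName (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}

# --- Per-user registry keys, for every hive currently loaded under HKEY_USERS ---
# The MozillaPlugins key name contains a '/', which the HKCU: provider treats as
# a path separator, so the .NET registry API (which only splits on '\') is used.
$userKeys = @(
    'Software\Tencent\bugReport\TXWebServer',
    'Software\Tencent\WebGamePlugin',
    'Software\MozillaPlugins\@1.qq.com/npqqwebgame'
)
$hku = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
    [Microsoft.Win32.RegistryHive]::Users, [Microsoft.Win32.RegistryView]::Default)
foreach ($sid in ($hku.GetSubKeyNames() | Where-Object { $_ -notmatch '_Classes$' })) {
    foreach ($rel in $userKeys) {
        $k = $hku.OpenSubKey("$sid\$rel")
        if ($k) {
            $vals = ($k.GetValueNames() | ForEach-Object { "$_=$($k.GetValue($_))" }) -join '; '
            Add-Finding 'Registry' "HKU\$sid\$rel" $vals
            $k.Close()
        }
    }
}
$hku.Close()

# --- Service registration: decode the Type/Start/ObjectName values the page lists ---
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\QQMicroGameBoxService'
if (Test-Path -LiteralPath $svcKey) {
    $p = Get-ItemProperty -LiteralPath $svcKey
    $flags = @()
    if ($p.Type -band 0x10)  { $flags += 'SERVICE_WIN32_OWN_PROCESS' }
    if ($p.Type -band 0x100) { $flags += 'SERVICE_INTERACTIVE_PROCESS' }   # 272 = 0x110 sets both
    $start = @{ 2 = 'AUTO_START'; 3 = 'DEMAND_START'; 4 = 'DISABLED' }[[int]$p.Start]
    Add-Finding 'Service' $p.ImagePath `
        ("Type=$($p.Type) [$($flags -join '|')] Start=$start Account=$($p.ObjectName)")
    $svc = Get-Service -Name QQMicroGameBoxService -ErrorAction SilentlyContinue
    if ($svc) { Add-Finding 'Service' 'QQMicroGameBoxService' "State=$($svc.Status)" }
}

$Findings | Format-Table -AutoSize
```

The SHA256 hashes are collected so that a hit can be compared against the sample the vendor analysed rather than matched on path alone; the service block reports whether the binary really is registered to auto-start as LocalSystem, which is the part of this installation that matters for privilege and persistence.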
Other Details
This Potentially Unwanted Application connects to the following possibly malicious URLs:
- http://{BLOCKED}s.{BLOCKED}e.qq.com/wan/box/Tlog/Report.php
- http://{BLOCKED}s.{BLOCKED}p.qq.com/cm/ReportNew.php