Gen.Variant.Application.Jaik.11016_ac71e26fcf
Gen:Variant.Application.Jaik.11016 (BitDefender), Trojan:Win32/Dorv.A (Microsoft), not-a-virus:RiskTool.Win32.IMEStartup.ah (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), BackDoor.Pigeon1.12496 (DrWeb), Gen:Variant.Application.Jaik.11016 (B) (Emsisoft), GenericRXAB-NT!AC71E26FCF1C (McAfee), Trojan.Gen.6 (Symantec), Backdoor.Win32.Hupigon (Ikarus), Gen:Variant.Application.Jaik (FSecure), BackDoor.Hupigon6.ITC.dropper (AVG), Win32:Evo-gen [Susp] (Avast), TROJ_GEN.R047C0DCR17 (TrendMicro), Gen:Variant.Application.Jaik.11016 (AdAware), Trojan.Win32.Delphi.FD, Trojan.Win32.FlyStudio.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: ac71e26fcf1cc76e059e5d29512fa27b
SHA1: bacde43318324c9930917a27541a1fb3912d0d6f
SHA256: 224b84ef04146981f615e52f5361e8c75fc94b7545bed0c272612c86a9ac88ec
SSDeep: 24576:iFOMMnzV5UanV0xZ9hw3kzjKkkET1PrSj5sbi4bH3SQEAl5sbFT95v5RqBh3SWgp:iVMnEEVAPwEjnTmM3uuETj54BST1WU
Size: 2215936 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC50, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, Armadillov171, UPolyXv05_v6
Company: ????
Created at: 2017-03-17 18:22:17
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
twunk_32.exe:4044
%original file name%.exe:1072
The Trojan injects its code into the following process(es):
CGJNTXZd.exe:4084
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process twunk_32.exe:4044 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Common Files\microsoft shared\MSInfo\CGJNTXZd.bat (84 bytes)
%Program Files%\Common Files\microsoft shared\MSInfo\CGJNTXZd.exe (5253 bytes)
The process %original file name%.exe:1072 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\6.dll (366 bytes)
C:\Windows\System32\ESPI11.dll (723 bytes)
C:\twunk_32.exe (1414 bytes)
Registry activity
The process twunk_32.exe:4044 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CGJNTXZd" = "%Program Files%\Common Files\Microsoft Shared\MSINFO\CGJNTXZd.exe"
The process %original file name%.exe:1072 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Services\WinSock2\ESPI11]
"1002" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
"1003" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
"FileName" = "C:\Windows\system32\ESPI11.dll"
"1001" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 73 79 73 74 65"
[HKLM\System\CurrentControlSet\Services\WinSock2\ESPI11]
"1012" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
"1014" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 73 79 73 74 65"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 73 79 73 74 65"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 73 79 73 74 65"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 73 79 73 74 65"
Dropped PE files
| MD5 | File path |
|---|---|
| ea95e96de31787c33ba2d4032f744a1b | c:\Program Files\Common Files\microsoft shared\MSInfo\CGJNTXZd.exe |
| b4c2caaa15d4e505ad2858ab15eafb58 | c:\Windows\System32\6.dll |
| b4c2caaa15d4e505ad2858ab15eafb58 | c:\Windows\System32\ESPI11.dll |
| ea95e96de31787c33ba2d4032f744a1b | c:\twunk_32.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 635506 | 638976 | 4.53922 | 62f06f38f2cad70201dd45f7b193ed63 |
| .rdata | 643072 | 1249770 | 1253376 | 4.24437 | 1f5bdf87d413ef55d81be4f44200e3eb |
| .data | 1896448 | 560842 | 294912 | 4.95716 | 5f3db092ccc4a16b2bcdb228db947b9c |
| .rsrc | 2457600 | 22872 | 24576 | 3.34451 | 1fe86a93ea605e6520be514e542e0248 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
.text
`.rdata
@.data
.rsrc
t$(SSh
~%UVW
u$SShe
IPHLPAPI.DLL
iphlpapi.dll
GetAsyncKeyState
SetTcpEntry
GetExtendedTcpTable
UnloadKeyboardLayout
GetKeyboardLayoutList
GetKeyboardLayout
ActivateKeyboardLayout
GetKeyboardLayoutNameA
RegOpenKeyA
RegDeleteKeyA
RegCloseKey
RegCreateKeyA
RegFlushKey
LoadKeyboardLayoutA
{A068799B-7551-46b9-8CA8-EEF8357AFEA4}crossfire.exe
0200000002
0000260000
6.dll
.inidata
@.reloc
CNotSupportedException
CCmdTarget
commctrl_DragListMsg
COMCTL32.DLL
__MSVCRT_HEAP_SELECT
user32.dll
KERNEL32.dll
USER32.dll
RegOpenKeyExA
ADVAPI32.dll
WS2_32.dll
COMCTL32.dll
GetCPInfo
UnhookWindowsHookEx
SetWindowsHookExA
GetKeyState
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GDI32.dll
WINSPOOL.DRV
comdlg32.dll
SHELL32.dll
SWNPM.dll
.PAVCException@@
.PAVCArchiveException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
4"5(5,50545
8!8/878=8
3"32383|3"4
2 3=3Q3^3h3r3z3
4 41484[4}4
9$9(9,90989
<0=4=8=<=
/6.dll
YY.exe
WINMM.dll
GetProcessHeap
MSVCRT.dll
1.dll
cshell.dll
tenrpcs.dll
1065224
d3dx9_29.dll
user32.DLL
winmm.dll
d3dx9_43.dll
program internal error number is %d.
:"%s"
:"%s".
=$>(>,>0>4>
vcticta.dll
\SouGoo.ime
^}•D
IMM32.dll
imehost.dll
ImeProcessKey
Windows
:):3:9:|:
= =$=(=,=0=4=8=
? ?$?(?,?
\Sougoo.ime
hXXps://jq.qq.com/?_wv=1027&k=46CmeV2
\twunk_32.exe
.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
%s%s%s%s%s%s%s%s%s%s
Proportional
MAPI32.DLL
OnKeyDown
OnKeyPress
OnKeyUp
THintActionD%C
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")JumpID("","%s")TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
Password
OnExecute
CGJNTXZd.exe
260192.dowei8.com
127.0.0.1
2015-08-03 19:47:36
%Program Files%\ie8\
iexplore.exe
ole32.dll
SourcePort
DestPort
UnitTCPIP
TCPIPORT
TCPIPORT4
ws2_32.dll
1.2.3
<?xml version="1.0" encoding="UNICODE"?><tree2xml app="SVCHOST.exe">
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
(The key is too long to be read.)
HKEY_DYN_DATA
Microsoft\Network\Connections\pbk\rasphone.pbk
rasapi32.dll
rnaph.dll
cmd /c "
%dMB,
" WindowsPath="
" ExeShortName="
" ExeFileName="
\Software\Microsoft\Windows\CurrentVersion\uninstall
\software\microsoft\windows\currentversion\uninstall\
TRemoteShellCmdU
TtcpDDOSThread
TwebDDOSThread
HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; MyIE 3.01)
hXXp://
advapi32.dll
cmd /c shutdown -s -f -t 0
cmd /c shutdown -r -f -t 0
Down.exe
Set objws=WScript.CreateObject("wscript.shell")objws.Run kavpath,,true
ctfmon.exe
Move.exe
Port
UDPSockError
TMYNMUDP
MYNMUDP
RemotePort<
LocalPort<
ReportLevelL
0.0.0.0
%d.%d.%d.%d
FilterGraph %p pid %x
D:\dat_aq\DSPACK234\src\DSPack\DSUtil.pas
($%x).
vpDoNotRenderColorKeyAndBorder
Operation
TOnDVDCMD
CmdID
OnDVDCMDStartx0I
OnDVDCMDEndL[A
OnDVDWarningFormatNotSupportedL[A
D:\dat_aq\DSPACK234\src\DSPack\DSPack.pas
FormKeyDown
Msxml2.XMLHTTP
\Program Files\Internet Explorer\iexplore.exe
ntdll.dll
Kernel32.dll
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
GetKeyboardType
ReportEventA
RegQueryInfoKeyA
RegEnumKeyExA
RegCreateKeyExA
WinExec
GetWindowsDirectoryA
CreatePipe
mpr.dll
version.dll
gdi32.dll
keybd_event
SetProcessWindowStation
OpenWindowStationA
MsgWaitForMultipleObjects
MapVirtualKeyA
GetProcessWindowStation
GetKeyboardState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
CloseWindowStation
shell32.dll
ShellExecuteExA
ShellExecuteA
SHFileOperationA
wininet.dll
InternetOpenUrlA
URLMON.DLL
URLDownloadToFileA
wsock32.dll
avicap32.dll
imagehlp.dll
ADVAPI32.DLL
DeleteUrlCacheEntry
quartz.dll
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
3333333
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
KWindows
UrlMon
.ScktComp
IMYNMUDP
CMDUnit
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
VMROptions.Mode
MediaType.data
BaseFilter.data
<requestedExecutionLevel level="requireAdministrator"/>
Super-EChXXp://VVV.super-ec.cnhXXp://VVV.eyybc.com/forum-17-1.html/forum-12-1.html/memcp.php/ip.asp/time.asp/gonggao.txt/ec-user6.php/ec-bd.php/ec-jh.php
hXXp://VVV.super-ec.cn
<input type="text" name="field_2new" size="25" value="" disabled class="txt" />" class="txt" />Function Getcpuid()
Set cpuSet = GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_Processor")getcpuid=cpu.ProcessorId
Keyboard Layout
Keyboard Layout\Preload
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
Broken pipe
Inappropriate I/O control operation
Operation not permitted
SHLWAPI.dll
MPR.dll
VERSION.dll
RASAPI32.dll
RegisterHotKey
UnregisterHotKey
GetViewportOrgEx
RegEnumKeyA
OLEAUT32.dll
WSOCK32.dll
WININET.dll
CreateDialogIndirectParamA
GetViewportExtEx
Shell32.dll
Mpr.dll
Advapi32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
%s\ESPI%d.dll
hXXp://dywt.com.cn
service@dywt.com.cn
86(0411)88995834
86(0411)88995831
(ESPINN.dll(NN
This is a runtime library file for EPL applications. The EPL is a software development environment. For details please visit VVV.dywt.com.cn/info
CallerInfoCopyCmd
SetIPPort
GetIPPort
"C:\Windows\System32\ESPI11.dll"
ProviderInstallCopyCmd
SockDataCopyCmd
SockAddrCopyCmd
enetintercept_fnSockAddrSetIPPort
enetintercept_fnSockAddrGetIPPort
enetintercept_fnInstallCopyCmd
enetintercept_fnSockDataCopyCmd
enetintercept_fnSockAddrCopyCmd
enetintercept_fnCallerInfoCopyCmd
VVV.dywt.com.cn
;3 #>6.&
'2, / 0&7!4-)1#
%d%d%d
rundll32.exe shell32.dll,
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCResourceException@@
.PAVCUserException@@
zcÁ
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>
(2004-2010)
hXXp://VVV.eyuyan.com
1.0.0.0
(hXXp://VVV.eyuyan.com)
1, 0, 0, 1
imedllhost09.ime
7Dispatch methods do not support more than 64 parameters&Cannot change the size of a JPEG image
JPEG error #%d
No help keyword specified.
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object
(Service failed in custom message(%d): %s
Service installed successfully/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Alt Clipboard does not support Icons
Cannot open clipboard/Menu '%s' is already being used by another form
Service failed on %s: %s
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Thread creation error: %s
Thread Error: %s (%d)*Windows socket error: %s (%d), on API '%s'
Asynchronous socket error %d
Unsupported clipboard format
List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to create key %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s'
Ancestor for '%s' not found
Cannot assign a %s to a %s
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation
(*.*)
CGJNTXZd.exe_4084:
.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
%s%s%s%s%s%s%s%s%s%s
Proportional
MAPI32.DLL
OnKeyDown
OnKeyPress
OnKeyUp
THintActionD%C
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")JumpID("","%s")TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
Password
OnExecute
CGJNTXZd.exe
260192.dowei8.com
127.0.0.1
2015-08-03 19:47:36
%Program Files%\ie8\
iexplore.exe
ole32.dll
SourcePort
DestPort
UnitTCPIP
TCPIPORT
TCPIPORT4
ws2_32.dll
iphlpapi.dll
1.2.3
<?xml version="1.0" encoding="UNICODE"?><tree2xml app="SVCHOST.exe">
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
(The key is too long to be read.)
HKEY_DYN_DATA
Microsoft\Network\Connections\pbk\rasphone.pbk
rasapi32.dll
rnaph.dll
cmd /c "
%dMB,
" WindowsPath="
" ExeShortName="
" ExeFileName="
\Software\Microsoft\Windows\CurrentVersion\uninstall
\software\microsoft\windows\currentversion\uninstall\
TRemoteShellCmdU
TtcpDDOSThread
TwebDDOSThread
HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; MyIE 3.01)
hXXp://
advapi32.dll
cmd /c shutdown -s -f -t 0
cmd /c shutdown -r -f -t 0
Down.exe
Set objws=WScript.CreateObject("wscript.shell")objws.Run kavpath,,true
ctfmon.exe
Move.exe
Port
UDPSockError
TMYNMUDP
MYNMUDP
RemotePort<
LocalPort<
ReportLevelL
0.0.0.0
%d.%d.%d.%d
FilterGraph %p pid %x
D:\dat_aq\DSPACK234\src\DSPack\DSUtil.pas
($%x).
vpDoNotRenderColorKeyAndBorder
Operation
TOnDVDCMD
CmdID
OnDVDCMDStartx0I
OnDVDCMDEndL[A
OnDVDWarningFormatNotSupportedL[A
D:\dat_aq\DSPACK234\src\DSPack\DSPack.pas
FormKeyDown
Msxml2.XMLHTTP
\Program Files\Internet Explorer\iexplore.exe
ntdll.dll
Kernel32.dll
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
192.168.48.135
user32.dll
GetKeyboardType
RegOpenKeyExA
RegCloseKey
ReportEventA
RegQueryInfoKeyA
RegFlushKey
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
RegCreateKeyA
WinExec
GetWindowsDirectoryA
GetCPInfo
CreatePipe
mpr.dll
version.dll
gdi32.dll
SetViewportOrgEx
keybd_event
UnhookWindowsHookEx
SetWindowsHookExA
SetProcessWindowStation
OpenWindowStationA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetProcessWindowStation
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
GetAsyncKeyState
EnumWindows
EnumThreadWindows
CloseWindowStation
ActivateKeyboardLayout
shell32.dll
ShellExecuteExA
ShellExecuteA
SHFileOperationA
wininet.dll
InternetOpenUrlA
URLMON.DLL
URLDownloadToFileA
wsock32.dll
avicap32.dll
imagehlp.dll
winmm.dll
ADVAPI32.DLL
DeleteUrlCacheEntry
quartz.dll
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
3333333
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
KWindows
UrlMon
.ScktComp
IMYNMUDP
CMDUnit
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
VMROptions.Mode
MediaType.data
BaseFilter.data
<requestedExecutionLevel level="requireAdministrator"/>
7Dispatch methods do not support more than 64 parameters&Cannot change the size of a JPEG image
JPEG error #%d
No help keyword specified.
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object
(Service failed in custom message(%d): %s
Service installed successfully/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Alt Clipboard does not support Icons
Cannot open clipboard/Menu '%s' is already being used by another form
Service failed on %s: %s
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Thread creation error: %s
Thread Error: %s (%d)*Windows socket error: %s (%d), on API '%s'
Asynchronous socket error %d
Unsupported clipboard format
List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to create key %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s'
Ancestor for '%s' not found
Cannot assign a %s to a %s
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation
conhost.exe_704:
.text
`.data
.rsrc
@.reloc
GDI32.dll
USER32.dll
msvcrt.dll
ntdll.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
KERNEL32.dll
IMM32.dll
ole32.dll
OLEAUT32.dll
PutInputInBuffer: EventsWritten != 1 (0x%x), 1 expected
Invalid message 0x%x
InitExtendedEditKeys: Unsupported version number(%d)
Console init failed with status 0x%x
CreateWindowsWindow failed with status 0x%x, gle = 0x%x
InitWindowsStuff failed with status 0x%x (gle = 0x%x)
InitSideBySide failed create an activation context. Error: %d
GetModuleFileNameW requires more than ScratchBufferSize(%d) - 1.
GetModuleFileNameW failed %d.
Invalid EventType: 0x%x
Dup handle failed for %d of %d (Status = 0x%x)
Couldn't grow input buffer, Status == 0x%x
InitializeScrollBuffer failed, Status = 0x%x
CreateWindow failed with gle = 0x%x
Opening Font file failed with error 0x%x
\ega.cpi
NtReplyWaitReceivePort failed with Status 0x%x
ConsoleOpenWaitEvent failed with Status 0x%x
NtCreatePort failed with Status 0x%x
GetCharWidth32 failed with error 0x%x
GetTextMetricsW failed with error 0x%x
GetSystemEUDCRangeW: RegOpenKeyExW(%ws) failed, error = 0x%x
RtlStringCchCopy failed with Status 0x%x
Cannot allocate 0n%d bytes
|%SWj
O.fBf;
ReCreateDbcsScreenBuffer failed. Restoring to CP=%d
Invalid Parameter: 0x%x, 0x%x, 0x%x
ConsoleKeyInfo buffer is full
Invalid screen buffer size (0x%x, 0x%x)
SetROMFontCodePage: failed to memory allocation %d bytes
FONT.NT
Failed to set font image. wc=x, sz=(%x,%x)
Failed to set font image. wc=x sz=(%x, %x).
Failed to set font image. wc=x sz=(%x,%x)
FullscreenControlSetColors failed - Status = 0x%x
FullscreenControlSetPalette failed - Status = 0x%x
WriteCharsFromInput failed 0x%x
WriteCharsFromInput failed %x
RtlStringCchCopyW failed with Status 0x%x
CreateFontCache failed with Status 0x%x
FTPh
\>.Sj
GetKeyboardLayout
MapVirtualKeyW
VkKeyScanW
GetKeyboardState
UnhookWindowsHookEx
SetWindowsHookExW
GetKeyState
ActivateKeyboardLayout
GetKeyboardLayoutNameA
GetKeyboardLayoutNameW
_amsg_exit
_acmdln
ShipAssert
NtReplyWaitReceivePort
NtCreatePort
NtEnumerateValueKey
NtQueryValueKey
NtOpenKey
NtAcceptConnectPort
NtReplyPort
SetProcessShutdownParameters
GetCPInfo
conhost.pdb
%$%a%b%V%U%c%Q%W%]%\%[%
%<%^%_%Z%T%i%f%`%P%l%g%h%d%e%Y%X%R%S%k%j%
version="5.1.0.0"
name="Microsoft.Windows.ConsoleHost"
<requestedExecutionLevel
name="Microsoft.Windows.ConsoleHost.SystemDefault"
publicKeyToken="6595b64144ccf1df"
name="Microsoft.Windows.SystemCompatible"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
< =$>:>@>
2%2X2
%SystemRoot%
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\TrueTypeFont
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\FullScreen
WindowSize
ColorTableu
ExtendedEditkeyCustom
ExtendedEditKey
Software\Microsoft\Windows\CurrentVersion
\ !:=/.<>;|&
%d/%d
cmd.exe
desktop.ini
\console.dll
%d/%d
6.1.7601.17641 (win7sp1_gdr.110623-1503)
CONHOST.EXE
Windows
Operating System
6.1.7601.17641
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
twunk_32.exe:4044
%original file name%.exe:1072
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Program Files%\Common Files\microsoft shared\MSInfo\CGJNTXZd.bat (84 bytes)
%Program Files%\Common Files\microsoft shared\MSInfo\CGJNTXZd.exe (5253 bytes)
C:\Windows\System32\6.dll (366 bytes)
C:\Windows\System32\ESPI11.dll (723 bytes)
C:\twunk_32.exe (1414 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CGJNTXZd" = "%Program Files%\Common Files\Microsoft Shared\MSINFO\CGJNTXZd.exe"
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.