MD5: dae49fc2d1e9cafa499f94b44e5a08be
SHA1: bf352771a1e87a8405d3877dbbdfd697acb254b8
SHA256: 8ab6b34b5ecf943362aefa277879380a79246c2ba899bdc478f514111e98ba44
SSDeep: 49152: gXx30xghc/DcEMoC5sZdeHPSdfztGh6y9irfmjBm8UWrVYiSQ: Ax3KgaLvMDSZAv8tGhxirimHCV//
Size: 2830703 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 2011-09-11 21:12:22
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:2060

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2060 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut847B.tmp (18994 bytes)
C:\yyxieyi\九歌协议.exe (33674 bytes)
C:\yyxieyi\Q群18109333.key (6 bytes)
C:\Windows\System32\drivers\etc\hosts (992 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut847A.tmp (196 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut847B.tmp (0 bytes)
C:\Windows\System32\drivers\etc\hosts (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut847A.tmp (0 bytes)

Registry activity

The process %original file name%.exe:2060 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{e29ac6c2-7037-11de-816d-806e6f6e6963}]
"NameServer" = "60.190.219.142 60.190.219.142"

[HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{03967CDD-F8BD-4AC9-8369-0D2BD8F246F5}]
"NameServer" = "60.190.219.142 60.190.219.142"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 542 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright: ????YY?:1501830
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3.3.7.15
File Description: ???? YY?:1501830
Comments:
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
dns.msftncsi.com
teredo.ipv6.microsoft.com

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The Trojan connects to the servers at the folowing location(s):

`.rsrc

s%j.Zf

Bv.SCvt

GetProcessWindowStation

operator

This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.

uxtheme.dll

kernel32.dll

operand of unlimited repeat could match the empty string

POSIX named classes are supported only within a class

erroffset passed as NULL

POSIX collating elements are not supported

this version of PCRE is not compiled with PCRE_UTF8 support

PCRE does not support \L, \l, \N{name}, \U, or \u

support for \P, \p, and \X has not been compiled

this version of PCRE is not compiled with PCRE_UCP support

ICMP.DLL

advapi32.dll

RegDeleteKeyExW

Error text not found (please report)

zcÁ

GetProcessHeap

CreatePipe

GetWindowsDirectoryW

GetCPInfo

RegDeleteKeyW

RegCreateKeyExW

RegEnumKeyExW

RegCloseKey

RegOpenKeyExW

SetViewportOrgEx

ShellExecuteExW

SHFileOperationW

ShellExecuteW

RegisterHotKey

GetKeyboardLayoutNameW

EnumThreadWindows

GetAsyncKeyState

SetKeyboardState

GetKeyboardState

GetKeyState

VkKeyScanW

EnumWindows

EnumChildWindows

MapVirtualKeyW

CloseWindowStation

SetProcessWindowStation

OpenWindowStationW

UnregisterHotKey

keybd_event

ExitWindowsEx

InternetCrackUrlW

HttpQueryInfoW

HttpOpenRequestW

HttpSendRequestW

FtpOpenFileW

FtpGetFileSize

InternetOpenUrlW

.text

`.rdata

@.data

.rsrc

W[.Zg

Yw.lt

^acX)%FS

ub%CR

.rdn4

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"></assemblyIdentity>

KERNEL32.DLL

ADVAPI32.dll

COMCTL32.dll

COMDLG32.dll

GDI32.dll

MPR.dll

ole32.dll

OLEAUT32.dll

PSAPI.DLL

SHELL32.dll

USER32.dll

USERENV.dll

VERSION.dll

WININET.dll

WINMM.dll

WSOCK32.dll

mscoree.dll

nKERNEL32.DLL

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

WUSER32.DLL

>>>AUTOIT NO CMDEXECUTE<<<

CMDLINERAW

CMDLINE

/AutoIt3ExecuteLine

/AutoIt3ExecuteScript

%s (%d) : ==> %s.:

Line %d:

Line %d (File "%s"):

%s (%d) : ==> %s:

AutoIt script files (*.au3, *.a3x)

*.au3;*.a3x

All files (*.*)

#NoAutoIt3Execute

APPSKEY

04090000

%u.%u.%u.%u

0.0.0.0

Mddddd

%s (%d) : ==> %s:

UDPSTARTUP

UDPSHUTDOWN

UDPSEND

UDPRECV

UDPOPEN

UDPCLOSESOCKET

UDPBIND

TRAYGETMSG

TCPSTARTUP

TCPSHUTDOWN

TCPSEND

TCPRECV

TCPNAMETOIP

TCPLISTEN

TCPCONNECT

TCPCLOSESOCKET

TCPACCEPT

SHELLEXECUTEWAIT

SHELLEXECUTE

REGENUMKEY

MSGBOX

ISKEYWORD

HTTPSETUSERAGENT

HTTPSETPROXY

HOTKEYSET

GUIREGISTERMSG

GUIGETMSG

GUICTRLSENDMSG

GUICTRLRECVMSG

FTPSETPROXY

\??\%s

GUI_RUNDEFMSG

SendKeyDelay

SendKeyDownDelay

TCPTimeout

AUTOITCALLVARIABLE%d

255.255.255.255

Keyword

AutoIt.Error

Null Object assignment in FOR..IN loop

Incorrect Object type in FOR..IN loop

HOTKEYPRESSED

AUTOITEXE

WINDOWSDIR

3, 3, 7, 15

HKEY_LOCAL_MACHINE

HKEY_CLASSES_ROOT

HKEY_CURRENT_CONFIG

HKEY_CURRENT_USER

HKEY_USERS

%d/d/d

c:\%original file name%.exe

C:\%original file name%.exe

3.3.7.15

:1501830

1501830

%original file name%.exe_2060_rwx_00401000_000C8000:

s%j.Zf

Bv.SCvt

GetProcessWindowStation

operator

This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.

uxtheme.dll

kernel32.dll

operand of unlimited repeat could match the empty string

POSIX named classes are supported only within a class

erroffset passed as NULL

POSIX collating elements are not supported

this version of PCRE is not compiled with PCRE_UTF8 support

PCRE does not support \L, \l, \N{name}, \U, or \u

support for \P, \p, and \X has not been compiled

this version of PCRE is not compiled with PCRE_UCP support

ICMP.DLL

advapi32.dll

RegDeleteKeyExW

Error text not found (please report)

zcÁ

GetProcessHeap

CreatePipe

GetWindowsDirectoryW

GetCPInfo

RegDeleteKeyW

RegCreateKeyExW

RegEnumKeyExW

RegCloseKey

RegOpenKeyExW

SetViewportOrgEx

ShellExecuteExW

SHFileOperationW

ShellExecuteW

RegisterHotKey

GetKeyboardLayoutNameW

EnumThreadWindows

GetAsyncKeyState

SetKeyboardState

GetKeyboardState

GetKeyState

VkKeyScanW

EnumWindows

EnumChildWindows

MapVirtualKeyW

CloseWindowStation

SetProcessWindowStation

OpenWindowStationW

UnregisterHotKey

keybd_event

ExitWindowsEx

InternetCrackUrlW

HttpQueryInfoW

HttpOpenRequestW

HttpSendRequestW

FtpOpenFileW

FtpGetFileSize

InternetOpenUrlW

.text

`.rdata

@.data

.rsrc

W[.Zg

Yw.lt

^acX)%FS

ub%CR

mscoree.dll

nKERNEL32.DLL

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

WUSER32.DLL

>>>AUTOIT NO CMDEXECUTE<<<

CMDLINERAW

CMDLINE

/AutoIt3ExecuteLine

/AutoIt3ExecuteScript

%s (%d) : ==> %s.:

Line %d:

Line %d (File "%s"):

%s (%d) : ==> %s:

AutoIt script files (*.au3, *.a3x)

*.au3;*.a3x

All files (*.*)

#NoAutoIt3Execute

APPSKEY

04090000

%u.%u.%u.%u

0.0.0.0

Mddddd

%s (%d) : ==> %s:

UDPSTARTUP

UDPSHUTDOWN

UDPSEND

UDPRECV

UDPOPEN

UDPCLOSESOCKET

UDPBIND

TRAYGETMSG

TCPSTARTUP

TCPSHUTDOWN

TCPSEND

TCPRECV

TCPNAMETOIP

TCPLISTEN

TCPCONNECT

TCPCLOSESOCKET

TCPACCEPT

SHELLEXECUTEWAIT

SHELLEXECUTE

REGENUMKEY

MSGBOX

ISKEYWORD

HTTPSETUSERAGENT

HTTPSETPROXY

HOTKEYSET

GUIREGISTERMSG

GUIGETMSG

GUICTRLSENDMSG

GUICTRLRECVMSG

FTPSETPROXY

\??\%s

GUI_RUNDEFMSG

SendKeyDelay

SendKeyDownDelay

TCPTimeout

AUTOITCALLVARIABLE%d

255.255.255.255

Keyword

AutoIt.Error

Null Object assignment in FOR..IN loop

Incorrect Object type in FOR..IN loop

HOTKEYPRESSED

AUTOITEXE

WINDOWSDIR

3, 3, 7, 15

HKEY_LOCAL_MACHINE

HKEY_CLASSES_ROOT

HKEY_CURRENT_CONFIG

HKEY_CURRENT_USER

HKEY_USERS

%d/d/d

c:\%original file name%.exe

C:\%original file name%.exe

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut847B.tmp (18994 bytes)
   C:\yyxieyi\九歌协议.exe (33674 bytes)
   C:\yyxieyi\Q群18109333.key (6 bytes)
   C:\Windows\System32\drivers\etc\hosts (992 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut847A.tmp (196 bytes)

4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.