MD5: a1155573bb7398fdf486feae5453ba12
SHA1: 0e46ce8f5eacaf4a6a7147aca1c13ede8b0208e8
SHA256: 61b21fb69fae0c5f23a6d41c08bb5e02e427be0c945b1849d524e831aee54ec6
SSDeep: 3072:M1abGWGT2TK1dbzlF9OVtSZjCw8geIr/QAuCgNVfpxICuQsKUIZn:9bpGtfoVtScw2RCgrzItQB
Size: 173492 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPXv0896v102v105v122Delphistub, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1096

The Trojan injects its code into the following process(es):

HKF.EXE:800

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1096 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\OAG.EXE (173 bytes)
%Documents and Settings%\HNV.EXE (173 bytes)
C:\filedebug (633 bytes)
C:\System Volume Information\GRTSH.EXE (174 bytes)
C:\totalcmd\OWIKOI.EXE (173 bytes)
%Documents and Settings%\ACZ.EXE (173 bytes)
C:\System Volume Information\ZEHPN.EXE (174 bytes)
C:\totalcmd\VKTNIL.EXE (174 bytes)
%Documents and Settings%\ZFP.EXE (173 bytes)
C:\System Volume Information\OCOJF.EXE (174 bytes)

The process HKF.EXE:800 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\filedebug (80 bytes)
C:\System Volume Information\UGASK.EXE (174 bytes)

Registry activity

The process %original file name%.exe:1096 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 07 EA 5D 48 54 8B EC D9 58 24 FF 0A 16 F9 44"

[HKCR\QQQ.file\shell\open\command]
"(Default)" = "%Documents and Settings%\HNV.EXE %1"

[HKCR\txtfile\shell\open\command]
"(Default)" = "C:\totalcmd\VKTNIL.EXE %1"

[HKCR\inffile\shell\open\command]
"(Default)" = "C:\System Volume Information\ZEHPN.EXE %1"

[HKCR\QQQfile\shell\open\command]
"(Default)" = "%Documents and Settings%\ACZ.EXE %1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"workfile" = "QzpcUGVybFxIS0YuRVhF"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GRTSH.EXE" = "%Documents and Settings%\ZFP.EXE"

The process HKF.EXE:800 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE 06 96 C4 9E 4A C6 39 4E FD 43 BD CE 5E 71 2C"

[HKCR\exefile\shell\open\command]
"(Default)" = "C:\System Volume Information\UGASK.EXE %1 %*"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

.rsrc

Portions Copyright (c) 1983,99 Borland

kernel32.dll

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

EInvalidOperation

%s[%d]

%s_%d

EInvalidGraphicOperation

USER32.DLL

comctl32.dll

PasswordCharXSC

OnKeyDown

OnKeyPress

OnKeyUp

OnKeyUpx

TKeyEvent

TKeyPressEvent

crSQLWait

%s (%s)

IMM32.DLL

TContainedActionh%C

AutoHotkeys

:].tJ

ssHotTrack

TWindowState

poProportional

TWMKey

KeyPreviewxPC

WindowState

UhG%D

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

Password

OnExecute

Port<

ReportLevel

Max Udp pack size=

Initializaton of windows sockets failed

Invalid seek origin = %d

NMsmtp

TNMSMTP

NMSMTP1

NMSMTP1Connect

NMSMTP1SendStart

AUTH LOGIN

PassWord_ThreadU

Kernel32.dll

Software\Microsoft\Windows\CurrentVersion\Setup

qqpass7

Msread.dt

smtp_fuwuqi

kav9x.exe

kavsvc9x.exe

kavsvcui.exe

kav32.exe

smenu.exe

ravmon.exe

passwordguard.exe

vpc32.exe

watcher.exe

autorun.inf

QQQ.file\shell\open\command

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Notepad.exe

HH.exe

regedit.exe "

c:\filedebug

netapi32.dll

svrapi.dll

FTPF0

Operation would block

Operation now in progress

Operation already in progress

Socket operation on non-socket

Protocol not supported

Socket type not supported

!Operation not supported on socket

Protocol family not supported

/Address family not supported by protocol family

#Incompatible version of WINSOCK.DLL

KWindows

.ScktComp

UrlMon

.StopFireW_Thread

getpass_Thread

Font.Charset

Font.Color

Font.Height

Font.Name

Font.Style

Port

%Copyright ?1996-1998 NetMasters L.L.C

1-888-2-GET-WEB (In USA)

E-mail info@netmastersllc.com

http://www.netmastersllc.com

! Obtain Support and Source Code

,Version: 5.3.0 Build:1055 Date:5/26/99

Submit Bug Report

WinExec

GetCPInfo

RegOpenKeyExA

RegCloseKey

ReportEventA

RegFlushKey

RegCreateKeyExA

SetViewportOrgEx

UnhookWindowsHookEx

SetWindowsHookExA

MsgWaitForMultipleObjects

MapVirtualKeyA

LoadKeyboardLayoutA

GetKeyboardState

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyState

GetKeyNameTextA

EnumWindows

EnumThreadWindows

ActivateKeyboardLayout

GetKeyboardType

.idata

.rdata

P.reloc

P.rsrc

Web }

bu%sA&4u

KERNEL32.DLL

advapi32.dll

gdi32.dll

ole32.dll

oleaut32.dll

user32.dll

wsock32.dll

- Dock zone has no control%List does not allow duplicates ($0%x)

Failed to get data for '%s'/Menu '%s' is already being used by another form

Service failed on %s: %s

shutdown(Service failed in custom message(%d): %s

Service installed successfully/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"

Unable to insert a line Clipboard does not support Icons

Invalid data type for '%s'

Failed to set data for '%s'

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

%String list does not allow duplicates#A component named %s already exists$''%s'' is not a valid component name

A class named %s already exists

Error reading %s%s%s: %s

Ancestor for '%s' not found

Unsupported clipboard format

Cannot assign a %s to a %s

Cannot create file %s

Cannot open file %s

Class %s not found

Resource %s not found

List index out of bounds (%d) List capacity out of bounds (%d)

List count out of bounds (%d) Operation not allowed on sorted string list

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Win32 Error. Code: %d.

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

!'%s' is not a valid integer value

I/O error %d

Integer overflow Invalid floating point operation

HKF.EXE_800_rwx_00401000_0006B000:

Portions Copyright (c) 1983,99 Borland

kernel32.dll

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

EInvalidOperation

%s[%d]

%s_%d

EInvalidGraphicOperation

USER32.DLL

comctl32.dll

PasswordCharXSC

OnKeyDown

OnKeyPress

OnKeyUp

OnKeyUpx

TKeyEvent

TKeyPressEvent

crSQLWait

%s (%s)

IMM32.DLL

TContainedActionh%C

AutoHotkeys

:].tJ

ssHotTrack

TWindowState

poProportional

TWMKey

KeyPreviewxPC

WindowState

UhG%D

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

Password

OnExecute

Port<

ReportLevel

Max Udp pack size=

Initializaton of windows sockets failed

Invalid seek origin = %d

NMsmtp

TNMSMTP

NMSMTP1

NMSMTP1Connect

NMSMTP1SendStart

AUTH LOGIN

PassWord_ThreadU

Kernel32.dll

Software\Microsoft\Windows\CurrentVersion\Setup

qqpass7

Msread.dt

smtp_fuwuqi

kav9x.exe

kavsvc9x.exe

kavsvcui.exe

kav32.exe

smenu.exe

ravmon.exe

passwordguard.exe

vpc32.exe

watcher.exe

autorun.inf

QQQ.file\shell\open\command

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Notepad.exe

HH.exe

regedit.exe "

c:\filedebug

netapi32.dll

svrapi.dll

FTPF0

Operation would block

Operation now in progress

Operation already in progress

Socket operation on non-socket

Protocol not supported

Socket type not supported

!Operation not supported on socket

Protocol family not supported

/Address family not supported by protocol family

#Incompatible version of WINSOCK.DLL

KWindows

.ScktComp

UrlMon

.StopFireW_Thread

getpass_Thread

Font.Charset

Font.Color

Font.Height

Font.Name

Font.Style

Port

%Copyright ?1996-1998 NetMasters L.L.C

1-888-2-GET-WEB (In USA)

E-mail info@netmastersllc.com

http://www.netmastersllc.com

! Obtain Support and Source Code

,Version: 5.3.0 Build:1055 Date:5/26/99

Submit Bug Report

WinExec

GetCPInfo

RegOpenKeyExA

RegCloseKey

ReportEventA

RegFlushKey

RegCreateKeyExA

SetViewportOrgEx

UnhookWindowsHookEx

SetWindowsHookExA

MsgWaitForMultipleObjects

MapVirtualKeyA

LoadKeyboardLayoutA

GetKeyboardState

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyState

GetKeyNameTextA

EnumWindows

EnumThreadWindows

ActivateKeyboardLayout

GetKeyboardType

.idata

.rdata

P.reloc

P.rsrc

- Dock zone has no control%List does not allow duplicates ($0%x)

Failed to get data for '%s'/Menu '%s' is already being used by another form

Service failed on %s: %s

shutdown(Service failed in custom message(%d): %s

Service installed successfully/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"

Unable to insert a line Clipboard does not support Icons

Invalid data type for '%s'

Failed to set data for '%s'

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

%String list does not allow duplicates#A component named %s already exists$''%s'' is not a valid component name

A class named %s already exists

Error reading %s%s%s: %s

Ancestor for '%s' not found

Unsupported clipboard format

Cannot assign a %s to a %s

Cannot create file %s

Cannot open file %s

Class %s not found

Resource %s not found

List index out of bounds (%d) List capacity out of bounds (%d)

List count out of bounds (%d) Operation not allowed on sorted string list

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Win32 Error. Code: %d.

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

!'%s' is not a valid integer value

I/O error %d

Integer overflow Invalid floating point operation

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:1096
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\OAG.EXE (173 bytes)
   %Documents and Settings%\HNV.EXE (173 bytes)
   C:\filedebug (633 bytes)
   C:\System Volume Information\GRTSH.EXE (174 bytes)
   C:\totalcmd\OWIKOI.EXE (173 bytes)
   %Documents and Settings%\ACZ.EXE (173 bytes)
   C:\System Volume Information\ZEHPN.EXE (174 bytes)
   C:\totalcmd\VKTNIL.EXE (174 bytes)
   %Documents and Settings%\ZFP.EXE (173 bytes)
   C:\System Volume Information\OCOJF.EXE (174 bytes)
   C:\System Volume Information\UGASK.EXE (174 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "GRTSH.EXE" = "%Documents and Settings%\ZFP.EXE"

5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.