
Win32.Virtob.Gen.12_26174ad308

by malwarelabrobot on May 11th, 2017 in Malware Descriptions.

Win32.Virtob.Gen.12 (BitDefender), Virus:Win32/Virut.BO (Microsoft), Virus.Win32.Virut.ce (Kaspersky), Virus.Win32.Virut.ce.5 (v) (VIPRE), Win32.Virut.56 (DrWeb), Win32.Virtob.Gen.12 (B) (Emsisoft), W32/Virut.n.gen (McAfee), W32.Virut.CF (Symantec), Virus.Win32.Ramnit (Ikarus), Win32.Virtob.Gen.12 (FSecure), Win32/Virut (AVG), Win32:Vitro (Avast), PE_VIRUX.R (TrendMicro), Win32.Virtob.Gen.12 (AdAware), VirusVirut.YR (Lavasoft MAS)
Behaviour: Virus


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 26174ad308524227c51063d00ace9a7b
SHA1: 6eb058b1b8319e3dd50113d36b9fe0df37430cee
SHA256: 3eb850360a44765ea3bdaec97c7892e170420c2a20a6c2b320d7d30b1fc5bd13
SSDeep: 3072:Il7FUj85b3C A6s 6HaBccMlQp80JKHZ4x4:Ilw A6s 6HyccMWKHZ4e
Size: 114688 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-04 15:35:59
Analyzed on: Windows7 SP1 32-bit


Summary:

Virus. A program that recursively replicates a possibly evolved copy of itself.

Payload

No specific payload has been found.

Process activity

The Virus creates the following process(es):

WerFault.exe:576
wermgr.exe:1808

The Virus injects its code into the following process(es):

%original file name%.exe:452

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:452 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

C:\Windows\System32\osmism.exe (601 bytes)

The process WerFault.exe:576 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_osmism.exe_efc8641810adfc9375b33ce4a8d3f47972b83d3_cab_02540e71\WERE36.tmp.mdmp (2105 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_osmism.exe_efc8641810adfc9375b33ce4a8d3f47972b83d3_cab_02540e71\WERDA7.tmp.WERInternalMetadata.xml (3 bytes)
C:\Windows\Temp\WERE36.tmp.mdmp (104835 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_osmism.exe_efc8641810adfc9375b33ce4a8d3f47972b83d3_cab_02540e71\WERD97.tmp.appcompat.txt (3 bytes)
C:\Windows\Temp\WERDA7.tmp.WERInternalMetadata.xml (51370 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_osmism.exe_efc8641810adfc9375b33ce4a8d3f47972b83d3_cab_02540e71\Report.wer (147356 bytes)
C:\Windows\Temp\WERDC8.tmp.hdmp (283339 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_osmism.exe_efc8641810adfc9375b33ce4a8d3f47972b83d3_cab_02540e71\WERDC8.tmp.hdmp (3361 bytes)
C:\Windows\Temp\WERD97.tmp.appcompat.txt (2056 bytes)

The Virus deletes the following file(s):

C:\Windows\Temp\WERDC8.tmp (0 bytes)
C:\Windows\Temp\WERD97.tmp (0 bytes)
C:\Windows\Temp\WERDA7.tmp.WERInternalMetadata.xml (0 bytes)
C:\Windows\Temp\WERE36.tmp.mdmp (0 bytes)
C:\Windows\Temp\WERE36.tmp (0 bytes)
C:\Windows\Temp\WERDC8.tmp.hdmp (0 bytes)
C:\Windows\Temp\WERD97.tmp.appcompat.txt (0 bytes)
C:\Windows\Temp\WERDA7.tmp (0 bytes)

The process wermgr.exe:1808 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_osmism.exe_efc8641810adfc9375b33ce4a8d3f47972b83d3_cab_02540e71\Report.wer.tmp (148134 bytes)

Registry activity

The process %original file name%.exe:452 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Services\SRDSL]
"InstallTime" = "2017-05-10 14:45"
"Description" = "管理基于组件对象模型的核心服务。如果服务被禁用，计算机将无法正常运行。"
"Group" = "5.03"

The process WerFault.exe:576 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\145]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[HKU\.DEFAULT\Software\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_osmism.exe_efc8641810adfc9375b33ce4a8d3f47972b83d3_cab_02540e71"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\145]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000571]
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000572]
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\146]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"

[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_osmism.exe_efc8641810adfc9375b33ce4a8d3f47972b83d3_cab_02540e71"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\145]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\146]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000572]
"ObjectLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\146\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"1000000005823" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000055E1]
"145" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore]
"_CurrentObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\145\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000055E1" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\146]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList]
"CurrentLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000571]
"ObjectLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\145]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\146]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"ExceptionRecord" = "05 00 00 C0 00 00 00 00 00 00 00 00 00 00 00 00"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\146]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\1000000005823]
"146" = "Type: REG_QWORD, Length: 8"

The process wermgr.exe:1808 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_osmism.exe_efc8641810adfc9375b33ce4a8d3f47972b83d3_cab_02540e71"

[HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_osmism.exe_efc8641810adfc9375b33ce4a8d3f47972b83d3_cab_02540e71"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Virus installs the following user-mode hooks in ntdll.dll:

NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
ZwCreateUserProcess
ZwCreateProcessEx
NtCreateProcess
ZwCreateFile

Propagation

VersionInfo

Company Name:
Product Name: tot ????
Product Version: 1, 0, 0, 1
Legal Copyright: ???? (C) 2004
Legal Trademarks:
Original Filename: tot.EXE
Internal Name: tot
File Version: 1, 0, 0, 1
File Description: tot Microsoft ???????
Comments:
Language: Chinese (Simplified, PRC)

PE Sections

Name     Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text    4096             26138         28672     4.06884  9287dfccaf66f5223b2ffa128b51efc2
.rdata   32768            3550          4096      3.02893  c1c55de46e9f6a726f2f4761e3c7d31f
.data    36864            4352          4096      3.19171  57cfb430d13cd109a7bec84f36bf6b49
.rsrc    45056            73728         73728     4.66219  314c8a86bd06cbc60ef452dc39080df1
tlwtcdf  118784           4096          0         0        d41d8cd98f00b204e9800998ecf8427e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
zwj19940929.f3322.org 49.4.140.253
ilo.brenz.pl 148.81.111.121


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Known Hostile Domain ilo.brenz.pl Lookup

Traffic

The Virus connects to the servers at the following location(s):

%original file name%.exe_452:

.text
`.rdata
@.data
.rsrc
GetProcessHeap
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyA
RegOpenKeyExA
ADVAPI32.dll
MSVCRT.dll
_acmdln
WININET.dll
SHLWAPI.dll
userenv.dll
%s\%d.bak
SYSTEM\CurrentControlSet\Services\%s
%s\shell\open\command
%s %s
Applications\iexplore.exe\shell\open\command
VVV.baidu.com
zwj19940929.f3322.org
VVV.qq.com
hXXp://ip.xpcha.com/?q=
%s:%d:%s
M-%.2d-%.2d %.2d:%.2d
Oleaut32.dll
Ole32.dll
%d*%sMHz
kernel32.dll
%s Win7
Dr.WEB
%c%c%c%c%c%c.exe
wininet.dll
ws2_32.dll
EnumWindows
ExitWindowsEx
User32.dll
user32.dll
InternetOpenUrlA
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
.NMb(
t.4d%.dSV
?.xN:
ADVAPI32.DLL
JOIN #.%d
DSTAMP %ddd
\USERINIT.EXE
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
ilo.brenz.pl
ant.trenz.pl
NICK zmejknnx
SFC.DLL
SFC_OS.DLL
USER32.DLL
SHLWAPI.DLL
WSOCK32.DLL
WININET.DLL
%.6x . . :%c%.8x%x  *%s
KERNEL32.DLL
windowsupdate
drweb
1, 0, 0, 1
tot.EXE
Tot.Document
(*.*)
Output.prn$
(*.prn)|*.prn|
(*.*)|*.*||



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    WerFault.exe:576
    wermgr.exe:1808

  3. Delete the original Virus file.
  4. Delete or disinfect the following files created/modified by the Virus:

    C:\Windows\System32\osmism.exe (601 bytes)
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_osmism.exe_efc8641810adfc9375b33ce4a8d3f47972b83d3_cab_02540e71\WERE36.tmp.mdmp (2105 bytes)
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_osmism.exe_efc8641810adfc9375b33ce4a8d3f47972b83d3_cab_02540e71\WERDA7.tmp.WERInternalMetadata.xml (3 bytes)
    C:\Windows\Temp\WERE36.tmp.mdmp (104835 bytes)
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_osmism.exe_efc8641810adfc9375b33ce4a8d3f47972b83d3_cab_02540e71\WERD97.tmp.appcompat.txt (3 bytes)
    C:\Windows\Temp\WERDA7.tmp.WERInternalMetadata.xml (51370 bytes)
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_osmism.exe_efc8641810adfc9375b33ce4a8d3f47972b83d3_cab_02540e71\Report.wer (147356 bytes)
    C:\Windows\Temp\WERDC8.tmp.hdmp (283339 bytes)
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_osmism.exe_efc8641810adfc9375b33ce4a8d3f47972b83d3_cab_02540e71\WERDC8.tmp.hdmp (3361 bytes)
    C:\Windows\Temp\WERD97.tmp.appcompat.txt (2056 bytes)
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_osmism.exe_efc8641810adfc9375b33ce4a8d3f47972b83d3_cab_02540e71\Report.wer.tmp (148134 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
