Gen.Trojan.Heur.pnGfrT6EoBijf_0a1c2895cf

by malwarelabrobot on August 4th, 2015 in Malware Descriptions.

Gen:Trojan.Heur.pnGfrT6EoBijf (B) (Emsisoft), Gen:Trojan.Heur.pnGfrT6EoBijf (AdAware), Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 0a1c2895cf8f04e833db11f11606f7b6
SHA1: 5507b2b5360f69e75193f5a64172d1eb1f1ed66b
SHA256: a13bcec42b2fc2191e041d4cbb71fccee875a89f6fc81245dfe18322d07d6305
SSDeep: 24576:bdrjuHh6BhUAszKJrCD/geDjF9Sf6f9lHIi7hHH6HmD4eQJL WIldRCOk5:bdrjuB6g2IrgeDjF9SSDZFHH6Hmp9jVX
Size: 1304576 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-04-10 18:30:54
Analyzed on: WindowsXP SP3 32-bit


Summary:

Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:188

Mutexes

The following mutexes were created/opened:

ZonesCacheCounterMutex
ZonesLockedCacheCounterMutex
ZonesCounterMutex
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
RasPbFile
ShimCacheMutex

File activity

The process %original file name%.exe:188 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O1MJGDMZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (720 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\888888 (1 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AM37NIVC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[2].txt (386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\B7VTVYFD\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (1176 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UA97X8QI\desktop.ini (67 bytes)
%WinDir%\%original file name%.exe (7971 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\360Safe.lnk (639 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[2].txt (0 bytes)

Registry activity

The process %original file name%.exe:188 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 45 4C 69 2D 80 C4 E2 D8 32 07 D4 EC 55 46 53"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX0 4096 1802240 0 0 d41d8cd98f00b204e9800998ecf8427e
UPX1 1806336 737280 733696 5.49805 380fee0e4e176a747f7be1e181aedfd1
.rsrc 2543616 573440 569856 5.50494 247f2f2b5feaedf998830e4de5343afd

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://www.baidu.com/


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET / HTTP/1.1
User-Agent: test
Host: VVV.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Mon, 03 Aug 2015 18:34:55 GMT
Content-Type: text/html
Content-Length: 14613
Last-Modified: Wed, 03 Sep 2014 02:48:32 GMT
Connection: Keep-Alive
Vary: Accept-Encoding
Set-Cookie: BAIDUID=FEA17037CA92618C02EE50C561503582:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BIDUPSID=FEA17037CA92618C02EE50C561503582; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: PSTM=1438626895; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BDSVRTM=0; path=/
P3P: CP=" OTI DSP COR IVA OUR IND COM "
Server: BWS/1.1
X-UA-Compatible: IE=Edge,chrome=1
Pragma: no-cache
Cache-control: no-cache
BDPAGETYPE: 1
BDQID: 0xc8c48cb8000196a1
BDUSERID: 0
Accept-Ranges: bytes
<!DOCTYPE html><!--STATUS OK-->..<html>..<head>
;...<meta http-equiv="content-type" content="text/html;charset=utf-
8">...<meta http-equiv="X-UA-Compatible" content="IE=Edge">..
.<link rel="dns-prefetch" href="//s1.bdstatic.com"/>...<link 
rel="dns-prefetch" href="//t1.baidu.com"/>...<link rel="dns-pref
etch" href="//t2.baidu.com"/>...<link rel="dns-prefetch" href="/
/t3.baidu.com"/>...<link rel="dns-prefetch" href="//t10.baidu.co
m"/>...<link rel="dns-prefetch" href="//t11.baidu.com"/>...&l
t;link rel="dns-prefetch" href="//t12.baidu.com"/>...<link rel="
dns-prefetch" href="//b1.bdstatic.com"/>...<title>...........
................</title>...<link href="hXXp://s1.bdstatic.com
/r/www/cache/static/home/css/index.css" rel="stylesheet" type="text/cs
s" />...<!--[if lte IE 8]><style index="index" >#conten
t{height:480px\9}#m{top:260px\9}</style><![endif]-->...<
;!--[if IE 8]><style index="index" >#u1 a.mnav,#u1 a.mnav:vis
ited{font-family:simsun}</style><![endif]-->...<script&
gt;var hashMatch = document.location.href.match(/# (.*wd=[^&]. )/);if 
(hashMatch && hashMatch[0] && hashMatch[1]) {document.location.replace
("hXXp://" location.host "/s?" hashMatch[1]);}var ns_c = function(){};
</script>...<script>function h(obj){obj.style.behavior='ur
l(#default#homepage)';var a = obj.setHomePage('//VVV.baidu.com/');}<
;/script>...<noscript><meta http-equiv="refresh" conte
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

%original file name%.exe_188:

`.rsrc
t%SVh
t$(SSh
~%UVW
u$SShe
ole32.dll
user32.dll
OLEACC.DLL
gdiplus.dll
kernel32.dll
gdi32.dll
advapi32.dll
GdiplusShutdown
MsgWaitForMultipleObjects
RegCreateKeyA
RegOpenKeyA
RegEnumKeyA
RegCloseKey
RegFlushKey
RegOpenKeyExA
RegCreateKeyExA
RegDeleteKeyA
c:\888888
-&&&hXXp://hi.baidu.com/qiu0832/item/47b577b1ff20ce45bb0e1233###-------------------------------------------------------------------------------------------------------------------------
[email protected]
C:\windows\
hXXps://shenghuo.alipay.com/transfer/ac/acFill.htm
hXXps://cashierzue.alipay.com/standard/deposit/depositCardForm.htm
WinHttp.WinHttpRequest.5.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
hXXp://
javascript:document.onsdragstart=document.onselectstart=document.oncontextmenu=function(){return true}
javascript:document.onselectstart = document.oncontextmenu = document.onmousedown = document.onkeydown = function(){return true;};
var jie = document.createStyleSheet();jie.addRule('html','overflow:hidden;');
text|password|file
comdlg32.dll
{557CF400-1A04-11D3-9A73-0000F81EF32E}
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{557CF402-1A04-11D3-9A73-0000F81EF32E}
{557CF405-1A04-11D3-9A73-0000F81EF32E}
{557CF406-1A04-11D3-9A73-0000F81EF32E}
WarnOnHTTPSToHTTPRedirect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
WSOCK32.dll
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
%s\%s.lnk
Software\Microsoft\Windows\CurrentVersion\Run
hXXp://VVV.baidu.com
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
.text
`.rdata
@.data
.sxdata
.rsrc
@.reloc
t^Ht.Hu$
u.hHf
@.PjNZ
9^ uZ8^%uU
.tiItM
`kernel32.dll
OLEAUT32.dll
USER32.dll
MSVCRT.dll
KERNEL32.dll
7z.dll
video.flv
audio.flv
Windows NT
Windows 95
LIVE_SUPPORT
Windows CE
Windows CUI
Windows GUI
.debug
.rsrc_1
.rsrc_2
CERTIFICATE
ImportAssets2
ImportAssets
ExportAssets
EXPORTABLE
Windows
lzma 7z ace arc arj bz bz2 deb lzo lzx gz pak rpm sit tgz tbz tbz2 tgz cab ha lha lzh rar zoo zip jar ear war msi 3gp avi mov mpeg mpg mpe wmv aac ape fla flac la mp3 m4a mp4 ofr ogg pac ra rm rka shn swa tta wv wma wav swf chm hxi hxs gif jpeg jpg jp2 png tiff bmp ico psd psp awg ps eps cgm dxf svg vrml wmf emf ai md cad dwg pps key sxi max 3ds iso bin nrg mdf img pdi tar cpio xpi vfd vhd vud vmc vsv vmdk dsk nvram vmem vmsd vmsn vmss vmtm inl inc idl acf asa h hpp hxx c cpp cxx rc java cs pas bas vb cls ctl frm dlg def f77 f f90 f95 asm sql manifest dep mak clw csproj vcproj sln dsp dsw class bat cmd xml xsd xsl xslt hxk hxc htm html xhtml xht mht mhtml htw asp aspx css cgi jsp shtml awk sed hta js php php3 php4 php5 phptml pl pm py pyo rb sh tcl vbs text txt tex ans asc srt reg ini doc docx mcw dot rtf hlp xls xlr xlt xlw ppt pdf sxc sxd sxi sxg sxw stc sti stw stm odt ott odg otg odp otp ods ots odf abw afp cwk lwp wpd wps wpt wrf wri abf afm bdf fon mgf otf pcf pfa snf ttf dbf mdb nsf ntf wdb db fdb gdb exe dll ocx vbx sfx sys tlb awx com obj lib out o so pdb pch idb ncb opt
CMDLINE
].xml
000000000
3333333
:#:*:1:8:?:
3&444;4|4
6l6
8!8'898_8
8Œ9u9
7$7 727_7}7
0'0.050<0
=$= =2=9=
:$:*:0:6:
>&>,>2>8>
=$=;=[=}=
7 7$7(7,7074787<7
Thawte Certification1
hXXp://ocsp.thawte.com0
.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0
hXXp://ts-ocsp.ws.symantec.com07
 hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
 hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,
.Fp2F
hXXp://sf.symcb.com/sf.crl0f
hXXps://d.symcb.com/cps0%
hXXps://d.symcb.com/rpa0
hXXp://sf.symcd.com0&
hXXp://sf.symcb.com/sf.crt0
<VeriSign Class 3 Public Primary Certification Authority - G50
hXXps://VVV.verisign.com/cps0*
hXXps://VVV.verisign.com/rpa0
#hXXp://logo.verisign.com/vslogo.gif04
#hXXp://crl.verisign.com/pca3-g5.crl04
hXXp://ocsp.verisign.com0
hXXp://VVV.taobao.com 0
GetCPInfo
WinExec
GetProcessHeap
GetViewportExtEx
GetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
ShellExecuteA
SetWindowsHookExA
GetKeyState
CreateDialogIndirectParamA
UnhookWindowsHookEx
InternetCanonicalizeUrlA
InternetCrackUrlA
InternetOpenUrlA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
ZookÊR
UrlA3
MR*G.Hd@
.fA@0
=K.xu7,GGr
2211/U.RTONPL-ffJJdcb
}|÷
qY.rl"'
.Wo,1
({.sZ
ka%FH
))3%U|
<8%xyy
;$D%s*N/
5444755
PssH#
.mln\p
.Oh>T
D,%f&bHI
T.crz
%u|7Cy
-6}~[
5}.sw
Ab%X)
zT%4u
m(A
%ufXv
.MN81~
gV%FJ
NM.pbrm
%S$,J !
.dg()%R
M|.Afr
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> </requestedPrivileges> </security></trustInfo></assembly>
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
GDI32.dll
RASAPI32.dll
SHELL32.dll
WININET.dll
WINMM.dll
WINSPOOL.DRV
WS2_32.dll
(*.*)
* * .tar .tar
string.txt
d~.swf
n[TOC].xml
* .tar
7za.dll

%original file name%.exe_188_rwx_00401000_0026A000:

t%SVh
t$(SSh
~%UVW
u$SShe
ole32.dll
user32.dll
OLEACC.DLL
gdiplus.dll
kernel32.dll
gdi32.dll
advapi32.dll
GdiplusShutdown
MsgWaitForMultipleObjects
RegCreateKeyA
RegOpenKeyA
RegEnumKeyA
RegCloseKey
RegFlushKey
RegOpenKeyExA
RegCreateKeyExA
RegDeleteKeyA
c:\888888
-&&&hXXp://hi.baidu.com/qiu0832/item/47b577b1ff20ce45bb0e1233###-------------------------------------------------------------------------------------------------------------------------
[email protected]
C:\windows\
hXXps://shenghuo.alipay.com/transfer/ac/acFill.htm
hXXps://cashierzue.alipay.com/standard/deposit/depositCardForm.htm
WinHttp.WinHttpRequest.5.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
hXXp://
javascript:document.onsdragstart=document.onselectstart=document.oncontextmenu=function(){return true}
javascript:document.onselectstart = document.oncontextmenu = document.onmousedown = document.onkeydown = function(){return true;};
var jie = document.createStyleSheet();jie.addRule('html','overflow:hidden;');
text|password|file
comdlg32.dll
{557CF400-1A04-11D3-9A73-0000F81EF32E}
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{557CF402-1A04-11D3-9A73-0000F81EF32E}
{557CF405-1A04-11D3-9A73-0000F81EF32E}
{557CF406-1A04-11D3-9A73-0000F81EF32E}
WarnOnHTTPSToHTTPRedirect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
WSOCK32.dll
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
%s\%s.lnk
Software\Microsoft\Windows\CurrentVersion\Run
hXXp://VVV.baidu.com
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
.text
`.rdata
@.data
.sxdata
.rsrc
@.reloc
t^Ht.Hu$
u.hHf
@.PjNZ
9^ uZ8^%uU
.tiItM
`kernel32.dll
OLEAUT32.dll
USER32.dll
MSVCRT.dll
KERNEL32.dll
7z.dll
video.flv
audio.flv
Windows NT
Windows 95
LIVE_SUPPORT
Windows CE
Windows CUI
Windows GUI
.debug
.rsrc_1
.rsrc_2
CERTIFICATE
ImportAssets2
ImportAssets
ExportAssets
EXPORTABLE
Windows
lzma 7z ace arc arj bz bz2 deb lzo lzx gz pak rpm sit tgz tbz tbz2 tgz cab ha lha lzh rar zoo zip jar ear war msi 3gp avi mov mpeg mpg mpe wmv aac ape fla flac la mp3 m4a mp4 ofr ogg pac ra rm rka shn swa tta wv wma wav swf chm hxi hxs gif jpeg jpg jp2 png tiff bmp ico psd psp awg ps eps cgm dxf svg vrml wmf emf ai md cad dwg pps key sxi max 3ds iso bin nrg mdf img pdi tar cpio xpi vfd vhd vud vmc vsv vmdk dsk nvram vmem vmsd vmsn vmss vmtm inl inc idl acf asa h hpp hxx c cpp cxx rc java cs pas bas vb cls ctl frm dlg def f77 f f90 f95 asm sql manifest dep mak clw csproj vcproj sln dsp dsw class bat cmd xml xsd xsl xslt hxk hxc htm html xhtml xht mht mhtml htw asp aspx css cgi jsp shtml awk sed hta js php php3 php4 php5 phptml pl pm py pyo rb sh tcl vbs text txt tex ans asc srt reg ini doc docx mcw dot rtf hlp xls xlr xlt xlw ppt pdf sxc sxd sxi sxg sxw stc sti stw stm odt ott odg otg odp otp ods ots odf abw afp cwk lwp wpd wps wpt wrf wri abf afm bdf fon mgf otf pcf pfa snf ttf dbf mdb nsf ntf wdb db fdb gdb exe dll ocx vbx sfx sys tlb awx com obj lib out o so pdb pch idb ncb opt
CMDLINE
].xml
000000000
3333333
:#:*:1:8:?:
3&444;4|4
6l6
8!8'898_8
8Œ9u9
7$7 727_7}7
0'0.050<0
=$= =2=9=
:$:*:0:6:
>&>,>2>8>
=$=;=[=}=
7 7$7(7,7074787<7
Thawte Certification1
hXXp://ocsp.thawte.com0
.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0
hXXp://ts-ocsp.ws.symantec.com07
 hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
 hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,
.Fp2F
hXXp://sf.symcb.com/sf.crl0f
hXXps://d.symcb.com/cps0%
hXXps://d.symcb.com/rpa0
hXXp://sf.symcd.com0&
hXXp://sf.symcb.com/sf.crt0
<VeriSign Class 3 Public Primary Certification Authority - G50
hXXps://VVV.verisign.com/cps0*
hXXps://VVV.verisign.com/rpa0
#hXXp://logo.verisign.com/vslogo.gif04
#hXXp://crl.verisign.com/pca3-g5.crl04
hXXp://ocsp.verisign.com0
hXXp://VVV.taobao.com 0
GetCPInfo
WinExec
GetProcessHeap
GetViewportExtEx
GetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
ShellExecuteA
SetWindowsHookExA
GetKeyState
CreateDialogIndirectParamA
UnhookWindowsHookEx
InternetCanonicalizeUrlA
InternetCrackUrlA
InternetOpenUrlA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
(*.*)
* * .tar .tar
string.txt
d~.swf
n[TOC].xml
* .tar
7za.dll


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O1MJGDMZ\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (720 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    C:\888888 (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AM37NIVC\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@baidu[2].txt (386 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\B7VTVYFD\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (1176 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UA97X8QI\desktop.ini (67 bytes)
    %WinDir%\%original file name%.exe (7971 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Startup\360Safe.lnk (639 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now