Gen.Variant.Buzy.3914_d86dc0768e

by malwarelabrobot on July 10th, 2016 in Malware Descriptions.

Trojan-Dropper.Win32.Agent.bjrmme (Kaspersky), Gen:Variant.Buzy.3914 (B) (Emsisoft), Gen:Variant.Buzy.3914 (AdAware), Trojan.Win32.FlyStudio.FD, Trojan.Win32.Swrort.3.FD, GenericEmailWorm.YR, GenericInjector.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: d86dc0768e0ea415ac0ed66b37efba35
SHA1: 36ccbef104b1cfd82564240eea53aa1cbf54a532
SHA256: 106193fcc48a628bfa05131402c4b4d00d92dc1a4cf3a70d41965e040e670aa5
SSDeep: 49152:LWIgtpkC9jAvP8ZDFTOI2DrLBt6PTHLA3OG0YULrXcJ:lGptjwMDFkdt67LO/fU/sJ
Size: 2879006 bytes
File type: EXE
Platform: WIN32
Entropy: Probably Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2011-04-04 08:49:22
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-Dropper. A Trojan program intended for the stealthy installation of other malware onto the user's system.

Payload

Behaviour    Description
EmailWorm    Worm can send e-mails.


Process activity

The Trojan creates the following process(es):

%original file name%.exe:168

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:

RasPbFile
ShimCacheMutex

File activity

No files have been created.

Registry activity

The process %original file name%.exe:168 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Copyright (C) 2010 Www.Hookdlq.Com
Product Name: JavaDlq
Product Version: 1.0.0.0
Legal Copyright: Copyright (C) 2010 Www.Hookdlq.Com ????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: JAVA???
Comments: JAVADLQ
Language: Language Neutral

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             933511        933888    4.49713  c86bf2fd3ade530584e297a7d4970604
CODE    937984           338768        338944    4.58127  e3152f3849cb81408b388a18b7487c9b
.rdata  1277952          846286        846336    4.67905  1ca96fc041b1caa7a80ac7bd5439959b
.data   2125824          207404        67584     3.93279  b273bd9bd001e3c529163a89878f9504
DATA    2334720          69260         69632     5.14547  b976e89ff5af8a037f285f69212e7ee7
BSS     2404352          25785         26112     0        09117bd1c93e17d89f54fa63cc98bd31
.rsrc   2433024          20384         20480     3.19314  f2f172594f04d5ec0aa192fa7e9a7db9
.reloc  2453504          105196        105472    3.44001  8edd7f98ec3c1d06f3a432cfbe991b07

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

%original file name%.exe_168:



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:168

  2. Delete the original Trojan file.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
