MD5: 7456ac27e27884d4c696e2235895d899
SHA1: a60ffccfdcdd75aa2b6cf77fe8a1d27111044b74
SHA256: ec75e5f82881e71fd9de94d03d0eebf13ddf37003c62ba2ae3d41e4950c112c5
SSDeep: 3072:3qEH GiEs2SMylNOjyFbxJqH5CsRSVueeDnh7r/i5Bm/a:6sehzRF6LSUe 9e2C
Size: 98816 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: BorlandDelphi30, MicrosoftVisualCv60SPx, UPolyXv05_v6
Company: no certificate found
Created at: 2003-03-25 09:08:18
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):

dllcache.exe:164
gfi.exe:1632
%original file name%.exe:1328

The Trojan injects its code into the following process(es):

dllcache.exe:456

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process gfi.exe:1632 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%WinDir%\dllcache.exe (45 bytes)

The process %original file name%.exe:1328 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\gfi.exe (1568 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\gfi.exe (0 bytes)

Registry activity

The process dllcache.exe:456 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 99 A6 CD 60 8D 7C D2 C6 9D F0 17 7F 1E 7F F5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

The process gfi.exe:1632 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 4D 38 CC DD 02 B9 03 D5 1D 89 ED AA 34 6D EC"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Dynamic Library Cache" = "dllcache.exe"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process %original file name%.exe:1328 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF 6A B8 12 C2 E4 F5 CD F7 BA 57 AF 5A 1A 1D ED"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread its copies through the MSN Messanger.

VersionInfo

Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 6.00.3790.0
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: WEXTRACT.EXE
Internal Name: Wextract
File Version: 6.00.3790.0 (srv03_rtm.030324-2048)
File Description: Win32 Cabinet Self-Extractor
Comments:
Language: Language Neutral

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://301.myspace.com/Browse/Browse.aspx
hxxp://browseusers.myspace.com/Browse/Browse.aspx	63.135.90.70
myspace.com	63.135.90.70

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /Browse/Browse.aspx HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: browseusers.myspace.com

Connection: Keep-Alive

HTTP/1.1 301 Moved Permanently

Location: hXXps://myspace.com/

Connection: close

Cache-Control: no-cache

Pragma: no-cache

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

t1SSSSh

SSSh|

r.getfile

r.new

r.update

r.upd4te

login

msn.msg

msn.stop

aim.msg

aim.stop

triton.msg

triton.stop

GetWindowsDirectoryA

KERNEL32.dll

VkKeyScanA

keybd_event

USER32.dll

MSVCRT.dll

_acmdln

RegCloseKey

RegCreateKeyExA

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

%s Welcome.

%s Fail.

%s Spy: %s!%s@%s (PM: "%s")

%s Fail by: %s!%s@%s (Pass Tried: %s)

%s %s out.

%s <%i> out.

%s No user at: <%i>

%s Invalid slot: <%i>

%s Kill: <%d> threads

%s No threads

%s Killed thread: <%s>

%s Failed kt: <%s>

%s %s already running: <%d>.

%s Fail start %s, err: <%d>.

%s Status: %s. Box Uptime: %s, Bot Uptime: %s, Connected for: %s.

%s Bot installed on: %s.

Go fuck yourself %s.

MSN// Message & Zipfile sent to: %d contacts.

MSN// Message sent to: %d Contacts.

MSN// Sent Stats - Messages: %d :: Files: %d :: Message & Files: %d.

%s logged in.

Removed by: %s!%s@%s

%s Advapi.dll Failed

%s PStore.dll Failed.

%s Naim thd.

%s RuC.

%s mis param.

%s Failed to parse command.

%s Downloading URL: %s to: %s.

%s Downloading update from: %s to: %s.

%seraseme_%d%d%d%d%d.exe

%s Thread Disabled.

%s Thread Activated: Sending Message.

%s Bad URL or DNS Error, error: <%d>

%s Update failed: Error executing file: %s.

%s Process Finished: "%s", Total Running Time: %s.

%s Created process: "%s", PID: <%d>

%s Failed to create process: "%s", error: <%d>

%s Couldn't parse path, error: <%d>

%s File download: %.1fKB to: %s @ %.1fKB/sec.

%s Couldn't open file for writing: %s.

Ping Timeout? (%d-%d)%d/%d

USER %s * 0 :%s

NICK %s

PASS %s

QUIT %s

PONG %s

NICK

PRIVMSG

JOIN

PRIVMSG %s :%s

JOIN %s

JOIN %s %s

MODE %s %s %s

MODE %s %s

__oxFrame.class__

shlwapi.dll

psapi.dll

SQLDisconnect

SQLFreeHandle

SQLAllocHandle

SQLExecDirect

SQLSetEnvAttr

SQLDriverConnect

odbc32.dll

ShellExecuteA

shell32.dll

mpr.dll

GetUdpTable

GetTcpTable

iphlpapi.dll

dnsapi.dll

netapi32.dll

Mozilla/4.0 (compatible)

InternetCrackUrlA

InternetOpenUrlA

FtpPutFileA

FtpGetFileA

HttpSendRequestA

HttpOpenRequestA

wininet.dll

ws2_32.dll

RegEnumKeyExA

advapi32.dll

user32.dll

kernel32.dll

%s!%s@%s

dllcache.exe

*!*@fbi.gov

Windows Dynamic Library Cache

cache.stupidnsm.cn

hXXp://browseusers.myspace.com/Browse/Browse.aspx

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

%s\%s

%s No %s thread found.

%s %s thread stopped. (%d thread(s) stopped.)

del "%s">nul

if exist "%s" goto Repeat

ping 0.0.0.0>nul

%s\removeMe%i%i%i%i.bat

192.168.11.129

dllcache.exe_456_rwx_00400000_0004C000:

.text

`.rdata

@.data

t1SSSSh

SSSh|

r.getfile

r.new

r.update

r.upd4te

login

msn.msg

msn.stop

aim.msg

aim.stop

triton.msg

triton.stop

GetWindowsDirectoryA

KERNEL32.dll

VkKeyScanA

keybd_event

USER32.dll

MSVCRT.dll

_acmdln

RegCloseKey

RegCreateKeyExA

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

%s Welcome.

%s Fail.

%s Spy: %s!%s@%s (PM: "%s")

%s Fail by: %s!%s@%s (Pass Tried: %s)

%s %s out.

%s <%i> out.

%s No user at: <%i>

%s Invalid slot: <%i>

%s Kill: <%d> threads

%s No threads

%s Killed thread: <%s>

%s Failed kt: <%s>

%s %s already running: <%d>.

%s Fail start %s, err: <%d>.

%s Status: %s. Box Uptime: %s, Bot Uptime: %s, Connected for: %s.

%s Bot installed on: %s.

Go fuck yourself %s.

MSN// Message & Zipfile sent to: %d contacts.

MSN// Message sent to: %d Contacts.

MSN// Sent Stats - Messages: %d :: Files: %d :: Message & Files: %d.

%s logged in.

Removed by: %s!%s@%s

%s Advapi.dll Failed

%s PStore.dll Failed.

%s Naim thd.

%s RuC.

%s mis param.

%s Failed to parse command.

%s Downloading URL: %s to: %s.

%s Downloading update from: %s to: %s.

%seraseme_%d%d%d%d%d.exe

%s Thread Disabled.

%s Thread Activated: Sending Message.

%s Bad URL or DNS Error, error: <%d>

%s Update failed: Error executing file: %s.

%s Process Finished: "%s", Total Running Time: %s.

%s Created process: "%s", PID: <%d>

%s Failed to create process: "%s", error: <%d>

%s Couldn't parse path, error: <%d>

%s File download: %.1fKB to: %s @ %.1fKB/sec.

%s Couldn't open file for writing: %s.

Ping Timeout? (%d-%d)%d/%d

USER %s * 0 :%s

NICK %s

PASS %s

QUIT %s

PONG %s

NICK

PRIVMSG

JOIN

PRIVMSG %s :%s

JOIN %s

JOIN %s %s

MODE %s %s %s

MODE %s %s

__oxFrame.class__

shlwapi.dll

psapi.dll

SQLDisconnect

SQLFreeHandle

SQLAllocHandle

SQLExecDirect

SQLSetEnvAttr

SQLDriverConnect

odbc32.dll

ShellExecuteA

shell32.dll

mpr.dll

GetUdpTable

GetTcpTable

iphlpapi.dll

dnsapi.dll

netapi32.dll

Mozilla/4.0 (compatible)

InternetCrackUrlA

InternetOpenUrlA

FtpPutFileA

FtpGetFileA

HttpSendRequestA

HttpOpenRequestA

wininet.dll

ws2_32.dll

RegEnumKeyExA

advapi32.dll

user32.dll

kernel32.dll

%s!%s@%s

dllcache.exe

*!*@fbi.gov

Windows Dynamic Library Cache

cache.stupidnsm.cn

hXXp://browseusers.myspace.com/Browse/Browse.aspx

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

%s\%s

%s No %s thread found.

%s %s thread stopped. (%d thread(s) stopped.)

del "%s">nul

if exist "%s" goto Repeat

ping 0.0.0.0>nul

%s\removeMe%i%i%i%i.bat

192.168.11.129

iexplore.exe_1692:

%?9-*09,*19}*09

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

USER32.dll

SHLWAPI.dll

SHDOCVW.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess

IE-X-X

rsabase.dll

System\CurrentControlSet\Control\Windows

dw15 -x -s %u

watson.microsoft.com

IEWatsonURL

%s -h %u

iedw.exe

Iexplore.XPExceptionFilter

jscript.DLL

mshtml.dll

mlang.dll

urlmon.dll

wininet.dll

shdocvw.DLL

browseui.DLL

comctl32.DLL

IEXPLORE.EXE

iexplore.pdb

ADVAPI32.dll

MsgWaitForMultipleObjects

IExplorer.EXE

IIIIIB(II<.Fg

7?_____ZZSSH%

)z.UUUUUUUU

,....Qym

````2```

{.QLQIIIKGKGKGKGKGKG

;33;33;0

8888880

8887080

browseui.dll

shdocvw.dll

6.00.2900.5512 (xpsp.080413-2105)

Windows

Operating System

6.00.2900.5512

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   dllcache.exe:164
   gfi.exe:1632
   %original file name%.exe:1328

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
   %WinDir%\dllcache.exe (45 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\gfi.exe (1568 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "Windows Dynamic Library Cache" = "dllcache.exe"
   
   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
   "wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.