Gen.Variant.Graftor.123006_4fb297e023
Gen:Variant.Graftor.123006 (B) (Emsisoft), Gen:Variant.Graftor.123006 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 4fb297e02394a219f293bdacbb1a49d4
SHA1: c93566eae4d279e84154b308dee25ae6efe01312
SHA256: 910dba5ef2d4d6babc099d1a2a904a4f5bd91f27cb165bf69ff90a26fcdd119c
SSDeep: 24576:y8W 5/u84coPSwtbTZaqdiXSp0c02uFG6dAk3CMNEzoRER:yU/5/wdTZaqdwk0c05HGiuU6R
Size: 1622016 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: Xacti, LLC
Created at: 2014-12-01 17:27:23
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan-PSW. Trojan program intended for stealing users' passwords.
Notes on the evidence in this report: the TrojanFlyStudio detection names and the eyuyan.com reference in the version information show that the binary was built with Easy Programming Language (易语言, known to scanners as FlyStudio), whose runtime is routinely matched by generic signatures. All captured traffic goes to Tencent's QQ login front-end (ui/xui.ptlogin2.qq.com) and its image CDN, loading the legitimate login page for qun.qzone.qq.com/group; the requests carry the sandbox's default IE6 User-Agent, and the files written to disk are the WinINet cache entries for those requests, so nothing is dropped outside the Temporary Internet Files folder. The embedded strings additionally reference the QQ group-list API, the skey= session cookie and the infinitus.qq.com/weixin endpoints (startGame, recordData, getRedPacket), which points at QQ accounts and sessions as the target. The EmailWorm verdict rests on SMTP message-header format strings in the binary (From, To, Subject, Reply-To, Cc); no SMTP session appears in the captured traffic.
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:312
The Trojan injects its code into the following process(es):
No injection into other processes was observed.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:312 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\load[1].gif (817 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\qlogin[1].htm (6 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\cross_proxy[1].html (1001 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\qlogin[1].com%2Fgroup&low_login=0&style=12&authParamUrl=&needVip=0 (680 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cross_proxy[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\h_xui[1].js (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\icon_3[1].png (7 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\qlogin[1].com%2Fgroup&low_login=0&style=12&authParamUrl=&needVip=0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\cross_proxy[1].html (0 bytes)
Registry activity
The process %original file name%.exe:312 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 F5 A5 99 4C 0B 7D 60 B3 72 B3 C2 FE 1F 60 6F"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security-zone settings so that all network (UNC) paths are mapped to the Local Intranet zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all sites that bypass the proxy server are mapped to the Local Intranet zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that all local (intranet) sites not listed in other zones are mapped to the Local Intranet zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
These three ZoneMap values correspond to the three check boxes of the Local Intranet zone dialog in Internet Explorer. Together with the Cache\Paths, Shell Folders, MountPoints2, MUICache and RNG\Seed entries above, they are typically written by WinINet, Explorer and the system itself when a fresh profile first uses them, so on their own they are weak indicators. The proxy values deleted below are worth comparing against the host's expected proxy configuration.
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
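An added triage script (example code, not part of the report and not Lavasoft's own tooling) that parses registry changes in the layout used above and sorts them into the classes a responder cares about: IE zone-map weakening, proxy tampering, persistence, and the WinINet/Explorer first-run noise that makes up most of this section. The input is a constructed subset of the lines above; the Run-key line is a constructed addition, not something observed for this sample, included only to exercise the persistence branch. The key fragments and value names used for matching are assumptions drawn from standard Windows locations.

```python
import re
from collections import Counter

# Constructed input: a subset of the "sets" and "deletes" entries listed in this report,
# in the report's own "[key]" / "name" = "value" layout. The Run-key line is a
# constructed addition (not observed for this sample) to exercise the persistence branch.
REPORT_SET = r'''
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 F5 A5 99 4C 0B 7D 60 B3 72 B3 C2 FE 1F 60 6F"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
"ProxyBypass" = "1"
"IntranetName" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"updater" = "C:\constructed\not_from_this_sample.exe"
'''
REPORT_DELETED = r'''
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"(?:\s*=\s*"(?P<value>.*)")?$')

# Key fragments and value names below are assumptions based on standard Windows
# locations, lower-cased for matching.
NOISE_KEYS = (r'\internet settings\cache\paths', r'\explorer\shell folders',
              r'\explorer\mountpoints2\{', r'\cryptography\rng', r'\shellnoroam\muicache')
PERSIST_KEYS = (r'\currentversion\run', r'\currentversion\policies\explorer\run',
                r'\windows nt\currentversion\winlogon')
ZONE_VALUES = {'IntranetName', 'ProxyBypass', 'UNCAsIntranet'}
PROXY_VALUES = {'ProxyEnable', 'ProxyServer', 'ProxyOverride', 'AutoConfigURL',
                'MigrateProxy', 'SavedLegacySettings'}

def classify(key, name, value):
    """Return the triage class of one registry change (value is None for a deletion)."""
    k = key.lower()
    if any(p in k for p in PERSIST_KEYS):
        return 'persistence'
    if k.endswith(r'\internet settings\zonemap') and name in ZONE_VALUES and value == '1':
        return 'ie_zone_weakening'
    if name in PROXY_VALUES:
        return 'proxy_tampering'
    if any(p in k for p in NOISE_KEYS):
        return 'ie_init_noise'
    return 'unclassified'

def parse_changes(text):
    """Yield (key, name, value) from the report layout; value is None for bare names."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VAL_RE.match(line)
        if m and key is not None:
            yield key, m.group('name'), m.group('value')

def triage(set_text, deleted_text=''):
    """List (action, class, key, name, value) for every change in both sections."""
    findings = []
    for action, text in (('set', set_text), ('deleted', deleted_text)):
        for key, name, value in parse_changes(text):
            findings.append((action, classify(key, name, value), key, name, value))
    return findings

def summarize(findings):
    """Count findings per triage class."""
    return Counter(cls for _, cls, *_ in findings)

if __name__ == '__main__':
    for action, cls, key, name, value in triage(REPORT_SET, REPORT_DELETED):
        if cls != 'ie_init_noise':
            print(f'{cls:18} {action:7} {key}\\{name} = {value!r}')
```

Run as a script it prints only the non-noise findings; for this report that is the three zone-map values, the proxy settings that were set or deleted, and nothing under persistence, which matches the absence of dropped files and Run keys in the sections above.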
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 559931 | 561152 | 4.52917 | bd7bdf49a2acdaba5f6cdcbb2ab754ab |
| .rdata | 565248 | 945114 | 946176 | 5.41208 | 9992464fa18e9d8f4dab2ba601b7d114 |
| .data | 1511424 | 241000 | 65536 | 3.5161 | 5cbca942b2989393939a7e712c8259d0 |
| .rsrc | 1753088 | 41624 | 45056 | 4.18583 | 56f8da68df43025dd4c2fda23a8eb12a |
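The Entropy field above says Packed and PEiD lists Armadillo and UPolyX, but the per-section entropies in the table (3.5 to 5.4 bits per byte) are in the range of ordinary compiled code and data; compressed or encrypted payloads sit near 7 to 8. The following added example (not code from the report or from Lavasoft) shows how such a section table is read and the entropy column computed with the Python standard library only, and applies the threshold a packing verdict should be checked against. It runs on a constructed, non-loadable toy PE built by build_toy_pe; the 7.0 bits-per-byte threshold is an assumption.

```python
import math
import struct
from collections import Counter

def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_sections(pe):
    """Read the section table of a PE image with the standard library only.
    Returns one dict per section with the fields shown in the report's table."""
    if pe[:2] != b'MZ':
        raise ValueError('not an MZ image')
    e_lfanew, = struct.unpack_from('<I', pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('missing PE signature')
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from('<H', pe, coff + 2)
    opt_size, = struct.unpack_from('<H', pe, coff + 16)   # SizeOfOptionalHeader
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from('<8sIIII', pe, table + 40 * i)
        raw = pe[rptr:rptr + rsize]
        sections.append({
            'name': name.rstrip(b'\0').decode('ascii', 'replace'),
            'virtual_address': vaddr,
            'virtual_size': vsize,
            'raw_size': rsize,
            'entropy': round(shannon_entropy(raw), 5),
        })
    return sections

def packing_verdict(sections, threshold=7.0):
    """'packed' only if a section with real on-disk data is near-random.
    The 7.0 bits/byte threshold is an assumption, not a value from the report."""
    hot = [s['name'] for s in sections if s['raw_size'] and s['entropy'] >= threshold]
    return ('packed' if hot else 'not packed', hot)

def build_toy_pe(sections):
    """Constructed test fixture: a minimal, non-loadable PE image (no optional header)
    whose section table points at the given (name, raw_bytes, virtual_size) triples."""
    e_lfanew = 0x40
    dos = b'MZ' + b'\0' * (0x3C - 2) + struct.pack('<I', e_lfanew)
    coff = struct.pack('<HHIIIHH', 0x14C, len(sections), 0, 0, 0, 0, 0)
    ptr = e_lfanew + 4 + 20 + 40 * len(sections)          # raw data follows the table
    vaddr, table, blobs = 0x1000, b'', b''
    for name, raw, vsize in sections:
        table += struct.pack('<8sIIIIIIHHI', name.ljust(8, b'\0'), vsize, vaddr,
                             len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        blobs += raw
        ptr += len(raw)
        vaddr += 0x10000
    return dos + b'PE\0\0' + coff + table + blobs

# Constructed sample: uniform bytes (near-random), a constant block, and a bss-style
# section with no raw data, mirroring the .data row above (virtual size > raw size).
TOY_PE = build_toy_pe([
    (b'.text', bytes(range(256)) * 4, 1024),
    (b'.data', b'A' * 1024, 1024),
    (b'.bss', b'', 0x10000),
])

if __name__ == '__main__':
    secs = parse_sections(TOY_PE)
    for s in secs:
        print(f"{s['name']:8} vsize={s['virtual_size']:7} raw={s['raw_size']:5} entropy={s['entropy']}")
    print(packing_verdict(secs))
```

A section whose virtual size exceeds its raw size, as .data does in the table above, is uninitialised data that the loader zero-fills; it carries no entropy on disk and should not be read as a sign of unpacking at runtime.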
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://ui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=1&jumpname=&appid=549000912&param=u1%3Dhttp%253A%252F%252Fqun.qzone.qq.com%252Fgroup&mibao_css=&s_url=http%3A%2F%2Fqun.qzone.qq.com%2Fgroup&low_login=0&style=12&authParamUrl=&needVip=0 | |
| hxxp://imgcache.qq.com.cdngc.net/ptlogin/v4/style/11/images/icon_3.png | |
| hxxp://imgcache.qq.com.cdngc.net/ptlogin/ver/10158/js/h_xui.js?max_age=604800 | |
| hxxp://ui.ptlogin2.qq.com/cross_proxy.html | |
| hxxp://imgcache.qq.com.cdngc.net/ptlogin/v4/style/0/images/load.gif | |
| hxxp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=1&jumpname=&appid=549000912&param=u1%3Dhttp%253A%252F%252Fqun.qzone.qq.com%252Fgroup&mibao_css=&s_url=http%3A%2F%2Fqun.qzone.qq.com%2Fgroup&low_login=0&style=12&authParamUrl=&needVip=0 | |
| hxxp://imgcache.qq.com/ptlogin/v4/style/0/images/load.gif | |
| hxxp://imgcache.qq.com/ptlogin/v4/style/11/images/icon_3.png | |
| hxxp://imgcache.qq.com/ptlogin/ver/10158/js/h_xui.js?max_age=604800 | |
| log.wtlogin.qq.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /ptlogin/ver/10158/js/h_xui.js?max_age=604800 HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=1&jumpname=&appid=549000912&param=u1%3Dhttp%253A%252F%252Fqun.qzone.qq.com%252Fgroup&mibao_css=&s_url=http%3A%2F%2Fqun.qzone.qq.com%2Fgroup&low_login=0&style=12&authParamUrl=&needVip=0
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 01 Jun 2016 12:25:17 GMT
Server: PWS/8.1.36.0005
X-Px: ms h0-s1129.p11-fra ( h0-s1195.p11-fra), ht h0-s1195.p11-fra.cdngp.net
ETag: "5742a28b-5525"
Cache-Control: max-age=600
Expires: Wed, 01 Jun 2016 12:29:41 GMT
Age: 336
Content-Length: 7458
Content-Type: application/x-javascript; charset=utf-8
Content-Encoding: gzip
Vary: Accept-Encoding
Px-Uncompress-Origin: 21797
Last-Modified: Mon, 23 May 2016 06:26:19 GMT
Connection: keep-alive
<<< gzip-compressed body skipped >>>
GET /cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=1&jumpname=&appid=549000912&param=u1%3Dhttp%253A%252F%252Fqun.qzone.qq.com%252Fgroup&mibao_css=&s_url=http%3A%2F%2Fqun.qzone.qq.com%2Fgroup&low_login=0&style=12&authParamUrl=&needVip=0 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: xui.ptlogin2.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 01 Jun 2016 12:25:10 GMT
Content-Type: text/html
Content-Length: 2706
Connection: keep-alive
Server: QZHTTP-2.38.20
P3P: CP="CAO PSA OUR"
Cache-Control: max-age=604800
Set-Cookie: pt_local_token=518370393; PATH=/; DOMAIN=ptlogin2.qq.com;
Last-Modified: Thu, 08 Mar 2012 02:04:00 GMT
Content-Encoding: gzip
<<< gzip-compressed body skipped >>>
GET /cross_proxy.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=1&jumpname=&appid=549000912&param=u1%3Dhttp%253A%252F%252Fqun.qzone.qq.com%252Fgroup&mibao_css=&s_url=http%3A%2F%2Fqun.qzone.qq.com%2Fgroup&low_login=0&style=12&authParamUrl=&needVip=0
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ui.ptlogin2.qq.com
Connection: Keep-Alive
Cookie: pt_local_token=518370393; ptui_qstatus=3
HTTP/1.1 200 OK
Date: Wed, 01 Jun 2016 12:22:10 GMT
Content-Type: text/html
Content-Length: 1001
Connection: keep-alive
Server: QZHTTP-2.38.20
Last-Modified: Mon, 01 Jun 2015 01:52:25 GMT
Content-Encoding: gzip
Cache-Control: public; max-age=86400
Expires: Thu, 02 Jun 2016 12:25:18 GMT
<<< gzip-compressed body skipped; the capture repeats the same response headers inside the body >>>
GET /ptlogin/v4/style/11/images/icon_3.png HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=1&jumpname=&appid=549000912&param=u1%3Dhttp%253A%252F%252Fqun.qzone.qq.com%252Fgroup&mibao_css=&s_url=http%3A%2F%2Fqun.qzone.qq.com%2Fgroup&low_login=0&style=12&authParamUrl=&needVip=0
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 01 Jun 2016 12:25:17 GMT
Server: PWS/8.1.36.0005
X-Px: ms h0-s1129.p11-fra ( h0-s1195.p11-fra), ht h0-s1195.p11-fra.cdngp.net
ETag: "5506987d-1d59"
Cache-Control: max-age=7200
Expires: Wed, 01 Jun 2016 14:06:51 GMT
Age: 1106
Content-Length: 7513
Content-Type: image/png
Last-Modified: Mon, 16 Mar 2015 08:46:53 GMT
Connection: keep-alive
<<< PNG image body skipped >>>
GET /ptlogin/v4/style/0/images/load.gif HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=1&jumpname=&appid=549000912&param=u1%3Dhttp%253A%252F%252Fqun.qzone.qq.com%252Fgroup&mibao_css=&s_url=http%3A%2F%2Fqun.qzone.qq.com%2Fgroup&low_login=0&style=12&authParamUrl=&needVip=0
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 01 Jun 2016 12:25:19 GMT
Server: PWS/8.1.36.0005
X-Px: ms h0-s1129.p11-fra ( h0-s1210.p11-fra), ht h0-s1210.p11-fra.cdngp.net
ETag: "5506987c-331"
Cache-Control: max-age=7200
Expires: Wed, 01 Jun 2016 13:25:05 GMT
Age: 3614
Content-Length: 817
Content-Type: image/gif
Last-Modified: Mon, 16 Mar 2015 08:46:52 GMT
Connection: keep-alive
<<< GIF image body skipped >>>
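An added example (not from the report or from Lavasoft) of turning a capture like the one above into structured messages and a defanged IOC list: it splits the dump at request and status lines, reads headers until the first line that is not of the form Name: value (so the compressed or image body that follows is not mistaken for headers), and collects contacted and referring hosts, URLs, the cookies the servers set and the user agents seen. The transcript it runs on is a constructed abridgement of the first two exchanges above. The hosts it yields here belong to Tencent's login infrastructure, so they identify what the sample loaded rather than attacker infrastructure; that distinction is the reason to review such a list before turning it into blocking rules.

```python
import re
from urllib.parse import urlsplit

# Constructed abridgement of the first two exchanges captured above: headers are kept,
# each compressed body is cut to one garbled line, as the capture itself prints it.
TRANSCRIPT = '''GET /ptlogin/ver/10158/js/h_xui.js?max_age=604800 HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&appid=549000912
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 01 Jun 2016 12:25:17 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Encoding: gzip
Connection: keep-alive...........<ko$.q../.}.rF..'y.]6..{H..t'.g..Q
..1.....A.....`..3:Y.....~......I..$.q....U]....<pS/.jS.......g.N.
GET /cgi-bin/qlogin?domain=qq.com&appid=549000912 HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: xui.ptlogin2.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: QZHTTP-2.38.20
Set-Cookie: pt_local_token=518370393; PATH=/; DOMAIN=ptlogin2.qq.com;
Content-Encoding: gzip...........Yys....*.f.!G$...-..<......# M.4.Y.Krm
.N..mb i..j..SA...W..]...;.'.v2...o..........K..;..tX.U..p........bmI.
'''

REQUEST_LINE = re.compile(r'^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]$')
STATUS_LINE = re.compile(r'^HTTP/1\.[01] (\d{3})\b')
HEADER_NAME = re.compile(r'[A-Za-z0-9-]+')

def refang(url):
    """Turn the capture's hXXp:// notation back into a parseable scheme."""
    return re.sub(r'^h[xX]{2}p', 'http', url)

def defang(url):
    """Write a URL so that it cannot be clicked by accident (http -> hxxp, https -> hxxps)."""
    return re.sub(r'^http', 'hxxp', url)

def parse_transcript(text):
    """Split a sandbox capture into request/response messages. Header lines are read until
    the first line that is not Name: value; everything after that (the gzip, PNG or GIF
    body) is skipped until the next request or status line."""
    messages, current = [], None
    for line in text.splitlines():
        m = REQUEST_LINE.match(line)
        if m:
            current = {'kind': 'request', 'method': m.group(1), 'target': m.group(2), 'headers': {}}
            messages.append(current)
            continue
        m = STATUS_LINE.match(line)
        if m:
            current = {'kind': 'response', 'status': int(m.group(1)), 'headers': {}}
            messages.append(current)
            continue
        if current is not None and ':' in line:
            name, _, value = line.partition(':')
            if HEADER_NAME.fullmatch(name):
                current['headers'].setdefault(name.lower(), []).append(value.strip())
                continue
        current = None   # body or garbage: stop attributing lines to the last message
    return messages

def extract_iocs(messages):
    """Collect defanged URLs, contacted and referring hosts, cookies set by servers, user agents."""
    iocs = {'urls': set(), 'hosts': set(), 'cookies_set': set(), 'user_agents': set()}
    for msg in messages:
        h = msg['headers']
        if msg['kind'] == 'request':
            host = h.get('host', [''])[0]
            iocs['hosts'].add(host)
            iocs['urls'].add(defang(f'http://{host}{msg["target"]}'))
            for ref in h.get('referer', []):
                ref_host = urlsplit(refang(ref)).hostname
                if ref_host:
                    iocs['hosts'].add(ref_host)
            iocs['user_agents'].update(h.get('user-agent', []))
        else:
            for cookie in h.get('set-cookie', []):
                iocs['cookies_set'].add(cookie.split(';', 1)[0].strip())
    return iocs

if __name__ == '__main__':
    for kind, values in extract_iocs(parse_transcript(TRANSCRIPT)).items():
        print(kind, sorted(values))
```

The Set-Cookie values are worth keeping in the output for a sample of this class: pt_local_token is a session token issued by the QQ login front-end, and a credential or session stealer would be expected to read such values back out of the WinINet cookie store.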
The Trojan connects to the servers at the following location(s):
Strings
.text
`.rdata
@.data
.rsrc
t$(SSh
~%UVW
u$SShe
wininet.dll
ole32.dll
SkinH_EL.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
MsgWaitForMultipleObjects
302795079
hXXp://qun.qzone.qq.com/group
skey=
hXXp://qun.qzone.qq.com/cgi-bin/get_group_list?groupcount=4&count=4&callbackFun=_GetGroupPortal&uin=
hXXp://shang.qq.com/wpa/qunwpa?idkey=4a82e548e7b84a60b2d50df833eea1771563c60e1333cc7e83f8f389c5c80c1d
hXXp://infinitus.qq.com/weixin/startGame
hXXp://infinitus.qq.com/weixin/recordData?score=80&rd=0.
hXXp://infinitus.qq.com/weixin/route
hXXp://infinitus.qq.com/weixin/getRedPacket
https
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
http=
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
hXXps://
hXXp://
1970-01-01 08:00:00
b\SkinH_EL.dll
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=1&jumpname=&appid=549000912&param=u1%3Dhttp%253A%252F%252Fqun.qzone.qq.com%252Fgroup&mibao_css=&s_url=http%3A%2F%2Fqun.qzone.qq.com%2Fgroup&low_login=0&style=12&authParamUrl=&needVip=0
F%D,3
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
user32.dll
RASAPI32.dll
GetProcessHeap
WinExec
KERNEL32.dll
GetKeyState
GetViewportOrgEx
WINMM.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
OLEAUT32.dll
oledlg.dll
WS2_32.dll
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
GetCPInfo
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
RegCreateKeyExA
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
(*.htm;*.html)|*.htm;*.html
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
1, 0, 6, 6
(*.*)
1.0.0.0
(hXXp://VVV.eyuyan.com)
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:312
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\load[1].gif (817 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\qlogin[1].htm (6 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\cross_proxy[1].html (1001 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\qlogin[1].com%2Fgroup&low_login=0&style=12&authParamUrl=&needVip=0 (680 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cross_proxy[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\h_xui[1].js (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\icon_3[1].png (7 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.