Gen.Variant.Graftor.131194_0f22b5d8f7

by malwarelabrobot on March 3rd, 2014 in Malware Descriptions.

Gen:Variant.Graftor.131194 (BitDefender), VirTool:Win32/Injector.gen!BB (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.MulDrop5.9365 (DrWeb), Gen:Variant.Graftor.131194 (B) (Emsisoft), Artemis!0F22B5D8F7E5 (McAfee), Virus.Win32.Injector.BB (Ikarus), Trojan:W32/DelfInject.R (FSecure), Win32/DH{QSAiJU1SO1CBB3lPFVEcU2hnJygT} (AVG), Win32:Malware-gen (Avast), Gen:Variant.Graftor.131194 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Virus, VirTool


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 0f22b5d8f7e510bc16063846abc2a7cf
SHA1: 5d8cbd2573460ece073ae2462a5bafb82852f4f0
SHA256: 93f1bea8fa35ad4bcd7548c61ad64b367556d695db3702d393a4d1a531d99149
SSDeep: 24576:TD/4tdONNCdAOP HkkSygKhYn4Cecp08DN7Ed:Tb4np5GUptEd
Size: 1200128 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: PolyEnE001byLennartHedlund, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6
Company: no certificate found
Created at: 2014-02-10 14:23:37
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-PSW: a Trojan program intended for stealing users' passwords.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:264

The Trojan injects its code into the following process(es):

No processes have been created.

File activity

The process %original file name%.exe:264 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\icons[1].gif (7856 bytes)
%System%\їс.sys (70144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\xui[1].js (9118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\qlogin[1].htm (9087 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014021820140219\index.dat (32768 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\go[1].htm (846 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\desktop.ini (67 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013093020131001 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013093020131001\index.dat (0 bytes)
%System%\їс.sys (0 bytes)

Registry activity

The process %original file name%.exe:264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014021820140219]
"CacheLimit" = "8192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014021820140219]
"CacheOptions" = "11"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32]
"(Default)" = "%System%\oleacc.dll"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"

[HKCR\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\TypeLib]
"Version" = "1.1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014021820140219]
"CacheRepair" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 2F 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 BA F4 CF A0 6E 2F 92 F8 D0 30 9B 01 3C 48 8D"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "www.2345.com/?k744606640"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014021820140219]
"CachePrefix" = ":2014021820140219:"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"

[HKCR\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\TypeLib]
"(Default)" = "{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014021820140219]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014021820140219\"

[HKLM\SOFTWARE\Microsoft\InternetExplorer\Main]
"Start Page" = "www.2345.com/?k744606640C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"

The Trojan modifies IE security zone settings so that all local web nodes whose names contain no dots, and which are not assigned to any other zone, are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013093020131001]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Network activity (URLs)

URL IP
hxxp://img.users.51.la/4354769.asp?314354300307QQ310272263311324261321351326244304243277351 117.21.191.223
hxxp://ui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=0&jumpname=&ptcss=&param=u1%3Dhttp%253A%252F%252Fwww.qq.com%252Fqq2012%252FloginSuccess.htm&css=&mibao_css=&low_login=0
hxxp://a1165.b.akamai.net/ptlogin/ver/10067/js/xui.js?v=10007
hxxp://a1165.b.akamai.net/ptlogin/v4/style/0/images/icons.gif
web.51.la 222.187.223.75
imgcache.qq.com 23.3.90.91
xui.ptlogin2.qq.com 112.90.83.106


HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following kernel-mode hooks:

ZwQuerySystemInformation
ZwReadVirtualMemory
ZwWriteVirtualMemory

Propagation

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             672850        675840    4.52141  cf91b57f1f607e58aa85acf14f083674
.rdata  679936           403468        405504    5.05839  f5760ce8295bf07d382672787842688f
.data   1085440          263211        81920     3.59047  db8bc9ffe4fc17e46b31c382e443d720
.rsrc   1351680          29624         32768     3.92791  9b92f5327021ad4ae4e1bbe987102c7c

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:264

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\icons[1].gif (7856 bytes)
    %System%\їс.sys (70144 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\xui[1].js (9118 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\qlogin[1].htm (9087 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014021820140219\index.dat (32768 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\go[1].htm (846 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\desktop.ini (67 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
