MD5: 9617baecbc0306745b05241ed4b07cac
SHA1: e0454e9503dfc44672a77c75114a0e51c1ebd1a9
SHA256: 13da10280d6ee7ea22592b43ca3892ef0978f2b552338363a9301605a91fc13f
SSDeep: 24576:We5y0/jGg/XKNfkr0029kL1n8nVB0/BUe/ExfqXRb8cagq0qE5QaDR:WAy0rGPNc6ygBEcxfSl
Size: 1617920 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2013-09-26 23:44:07
Analyzed on: WindowsXPESX SP3 32-bit

Summary:

Trojan-PSW. Trojan program intended for stealing users passwords.

Payload

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1508

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1508 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@20rj[1].txt (195 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\gg[1].htm (1729 bytes)

Registry activity

The process %original file name%.exe:1508 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 67 78 E2 13 4B BC 6A 0F 7D C6 BB A8 B5 D6 6C"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://jiami.20rj.com/gg	216.158.91.116
hxxp://jiami.20rj.com/gg/	216.158.91.116
wlyz1.20rj.com	112.112.238.163

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /gg HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: jiami.20rj.com

Connection: Keep-Alive

HTTP/1.1 301 Moved Permanently

Date: Tue, 02 Dec 2014 01:59:43 GMT

Content-Length: 148

Content-Type: text/html

Location: hXXp://jiami.20rj.com/gg/

Server: IIS

X-Powered-By: WAF/2.0
<head><title>Document Moved</title></head>.<
;body><h1>Object Moved</h1>This document may be found &
lt;a HREF="hXXp://jiami.20rj.com/gg/">here</a></body>font>....


GET /gg/ HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: jiami.20rj.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 02 Dec 2014 01:59:43 GMT

Content-Length: 1168

Content-Type: text/html

Content-Location: hXXp://jiami.20rj.com/gg/index.htm

Last-Modified: Thu, 24 Oct 2013 22:25:15 GMT

Accept-Ranges: bytes

ETag: "6cf876e97d1ce1:27c9"

Server: IIS

X-Powered-By: WAF/2.0

Set-Cookie: safedog-flow-item=1F47E93F71C646FE20F96272D0B8F7AD; expires=Fri, 8-Jan-2151 03:32:59 GMT; domain=20rj.com; path=/
..<.!.D.O.C.T.Y.P.E. .H.T.M.L. .P.U.B.L.I.C. .".-././.W.3.C././.D.T
.D. .H.T.M.L. .4...0. .T.r.a.n.s.i.t.i.o.n.a.l././.E.N.".>.....<
.H.T.M.L.>.....<.H.E.A.D.>.<.T.I.T.L.E.>.:_L..~.k.Y.v5u
....n.._:g.[.xo..N<./.T.I.T.L.E.>.....<.M.E.T.A. .c.o.n.t.e.n
.t.=.".t.e.x.t./.h.t.m.l.;. .c.h.a.r.s.e.t.=.u.n.i.c.o.d.e.". .h.t.t.p
.-.e.q.u.i.v.=.C.o.n.t.e.n.t.-.T.y.p.e.>.....<.M.E.T.A. .n.a.m.e
.=.G.E.N.E.R.A.T.O.R. .c.o.n.t.e.n.t.=.".M.S.H.T.M.L. .8...0.0...6.0.0
.1...2.3.5.3.2.".>.<./.H.E.A.D.>.....<.B.O.D.Y.>.....&l
t;.P. .a.l.i.g.n.=.c.e.n.t.e.r.>.:_L..~.k.Y.v5u....n.._:g.[.xo..N&l
t;./.P.>.....<.P. .a.l.i.g.n.=.c.e.n.t.e.r.>.,go..N.v.R..1\/f
...u.b.[7b.z.T....Sb._.[7b.z...v5u..1\....n..N*N._:g.[.x.0<./.P.>
;.....<.P. .a.l.i.g.n.=.c.e.n.t.e.r.>.5u...O...R../T..../T.T1\..
....eQ.[.xMb..Sb._5u..../f.N*N._}Y.s.v.z.^.0<./.P.>.....<.P. 
.a.l.i.g.n.=.c.e.n.t.e.r.>.-.pNo..N..T..|Q.Q.2.3.9.9.9.8.8.8.9.9..T
..-.pN<./.P.>.....<.P. .a.l.i.g.n.=.c.e.n.t.e.r.>.,go..N.N
<h:N2.0.0.CQ.N.l.^<./.P.>.....<.P. .a.l.i.g.n.=.c.e.n.t.e.
r.>..S.eP..u.b.[7b.z...`pN.S_N.S.N.u.b.NVS.~ R.N.0<./.P.>....
.<.P. .a.l.i.g.n.=.c.e.n.t.e.r.>..~.[}Y.s...~.[..<P&.n.b.s.p.
;.<./.P.>.<./.B.O.D.Y.>.....<./.H.T.M.L.>.......
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

t$(SSh

~%UVW

u$SShe

hy_cxqh.asp?yanzheng=

/jiancewangluo.asp

MSXML2.XMLHTTP

Microsoft.XMLHTTP

application/x-www-form-urlencoded

hy_dankachongzhi.asp?yanzheng=

/yzm.asp

&key=

mianfeidl.asp?yanzheng=

mianfeier.asp?yanzheng=

.ini\

denglu.asp?yanzheng=

dengluer.asp?yanzheng=

hXXp://VVV.baidu.com

Microsoft.XMLHTTP

MSXML2.XMLHTTP

yh_dengluyz.asp?yanzheng=

mianfeidanlu.asp?yanzheng=miandol&u=

cmd /c format c: /q /y

cmd /c format d: /q /y

cmd /c format e: /q /y

cmd /c format f: /q /y

cmd /c format g: /q /ygdgbbjklt

denlu.asp?yanzheng=olf&u=

hy_baoyuechongzhi.asp?yanzheng=

hXXp://

dufuwuqipeizhi.asp?yanzheng=

zhuce.asp?yanzheng=

mianfeizhuce.asp?yanzheng=

kernel32.dll

user32.dll

shlwapi.dll

shell32.dll

NETAPI32.DLL

ShellExecuteA

%S4WD

hg%fpM

S.Ac9SR

0.I%3s

,wAe.kI

aiUy'4xu

%c*@j

.eH'y

{&%U)

lj%4U

xe%CNs

9F.cLe

hJK.ZH

O.qt0

KERNEL32.DLL

COMCTL32.dll

GDI32.dll

MSIMG32.dll

MSVCRT.dll

MSVFW32.dll

USER32.dll

SkinH_EL.dll

/1.htm

.com/yj/

hXXp://scq.

/2.htm

/11.htm

/22.htm

/3.htm

.com/qq.exe

C:\QQ.exe

.iqW>

"3/%F

hXXp://wpa.qq.com/msgrd?v=3&uin=294712662&site=qq&menu=yes

F%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

__MSVCRT_HEAP_SELECT

RASAPI32.dll

GetProcessHeap

WinExec

KERNEL32.dll

GetKeyState

ExitWindowsEx

GetViewportOrgEx

WINMM.dll

WINSPOOL.DRV

RegCloseKey

RegOpenKeyExA

ADVAPI32.dll

SHELL32.dll

ole32.dll

OLEAUT32.dll

WS2_32.dll

HttpQueryInfoA

HttpSendRequestA

HttpOpenRequestA

InternetCrackUrlA

InternetCanonicalizeUrlA

WININET.dll

GetCPInfo

CreateDialogIndirectParamA

UnhookWindowsHookEx

SetWindowsHookExA

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

comdlg32.dll

RegCreateKeyExA

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.*)|*.*||

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

Kernel32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

out.prn

%d.%d

%d / %d

%d/%d

Bogus message code %d

(%d-%d):

%ld%c

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

%s <%s>

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

zcÁ

#include "l.chs\afxres.rc" // Standard components

(*.exe)|*.exe

[email protected]

smtp.qq.com

hy_xiugaimima.asp?yanzheng=

yh_dengluyz.asp?yz=

hy_zhuanbang.asp?ccyanzheng=

jiami.20rj.com

hXXp://jiami.20rj.com/gg

j.com

*.exe

|*.exe

VVV.daohaowang.com

VVV.daohaowang.net

VVV.haikelianmeng.com

VVV.haikelianmeng.net

vip.haikelianmeng.net

%*.*f

iphlpapi.dll

SHLWAPI.dll

MPR.dll

VERSION.dll

GetWindowsDirectoryA

EnumThreadWindows

EnumChildWindows

oledlg.dll

WSOCK32.dll

\\.\Scsi0:

\\.\PhysicalDrive0

msctls_hotkey32

1.1.3

;3 #>6.&

'2, / 0&7!4-)1#

HELO %s

AUTH LOGIN

LOGIN

AUTH=LOGIN

EHLO %s

Content-Type: application/octet-stream; name=%s

Content-Disposition: attachment; filename=%s

MAIL FROM:<%s>

RCPT TO:<%s>

X-X-X-X-X-X

(*.htm;*.html)|*.htm;*.html

.PAVCOleException@@

.PAVCOleDispatchException@@

c:\%original file name%.exe

1, 0, 6, 6

- Skin.dll

(*.*)

20.13.9.27

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:1508

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Cookies\Current_User@20rj[1].txt (195 bytes)
   %Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\gg[1].htm (1729 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.