Gen.Variant.Graftor.Elzob.16171_882689867a

by malwarelabrobot on December 17th, 2014 in Malware Descriptions.

UDS:DangerousObject.Multi.Generic (Kaspersky), Gen:Variant.Graftor.Elzob.16171 (B) (Emsisoft), Gen:Variant.Graftor.Elzob.16171 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericInjector.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 882689867a2c60c21109902888f4a393
SHA1: d365be1d989567b607272f0cb7124114bcbf3317
SHA256: a58a50cdb0961d339e3512843f113590b8295cdb47ddc8539e60510b1a26e8f2
SSDeep: 12288:rj0zqkhPfG0dXqcMbVDH/fRbbVtDRkbhD/Pgl5hc3IMFq73x:rj0zqaBEcUVFbfDRxl83lFGx
Size: 1073152 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2014-10-26 11:32:16
Analyzed on: WindowsXPESX SP3 32-bit


Summary:

Trojan-PSW. Trojan program intended for stealing users passwords.

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The Trojan creates the following process(es):

mscorsvw.exe:172

The Trojan injects its code into the following process(es):

%original file name%.exe:1712

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1712 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5N561HSH\sq.login2[2].js (1659 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IXOTW1GL\sq.dialog[2].js (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5N561HSH\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5N561HSH\sq.login2[1].js (392 bytes)
C:\AntiVC.dll (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GHEF4H63\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5L27O96R\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5L27O96R\btn[1].png (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B6.tmp (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5N561HSH\bg-btn-20140729[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IXOTW1GL\bg-line-20140102[1].jpg (356 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GHEF4H63\sq.core[1].js (44865 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GHEF4H63\h[2].js (16 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hm.baidu[1].txt (164 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@37[1].txt (169 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GHEF4H63\base[1].css (7681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GHEF4H63\login[1].js (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GHEF4H63\ico-24[1].png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5L27O96R\jquery.placeholder[1].js (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IXOTW1GL\bg-side[1].jpg (3434 bytes)
%Documents and Settings%\%current user%\UserData\2Z89WTQV\my.37[1].xml (266 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5L27O96R\btn[2].png (362 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5L27O96R\login[1].htm (2337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5L27O96R\wl[1].htm (153 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B4.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5N561HSH\login[1].css (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GHEF4H63\h[1].js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IXOTW1GL\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5L27O96R\bg-main-20141127[1].jpg (20376 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (788 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B5.tmp (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IXOTW1GL\sq.dialog[1].js (1 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\B4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5N561HSH\sq.login2[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5L27O96R\btn[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GHEF4H63\h[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B6.tmp (0 bytes)
%Documents and Settings%\%current user%\UserData\2Z89WTQV\www.aaa[1].xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IXOTW1GL\sq.dialog[1].js (0 bytes)

Registry activity

The process mscorsvw.exe:172 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "1260000"

The process %original file name%.exe:1712 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 13 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 DE 41 E9 55 3B 88 81 BA DC F1 12 90 E4 6B 4C"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
ed0c74815e4d0c37563d89c7af54f2cc c:\AntiVC.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 767063 770048 4.50928 64cece694cf25ac7df4f3d61f3e6bdfc
.rdata 774144 194514 196608 4.072 51f37f4978f0b3ea0ed1a1d73e09e491
.data 970752 206120 77824 3.68196 132f5db2a9d51ca4e918553bb82af212
.rsrc 1179648 22336 24576 3.31244 a19afd71f47cc4600d064ad508821e6e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://14.29.82.186/wl.html
hxxp://hm.e.shifen.com/h.js?2bff1797982a3dfe38d535d59aca3334
hxxp://my.37.com/wl.html
hxxp://hm.baidu.com/h.js?2bff1797982a3dfe38d535d59aca3334 61.135.185.140


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /wl.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://my.37.com/login.html?url=hXXp://my.37.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: my.37.com
Connection: Keep-Alive
Cookie: PHPSESSID=9ba78725ef428c15d8f7d87900e3fac4


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 16 Dec 2014 03:23:22 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
37web: gz_82_143_web
99..<!DOCTYPE HTML>.<html>.<head>.<meta http-equi
v="Content-Type" content="text/html; charset=utf-8">.<title>l
oading</title>.</head>..<body>.</body>.</ht
ml>...0..



GET /h.js?2bff1797982a3dfe38d535d59aca3334 HTTP/1.1
Accept: */*
Referer: hXXp://my.37.com/login.html?url=hXXp://my.37.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: hm.baidu.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Etag: b3e5121cd323f2b64b500a7805d46837
Cache-Control: max-age=0, must-revalidate
Content-Encoding: gzip
Content-Type: application/javascript
Set-Cookie: HMACCOUNT=223660F09C98F03D; Path=/; Domain=hm.baidu.com; Expires=Sun, 18 Jan 2038 00:00:00 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Connection: Keep-Alive
Content-Length: 6318
Date: Tue, 16 Dec 2014 03:23:23 GMT
Server: apache
...............(function(){var h={},mt={},c={id:"2bff1797982a3dfe38d53
5d59aca3334",dm:["37.com"],js:"tongji.baidu.com/hm-web/js/",etrk:[],ic
on:'',ctrk:false,align:-1,nv:-1,vdur:1800000,age:31536000000,rec:0,rp:
[],trust:0,vcard:0,qiao:0,lxb:0,conv:0,apps:''};.:iw..... h4O!,..l.MH.
.....I..4...J.HB.c.2I.v%..7.p..,o.9.@,3..03.R.....Y..E......(..|.Q....
.(..a^.. ...^`.2..X,.....Zd2}:.qN."/I...2.n(}^....S?......5......1..Ye
.z]..ir....2..g...F.[ ....... ..[ .R)c.6...z..]rG.;.3.Lg9..L......3.=.
...8W..Y~P}Y...d.{y...`.......;...N..v.[...%.q.. ..oM....4J.?...H.D"..
...5'..D"...1t...N...S."....U....>...y....| O~~..].....%.g..e.[..`.
..0..."].2_.........I..k....l.>:.#j:...PK.I.....C1:....!.0R..j[r...
.y...K..n}.$..O.Z.....D..b.n...}_..-...e........T.V.1O...9..p..bgp..a"
^..."\H...F.F#.P.56Z1........4Lbt.,Y......)5.R# S..&.Mhe..HnoD........
..d..~APPO...y(<i.N....Q.]>....LL...... ..H.'.|.;w...Z.....T...I
.<...)(`.}..5........C.....n........%.-.... y.."W.....e.*W....j....
....j........y..W..~6..FS... .ff~?.....Od. .... .>....=.../"W....d?
.q..3..b.>.#..r..m.B..b.M.P.....8...@...s..BP.`.5.8.E..............
1..o.2..3.2."g...........-X.q.$...D....Qr..^..qr..n*..S..v:.......PV..
U..(e!.l..cB !Y.. 6.w.n../.UJy......"..L...h..:...t..zq.I..}...Xc...zq
./..vz.I/.}......."cG...)..V..S@.[.....%y...f"{{...&s......,..4..Q....
.. .mqL:..).>`..4c.A.....6.(.Z.....0.(..6-....&MF....G....w...C..i.
.^..LF..@.7....U.......4..H.. ...#....@....n..y.;aB..~....S...........
.E...[a..9.../....g.}(-?....s.'.l..G.39. ....P.....@..`.(.m.......
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

%original file name%.exe_1712:

.text
`.rdata
@.data
.rsrc
t$(SSh
~%UVW
u$SShe
kernel32.dll
Kernel32.dll
ntdll.dll
ws2_32.dll
WS2_32.dll
mswsock.dll
AntiVC.dll
ole32.dll
wininet.dll
user32.dll
Shlwapi.dll
MsgWaitForMultipleObjects
gdi32.dll
&password=
hXXp://my.37.com/api/login.php?action=login&login_account=
&showlogintype=3
hXXp://gameapp.37.com/controller/enter_game.php?game_id=237&sid=
&key=dts_entergame&action=check_code
hXXp://gameapp.37.com/controller/code.php?code=
hXXp://gameapp.37.com/controller/code.php
WinHttp.WinHttpRequest.5.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
hXXps://
hXXp://
windows
\AntiVC.dll
.xy(.
%d.#9
"/%S h
qaL;a%d
k;)O%9uR
OADVAPI32.dll
/,@*.*
15638236
*s %d
. (0x%X
cessHeap
.RH(H1
M.lKw
__o.OO
\:.tT
`.rdata3m
KERNEL32.DLL
GDI32.dll
gdiplus.dll
MSVCRT.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
WININET.dll
GetUrlCacheEntryInfoA
gameapp.37.com
):$%C
dm.dmsoft
KeyPress
KeyDown
KeyUp
ShowScrMsg
SetShowErrorMsg
GetWindowState
SetWindowSize
SetWindowState
SetKeypadDelay
SetExportDict
FindWindowSuper
KeyDownChar
KeyUpChar
KeyPressChar
KeyPressStr
EnableKeypadPatch
EnableKeypadSync
EnableRealKeypad
GetKeyState
WaitKey
EnumWindowSuper
EnableKeypadMsg
EnableMouseMsg
EnumIniKey
EnumIniKeyPwd
20140404
hXXp://my.37.com
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
RASAPI32.dll
GetProcessHeap
WinExec
KERNEL32.dll
SetWindowsHookExA
UnhookWindowsHookEx
EnumThreadWindows
EnumChildWindows
GetViewportOrgEx
WINMM.dll
MSIMG32.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
ShellExecuteA
OLEAUT32.dll
COMCTL32.dll
oledlg.dll
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetCrackUrlA
InternetCanonicalizeUrlA
GetCPInfo
CreateDialogIndirectParamA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
RegCreateKeyExA
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
(*.htm;*.html)|*.htm;*.html
msctls_hotkey32
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
zcÁ
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
2,3,0,0402
yadinae@qq.com
(*.*)
1.0.0.0
(hXXp://VVV.eyuyan.com)

%original file name%.exe_1712_rwx_10001000_0004E000:

ADVAPI32.dll
,@*.*
Local Settings\Temporary Internet Files\Content.IE5
$@15638236
{557CF400-1A04-11D3-9A73-0000F81EF32E}
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{557CF402-1A04-11D3-9A73-0000F81EF32E}
{557CF405-1A04-11D3-9A73-0000F81EF32E}
{557CF406-1A04-11D3-9A73-0000F81EF32E}
{6AEDBD6D-3FB5-418A-83A6-7F45229DC872}
O@kernel32.dll
user32.dll
gdi32.dll
WININET.dll
gdiplus.dll
GdiPlus.dll
ole32.dll
GetUrlCacheEntryInfoA
program internal error number is %d. (0x%Xh)
GetProcessHeap
GetWindowsDirectoryA
.RH(H1
&33827272
.text
`.rdata
@.data
.rsrc
.reloc
OADVAPI32.dll
/,@*.*
15638236


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    mscorsvw.exe:172

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5N561HSH\sq.login2[2].js (1659 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IXOTW1GL\sq.dialog[2].js (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5N561HSH\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5N561HSH\sq.login2[1].js (392 bytes)
    C:\AntiVC.dll (48 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GHEF4H63\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5L27O96R\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5L27O96R\btn[1].png (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B6.tmp (1425 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5N561HSH\bg-btn-20140729[1].jpg (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IXOTW1GL\bg-line-20140102[1].jpg (356 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GHEF4H63\sq.core[1].js (44865 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GHEF4H63\h[2].js (16 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@hm.baidu[1].txt (164 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@37[1].txt (169 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GHEF4H63\base[1].css (7681 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GHEF4H63\login[1].js (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GHEF4H63\ico-24[1].png (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5L27O96R\jquery.placeholder[1].js (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IXOTW1GL\bg-side[1].jpg (3434 bytes)
    %Documents and Settings%\%current user%\UserData\2Z89WTQV\my.37[1].xml (266 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5L27O96R\btn[2].png (362 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5L27O96R\login[1].htm (2337 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5L27O96R\wl[1].htm (153 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B4.tmp (4545 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5N561HSH\login[1].css (337 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GHEF4H63\h[1].js (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IXOTW1GL\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5L27O96R\bg-main-20141127[1].jpg (20376 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (788 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B5.tmp (3361 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IXOTW1GL\sq.dialog[1].js (1 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2024 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now