Gen.Variant.Mikey.10993_c3199e6062
HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Mikey.10993 (B) (Emsisoft), Gen:Variant.Mikey.10993 (AdAware), Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: c3199e60629cd96f407f1f0d229eef5a
SHA1: 75aa95693e365af66c91f0eb895db157bfdff0bf
SHA256: c17cd8e44647cf7aa14365011a21c2025dfcc9c2fbb3f11180ac83aa362ea983
SSDeep: 12288:lojzoucNj2BOQoh9/iEK8eKisrgr/G4F2Q2QajqB7IrGbEo1s:lojuNj2BOQoh9aEK8lrgbJFqQajXrGbS
Size: 610304 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: ICorporation
Created at: 2014-04-28 17:25:42
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:1332
Mutexes
The following mutexes were created/opened:
CTF.TMD.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Layouts.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Asm.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Compart.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.LBES.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
RasPbFile
ShimCacheMutex
File activity
The process %original file name%.exe:1332 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\qlogin[1].htm (897 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\xui[1].js (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\icons[1].gif (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
Registry activity
The process %original file name%.exe:1332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 48 09 44 BE 2A 9C 87 EC 42 52 F8 6C 8E AD F2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .data | 4096 | 437552 | 438272 | 5.16794 | 99dff01e7ff4629b1b39e81ff4afed30 |
| .rdata | 442368 | 68046 | 69632 | 2.89351 | 920285cabfd0600f3b8249d93ef5bc0b |
| .data | 512000 | 187496 | 61440 | 4.25007 | 43752c00e6af341d9d023c4dd0ae3fab |
| .rsrc | 700416 | 33500 | 36864 | 3.59791 | 0ef646c3c025eb989e2cac38f8147249 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://ui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=0&jumpname=&ptcss=&param=u1%3Dhttp%253A%252F%252Fwww.qq.com%252Fqq2012%252FloginSuccess.htm&css=&mibao_css=&low_login=0 | |
| hxxp://imgcache.qq.com.cdngc.net/ptlogin/ver/10159/js/xui.js?v=10007 | |
| hxxp://imgcache.qq.com.cdngc.net/ptlogin/v4/style/0/images/icons.gif | |
| hxxp://imgcache.qq.com/ptlogin/ver/10159/js/xui.js?v=10007 | |
| hxxp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=0&jumpname=&ptcss=&param=u1%3Dhttp%253A%252F%252Fwww.qq.com%252Fqq2012%252FloginSuccess.htm&css=&mibao_css=&low_login=0 | |
| hxxp://imgcache.qq.com/ptlogin/v4/style/0/images/icons.gif | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /ptlogin/ver/10159/js/xui.js?v=10007 HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=0&jumpname=&ptcss=&param=u1%3Dhttp%253A%252F%252FVVV.qq.com%252Fqq2012%252FloginSuccess.htm&css=&mibao_css=&low_login=0
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 31 May 2016 21:02:06 GMT
Server: PWS/8.1.36.0005
X-Px: ms h0-s1210.p11-fra ( h0-s1214.p11-fra), rf-ht h0-s1214.p11-fra ( h0-s1022.p7-icn), ht h0-s1022.p7-icn.cdngp.net
ETag: "574d2c38-21f8"
Cache-Control: max-age=600
Expires: Tue, 31 May 2016 21:07:31 GMT
Age: 276
Content-Length: 3459
Content-Type: application/x-javascript
Content-Encoding: gzip
Vary: Accept-Encoding
Last-Modified: Tue, 31 May 2016 06:16:24 GMT
Connection: keep-alive
GET /ptlogin/v4/style/0/images/icons.gif HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=0&jumpname=&ptcss=&param=u1%3Dhttp%253A%252F%252FVVV.qq.com%252Fqq2012%252FloginSuccess.htm&css=&mibao_css=&low_login=0
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 31 May 2016 21:02:06 GMT
Server: PWS/8.1.36.0005
X-Px: ms h0-s1210.p11-fra ( h0-s1214.p11-fra), ht h0-s1214.p11-fra.cdngp.net
ETag: "5506987c-1ede"
Cache-Control: max-age=7200
Expires: Tue, 31 May 2016 22:03:54 GMT
Age: 3492
Content-Length: 7902
Content-Type: image/gif
Last-Modified: Mon, 16 Mar 2015 08:46:52 GMT
Connection: keep-alive
GET /cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=0&jumpname=&ptcss=&param=u1%3Dhttp%253A%252F%252FVVV.qq.com%252Fqq2012%252FloginSuccess.htm&css=&mibao_css=&low_login=0 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: xui.ptlogin2.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 31 May 2016 21:01:59 GMT
Content-Type: text/html
Content-Length: 5460
Connection: keep-alive
Server: QZHTTP-2.38.20
P3P: CP="CAO PSA OUR"
Cache-Control: max-age=604800
Set-Cookie: pt_local_token=708669680; PATH=/; DOMAIN=ptlogin2.qq.com;
Last-Modified: Thu, 08 Mar 2012 02:04:00 GMT
The Trojan connects to the servers at the following location(s):
.data
.rdata
@.data
.rsrc
atl.dll
[email protected]
smtp.163.com
[email protected]
[email protected]
hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=0&jumpname=&ptcss=&param=u1%3Dhttp%253A%252F%252FVVV.qq.com%252Fqq2012%252FloginSuccess.htm&css=&mibao_css=&low_login=0
javascript:for(var C=0;C<q_aUinList.length;C++){var D=q_aUinList[C];document.write(D.uin+","+D.key+"[F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
user32.dll
RASAPI32.dll
GetProcessHeap
WinExec
KERNEL32.dll
GetKeyState
USER32.dll
GetViewportOrgEx
GDI32.dll
WINMM.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
ole32.dll
OLEAUT32.dll
COMCTL32.dll
WS2_32.dll
WININET.dll
GetCPInfo
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
RegCreateKeyExA
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
HELO %s
SMTP
AUTH LOGIN
LOGIN
AUTH=LOGIN
EHLO %s
Content-Type: application/octet-stream; name=%s
Content-Disposition: attachment; filename=%s
MAIL FROM:<%s>
RCPT TO:<%s>
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
(*.*)
1.0.0.0
(hXXp://VVV.eyuyan.com)
%original file name%.exe_1332_rwx_00401000_0006B000:
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\qlogin[1].htm (897 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\xui[1].js (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\icons[1].gif (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.