Trojan.Crypt.CG_d4c4e765ef

by malwarelabrobot on October 9th, 2014 in Malware Descriptions.

Trojan-Dropper.Win32.Agent.exc (Kaspersky), Trojan.Crypt.CG (B) (Emsisoft), Trojan.Crypt.CG (AdAware), Trojan.Win32.FlyStudio.FD, mzpefinder_pcap_file.YR, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: d4c4e765ef2c4719f077a488cc99cbcf
SHA1: 70dd12b0a5b550e776c4a9e43c925d93d2e77c2a
SHA256: 4128e10fdec092cef762d5245b693f74e46e2d669a0e9215d618bff8cf661ad8
SSDeep: 49152:QqlmPEnfLzijNedPWZgUscGeJ6SnjIxpR74cdLD/OiYzOKJ gfQU:QUgEzzcgWCUzE/d4cdLD/7YEa
Size: 2425345 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Digital Pine, LLC
Created at: 2007-04-26 09:56:30
Analyzed on: WindowsXPESX SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The Trojan creates the following process(es):

svhost.exe:1220
ws.exe:1716
%original file name%.exe:948
regsvr32.exe:1756

The Trojan injects its code into the following process(es):

CFÅ®Éñ͸ÊÓ¸¨Öú0912.exe:1720
dl.exe:1860

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process CFÅ®Éñ͸ÊÓ¸¨Öú0912.exe:1720 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\dm.dll (3902 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SkinH_EL.dll (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q9JK3VWX\xbb1[1].txt (28 bytes)

The process svhost.exe:1220 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TOJWX4Z\lpk.dll (601 bytes)
C:\RCXB4.tmp (7876 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\lpk.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\lpk.dll (601 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Reader\9.3\ARM\lpk.dll (601 bytes)
%System%\hra33.dll (7 bytes)
C:\lpk.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lpk.dll (601 bytes)

The Trojan deletes the following file(s):

%System%\hra33.dll (0 bytes)

The process ws.exe:1716 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\svhost.exe (601 bytes)

The process %original file name%.exe:948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CFÅ®Éñ͸ÊÓ¸¨Öú0912.exe (15801 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dl.exe (32 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\opeB3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\opeB2.tmp (0 bytes)

The process dl.exe:1860 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TOJWX4Z\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q9JK3VWX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q9JK3VWX\y[1].txt (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IJT3DEFP\tj[1].htm (314 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TOJWX4Z\ws[1].exe (11258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IJT3DEFP\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ws.exe (73 bytes)

Registry activity

The process CFÅ®Éñ͸ÊÓ¸¨Öú0912.exe:1720 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1024x768x32(BGR 0)" = "31,31,31,31"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 13 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D6 81 AF 68 F2 89 F3 84 3E 13 0A 82 83 CD 8E 47"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process svhost.exe:1220 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 67 FB 35 03 55 5A 43 48 72 E8 67 11 62 67 D7"

The process ws.exe:1716 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "74 36 5F BB 68 58 CD A7 09 BE 52 DA 5C A6 1F 08"

[HKLM\System\CurrentControlSet\Services\Pleases Input Sarvice Nqdl]
"Description" = "Please Input Service Descrcg Transaction Coordinator Service."

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SOFTWARE.LOG,"

The process %original file name%.exe:948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 3B E0 93 64 0E BE 37 DA 7D F9 8C A6 B8 74 24"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"CFÅ®Éñ͸ÊÓ¸¨Öú0912.exe" = "易语言程序"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"dl.exe" = "dl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process regsvr32.exe:1756 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 57 9B 7B 31 D0 47 9B 33 06 EE E6 F5 00 E8 BC"

[HKCR\dm.dmsoft\CLSID]
"(Default)" = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"

[HKCR\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib]
"(Default)" = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}"

[HKCR\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR]
"(Default)" = "%System%\"

[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
"(Default)" = "dm.dmsoft"

[HKCR\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\dm.dmsoft]
"(Default)" = "dm.dmsoft"

[HKCR\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}]
"(Default)" = "Idmsoft"

[HKCR\dm.dmsoft\CurVer]
"(Default)" = "dm.dmsoft"

[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
"(Default)" = "dm.dmsoft"

[HKCR\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32]
"(Default)" = "%System%\dm.dll"

[HKCR\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0]
"(Default)" = "Dm"

[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"(Default)" = "%System%\dm.dll"

[HKCR\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib]
"Version" = "1.0"

The process dl.exe:1860 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"NetHood" = "%Documents and Settings%\%current user%\NetHood"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Templates" = "%Documents and Settings%\%current user%\Templates"

"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"SendTo" = "%Documents and Settings%\%current user%\SendTo"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 12 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Fonts" = "%WinDir%\Fonts"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 32 F2 EA 7D 67 FB 8A DD D0 55 01 84 FD D0 33"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"PrintHood" = "%Documents and Settings%\%current user%\PrintHood"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Recent" = "%Documents and Settings%\%current user%\Recent"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
e4fa79941009de83aba232520419c6c0 c:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.3\ARM\lpk.dll
e4fa79941009de83aba232520419c6c0 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\lpk.dll
e4fa79941009de83aba232520419c6c0 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\lpk.dll
54cb695091be4a0194d61f1eeda9a474 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\CFÅ®Éñ͸ÊÓ¸¨Öú0912.exe
d0a47f3a10fe3c452783b24c9327fe07 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SOFTWARE.LOG
147127382e001f495d1842ee7a9e7912 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SkinH_EL.dll
aced796f88cbc02297c0b71d53ba37a7 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\dl.exe
e4fa79941009de83aba232520419c6c0 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\lpk.dll
e4fa79941009de83aba232520419c6c0 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4TOJWX4Z\lpk.dll
d0a47f3a10fe3c452783b24c9327fe07 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4TOJWX4Z\ws[1].exe
e4fa79941009de83aba232520419c6c0 c:\Perl\bin\lpk.dll
e8889a55641fa57bcb588571f5bcbc63 c:\WINDOWS\system32\dm.dll
e4fa79941009de83aba232520419c6c0 c:\WINDOWS\system32\hra33.dll
d0a47f3a10fe3c452783b24c9327fe07 c:\WINDOWS\system32\svhost.exe
e4fa79941009de83aba232520419c6c0 c:\lpk.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
SEC 4096 3608 1536 3.61824 e913d9de28e67698bd4ffb7b7baf2475
.rsrc 8192 2423297 2423297 5.44395 87f198d68f3c5d5606ef668351a7d603

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://117.21.191.223/17048312.js
chinaljndk.3322.org 58.221.60.133


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The Trojan connects to the servers at the folowing location(s):

CFÅ®Éñ͸ÊÓ¸¨Öú0912.exe_1720:

.text
`.rdata
@.data
.rsrc
t$(SSh
~%UVW
.tTPV
FTPjK
FtPj;
F.PjRWj
u.WWj
u.VVj
u$SShe
wininet.dll
SkinH_EL.dll
psapi.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
hXXp://VVV.wei235.com/fuzhu/xixi/9.12.0.txt
hXXp://VVV.wei235.com/xbb1.txt
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
http=
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
hXXp://
%s;7*
0%x@w
%C^L:
%s T5
]E4%F(
.Funr
k%UPp
fg.VG
%C',@
>Ùd
0'.Ll
[I(3/#N0.bd
j"%u=w
q%Xn`
@|H.NI
.wdd!
S|%u4
*.Ea]S
Q.CGo
fTpe
.LLbX
-.Mdl
\-A}=3K
Y:.akpS
$.Zcqn
u.Jck~
zx/%FN[
ce_%D
%C@0H
%s=\RI
}j%c%Y)
Rx.GR
4o#.dM
IeS`%C
[n 4\.UY 
,4.qO,
gQ'.Io
%cLur?
s%DHB
]I%%X
5r.US
:mD].tB
f%fUZ
.fOuV12
*_.dC
&-N}<
({?.cQm
.Cqx~c
.`.Qw
**.dU
!n]%x
%X,Cr
&.PFy{xh
.um ZZE7L
/^p%u$
I.NoQY
zu.ew
D/.nT
q.7.qE
W>^T%S
%XiR^
1%SqlnD
U[5%u
.OW74
"E.jV
c T.Om
*U%XOd
D%FW@
.gM>$slt
B.iR%
vv#%sY7x
.TY3F
kEY94
.nyBK
wN%U/
4.Ky%t
.h.fO
.TK$N
%dRB:W
[I9%f
8o%sx
.WE= T!N
#?%s(C(
Rd.hYp
.TX=6
,%x)E
R%X4C (
$7.Gs
d,.bw p
o .Kb
KOz-%c Rd
zkey0
=.Lw/Ch
!c%SGd
A.YA'
`.yV8
.qL8d0{
m>[So;.yd] 
_ÎW,
%UZtQ
.Fu:#
SShXuy@
f.kz"
@o.Ns
i.IK(
9rBÀ
.nm[&
.DDU0
%f$8C
\SkinH_EL.dll
C$%cmb
.ppM|
 aZ.mO
%-^
.hk;~
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
\dm.dll
!!"#$%&'()) 
ll%X`$Y\
%Cr#l$rQ2$d%$
.nu':
M_%UHI=
;<.dJ
Am%Xx
D<\$ %XQ&
dlSQL
M CmD$L
((;|$ #(`
uF.BH:
t4u-4Z}>T
wQ.Bq
.AC:%
J.rE\j
%f; )c=
dE.Nn
TSSWPc.Th`
.xL$d
7z.tu
&%9SD
.VA`D
jY.kl
o8%dV
VGz%FrE
uù u
.BNFq{
-hO}]QV:
456789:;<=
!"#$%&'()* ,-./0123
deflate 1.2.3 C
en executed
p out of range,W %s
I>support g
X:
UxTheme.dll
?HttpCli
%scode,
3,%s,%d
?.PAVCExcepS,(N
' %d.
.1.2600.441~
PSAPI.DLLU%fW
88.185.3
P129.6.15.29
202.120.
\\.\%c
<%s>!
~g%s#$A
[%d]G
./*.bmp
log.tx
32778cpublic.inject.
d8 keypad
ck.ap
.=.minmax
x.cfake`!K
km.prot
hreaD%s
on.Leve
wKeyboard
Scsi%d:
1.2.24
.Fe(H;
: %s6
= (%d/
gx=%f, gy
%ld, pass G
orm.de6
O%dhx%dv qV
D=%u, "
z %4u
%ld%c$HV
 -t.SSSj
MSVCRT
ntoskrnl.exQ
8)939@9|9
%cGpS
.Hs;0E<
#6.BN
PI.DLLK04e
Ä!w
%c-1IY
ÈA/
Ë!b
.FLd{
%DxMr
úC~
.K.kn
.LP.,
;.0%U
n%cp,
.p.lMp
-17x3}hv
n.vg(
.os)H
-.rl2Ql
.NSx#
.QB-N
/i.Kn
.wCdn
&SÓ
2r.Qn
O,0.lmq
appingUWindowsDir
.Increm^
BkÝPtoLP
;Gw.one
ran%s
.PoDAttachnCp
.DJ-?O8
7G#V%F
(.text\
'@.tp0
{43C6DBBB-BEAD-4DFB-B6D2-52C5CDB5B70A} = s 'Dm'
'Dm.EXE'
val AppID = s {43C6DBBB-BEAD-4DFB-B6D2-52C5CDB5B70A}
dm.dmsoft = s 'dm.dmsoft'
CLSID = s '{26037A0E-7CBD-4FFF-9C63-56F2D0770214}'
CurVer = s 'dm.dmsoft'
ForceRemove {26037A0E-7CBD-4FFF-9C63-56F2D0770214} = s 'dm.dmsoft'
ProgID = s 'dm.dmsoft'
stdole2.tlbWWW
~cmdWd
KeyPress
.aKeyDownWd
MKeyUpWWWd
ShowScrMsgWW
msgWd
SetShowErrorMsgW
>SGetWindowStateWW
U@SetWindowSizeWWWd
SetWindowStateWWd
iRSetKeypadDelayWWd
BkeypadWW
SetExportDictWWWd
keyWd
FindWindowSuperW
qHKeyDownCharW
pOkey_strWd
KeyUpCharWWWd
KeyPressChard
KeyPressStrWd
EnableKeypadPatchWWWd
=PEnableKeypadSyncd
EnableRealKeypadd
GetKeyStateWd
[.ReadFiled
WaitKeyW
!key_coded
joEnumWindowSuperW
urlW
=EnableKeypadMsgWd
EnableMouseMsgWWd
method KeyPressWWW
method KeyDown
method KeyUpWW
method ShowScrMsgW
method SetShowErrorMsg
method GetWindowStateW
method SetWindowSizeWW
method SetWindowStateW
method SetKeypadDelayW
method SetExportDictWW
method FindWindowSuper
method KeyDownChar
method KeyUpCharWW
method KeyPressCharWWW
method KeyPressStr
method EnableKeypadPatchWW
method EnableKeypadSyncWWW
method EnableRealKeypadWWW
method GetKeyState
method WaitKey
method EnumWindowSuper
method EnableKeypadMsg
method EnableMouseMsgW
ADVAPI32.dll
IMM32.dll
MFC42.DLL
ole32.dll
OLEAUT32.dll
SHELL32.dll
VERSION.dll
WINMM.dll
WS2_32.dll
RegCloseKey
dm.dll
\dm.dll /s
[email protected]
QQ [email protected]
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
user32.dll
portuguese-brazilian
iphlpapi.dll
SHLWAPI.dll
MPR.dll
RASAPI32.dll
GetProcessHeap
WinExec
GetWindowsDirectoryA
GetCPInfo
KERNEL32.dll
GetKeyState
GetKeyboardLayout
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
GetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
WINSPOOL.DRV
comdlg32.dll
RegOpenKeyExA
RegCreateKeyExA
ShellExecuteA
WSOCK32.dll
WININET.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
VVV.dywt.com.cn
Service Pack %d
Windows 2003
Windows XP
Windows 2000
Windows NT
Windows ??
Windows Millenium Edition
Windows 98 Second Edition
Windows 98 SP1
Windows 98
Windows 95 OSR2
Windows 95 SP1
Windows 95
Windows CE
Windows
Microsoft Windows Me
Microsoft Windows 98
Microsoft Windows 95
Microsoft Windows 2003
Microsoft Windows XP
Microsoft Windows 2000
Microsoft Windows NT
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
VVV.wei235.com
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\CF
0912.exe
#include "l.chs\afxres.rc" // Standard components
1, 0, 6, 6
3, 1227, 0, 0
(*.*)
10.1.0.0
(hXXp://VVV.eyuyan.com)

CFÅ®Éñ͸ÊÓ¸¨Öú0912.exe_1720_rwx_10001000_00039000:

L$(h%f
SSh0j
msctls_hotkey32
TVCLHotKey
THotKey
\skinh.she
}uo,x6l5k%x-l h
9p%s m)t4`#b
e"m?c&y1`Ð<
SetViewportOrgEx
SetViewportExtEx
SetWindowsHookExA
UnhookWindowsHookEx
EnumThreadWindows
EnumChildWindows
`c%US.4/
!#$<#$#=
.text
`.rdata
@.data
.rsrc
@.UPX0
`.UPX1
`.reloc

dl.exe_1860:

.text
`.data
.rsrc
MSVBVM60.DLL
#vb6chs.dll
1111111
ieframe.dll
SHDocVwCtl.WebBrowser
WebBrowser
E:\VB
\VB6.OLB
C:\Windows\SysWOW64\ieframe.oca
VBA6.DLL
hXXp://uu.cn170.com/y.txt
hXXp://zw.cn170.com/tj.html
1.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\
%Documents and Settings%\All Users\
Scripting.FileSystemObject
WScript.Shell
1111111.exe

svhost.exe_1220:

.Buffer
`.Ddos
`.text
`.Breakth
`.Socket
`.SocketB
`.Attack
`.rdata
@.data
.rsrc
WinExec
KERNEL32.dll
ExitWindowsEx
USER32.dll
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
MSVCRT.dll
_acmdln
WS2_32.dll
WINMM.dll
iphlpapi.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion
t Explorer\iexplore.exe
#0%s!
%s/%s
GET %s?=%d HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0;  hXXp://VVV.baidu.com/search/spider.html)
Host: %s
GET / HTTP/1.1
Host: %s:%d
GET %s HTTP/1.1
User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0
Host: %sContent-Type: text/html
User-Agent:Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.0; MyIE 3.01;Baiduspider/2.0;  hXXp://VVV.baidu.com/search/spider.html)
%s %s%s
User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)
Referer: hXXp://%s
User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0;  hXXp://VVV.baidu.com/search/spider.html)
%d.%d.%d.%d
192.168.1.244
chinaljndk.3322.org:9999
994175033994175033
InternetOpenUrlA
hra%u.dll
%d.exe
SOFTWARE.LOG
kernel32.dll
ddd
dwNumEntries = %u
.rdata
@.reloc
SHELL32.dll
SHLWAPI.dll
lpk.addon
lpk.dll
7"7'737?7


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    svhost.exe:1220
    ws.exe:1716
    %original file name%.exe:948
    regsvr32.exe:1756

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %System%\dm.dll (3902 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SkinH_EL.dll (88 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q9JK3VWX\xbb1[1].txt (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TOJWX4Z\lpk.dll (601 bytes)
    C:\RCXB4.tmp (7876 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\lpk.dll (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\lpk.dll (601 bytes)
    %Documents and Settings%\All Users\Application Data\Adobe\Reader\9.3\ARM\lpk.dll (601 bytes)
    %System%\hra33.dll (7 bytes)
    C:\lpk.dll (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\lpk.dll (601 bytes)
    %System%\svhost.exe (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CFÅ®Éñ͸ÊÓ¸¨Öú0912.exe (15801 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\dl.exe (32 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TOJWX4Z\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q9JK3VWX\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q9JK3VWX\y[1].txt (36 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IJT3DEFP\tj[1].htm (314 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TOJWX4Z\ws[1].exe (11258 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IJT3DEFP\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ws.exe (73 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now