Trojan.Dropper.Agent.UGJ_16712f67f3

by malwarelabrobot on May 22nd, 2015 in Malware Descriptions.

Trojan.Dropper.Agent.UGJ (BitDefender), Worm:Win32/Regul.B (Microsoft), Trojan.Win32.Agent.bkks (Kaspersky), Trojan.Win32.Autorun.dm (v) (VIPRE), Trojan.Click2.51706 (DrWeb), Trojan.Dropper.Agent.UGJ (B) (Emsisoft), W32/Autorun.worm.dq.gen (McAfee), W32.SillyFDC (Symantec), Worm.Win32.FlyStudio (Ikarus), Trojan-Dropper:W32/Peed.gen!A (FSecure), PSW.Lineage.BWF (AVG), Win32:EvilEPL [Cryp] (Avast), WORM_FLYSTUDI.B (TrendMicro), Trojan.Dropper.Agent.UGJ (AdAware), GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Worm, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 16712f67f3e02fb1dfae70d1bdebac4b
SHA1: 798835dba26fa136c58fc5dbedd47dae9323ea32
SHA256: 3335f0eda7150a95709bc836f20ce4eaedcd021533a4995eafebb8e6a50810c9
SSDeep: 24576:5itK0LJ2Jiw EAGXeniVKsg9khYCSeJdxR3RqwnjRNPCDXusLBiYXQgQ:5itKwJ2JiwBAGXhVbOQjJd7hxLC7tViX
Size: 1509591 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1972-12-25 08:33:23
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour: WormAutorun
Description: A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Trojan creates the following process(es):

%original file name%.exe:1772
XP-29C3EA36.EXE:1472

The Trojan injects its code into the following process(es):

XP-542ADE6B.EXE:1316

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process XP-542ADE6B.EXE:1316 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Start Menu\Programs\Startup\¡¡¡¡¡¡.lnk (1250 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\spec.fne (73 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (196 bytes)
%System%\ul.dll (3856 bytes)
%System%\internet.fne (673 bytes)
%System%\com.run (1425 bytes)
%System%\og.EDT (2008 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (74 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\internet.fne (184 bytes)
%System%\og.dll (2728 bytes)
%System%\eAPI.fne (1425 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (788 bytes)
%System%\spec.fne (601 bytes)
%System%\krnln.fnr (7433 bytes)
%System%\dp1.fne (601 bytes)
%System%\XP-29C3EA36.EXE (7972 bytes)
%System%\shell.fne (40 bytes)
%System%\RegEx.fnr (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\RegEx.fnr (217 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[2].txt (391 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\eAPI.fne (323 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\JT3DD67Y\desktop.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1SIUOE5J\desktop.ini (0 bytes)
%System%\XP-29C3EA36.EXE (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QV8PGRID\desktop.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UL3U2C8V\desktop.ini (0 bytes)

The process %original file name%.exe:1772 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\E_4\dp1.fne (114 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\krnln.fnr (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\spec.fne (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\shell.fne (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\internet.fne (184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\com.run (270 bytes)
%System%\XP-542ADE6B.EXE (7972 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\JT3DD67Y\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1SIUOE5J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QV8PGRID\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UL3U2C8V\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\RegEx.fnr (217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\eAPI.fne (323 bytes)

The process XP-29C3EA36.EXE:1472 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\E_4\spec.fne (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes)

Registry activity

The process XP-542ADE6B.EXE:1316 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 C7 62 CC B4 2C 40 36 51 D7 74 42 2D 2B 93 4B"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE security-zone settings so that all local hosts whose names contain no dots and are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE security-zone settings to map all hosts that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Internet Explorer\TypedURLs]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 9B 5A 4B 37 DF A4 97 0A CB DC 0A F9 70 0A 57"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

The process XP-29C3EA36.EXE:1472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D E4 27 43 3C D4 E4 35 06 17 22 8E 6D 2E 8E 75"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"XP-542ADE6B" = "%System%\XP-542ADE6B.EXE"

Dropped PE files

MD5 File path
895dd12a54a923789f8f1d8b66bd88e9 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\RegEx.fnr
95ebaae66a69f881f2fa08c71952ce72 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\com.run
c57939798d01772689b016fcf3eae47e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\dp1.fne
c23c63a788d8ca38d955f5baebef719f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\eAPI.fne
b0c160001c8e88f403bf03af1059bd38 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\internet.fne
38dccb9d4114a3c2dd0003f6233bac77 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\krnln.fnr
c8208124af35856e0eba72d33620799b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\shell.fne
600e6bb9bdbd8f2f19e123d8e5300718 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\spec.fne
895dd12a54a923789f8f1d8b66bd88e9 c:\WINDOWS\system32\RegEx.fnr
95ebaae66a69f881f2fa08c71952ce72 c:\WINDOWS\system32\com.run
c57939798d01772689b016fcf3eae47e c:\WINDOWS\system32\dp1.fne
c23c63a788d8ca38d955f5baebef719f c:\WINDOWS\system32\eAPI.fne
b0c160001c8e88f403bf03af1059bd38 c:\WINDOWS\system32\internet.fne
38dccb9d4114a3c2dd0003f6233bac77 c:\WINDOWS\system32\krnln.fnr
c8208124af35856e0eba72d33620799b c:\WINDOWS\system32\shell.fne
600e6bb9bdbd8f2f19e123d8e5300718 c:\WINDOWS\system32\spec.fne

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 20924 24576 4.83196 bbe150a2d78b00db8e24969967cc5334
.rdata 28672 2634 4096 2.48317 777ac25ec7bba2eed5c97e65e8a812c4
.data 32768 8024 8192 3.1859 a435036dc64f4384cba8403e29007608
.data 40960 118784 118784 4.7618 567912e2d1b3c953806e669b1bdd6000
.rsrc 159744 1359872 1349847 5.53545 c6f0e357fb886cca85f58b38c5ce7602

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://www.a.shifen.com/
hxxp://www.baidu.com/ 115.239.211.114


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET / HTTP/1.1
User-Agent: test
Host: VVV.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Wed, 20 May 2015 21:27:08 GMT
Content-Type: text/html
Content-Length: 14613
Last-Modified: Wed, 03 Sep 2014 02:48:32 GMT
Connection: Keep-Alive
Vary: Accept-Encoding
Set-Cookie: BAIDUID=FFEBD06F0E1D361BDE36DE8596EF52C4:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BIDUPSID=FFEBD06F0E1D361BDE36DE8596EF52C4; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BDSVRTM=0; path=/
P3P: CP=" OTI DSP COR IVA OUR IND COM "
Server: BWS/1.1
X-UA-Compatible: IE=Edge,chrome=1
Pragma: no-cache
Cache-control: no-cache
BDPAGETYPE: 1
BDQID: 0xbe8f0d250013d09d
BDUSERID: 0
Accept-Ranges: bytes

The Trojan connects to the servers at the following location(s):

XP-542ADE6B.EXE_1316:

.text
.rdata
@.data
.data
.rsrc
user32.dll
KERNEL32.dll
USER32.dll
GetCPInfo
krnln.fne
krnln.fnr
1.1.3
%System%\XP-542ADE6B.EXE
@@shdocvw.dll
{8856F961-340A-11D0-A96B-00C04FD705A2}##0
.cn/ul.htm
hXXp://VVV.
.com/ul.htm
[%s%]
[%f%]
document.all('
document.frames('
.value='';};catch(e){};function a(){};a();
.value='
].selected=true;};catch(e){};function a(){};a();
.options[
.checked='';};catch(e){};function a(){};a();
.checked='checked';};catch(e){};function a(){};a();
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Recycled.exe
ul.dll
og.dll
:\autorun.inf
shellexecute
OLEACC.DLL
keybd_event
WebBrowser


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1772
    XP-29C3EA36.EXE:1472

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Start Menu\Programs\Startup\¡¡¡¡¡¡.lnk (1250 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\E_4\spec.fne (73 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (196 bytes)
    %System%\ul.dll (3856 bytes)
    %System%\internet.fne (673 bytes)
    %System%\com.run (1425 bytes)
    %System%\og.EDT (2008 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (74 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\E_4\internet.fne (184 bytes)
    %System%\og.dll (2728 bytes)
    %System%\eAPI.fne (1425 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (788 bytes)
    %System%\spec.fne (601 bytes)
    %System%\krnln.fnr (7433 bytes)
    %System%\dp1.fne (601 bytes)
    %System%\XP-29C3EA36.EXE (7972 bytes)
    %System%\shell.fne (40 bytes)
    %System%\RegEx.fnr (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\E_4\RegEx.fnr (217 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@baidu[2].txt (391 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\E_4\eAPI.fne (323 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\E_4\dp1.fne (114 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\E_4\krnln.fnr (5442 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\E_4\shell.fne (40 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\E_4\com.run (270 bytes)
    %System%\XP-542ADE6B.EXE (7972 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\JT3DD67Y\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1SIUOE5J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QV8PGRID\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UL3U2C8V\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "XP-542ADE6B" = "%System%\XP-542ADE6B.EXE"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
