MD5: 0c01828e1137e19faa87acca9cd58169
SHA1: 592799d25f082bb2b55a3f8e25c2788ccd526648
SHA256: da9cfde9cbb9e8faf688ff4c6ff7f4889ad8fdf7a730d89325e8d788414d48ef
SSDeep: 12288:Gt535MfkV4kHMWmP0JgiXUixMXdIiBKHhfqQWB80LwrR5nWFpPoSO9lznG3Mug:GtB5Mgs0GiEiodRBKHV30LwabslznG3K
Size: 1105920 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2014-05-06 04:13:24
Analyzed on: WindowsXPESX SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:1504

Mutexes

The following mutexes were created/opened:

ZonesLockedCacheCounterMutex
ZonesCounterMutex
ZonesCacheCounterMutex
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
RasPbFile
ShimCacheMutex

File activity

The process %original file name%.exe:1504 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\jedata.dll (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\Ƥ·ô.she (7 bytes)

Registry activity

The process %original file name%.exe:1504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1024x768x32(BGR 0)" = "31,31,31,31"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 8A 54 3F 9A 40 9F FD BE B0 DD 70 BF 38 DC B2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: Chinese (Simplified, PRC)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://xiaoguai007.tk/a123/netdb.asp?C=4	195.20.44.123
hxxp://xiaoguai007.tk/a123/netdb.asp?C=3	195.20.44.123

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET CURRENT_EVENTS DNS Query to a .tk domain - Likely Hostile
ET POLICY Unsupported/Fake Windows NT Version 5.0
ET CURRENT_EVENTS HTTP Request to a *.tk domain

Traffic

GET /a123/netdb.asp?C=4 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

Referer: hXXp://xiaoguai007.tk/a123/netdb.asp?C=4

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Host: xiaoguai007.tk

Cache-Control: no-cache

HTTP/1.0 203 Non-Authoritative Information

Date: Thu, 18 Dec 2014 15:35:11 GMT

Server: nginx/1.6.2

Cache-Control: no-cache

Content-Type: text/html;charset=UTF-8

Expires: Thu, 01 Jan 1970 00:00:00 GMT

Pragma: no-cache

X-Server: 55ba8cb8e560

Content-Length: 748

Set-Cookie: JSESSIONID=16D1B138FB2B288E4B9973E46B69008A; Path=/; HttpOnly

Vary: Accept-Encoding

Connection: close
<html> .  <head>.    <title>xiaoguai007.tk</title
>.    <meta http-equiv="refresh" content="1; URL=hXXp://domain.d
ot.tk/p/?d=XIAOGUAI007.TK&i="%local server IP%"&c=2001&ro=0&ref=http:/%2
Fxiaoguai007.tk/a123/netdb.asp?C=4&_=1418916911698"/>.    &
lt;script type="text/javascript">.    <!--.      function redir(
){ var $fwd = 'hXXp://domain.dot.tk/p/?d=XIAOGUAI007.TK&i=184.107.38.3
8&c=2001&ro=0&ref=http://xiaoguai007.tk/a123/netdb.asp?C%3
D4&_=1418916911698'; if(window.parent){ window.parent.location=$fwd; }
else{ window.location=$fwd; }}.    //-->.    </script>.  <
/head>.  <body onload="redir()">.    <script language="tex
t/javascript">.    <!--.      window.setTimeout('redir();', 50 *
 1);.    //-->.    </script>.  </body>.</html>...

GET /a123/netdb.asp?C=3 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

Referer: hXXp://xiaoguai007.tk/a123/netdb.asp?C=3

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Host: xiaoguai007.tk

Cache-Control: no-cache

Cookie: JSESSIONID=16D1B138FB2B288E4B9973E46B69008A

HTTP/1.0 203 Non-Authoritative Information

Date: Thu, 18 Dec 2014 15:35:11 GMT

Server: nginx/1.6.2

Cache-Control: no-cache

Content-Type: text/html;charset=UTF-8

Expires: Thu, 01 Jan 1970 00:00:00 GMT

Pragma: no-cache

X-Server: 07b82bdab66d

Content-Length: 748

Set-Cookie: JSESSIONID=C8747339E9F284061590404D1F7CD4C7; Path=/; HttpOnly

Vary: Accept-Encoding

Conn

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

t$(SSh

~%UVW

u$SShe

kernel32.dll

WinINet.dll

wininet.dll

user32.dll

advapi32.dll

jedata.dll

MsgWaitForMultipleObjects

HttpOpenRequestA

HttpAddRequestHeadersA

HttpSendRequestA

HttpQueryInfoA

tencent://message/?uin=992284136&Site= hXXp://VVV.axyz.cn&Menu=yes

netdb.asp

hXXp://xiaoguai007.tk/a123/

\\.\PhysicalDrive0

http=

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

Content-Type: application/x-www-form-urlencoded

hXXp://

temp.bat

temp.bat "

cmd /c

\jedata.dll

%S4WD

hg%fpM

S.Ac9SR

0.I%3s

,wAe.kI

aiUy'4xu

%c*@j

.eH'y

{&%U)

lj%4U

xe%CNs

9F.cLe

hJK.ZH

O.qt0

KERNEL32.DLL

COMCTL32.dll

GDI32.dll

MSIMG32.dll

MSVCRT.dll

MSVFW32.dll

USER32.dll

SkinH_EL.dll

\temp.html

temp.html

1970-01-01 08:00:00

' and pass='

INSERT INTO users (`user`,`pass`,`key`,`ip`,`dq`) VALUES ('

update users set `pass`='

hXXp://xiaoguai007.tk/qq.asp

hXXp://VVV.pctowap.com/air/ebook12.3g.qq.com/user/usecard?sid=

&g_ut=1/air/ebook12.3g.qq.com/user/recieveAllGifts?

hXXp://VVV.pctowap.com/air/ebook12.3g.qq.com/user/recieveAllGifts?sid=

hXXp://pt.3g.qq.com/s?aid=nLogin3gqq

hXXp://pt.3g.qq.com/psw3gqqLogin?r=

&bid_code=3GQQ&toQQchat=true&login_url=http://pt.3g.qq.com/s?aid=nLoginnew&q_from=3GQQ&q_from=&modifySKey=0&loginType=1&aid=nLoginHandle&go_url=http://info.3g.qq.com/g/s?aid=index&login=false&sid=AT9g_bDsFg4VxdRdwiLPSoC7&rand=270871

&qqpassword=

,`key`='

,`key`='',`reg`='' where id=

LU>\W-

1.2.18

inflate 1.1.3 Copyright 1995-1998 Mark Adler

%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

MSWHEEL_ROLLMSG

ole32.dll

__MSVCRT_HEAP_SELECT

RASAPI32.dll

iphlpapi.dll

SHLWAPI.dll

MPR.dll

WINMM.dll

WS2_32.dll

VERSION.dll

AVIFIL32.dll

GetProcessHeap

WinExec

GetWindowsDirectoryA

GetCPInfo

KERNEL32.dll

GetKeyState

CreateDialogIndirectParamA

UnhookWindowsHookEx

SetWindowsHookExA

GetViewportOrgEx

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

WINSPOOL.DRV

comdlg32.dll

RegCloseKey

RegOpenKeyExA

RegCreateKeyExA

ADVAPI32.dll

ShellExecuteA

SHELL32.dll

OLEAUT32.dll

oledlg.dll

WSOCK32.dll

InternetCrackUrlA

InternetCanonicalizeUrlA

WININET.dll

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.*)|*.*||

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

Kernel32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

out.prn

%d.%d

%d / %d

%d/%d

Bogus message code %d

(%d-%d):

%ld%c

(*.htm;*.html)|*.htm;*.html

1.1.3

;3 #>6.&

'2, / 0&7!4-)1#

HTTP/1.0

%s <%s>

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

VVV.dywt.com.cn

(*.avi)|*.avi

WPFT532.CNV

WPFT632.CNV

EXCEL32.CNV

write32.wpc

Windows Write

mswrd632.wpc

Word for Windows 6.0

wword5.cnv

Word for Windows 5.0

mswrd832.cnv

mswrd632.cnv

Word 6.0/95 for Windows & Macintosh

html32.cnv

.PAVCOleException@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCOleDispatchException@@

.PAVCArchiveException@@

zcÁ

?C=3&_=1418916911948"/>

function redir(){ var $fwd = 'hXXp://domain.dot.tk/p/?d=XIAOGUAI007.TK&i="%local server IP%"&c=2001&ro=0&ref=http://xiaoguai007.tk/a123/netdb.asp?C=3&_=1418916911948'; if(window.parent){ window.parent.locatio

c:\%original file name%.exe

#include "l.chs\afxres.rc" // Standard components

1, 0, 6, 6

- Skin.dll

=123456789%

(*.*)

1.0.0.0

VVV.lvcode.com

(hXXp://VVV.eyuyan.com)

%original file name%.exe_1504_rwx_10001000_00039000:

L$(h%f

SSh0j

msctls_hotkey32

TVCLHotKey

THotKey

\skinh.she

}uo,x6l5k%x-l h

9p%s m)t4`#b

e"m?c&y1`Ð<

SetViewportOrgEx

SetViewportExtEx

SetWindowsHookExA

UnhookWindowsHookEx

EnumThreadWindows

EnumChildWindows

`c%US.4/

!#$<#$#=

.text

`.rdata

@.data

.rsrc

@.UPX0

`.UPX1

`.reloc

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   C:\jedata.dll (88 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   C:\Ƥ·ô.she (7 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.