Trojan.GenericKD.1971367_0d4cd8d2c5
HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.GenericKD.1971367 (AdAware), Installer.Win32.InnoSetup.2.FD, Trojan.NSIS.StartPage.FD, Trojan.Win32.FlyStudio.FD, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Installer
This description has been generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: 0d4cd8d2c50f2b5e5ce3aa9a3d91d256
SHA1: 377a9c744b71f7f914c6fb48ee6402e3fde26a03
SHA256: 0c20dc464587c220cb91602f101a2e8f4831a809dc94847d1ac67d306413fdd4
SSDeep: 24576:DbEAXL4t jjEgjCMk7 NOympUyfuN4GWBTSrMiEy1fQfkk5l:DbzbnI4k7 DkGN4GWBWrMi3NQMk5l
Size: 1757184 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2013-08-22 07:10:44
Analyzed on: WindowsXPESX SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
ˬƬ²¥·ÅÆ÷_7176_1153_hd.tmp:228
Sunshine.exe:440
fyjm_77_1153.exe:1248
ˬƬ²¥·ÅÆ÷_7176_1153_hd.exe:1784
%original file name%.exe:1060
regsvr32.exe:1664
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
ShimCacheMutex
File activity
The process ˬƬ²¥·ÅÆ÷_7176_1153_hd.tmp:228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-CS3GE.tmp\psvince.dll (36 bytes)
%Program Files%\Sunshine\is-VQJRA.tmp (31213 bytes)
%Program Files%\Sunshine\is-SDHJF.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-CS3GE.tmp\UpdateIcon.dll (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-CS3GE.tmp\App.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-CS3GE.tmp\Uninstall.ico (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-I8D9I.tmp\ˬƬ²¥·ÅÆ÷_7176_1153_hd.tmp (7385 bytes)
%Documents and Settings%\All Users\Desktop\Ñô¹â¸ßÇåÓ°ÊÓ.lnk (682 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-CS3GE.tmp\_isetup\_shfoldr.dll (23 bytes)
%Program Files%\Sunshine\is-Q7A57.tmp (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-CS3GE.tmp\_isetup\_RegDLL.tmp (4 bytes)
%Program Files%\Sunshine\is-SSQUV.tmp (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\install.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-I8D9I.tmp\RCXB4.tmp (2566942 bytes)
%Program Files%\Sunshine\unins000.dat (10576 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-CS3GE.tmp\psvince.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-CS3GE.tmp\_isetup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-CS3GE.tmp\UpdateIcon.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-CS3GE.tmp\App.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-CS3GE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-CS3GE.tmp\Uninstall.ico (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-I8D9I.tmp\ˬƬ²¥·ÅÆ÷_7176_1153_hd.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-CS3GE.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-CS3GE.tmp\_isetup\_RegDLL.tmp (0 bytes)
The process fyjm_77_1153.exe:1248 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\·çÃâ€Ãƒâ€ Ö±²¥\·çÃâ€Ãƒâ€ Ö±²¥.lnk (678 bytes)
%Program Files%\Fengyun\uninst.exe (789 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiB3.tmp\Inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Desktop\·çÃâ€Ãƒâ€ Ö±²¥.lnk (666 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiB3.tmp\Internet.dll (4 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\·çÃâ€Ãƒâ€ Ö±²¥\Website.lnk (683 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiB3.tmp\System.dll (11 bytes)
%Program Files%\Fengyun\fengyun.exe (1568 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\·çÃâ€Ãƒâ€ Ö±²¥\Uninstall.lnk (499 bytes)
%Program Files%\Fengyun\·çÃâ€Ãƒâ€ Ö±²¥.url (45 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsiB3.tmp\config.txt (0 bytes)
%Program Files%\Fengyun\{E1070104-F404-44CE-B556-0622F9D63EE5} (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB2.tmp (0 bytes)
%Program Files%\Fengyun\File Not Found (404) (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiB3.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiB3.tmp\Inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiB3.tmp\Internet.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiB3.tmp (0 bytes)
The process ˬƬ²¥·ÅÆ÷_7176_1153_hd.exe:1784 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-I8D9I.tmp\ˬƬ²¥·ÅÆ÷_7176_1153_hd.tmp (5442 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-I8D9I.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-I8D9I.tmp\ˬƬ²¥·ÅÆ÷_7176_1153_hd.tmp (0 bytes)
The process %original file name%.exe:1060 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\fyjm_77_1153.exe (107 bytes)
C:\ˬƬ²¥·ÅÆ÷_7176_1153_hd.exe (6343 bytes)
Registry activity
The process ˬƬ²¥·ÅÆ÷_7176_1153_hd.tmp:228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CED19FD1-E921-4BD0-A86C-8E29DB42AEA0}_is1]
"NoRepair" = "1"
"DisplayVersion" = "1.06"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CED19FD1-E921-4BD0-A86C-8E29DB42AEA0}_is1]
"Inno Setup: Language" = "chinesesimp"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Sunshine]
"SetHomepage" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CED19FD1-E921-4BD0-A86C-8E29DB42AEA0}_is1]
"Inno Setup: User" = "%CurrentUserName%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CED19FD1-E921-4BD0-A86C-8E29DB42AEA0}_is1]
"InstallLocation" = "%Program Files%\Sunshine\"
"HelpLink" = "http://tv.hfdty.com/"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\is-I8D9I.tmp\ˬƬ²¥·ÅÆ÷_7176_1153_hd.tmp.tmp,"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CED19FD1-E921-4BD0-A86C-8E29DB42AEA0}_is1]
"QuietUninstallString" = "%Program Files%\Sunshine\unins000.exe /SILENT"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CED19FD1-E921-4BD0-A86C-8E29DB42AEA0}_is1]
"MajorVersion" = "1"
"MinorVersion" = "6"
"Inno Setup: Icon Group" = "Ñô¹â¸ßÇåÓ°ÊÓ"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CED19FD1-E921-4BD0-A86C-8E29DB42AEA0}_is1]
"DisplayName" = "Ñô¹â¸ßÇåÓ°ÊÓ 1.06"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Sunshine]
"Sunshine.exe" = "阳光高清影视"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CED19FD1-E921-4BD0-A86C-8E29DB42AEA0}_is1]
"InstallDate" = "20141218"
"UninstallString" = "%Program Files%\Sunshine\unins000.exe"
"URLUpdateInfo" = "http://tv.hfdty.com/"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CED19FD1-E921-4BD0-A86C-8E29DB42AEA0}_is1]
"Inno Setup: App Path" = "%Program Files%\Sunshine"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Sunshine]
"UserId" = "7176"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 19 FA 19 25 18 0F F9 4C EF 9C 9B AA E6 6C B0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CED19FD1-E921-4BD0-A86C-8E29DB42AEA0}_is1]
"Publisher" = "Ñô¹â¸ßÇåÓ°ÊÓ"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CED19FD1-E921-4BD0-A86C-8E29DB42AEA0}_is1]
"UninstallDataFile" = "%Program Files%\Sunshine\unins000.dat"
"NoModify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CED19FD1-E921-4BD0-A86C-8E29DB42AEA0}_is1]
"Inno Setup: Setup Version" = "5.5.1.ee1 (a)"
"URLInfoAbout" = "http://tv.hfdty.com/"
The Trojan modifies IE security-zone settings so that all local web nodes without dots that do not belong to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To run itself automatically each time Windows boots, the Trojan adds a reference to its file under the following system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ñô¹â¸ßÇåÓ°ÊÓ" = "%Program Files%\Sunshine\Sunshine.exe /autostart"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process Sunshine.exe:440 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Sunshine]
"Main" = "131460"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 18 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E 02 72 D1 6C 4C E9 22 26 20 9F 89 5C 1B 77 4C"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security-zone settings so that all local web nodes without dots that do not belong to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process fyjm_77_1153.exe:1248 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\·çÃâ€Ãƒâ€ Ö±²¥]
"DisplayIcon" = "%Program Files%\Fengyun\fengyun.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\·çÃâ€Ãƒâ€ Ö±²¥]
"DisplayVersion" = "3.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\·çÃâ€Ãƒâ€ Ö±²¥]
"UninstallString" = "%Program Files%\Fengyun\uninst.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D5 64 82 48 A7 FD B2 C2 08 02 E6 86 7E 6B 37 65"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\·çÃâ€Ãƒâ€ Ö±²¥]
"URLInfoAbout" = "http://www.lssen.cn"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\·çÃâ€Ãƒâ€ Ö±²¥]
"DisplayName" = "·çÃâ€Ãƒâ€ Ö±²¥ 3.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\fengyun.exe]
"(Default)" = "%Program Files%\Fengyun\fengyun.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\·çÃâ€Ãƒâ€ Ö±²¥]
"Publisher" = "Î人À×ʤ¿Æ¼¼ÓÃÂÃÂÞ¹«Ë¾"
The Trojan modifies IE security-zone settings so that all local web nodes without dots that do not belong to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process ˬƬ²¥·ÅÆ÷_7176_1153_hd.exe:1784 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 41 B8 5C 34 07 C5 FC 5A 2C D5 94 05 19 51 22"
The process %original file name%.exe:1060 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 6D 7E 29 B7 12 49 06 4E 2B 92 76 5B D4 35 E7"
The process regsvr32.exe:1664 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E C7 24 42 58 EF 8E 37 E0 8D 99 1F 47 EF A9 35"
[HKCR\CLSID\{46C03A0E-3916-4995-9E8B-50E28D820C3E}\TypeLib]
"(Default)" = "{9EAE63CD-EA66-4F1F-8AC5-41BC42B7819D}"
[HKCR\CLSID\{46C03A0E-3916-4995-9E8B-50E28D820C3E}\ProgID]
"(Default)" = "AppCore.App"
[HKCR\CLSID\{46C03A0E-3916-4995-9E8B-50E28D820C3E}]
"(Default)" = "AppCore.App"
[HKCR\Interface\{F2455580-EA1D-4436-9039-C7A28602D0A5}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{9EAE63CD-EA66-4F1F-8AC5-41BC42B7819D}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\AppCore.App\Clsid]
"(Default)" = "{46C03A0E-3916-4995-9E8B-50E28D820C3E}"
[HKCR\TypeLib\{9EAE63CD-EA66-4F1F-8AC5-41BC42B7819D}\1.0\HELPDIR]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\is-CS3GE.tmp"
[HKCR\TypeLib\{9EAE63CD-EA66-4F1F-8AC5-41BC42B7819D}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\is-CS3GE.tmp\App.dll"
[HKCR\Interface\{F2455580-EA1D-4436-9039-C7A28602D0A5}]
"(Default)" = "_App"
[HKCR\Interface\{F2455580-EA1D-4436-9039-C7A28602D0A5}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{46C03A0E-3916-4995-9E8B-50E28D820C3E}\InprocServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\is-CS3GE.tmp\App.dll"
[HKCR\Interface\{F2455580-EA1D-4436-9039-C7A28602D0A5}\TypeLib]
"(Default)" = "{9EAE63CD-EA66-4F1F-8AC5-41BC42B7819D}"
[HKCR\CLSID\{46C03A0E-3916-4995-9E8B-50E28D820C3E}\VERSION]
"(Default)" = "1.0"
[HKCR\TypeLib\{9EAE63CD-EA66-4F1F-8AC5-41BC42B7819D}\1.0]
"(Default)" = "AppCore"
[HKCR\AppCore.App]
"(Default)" = "AppCore.App"
[HKCR\Interface\{F2455580-EA1D-4436-9039-C7A28602D0A5}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
The Trojan deletes the following value(s) in system registry:
[HKCR\CLSID\{46C03A0E-3916-4995-9E8B-50E28D820C3E}\InprocServer32]
"ThreadingModel"
Dropped PE files
| MD5 | File path |
|---|---|
| 550f3164ec0567954958211f9a8e8c5d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\is-CS3GE.tmp\App.dll |
| 31dd01dc34e953e687fb41e0d1e7abd8 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\is-I8D9I.tmp\ˬƬ²¥·ÅÆ÷_7176_1153_hd.tmp.tmp |
| 4349ac890ffcc82e3e0088a8d7b51a62 | c:\Program Files\Fengyun\fengyun.exe |
| 8c16be0e4640292f453e862a40c6e6e1 | c:\Program Files\Fengyun\uninst.exe |
| 5e6d5721606f18642bd5a9725d2efc10 | c:\Program Files\Sunshine\Sunshine.dll |
| 612e388503cd6c2393226167c96f2d7a | c:\Program Files\Sunshine\Sunshine.exe |
| 3cad4a75ce832117775399406e5bef12 | c:\Program Files\Sunshine\Update.exe |
| 81aafed7ccbe88c94326a5cd286625fc | c:\Program Files\Sunshine\unins000.exe |
| cb4152501ededc3bccb5acf0be5dff56 | c:\fyjm_77_1153.exe |
| 4c8ae035920855bf3ca3a87e599d133c | c:\ˬƬ²¥·ÅÆ÷_7176_1153_hd.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ????
Comments: ????
Language: Chinese (Simplified, PRC)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 419214 | 421888 | 4.52549 | 2722ca1fb6d6db3f5b4a3729636237d1 |
| .rdata | 425984 | 1161324 | 1163264 | 5.27323 | d78c9714475beac0f3c2eecb18586847 |
| .data | 1589248 | 136520 | 61440 | 3.3057 | 453395d767365ce7c66a8fac553dbbc3 |
| .rsrc | 1728512 | 104820 | 106496 | 3.63126 | 2c5a1c12fa9004da1b5335f31c68b840 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://live.64ma.com/tv/index.html?s | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST /tv/index.html?s HTTP/1.1
Accept: */*
Accept-Language: en-us
If-Modified-Since: 0
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: live.64ma.com
Content-Length: 10
Connection: Keep-Alive
Cache-Control: no-cache
version=8b
HTTP/1.1 200 OK
Cache-Control: private
Date: Thu, 18 Dec 2014 22:06:22 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: m_user=9; domain=64ma.com; path=/
Content-Encoding: gzip
Vary: Accept-Encoding
Transfer-Encoding: chunked
The Trojan connects to the servers at the following location(s):
.text
`.rdata
@.data
.rsrc
t$(SSh
~%UVW
u$SShe
user32.dll
kernel32.dll
EnumWindows
.ndata
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
67899;<====<;:98876
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>
zY.fL
!<.AY
!Certification Authority of WoSign0
hXXp://VVV.wosign.com/0
Þe3F
hXXp://ocsp.wosign.com/ca01
%hXXp://aia.wosign.com/class3-code.cer0.
hXXp://crls.wosign.com/ca.crl0;
hXXp://VVV.wosign.com/policy/0
[email protected]
aLimited Liability, see the WoSign Certification Authority Policy at hXXp://VVV.wosign.com/policy/02
!hXXp://crls.wosign.com/code-3.crl0w
%hXXp://ocsp.wosign.com/class3/code/ca04
(hXXp://aia.wosign.com/class3.code.ca.cer0!
"Secure Digital Certificate Signing1)0'
StartCom Certification Authority0
hXXp://ocsp.startssl.com/ca00
$hXXp://aia.startssl.com/certs/ca.crt02
!hXXp://crl.startssl.com/sfsca.crl0
&hXXp://cert.startcom.org/sfsca-crl.crl0
%hXXp://crl.startcom.org/sfsca-crl.crl0
#hXXp://cert.startcom.org/policy.pdf05
)hXXp://cert.startcom.org/intermediate.pdf0
Limited Liability, read the section *Legal Limitations* of the StartCom Certification Authority Policy available at hXXp://cert.startcom.org/policy.pdf0
)StartCom Free SSL Certification Authority0
CMdE
!Certification Authority of WoSign
C:\fyjm_77_1153.exe
.idata
.rdata
P.reloc
P.rsrc
File I/O error %d
lzmadecompsmall: Compressed data is corrupted (%d)
lzmadecompsmall: %s
LzmaDecode failed (%d)
shell32.dll
/SL5="$%x,%d,%d,
Inno Setup Setup Data (5.5.0)
Inno Setup Messages (5.5.0)
oleaut32.dll
advapi32.dll
MsgWaitForMultipleObjects
comctl32.dll
) -7987 -*)
name="JR.Inno.Setup"
version="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
<windowsSettings>
<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
</windowsSettings>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
Thawte Certification1
hXXp://ocsp.thawte.com0
.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0
hXXp://ts-ocsp.ws.symantec.com07
hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
[email protected]
_7176_1153_hd.exe
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
GetProcessHeap
WinExec
GetKeyState
GetViewportOrgEx
WINMM.dll
WINSPOOL.DRV
OLEAUT32.dll
WS2_32.dll
GetCPInfo
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
VVV.lssen.cn
3.0.0.0
!'%s' is not a valid integer value('%s' is not a valid floating point value'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time
I/O error %d
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
External exception %x
1.0.6
(*.*)
1.0.0.0
Sunshine.exe_440:
.text
`.data
.rsrc
MSVBVM60.DLL
VB5!6&vb6chs.dll
Sunshine.XhButton
Sunshine.crNewBtn
ieframe.dll
SHDocVwCtl.WebBrowser
WebBrowser
imagehlp.dll
shlwapi.dll
ole32.dll
GdipSetPenLineJoin
GdipGetPenLineJoin
KeyPress
GdipSetCustomLineCapStrokeJoin
GdipGetCustomLineCapStrokeJoin
KeyUp
KeyDown
GdipSetImageAttributesColorKeys
GdipSetStringFormatHotkeyPrefix
C:\Windows\System32\mshtml.tlb
GdipGetStringFormatHotkeyPrefix
ScmdMin
GdiplusShutdown
WebA
%Program Files%\Microsoft Visual Studio\VB98\ieframe.oca
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
cmdClose
WebA_NewWindow
advapi32.dll
RegCloseKey
RegCreateKeyA
RegDeleteKeyA
RegOpenKeyA
cmdRestore_Click
cmdCancel
cmdOK
shell32.dll
ShellExecuteA
cmdMax_Click
3<cmdMax
cmdLive
cmdRestore
cmdNavi
C:\windows\system32\MSVBVM60.DLL\3
GetKeyValue
SetKeyValue
DeleteKey
GetKeysString
EnumSectionKeys
VBA6.DLL
user32.dll
FC:\Windows\system32\stdole2.tlb
gdi32.dll
olepro32.dll
Msimg32.dll
SetCipherKey
SetCipherKeyString
hXXp://5ilrc.com/
[email protected]
**/,-1/07-.3
./4=?E)*.**/127"#'
) -7987 -*)
cmdMin
cmdMax
sKey
uMsg
KeyCode
KeyAcsii
KeyBits
PassPhrase
t.Hu`
[email protected]
hXXp://tv.hfdty.com/
\pop.ini
.txt?
UrlString
hXXp://c.hzxyg.com/update_23.ini?
\update.ini
MiniUrl
Microsoft.XMLHTTP
application/x-www-form-urlencoded
daohang.html
hdtv.html?
hXXp://live.64ma.com/tv/
hXXp://live.64ma.com/tv/live.html
daohang.html?
hXXp://live.64ma.com/tv/index.html?s
2000/01/01
hXXp://live.64ma.com/tv/tv.asp?pid=
res://Sunshine.dll/PAGE/index.html
feedback.html?Xy
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
\Update.exe
mini.html
No Password
cRijndael.SetCipherKey - Illegal KeyBits Value
cRijndael.ArrayEncrypt - plaintext must be zero based array
cRijndael.ArrayDecrypt - ciphertext must be zero based array
Wrong key or keysize?
1.00.0006
Sunshine.exe
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
ˬƬ²¥·ÅÆ÷_7176_1153_hd.tmp:228
Sunshine.exe:440
fyjm_77_1153.exe:1248
ˬƬ²¥·ÅÆ÷_7176_1153_hd.exe:1784
%original file name%.exe:1060
regsvr32.exe:1664
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\is-CS3GE.tmp\psvince.dll (36 bytes)
%Program Files%\Sunshine\is-VQJRA.tmp (31213 bytes)
%Program Files%\Sunshine\is-SDHJF.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-CS3GE.tmp\UpdateIcon.dll (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-CS3GE.tmp\App.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-CS3GE.tmp\Uninstall.ico (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-I8D9I.tmp\ˬƬ²¥·ÅÆ÷_7176_1153_hd.tmp (7385 bytes)
%Documents and Settings%\All Users\Desktop\Ñô¹â¸ßÇåÓ°ÊÓ.lnk (682 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-CS3GE.tmp\_isetup\_shfoldr.dll (23 bytes)
%Program Files%\Sunshine\is-Q7A57.tmp (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-CS3GE.tmp\_isetup\_RegDLL.tmp (4 bytes)
%Program Files%\Sunshine\is-SSQUV.tmp (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\install.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-I8D9I.tmp\RCXB4.tmp (2566942 bytes)
%Program Files%\Sunshine\unins000.dat (10576 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\·çÃâ€Ãƒâ€ Ö±²¥\·çÃâ€Ãƒâ€ Ö±²¥.lnk (678 bytes)
%Program Files%\Fengyun\uninst.exe (789 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiB3.tmp\Inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Desktop\·çÃâ€Ãƒâ€ Ö±²¥.lnk (666 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiB3.tmp\Internet.dll (4 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\·çÃâ€Ãƒâ€ Ö±²¥\Website.lnk (683 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiB3.tmp\System.dll (11 bytes)
%Program Files%\Fengyun\fengyun.exe (1568 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\·çÃâ€Ãƒâ€ Ö±²¥\Uninstall.lnk (499 bytes)
%Program Files%\Fengyun\·çÃâ€Ãƒâ€ Ö±²¥.url (45 bytes)
C:\fyjm_77_1153.exe (107 bytes)
C:\ˬƬ²¥·ÅÆ÷_7176_1153_hd.exe (6343 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ñô¹â¸ßÇåÓ°ÊÓ" = "%Program Files%\Sunshine\Sunshine.exe /autostart"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.