MD5: f6a9067b84f9a7ed3f9f62624c851637
SHA1: 2b14ef6009ef5e5fb9b78de568977cd086777c95
SHA256: 9841eff4ff41e829192cca2d2124a499ca2efaad41404b1790cf6fb489e09955
SSDeep: 49152:xn2 752oQNf7d5cU32Fsefyp6ano1RYsj4Eh5SLiGT:x2 7Yo 7ncU32GFp6FYskEhiT
Size: 2297856 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2016-03-21 17:56:58
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:2016

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:

ZonesLockedCacheCounterMutex
ZonesCounterMutex
ZonesCacheCounterMutex
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
RasPbFile
ShimCacheMutex

File activity

The process %original file name%.exe:2016 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GXI3G1IV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7PT78354\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8SQQDUG6\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UZOJ2VC7\desktop.ini (67 bytes)

Registry activity

The process %original file name%.exe:2016 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A 45 19 47 D3 4F 8E 68 01 D2 04 FF 28 9F 48 AD"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: Language Neutral

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://www.hywp.pw/lyb.php?pid=51825	137.175.66.113

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0

Traffic

GET /lyb.php?pid=51825 HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.hywp.pw

Cache-Control: no-cache

HTTP/1.1 200 OK

Connection: close

Date: Fri, 08 Apr 2016 22:50:15 GMT

Server: WWW Server/1.1

X-Powered-By: PHP/5.2.17

Set-Cookie: user=deleted; expires=Thu, 09-Apr-2015 22:50:14 GMT

Content-type: text/html; charset=GBK

X-Safe-Firewall: zhuji.360.cn 1.0.9.47 F1W1
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "htt
p://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xm
lns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-eq
uiv="Content-Type" content="text/html; charset=gb2312" />..<titl
e>................ - ......</title>......</head>..<b
ody>..<style type="text/css">..body{margin:0px;..OVERFLOW-X: 
hidden; }..</style>..    ...... ..<SCRIPT LANGUAGE="JavaScrip
t"> ..Image1= new Image(100,50) ..Image1.src = "img/180945356341.pn
g" ....</SCRIPT> ....<script src="hXXp://libs.baidu.com/jquer
y/2.0.0/jquery.min.js" type="text/javascript"></script> ..<
;link rel="stylesheet" href="css/tipso.min.css">......<script>
;..$(function(){ ..  $(window).scroll(function() {.. if($(window).scro
llTop()>=100){..  $(".nav").addClass("fixedNav");.. }else{..  $(".n
av").removeClass("fixedNav");.. } ..  });..});..</script>....<
;style type="text/css">.......fixedNav{.. position:fixed;.. top:0px
;.. left:0px;.. width:100%;.. z-index:100000;.. _position:absolute;.. 
_top:expression(eval(document.documentElement.scrollTop));..}..a{...te
xt-decoration: none;..}...xx a{...color: #FFFFFF;...text-decoration: n
one;..}...xx {..height: 63px;..width: 100%;..  padding-top: 1px;..    
background: url(img/18711.png);..border-bottom: 1px solid #224879;..}.
..jz{..margin:0 auto; ..width:1024px;..height:63px;..}...logo{..width:
190px;..margin-right:40px;..height:75px; ..margin-left: 68px;..mar
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

t$(SSh

H%dKb

~%UVW

u$SShe

hXXp://VVV.hywp.pw/lyb.php?pid=51825

3.21.exe

1 !!-.!;

@.rmnet

kernel32.dll

c:\kss.ini

password

.idata

.edata

P.vmp0

`.vmp1

.reloc

P.rsrc

version.dll

user32.dll

shell32.dll

1e.ro4A

oleaut32.dll

H0.gW

comctl32.dll

advapi32.dll

gdi32.dll

d.jF/"

r#'%C

6.Xdp

g|$^.Cn

>.bM8

>Z.Ye

w4R`$p%s*

f.zo~L^

wsock32.dll

ntdll.dll

Ë.L@

l.sQ{

c-t{.FF

b#I".wM

e.ENZ

xip.tu

@>.vO

%FX2Fsi

qKT.jLka

3.LD7

Uq

G,.gd

<.cFF=j

&8.XMj

$~O.Ba

)].Wd

/_{M%U

Q%s6|

lVfeVg

 !%uO

mh.ud

m%Csn%

kq84.QaI

)f%fg

.SuDYw

K)`p.frC

*%s!%

aR.dDb&<y

.xk 4g

ShellExecuteA

RegCloseKey

)%S{.

'U}.Ue

l%S(8x$!(

1L%UJ

.vtbw

.iA5N

yyhKa%S

d.Zd=#R

x0r%F{

.IPi)

Vj.jH

>M%X9

/8[<{~@ 

bc.lTk

ks_GetMsg

kssPlugin.dll

tole32.dll

crossfire.exe

%d&&'

123456789

00003333

deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly

inflate 1.1.3 Copyright 1995-1998 Mark Adler

F%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

__MSVCRT_HEAP_SELECT

Broken pipe

Inappropriate I/O control operation

Operation not permitted

RASAPI32.dll

iphlpapi.dll

SHLWAPI.dll

MPR.dll

WINMM.dll

WS2_32.dll

VERSION.dll

GetProcessHeap

WinExec

KERNEL32.dll

GetKeyState

USER32.dll

GetViewportOrgEx

GDI32.dll

WINSPOOL.DRV

RegOpenKeyExA

RegCreateKeyExA

ADVAPI32.dll

SHELL32.dll

ole32.dll

OLEAUT32.dll

COMCTL32.dll

WSOCK32.dll

HttpQueryInfoA

HttpSendRequestA

HttpOpenRequestA

InternetCrackUrlA

InternetCanonicalizeUrlA

WININET.dll

GetCPInfo

CreateDialogIndirectParamA

UnhookWindowsHookEx

SetWindowsHookExA

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

comdlg32.dll

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.*)|*.*||

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

Kernel32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|PNG

(*.PNG)|*.PNG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

1.6.9

unsupported zlib version

png_read_image: unsupported transformation

out.prn

%d.%d

%d / %d

%d/%d

Bogus message code %d

libpng error: %s

libpng warning: %s

1.1.3

bad keyword

libpng does not support gamma background rgb_to_gray

Palette is NULL in indexed image

(%d-%d):

%ld%c

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

%s <%s>

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

zcÁ

#include "l.chs\afxres.rc" // Standard components

Srv.exe

.jcUj

jb%F 

i,.bo

GetWindowsDirectoryA

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

VVV.dywt.com.cn

c:\%original file name%.exe

9.5.25.212

(*.*)

1.0.0.0

(hXXp://VVV.eyuyan.com)

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:2016

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GXI3G1IV\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7PT78354\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8SQQDUG6\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UZOJ2VC7\desktop.ini (67 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.