Trojan.GenericKD.3222235_c0ba640c5e

by malwarelabrobot on August 11th, 2016 in Malware Descriptions.

Trojan.GenericKD.3222235 (BitDefender), not-a-virus:RiskTool.Win32.FlyStudio.dsn (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.GenericKD.3222235 (B) (Emsisoft), Artemis!C0BA640C5ED3 (McAfee), Heur.AdvML.B (Symantec), Win32.SuspectCrc (Ikarus), Trojan:W32/DelfInject.R (FSecure), Win32:Malware-gen (Avast), TROJ_GEN.R02SC0GFQ16 (TrendMicro), Trojan.GenericKD.3222235 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: c0ba640c5ed35be275f2f72c12ecfff2
SHA1: ea405d355d53f8319858e56bbbda91898d33fd1a
SHA256: 3ae3201fc054fa2dc6e2d69830fd108b00bb8eb61e9bf4570eac2958305f0bce
SSDeep: 12288:Fhn6OJ4yKwRL7kmbmaLK0wE77w788STCXkwehPlUNm/SMZoSexVHqZ:Fhu/wF7VbrLK0wE77w78KilcMr
Size: 1073152 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2013-02-06 05:44:24
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:228

Mutexes

The following mutexes were created/opened:

ZonesLockedCacheCounterMutex
ZonesCounterMutex
ZonesCacheCounterMutex
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
RasPbFile
ShimCacheMutex

File activity

The process %original file name%.exe:228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ADSQWDZ1\error[1].htm (2704 bytes)

Registry activity

The process %original file name%.exe:228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 CC 80 D8 B3 84 BD F9 F8 8D 0A E9 63 E8 83 D2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ????
Product Name: ????
Product Version: 1.0.0.0
Legal Copyright: ????(C)????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ??Yy32112 ??????9ixk.com
Comments: ??Yy32112 ??????9ixk.com
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 701291 704512 4.50884 6c396f5b7baa3d4547fddd83e579ff88
.rdata 708608 251950 253952 4.33303 0d1b29c384a68e7d5d1644adcdabc8f6
.data 962560 395883 69632 3.6897 3fa71d18a40e08d2c306623621114f08
.rsrc 1359872 38464 40960 4.46369 eed704a310c89f92878dfaa3ccc7e5c5

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://im2.n.shifen.com/new/xkgxbb
hxxp://im2.n.shifen.com/search/error.html
hxxp://im.baidu.com/search/error.html 123.125.114.169
hxxp://hi.baidu.com/new/xkgxbb 123.125.114.169


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0

Traffic

GET /search/error.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: hXXp://hi.baidu.com/new/xkgxbb
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: im.baidu.com
Cache-Control: no-cache
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 10 Aug 2016 09:47:59 GMT
Server: Apache
Last-Modified: Mon, 07 Dec 2015 10:58:51 GMT
ETag: "a92"
Accept-Ranges: bytes
Content-Length: 2706
Connection: Keep-Alive
Content-Type: text/html
<html>.<head>..<title>....--..............</title
>..<META http-equiv=content-type content="text/html; charset=gb2
312">.<META content="MSHTML 6.00.2462.0" name=GENERATOR></
HEAD>.</head>.<style type="text/css">..p1 {..FONT-SIZE:
 14px; LINE-HEIGHT: 24px; FONT..



GET /new/xkgxbb HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: hXXp://hi.baidu.com/new/xkgxbb
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: hi.baidu.com
Cache-Control: no-cache


HTTP/1.1 302 Found
Date: Wed, 10 Aug 2016 09:47:57 GMT
Server: Apache
Location: hXXp://im.baidu.com/search/error.html
Content-Length: 221
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>302 Found</title>.</head><body
>.<h1>Found</h1>.<p>The document has moved <a 
href="hXXp://im.baidu.com/search/error.html">here</a>.</p&
gt;.</body></html>.HTTP/1.1 302 Found..Date: Wed, 10 Aug 2
016 09:47:57 GMT..Server: Apache..Location: hXXp://im.baidu.com/search
/error.html..Content-Length: 221..Connection: Keep-Alive..Content-Type
: text/html; charset=iso-8859-1..<!DOCTYPE HTML PUBLIC "-//IETF//DT
D HTML 2.0//EN">.<html><head>.<title>302 Found<
;/title>.</head><body>.<h1>Found</h1>.<p
>The document has moved <a href="hXXp://im.baidu.com/search/erro
r.html">here</a>.</p>.</body></html>...

The Trojan connects to the servers at the folowing location(s):

%original file name%.exe_228:

.text
`.rdata
@.data
.rsrc
t$(SSh
~%UVW
u$SShe
ws2_32.dll
kernel32.dll
Wininet.dll
wininet.dll
ntdll.dll
MsgWaitForMultipleObjects
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
FindCloseUrlCache
DeleteUrlCacheEntryA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
{B6F7542F-B8FE-46a8-9605-98856A687097}
hXXp://play.aobi.com/play.html
~*#||-@_|@!!)^)^|_!_|?@&~&#|~(|)|)~.! |!   _ = = __~?-?^|-@_|@!!~&#?|~@#! !=
|-#?~#@ ~~#=~!|#
YY.exe
   _ = = _
!=|#~^|=~^@=|)?||^@!!=|@!=!=? ~#~@|*~#?#|-!(|_||?-?!!=!_~^|=~^@=~#?#|@~^~~#(|-@!_?|.!#~^@!||##_~|.!#~^|=~^@=_~~^|=~^@=?(|)|)~ ~-# ? |)? ?.!=! 
C$%cmb
.ppM|
 aZ.mO
%-^
.hk;~
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
2u.eKITFBp
(&*-*-*. !_@_@(&(^_#(_(=(^(-*)_#( (@(?_@(#()**_@*&(|(**&(_(_
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
http=
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
hXXp://
)||.#(|=|#)?
)|_@|.#(|=|#)?
|*!_~@?(?.~_|.#(|=|#! |!
_.|)|=~*|.|.#(|=|#! |!
~&#*|^@|?.~_|.#(|=|#|_|||(?-| ~(~*#||)|?|&!&?(@!|^?^|*|?~@~_?-?&?*##?.~_|.#(|=|#_. ^(^*&(|_#( (@(?
||@_?)?@|)|?~^|=~^@=|)?||^@!|^?^|*|?)^*^~(|)|)~.~@~_?-?&?*##?.~_|.#(|=|#
|*!_~@?(?.~_|.#(|=|#~*#||&@~?.~_
hXXp://ucbug.com
WS2_32.DLL
wsock32.dll
58002724
(&*-*-*. !_@_@ ^(^*&(|_#( (@(?
yylauncher.exe
|#!@|&#( !~#|-|?@&~&#|~^|=~^@=|)?||^@!~?#=~?#=~(|)|)~.   _ = = __.| ~~?.@_|?!|?*?-|(!@|^?&|=?)_=_=_=
~#|-|?@&~&#|~?#=~?#=~(|)|)~.   _ = = _
@ws2_32.dll
9ixk.com
9ixk.com
hXXp://ar444.com/Ar/kuku.html
:9ixk.com|
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
ole32.dll
__MSVCRT_HEAP_SELECT
user32.dll
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
RASAPI32.dll
GetProcessHeap
WinExec
KERNEL32.dll
GetKeyState
SetWindowsHookExA
UnhookWindowsHookEx
EnumChildWindows
EnumWindows
GetViewportOrgEx
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
OLEAUT32.dll
oledlg.dll
WSOCK32.dll
WININET.dll
GetCPInfo
CreateDialogIndirectParamA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
(*.htm;*.html)|*.htm;*.html
VVV.dywt.com.cn
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
.PAVCOleDispatchException@@
zcÁ
right-curly-bracket
left-curly-bracket
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
K%uA#p>"p>"
123456789
 .=_ -)(*&^~!@#|?
1, 0, 6, 6
(*.*)
1.0.0.0
9ixk.com

%original file name%.exe_228_rwx_10027000_00015000:

msctls_hotkey32
TVCLHotKey
THotKey
\skinh.she
}uo,x6l5k%x-l h
9p%s m)t4`#b
e"m?c&y1`Ð<
SetViewportOrgEx
SetViewportExtEx
SetWindowsHookExA
UnhookWindowsHookEx
EnumThreadWindows
EnumChildWindows
`c%US.4/
!#$<#$#=
.text
`.rdata
@.data
.rsrc
@.UPX0
`.UPX1
`.reloc
%-^
.hk;~


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ADSQWDZ1\error[1].htm (2704 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now