MD5: 59a4faf8d54dd1b207da5a8db671d764
SHA1: 31c202ebc98fb790599dd6802dc4f98e1c242b2b
SHA256: 39bed433fcc2e92589b3e0b43d41135ee419cee66f2e3d6baf18a6b366aa6150
SSDeep: 6144:adI4gRyHjl6lGvyD/SjUqvBTOEAfcD1IbYstD HVE1Z3tDA:adIyl60N1OJcD1Ics9uE1p9
Size: 283136 bytes
File type: DLL
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-06-08 12:59:36
Analyzed on: WindowsXPESX SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

regsvr32.exe:1628
hrlB2.tmp:1188

The Trojan injects its code into the following process(es):

vqbbms.exe:984

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process regsvr32.exe:1628 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\hrlB2.tmp (275 bytes)

The process vqbbms.exe:984 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\RCXB3.tmp (16844 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\lpk.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\lpk.dll (1425 bytes)
%System%\hra33.dll (7 bytes)

The Trojan deletes the following file(s):

%System%\hra33.dll (0 bytes)

The process hrlB2.tmp:1188 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\vqbbms.exe (1425 bytes)

Registry activity

The process regsvr32.exe:1628 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 0E 6D DF CA 99 55 A4 B3 1E 78 76 F0 B8 6E A1"

Dropped PE files

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 734 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

The Trojan installs the following user-mode hooks in ntdll.dll:

NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

.text

`.data

.rsrc

msvcrt.dll

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

USER32.dll

ole32.dll

regsvr32.pdb

_wcmdln

RegCloseKey

RegOpenKeyExW

Excessive # of DLL's on cmdline

5.1.2600.5512 (xpsp.080413-2105)

REGSVR32.EXE

Windows

Operating System

5.1.2600.5512

Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname

Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall

Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.

LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.

%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.

OleUninitialize failed.["%1" is not an executable file and no registration

vqbbms.exe_984:

.text

`.rdata

@.data

.rsrc

USER32.dll

ADVAPI32.dll

SHELL32.dll

WS2_32.dll

WINMM.dll

GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm

RegCloseKey

RegOpenKeyExA

RegOpenKeyA

ShellExecuteA

MFC42.DLL

MSVCRT.dll

_acmdln

WinExec

KERNEL32.dll

fei9988.3322.org:8080

564528578564528578

%u.%u.%u.%u

hra%u.dll

iexplore.exe

stf%c%c%c%c%c.exe

PlusCtrl.dll

kernel32.dll

SOFTWARE.LOG

%c%c%c%c%c%c.exe

%u MB

%u MHz

Windows NT

Windows 7

Windows 2008

Windows Vista

Windows 2003

Windows XP

Windows 2000

SOFTWARE\Microsoft\Windows NT\CurrentVersion

\Program Files\Internet Explorer\iexplore.exe

#0%s!

%s/%s

GET %s HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)

Host: %s:%d

Host: %s

User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0

Referer: hXXp://%s:80/hXXp://%s

%s %s%s

User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)

User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

%d.%d.%d.%d

192.168.1.244

@.reloc

SHLWAPI.dll

lpk.dll

{1.PD^

x%Fo>

@D.qKy

Vp/0%d

.rtib4x

%xBTPt

n .sh

fJd.RpxR

,pDB.pD

UaQ.kr

nd%xy

cmd /c RD /s /q "%s"

"%s" a -r -ep1"%s" "%s" "%s\lpk.dll"

"%s" x "%s" *.exe "%s\"

cmd /c %s vb "%s" lpk.dll|find /i "lpk.dll"

rar.exe

1, 0, 0, 1

server.EXE

vqbbms.exe_984_rwx_0040C000_00001000:

1, 0, 0, 1

server.EXE

vqbbms.exe_984_rwx_00419000_00001000:

.rtib4x

vqbbms.exe_984_rwx_00426000_00002000:

fJd.RpxR

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   regsvr32.exe:1628
   hrlB2.tmp:1188

3. Delete the original Trojan file.
   
4. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Local Settings\Temp\hrlB2.tmp (275 bytes)
   C:\RCXB3.tmp (16844 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\lpk.dll (1425 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\lpk.dll (1425 bytes)
   %System%\hra33.dll (7 bytes)
   %System%\vqbbms.exe (1425 bytes)

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.