MD5: 8c67d8a9db9544d5d5aaa809372fd471
SHA1: 2590bf43da5a51c79768c65e13dfe2ad37dcb82e
SHA256: 37db8bda42182fe8791fc60afda7c7f2be4dced79b0a0c0f5720e4e8aefcba7b
SSDeep: 12288:GCHO6aELBqq9YHSjyqgCDEs0SfpZxq6YGKqA2b:FuPu17jy/ufpAGtZ
Size: 521728 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 2014-05-20 17:38:58
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan-PSW. Trojan program intended for stealing users passwords.

Payload

Process activity

The Trojan-PSW creates the following process(es):
No processes have been created.
The Trojan-PSW injects its code into the following process(es):

%original file name%.exe:1280

File activity

The process %original file name%.exe:1280 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2P6DS5M9\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\E10L8H69\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MHG1AHIP\mopet[1].htm (570 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0D6TMNK7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MHG1AHIP\desktop.ini (67 bytes)

Registry activity

The process %original file name%.exe:1280 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 C3 90 6D B4 85 7E 82 2F 21 4E 49 C9 54 16 C5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan-PSW modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-PSW modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-PSW modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-PSW deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ??
Product Name: ?????by??
Product Version: 1.0.0.1
Legal Copyright: ???????...
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.1
File Description: ?????by??
Comments: ?????by??
Language: Language Neutral

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://u.icache.renren.com/
hxxp://s97.pet.imop.com/re.jsp	60.29.251.193
hxxp://u.icache.renren.com/mopet.html
hxxp://pet.imop.com/	125.39.94.81

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0

Traffic

GET /re.jsp HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: s97.pet.imop.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: Resin/3.1.8

Cache-Control: no-cache

Expires: Thu, 01 Dec 1994 16:00:00 GMT

Set-Cookie: JSESSIONID=abcqMMJGWSLuw5mXVVvzu; path=/

Content-Type: text/html; charset=GBK

Date: Sun, 01 Jun 2014 04:45:18 GMT

Transfer-Encoding: chunked
76....<meta http-equiv="Refresh" content="70;URL=?&1401597918751&"&
gt;..Sun Jun 01 12:45:18 CST 2014<br>..login:false..0..

GET / HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: pet.imop.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.4

Date: Sun, 01 Jun 2014 04:45:16 GMT

Content-Type: text/html; charset=gbk

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

Content-Encoding: gzip
bd3.............[.o....,...6.4. ..$E............0..x.$O..}w.-..c.....h
....n.?.......(E.....AQ....u[tv..<.G.rm%.%H..qgvvfvwv.w...|o......f
.........#. ..W.........>..CH.Et.....-..mAXy.C\3.[%A.t:|G.=.!.}E8Ex
I.8....J..M.23].=.rl7.R.H.b....X7...C.d.[Y|.m.k.......G7Z.C...........
2....Pk.dE.9$.>....r...._...t...?x.,....m.k......A ........qA.a...q
...z.:..(oJM.Z .."N.].p.;^.7<G.t........<|phfzf.1p..0......<.
.F8....K.4=?4.!b.....,.h 0|.."[w.m.[.V.u.=.P..]. J.b..._..m..........F
H..d|W.....!v.O.b.kXn.hbc..8D..\.o..7h.....X..VO...1.8........ nczF...
.{...0......A...^./.f.O.Lc.!z..../e:.....q.m..m..[.^n.3......5MR.N#x..
.V.*3sK3.g./.tB........#.W...dt....Iza?3..U..]..s. .ah.. A.K..8..F....
...........!.-M\..}.K...../.....ok..K....9n.8..X..K[...c...`..N!t7....
8.#......!......(..~.z..../o?....9@)..qT.`2W.;H.'.w....~b..2L.l..G.piF
H6..u.U`k.=_...9[).kxn.r.C.(..........@. ..q....`;..\._..7~...J..1v..&
lt;).8..}ZI.;...Aj.....*.YR..K/!..4...)...&.S...dR...,..:2l=...}C6.*..
m.l....>,!Y.j4...k.Z.-.mW`..Im.*J...?..."...U6_-..J.......wg..,W.o.
...-.z.%...?.5..FZQ.(..5(..2...l9....n....|.K\......h.m.......$.!r...2
[email protected].(.].*..a...C.2D~.._.!.!C....;..
....{..b..q...^.......F9{.{_.....;I.E......G..$.>..v..;.[R.z.....[_
.a.......o..._..,.;..p....{...=3....$..i......>..w...O9.....3TX:..^
.Yv..SXs.=.RH.qj..W.....I.}..A3..$...i..7..e..._.j.g....8R9...\.......
.........1.9.....I.....T....TPvUc..:Ua..z7|.......D....H.;...j.?..$.NU
XO.d...p..F..>.!.....B.6P..H...|.;,.i...<Q...9fa....-..>.
<<< skipped >>>

The Trojan-PSW connects to the servers at the folowing location(s):

`.rsrc

t$(SSh

~%UVW

u$SShe

wininet.dll

ole32.dll

kernel32.dll

HttpOpenRequestA

HttpSendRequestA

HttpQueryInfoA

action.jsp

action=inputCommand&inputCommand=/JingJiChang extraTiaoZhan&chatChannel=&talkToId=-1&input=&itemname=&itemindex=&itemtype=

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

http=

https

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

https://

http://

action=inputCommand&inputCommand=/go 

jingjichang/jingjichang.jsp

jingJiChangObj.attack\(([0-9]{1,})\)#

action=inputCommand&inputCommand=/docompete 

http://s97.pet.imop.com/re.jsp

http://pet.imop.com/

mopet.html

@action=inputCommand&inputCommand=/fetchtimeprize&chatChannel=&talkToId=-1&input=&itemname=&itemindex=&itemtype=

jingJiChangObj.attack\([0-9]{1,}\)#

VBScript.RegExp

%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

__MSVCRT_HEAP_SELECT

user32.dll

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.*)|*.*||

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

Kernel32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

out.prn

%d.%d

%d / %d

%d/%d

Bogus message code %d

(%d-%d):

%ld%c

(*.htm;*.html)|*.htm;*.html

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

%s <%s>

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

msctls_hotkey32

.PAVCOleException@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCOleDispatchException@@

.PAVCArchiveException@@

zcÁ

login:false

c:\%original file name%.exe

GetCPInfo

WinExec

GetProcessHeap

RegCloseKey

RegOpenKeyExA

RegCreateKeyExA

GetViewportOrgEx

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

ShellExecuteA

CreateDialogIndirectParamA

EnumChildWindows

EnumThreadWindows

UnhookWindowsHookEx

SetWindowsHookExA

GetKeyState

InternetCrackUrlA

InternetCanonicalizeUrlA

.text

.rdata

@.data

.rsrc

Viewport

EscapR%X

~2wUrl$

.rsrcs

#include "l.chs\afxres.rc" // Standard components

KERNEL32.DLL

ADVAPI32.dll

COMCTL32.dll

comdlg32.dll

GDI32.dll

MSIMG32.dll

OLEAUT32.dll

oledlg.dll

RASAPI32.dll

SHELL32.dll

USER32.dll

WININET.dll

WINMM.dll

WINSPOOL.DRV

WS2_32.dll

(*.*)

1.0.0.1

%original file name%.exe_1280_rwx_00401000_000DA000:

t$(SSh

~%UVW

u$SShe

wininet.dll

ole32.dll

kernel32.dll

HttpOpenRequestA

HttpSendRequestA

HttpQueryInfoA

action.jsp

action=inputCommand&inputCommand=/JingJiChang extraTiaoZhan&chatChannel=&talkToId=-1&input=&itemname=&itemindex=&itemtype=

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

http=

https

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

https://

http://

action=inputCommand&inputCommand=/go 

jingjichang/jingjichang.jsp

jingJiChangObj.attack\(([0-9]{1,})\)#

action=inputCommand&inputCommand=/docompete 

http://s97.pet.imop.com/re.jsp

http://pet.imop.com/

mopet.html

@action=inputCommand&inputCommand=/fetchtimeprize&chatChannel=&talkToId=-1&input=&itemname=&itemindex=&itemtype=

jingJiChangObj.attack\([0-9]{1,}\)#

VBScript.RegExp

%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

__MSVCRT_HEAP_SELECT

user32.dll

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.*)|*.*||

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

Kernel32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

out.prn

%d.%d

%d / %d

%d/%d

Bogus message code %d

(%d-%d):

%ld%c

(*.htm;*.html)|*.htm;*.html

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

%s <%s>

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

msctls_hotkey32

.PAVCOleException@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCOleDispatchException@@

.PAVCArchiveException@@

zcÁ

login:false

c:\%original file name%.exe

GetCPInfo

WinExec

GetProcessHeap

RegCloseKey

RegOpenKeyExA

RegCreateKeyExA

GetViewportOrgEx

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

ShellExecuteA

CreateDialogIndirectParamA

EnumChildWindows

EnumThreadWindows

UnhookWindowsHookEx

SetWindowsHookExA

GetKeyState

InternetCrackUrlA

InternetCanonicalizeUrlA

.text

.rdata

@.data

.rsrc

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
2. Delete the original Trojan-PSW file.
   
3. Delete or disinfect the following files created/modified by the Trojan-PSW:
   

   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2P6DS5M9\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\E10L8H69\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MHG1AHIP\mopet[1].htm (570 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0D6TMNK7\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MHG1AHIP\desktop.ini (67 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.