Trojan.Win32.Badur.hbyw_1c5c2a1ffb
Trojan.Win32.Badur.hbyw (Kaspersky), Trojan.Win32.Generic!SB.0 (VIPRE), Artemis!1C5C2A1FFBAF (McAfee), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 1c5c2a1ffbaf8f49cdddf9bff10be16b
SHA1: 0ac2f631ebc99ce8658811877352c12e4e54180a
SHA256: ada837217fcbacf92444f2b9847ce9a2693f3b7d2c0834435488e6e7875cdd0b
SSDeep: 1536:3RYpHXbpdF1XJfHM3S0DamJUkquGlrafQPZPipMnR0u2mP08rYsqP3T:hY3dFNJPmDamJUkqHl4G0bmPnr4T
Size: 95589 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Beorfd Software Coregion
Created at: 2009-02-05 03:59:54
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
ogqyacg_30656.exe:3228
zhtray.exe:1208
ZhiHui2.3.exe:2016
setup_3128.exe:276
pczh_100_1.exe:3024
YYMusic.exe:3128
The Trojan injects its code into the following process(es):
%original file name%.exe:3340
YYSpeed.exe:3200
File activity
The process ogqyacg_30656.exe:3228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\dl.dll (65930 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp (162199 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BDMDownload.dll (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\hu.dll (3312 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (200 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BDLogicUtils.dll (30968 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BDMNet.dll.bdl (48076 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (1115 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\n.exe.bdl (197437 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\Desktop\Global.db (16 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\tmpvfmtk9.dll (87814 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\res\onlineWnd.zip (6360 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\Common\Global.db (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BDMNetGetInfo.dll (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BDMReport.dll.bdl (36511 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BDMSkin.dll (38495 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (0 bytes)
The process zhtray.exe:1208 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\ZhiHui2420143\set.ini (7 bytes)
%Documents and Settings%\%current user%\Application Data\ZhiHui2420143\set2420143\Setzh2420143.ini (23 bytes)
%Documents and Settings%\%current user%\Application Data\ZhiHui2420143\min.ini (14 bytes)
The process %original file name%.exe:3340 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp\xID.dll (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp\z.ini (662 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_3128.exe (354959 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ogqyacg_30656.exe (156554 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\-8531_1_mm.rar (38758 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pczh_100_1.exe (40033 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp\Md5dll.dll (8 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp\z.ini.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr1.tmp (0 bytes)
The process ZhiHui2.3.exe:2016 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\stat[1].php (1121 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\zhibo2[1].htm (699 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\fyminiloader-min[1].js (660 bytes)
The process setup_3128.exe:276 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\YYMusic2\20140324065726\avutil-52.dll (5520 bytes)
%Program Files%\YYMusic2\20140324065726\Skin\mainframeshadow.png (4992 bytes)
%Program Files%\YYMusic2\20140324065726\channels.xml (784 bytes)
%Program Files%\YYMusic2\20140324065726\avcodec-54.dll (23936 bytes)
%Program Files%\YYMusic2\20140324065726\favorfm.xml (440 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\YYMusic2\配置工具\卸载YYMusic2.lnk (858 bytes)
%Program Files%\YYMusic2\20140324065726\avcore.dll (2392 bytes)
%Program Files%\YYMusic2\20140324065726\avformat-54.dll (12536 bytes)
%Program Files%\YYMusic2\20140324065726\SysConfig.ini (255 bytes)
%Program Files%\YYMusic2\20140324065726\Data\dh.ini (56 bytes)
%Program Files%\YYMusic2\20140324065726\Data\setup.ini (110 bytes)
%Program Files%\YYMusic2\20140324065726\YYMusic.exe (32784 bytes)
%Program Files%\YYMusic2\20140324065726\Data\version.ini (32 bytes)
%Program Files%\YYMusic2\20140324065726\DuiLib.dll (16288 bytes)
%Program Files%\YYMusic2\20140324065726\pthreadGC2.dll (3616 bytes)
%Program Files%\YYMusic2\20140324065726\Data\user2.ini (15 bytes)
%Program Files%\YYMusic2\20140324065726\audio.dll (3616 bytes)
%Program Files%\YYMusic2\20140324065726\source.dll (6584 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\YYMusic2\官方主页.lnk (334 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\YYMusic2\YYMusic2.lnk (856 bytes)
%Program Files%\YYMusic2\20140324065726\Data\client.ini (36 bytes)
%Program Files%\YYMusic2\20140324065726\libav.dll (6360 bytes)
%Program Files%\YYMusic2\20140324065726\Unins.exe (9608 bytes)
%Program Files%\YYMusic2\20140324065726\YYSpeed.exe (22552 bytes)
%Program Files%\YYMusic2\20140324065726\Skin\hotkeytipbk.png (1 bytes)
%Program Files%\YYMusic2\20140324065726\Skin.rs (29608 bytes)
%Program Files%\YYMusic2\20140324065726\Skin\progresstooltip.png (3 bytes)
%Program Files%\YYMusic2\20140324065726\swresample-0.dll (3312 bytes)
The Trojan deletes the following file(s):
C:\ (0 bytes)
The process pczh_100_1.exe:3024 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsh8.tmp\tj.html (89 bytes)
%Program Files%\azh2.3\uninstall.exe (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh8.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Desktop\爱情.智慧2.3.lnk (671 bytes)
%Program Files%\azh2.3\Zhihui2.3.exe (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\tj[1].htm (89 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh8.tmp\Inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh8.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh8.tmp\Math.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh8.tmp\Base64.dll (4 bytes)
%Program Files%\azh2.3\zhtray.exe (5520 bytes)
%Program Files%\azh2.3\ToolZhSrv.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr7.tmp (23866 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\爱情.智慧2.3\爱情.智慧2.3.lnk (1366 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\爱情.智慧2.3\卸载.lnk (1366 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh8.tmp\md5dll.dll (8 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsh8.tmp\tj.html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh8.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh8.tmp\Math.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh8.tmp\Base64.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh8.tmp\Inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh8.tmp\md5dll.dll (0 bytes)
The process YYMusic.exe:3128 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\d29e_appcompat.txt (10320 bytes)
Registry activity
The process ogqyacg_30656.exe:3228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 2D F5 AA 69 DE A8 E4 66 08 5C AB 0E 5E FD B3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\metnsd\clsid]
"SequenceID" = "DE 0B D2 6A 51 7A D0 4C B5 3F 41 4B F2 6C 36 1B"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
Adds a rule to the Windows Firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp]
"ogqyacg_30656.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\ogqyacg_30656.exe:*:Enabled:百度杀毒在线安装程序"
The Trojan adds the executable file of the process it runs in to the list of trusted Windows Firewall applications:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp]
"ogqyacg_30656.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\ogqyacg_30656.exe:*:Enabled:百度杀毒在线安装程序"
The process zhtray.exe:1208 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 68 B1 7B E9 F6 DF 4D B8 F2 20 7F 28 C0 26 F6"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 42 00 00 00 01 00 00 00 00 00 00 00"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE security zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
"IntranetName" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:3340 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 D9 06 A6 80 86 E3 48 69 8D E8 61 80 FF 66 A8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\53326_1758253739760]
"DisplayName" = "53326_1758253739760 1.0.2.4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.pz100.pw"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\53326_1758253739760]
"Publisher" = "53326_1758253739760"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.pz100.pw"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\53326_1758253739760]
"DisplayVersion" = "1.0.2.4"
The process ZhiHui2.3.exe:2016 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 25 F0 FA B3 4A 1A 04 E1 9C BC 3B 58 7C 36 DD"
[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Size" = "10"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Internet Explorer\International]
"W2KLpk" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"InitHits" = "100"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 44 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Factor" = "20"
"Enable" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE security zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
"IntranetName" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process setup_3128.exe:276 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\YYMusic2]
"Rd" = "_20140324065726"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\音乐FM]
"DisplayName" = "YYMusic2"
"Publisher" = "YYMusic2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\音乐FM]
"DisplayVersion" = "1.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 CA 5E FE A8 48 80 24 5C D8 1E B6 5B 80 9D 5E"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\音乐FM]
"UninstallString" = "%Program Files%\YYMusic2\20140324065726\Unins.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\音乐FM]
"DisplayIcon" = "%Program Files%\YYMusic2\20140324065726\Unins.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YyfmPlay"
"YYMusic2_News"
"YYMusic2"
"BoxNews"
The process YYSpeed.exe:3200 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 10 DC 2E 76 B9 FB 21 8C 1E B5 26 0C 2F A7 4B"
The process pczh_100_1.exe:3024 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\爱情智慧]
"DisplayName" = "爱情智慧"
[HKLM\SOFTWARE\Inzhuii]
"install" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\爱情智慧]
"DisplayVersion" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\爱情智慧]
"DisplayIcon" = "%Program Files%\azh2.3\uninstall.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Templates" = "%Documents and Settings%\%current user%\Templates"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\zhbar]
"EN" = "pczh_100_1.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\zhbar]
"ED" = "100"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKLM\SOFTWARE\zhbar]
"ET" = "2420143"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "38 A0 0C 6B 0E E7 2A EA 9E EF 04 50 A7 A8 81 3C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\爱情智慧]
"UninstallString" = "%Program Files%\azh2.3\uninstall.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Zhihui2.3.exe]
"(Default)" = "%Program Files%\azh2.3\Zhihui2.3.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process YYMusic.exe:3128 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "28 26 1E 81 D8 99 4D 64 A5 6E 05 3D C4 31 4C 4B"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
"DWFileTreeRoot"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://hi.petj.org/setup/?name=%original file name%.exe&mac=00-0C-29-3B-DF-2F&md5=cd1bf5c8668f31abd345f75407391ed8&ini=z.ini&v=1.0.2.4 | |
| hxxp://shadu.n.shifen.com/index/minidownload/30656 | |
| hxxp://baidubrs.dlmix.glb0.lxdns.com/qdmn/cgxndto_30656.exe | |
| hxxp://117.21.189.53/dl1sw.baidu.com/qdmn/cgxndto_30656.exe?wsiphost=local | |
| hxxp://hw.mg.china-glb.net/new/pczh_100_1.txt | |
| hxxp://pxsw.n.shifen.com/ | |
| hxxp://bcs.jomodns.com/sw-search-shadu/client/dllv4/BDMReport.dll (ET POLICY PE EXE or DLL Windows file download , Malicious) | |
| hxxp://hw.mg.china-glb.net/up_13.html?03240656 | |
| hxxp://dx5.3525.com/tj.php?mac=000C293BDF2F&st=1&exez=pczh_100_1.exe&exef=%original file name%.exe&pass=3a553692ab6116c7c079136d21b41bec&url1=ya.tu&url2=hxxp://google.com/ | |
| hxxp://hw.mg.china-glb.net/zhibo2.html?id=pczh_100_1.exe&en=2420143&go= | |
| hxxp://c.split.cnzz.com/stat.php?id=2701879&web_id=2701879 | |
| hxxp://sxcdn.fengyunzhibo.com/support/mini/fyminiloader-min.js | |
| hxxp://dx5.3525.com/xin/?ver=131 | |
| hxxp://bcs.jomodns.com/sw-search-shadu/client/dllv4/BDMNet.dll (ET POLICY PE EXE or DLL Windows file download , Malicious) | |
| hxxp://baidubrs.dlmix.glb0.lxdns.com/client/new_v1196/0321/Baidusd_Setup_1.0.448.145_Sid_10001_Silent_Defense.exe | |
| hxxp://117.21.189.50/dl1sw.baidu.com/client/new_v1196/0321/Baidusd_Setup_1.0.448.145_Sid_10001_Silent_Defense.exe?wsiphost=local | |
| hxxp://117.21.189.52/dl1sw.baidu.com/client/new_v1196/0321/Baidusd_Setup_1.0.448.145_Sid_10001_Silent_Defense.exe?wsiphost=local | |
| hxxp://117.21.189.55/dl1sw.baidu.com/client/new_v1196/0321/Baidusd_Setup_1.0.448.145_Sid_10001_Silent_Defense.exe?wsiphost=local | |
| jp.download.iyuntian.com | |
| tk.download.iyuntian.com | |
| rc.download.iyuntian.com | |
| s6.cnzz.com | |
| tv.aiqingzhihui.com | |
| dlsw.baidu.com | |
| update.aiqingzhihui.com | |
| dtrp.download.iyuntian.com | |
| dl1sw.baidu.com | |
| cfg.download.iyuntian.com | |
| res.download.iyuntian.com | |
| shadu.baidu.com | |
| en.zjcg.org | |
| tj.aiqingzhihui.com | |
| p.x.baidu.com | |
| utk.download.iyuntian.com | |
| static.m0dlcdn.kukuplay.com | |
| down.begrp.org | |
| xz.fuzhicheng.com | |
| res2.download.iyuntian.com | |
| qr.download.iyuntian.com | |
| res3.download.iyuntian.com | |
| sn.download.iyuntian.com | |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
ogqyacg_30656.exe:3228
zhtray.exe:1208
ZhiHui2.3.exe:2016
setup_3128.exe:276
pczh_100_1.exe:3024
YYMusic.exe:3128
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\dl.dll (65930 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp (162199 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BDMDownload.dll (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\hu.dll (3312 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (200 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BDLogicUtils.dll (30968 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BDMNet.dll.bdl (48076 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\n.exe.bdl (197437 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\Desktop\Global.db (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\tmpvfmtk9.dll (87814 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\res\onlineWnd.zip (6360 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\Common\Global.db (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BDMNetGetInfo.dll (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BDMReport.dll.bdl (36511 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BDMSkin.dll (38495 bytes)
%Documents and Settings%\%current user%\Application Data\ZhiHui2420143\set.ini (7 bytes)
%Documents and Settings%\%current user%\Application Data\ZhiHui2420143\set2420143\Setzh2420143.ini (23 bytes)
%Documents and Settings%\%current user%\Application Data\ZhiHui2420143\min.ini (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp\xID.dll (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp\z.ini (662 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_3128.exe (354959 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ogqyacg_30656.exe (156554 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\-8531_1_mm.rar (38758 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pczh_100_1.exe (40033 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp\Md5dll.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\stat[1].php (1121 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\zhibo2[1].htm (699 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\fyminiloader-min[1].js (660 bytes)
%Program Files%\YYMusic2\20140324065726\avutil-52.dll (5520 bytes)
%Program Files%\YYMusic2\20140324065726\Skin\mainframeshadow.png (4992 bytes)
%Program Files%\YYMusic2\20140324065726\channels.xml (784 bytes)
%Program Files%\YYMusic2\20140324065726\avcodec-54.dll (23936 bytes)
%Program Files%\YYMusic2\20140324065726\favorfm.xml (440 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\YYMusic2\配置工具\öÃâ€ÃƒËœYYMusic2.lnk (858 bytes)
%Program Files%\YYMusic2\20140324065726\avcore.dll (2392 bytes)
%Program Files%\YYMusic2\20140324065726\avformat-54.dll (12536 bytes)
%Program Files%\YYMusic2\20140324065726\SysConfig.ini (255 bytes)
%Program Files%\YYMusic2\20140324065726\Data\dh.ini (56 bytes)
%Program Files%\YYMusic2\20140324065726\Data\setup.ini (110 bytes)
%Program Files%\YYMusic2\20140324065726\YYMusic.exe (32784 bytes)
%Program Files%\YYMusic2\20140324065726\Data\version.ini (32 bytes)
%Program Files%\YYMusic2\20140324065726\DuiLib.dll (16288 bytes)
%Program Files%\YYMusic2\20140324065726\pthreadGC2.dll (3616 bytes)
%Program Files%\YYMusic2\20140324065726\Data\user2.ini (15 bytes)
%Program Files%\YYMusic2\20140324065726\audio.dll (3616 bytes)
%Program Files%\YYMusic2\20140324065726\source.dll (6584 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\YYMusic2\官方主页.lnk (334 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\YYMusic2\YYMusic2.lnk (856 bytes)
%Program Files%\YYMusic2\20140324065726\Data\client.ini (36 bytes)
%Program Files%\YYMusic2\20140324065726\libav.dll (6360 bytes)
%Program Files%\YYMusic2\20140324065726\Unins.exe (9608 bytes)
%Program Files%\YYMusic2\20140324065726\YYSpeed.exe (22552 bytes)
%Program Files%\YYMusic2\20140324065726\Skin\hotkeytipbk.png (1 bytes)
%Program Files%\YYMusic2\20140324065726\Skin.rs (29608 bytes)
%Program Files%\YYMusic2\20140324065726\Skin\progresstooltip.png (3 bytes)
%Program Files%\YYMusic2\20140324065726\swresample-0.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh8.tmp\tj.html (89 bytes)
%Program Files%\azh2.3\uninstall.exe (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh8.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Desktop\爱情.智慧2.3.lnk (671 bytes)
%Program Files%\azh2.3\Zhihui2.3.exe (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\tj[1].htm (89 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh8.tmp\Inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh8.tmp\Math.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh8.tmp\Base64.dll (4 bytes)
%Program Files%\azh2.3\zhtray.exe (5520 bytes)
%Program Files%\azh2.3\ToolZhSrv.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr7.tmp (23866 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\爱情.智慧2.3\爱情.智慧2.3.lnk (1366 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\爱情.智慧2.3\öÃâ€ÃƒËœ.lnk (1366 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh8.tmp\md5dll.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d29e_appcompat.txt (10320 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
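The manual removal steps above can be turned into a host sweep that first reports which of the listed indicators are actually present and only acts when told to. The script below is an added example and is not part of the Lavasoft report or of Ad-Aware; it assumes Windows PowerShell 2.0 or later in an elevated session (WMF 2.0 must be installed on the XP SP3 platform the sample was analysed on) and the XP-era profile layout that the report's %Documents and Settings% placeholders describe. Three things in the report are per-run artefacts and are handled accordingly: the PIDs (3228, 1208, ...) belong to the sandbox run, so processes are matched by image name; the NSIS staging directories nsn5.tmp, nsw2.tmp and nsh8.tmp get a random name on every run, so they are wildcarded; and the Content.IE5 subfolder names (SZIS9VJF, 3F9KLW6F, ...) are random per profile, so cached files are matched by literal name. The file list in the script is a representative subset written in the report's own placeholder form; the remaining entries can be added in the same form.

```powershell
# Added example: audit-first sweep for the indicators in the Manual removal
# list above. Not part of the Lavasoft report. Assumes Windows PowerShell 2.0+
# in an elevated session and the XP-style profile layout the report uses.
# Read-only by default; -Remove terminates processes and deletes files.
param([switch]$Remove)

# Image names from the process list. PIDs in the report are sandbox-specific,
# so match on name only.
$ProcessNames = 'ogqyacg_30656', 'zhtray', 'ZhiHui2.3', 'setup_3128', 'pczh_100_1', 'YYMusic'

# The report's placeholders mapped onto this host. The sample ran under one
# profile in the sandbox; check every profile that may have run the installer.
$Map = @{
    '%Documents and Settings%\%current user%' = $env:USERPROFILE
    '%Documents and Settings%\All Users'      = $env:ALLUSERSPROFILE
    '%Program Files%'                         = $env:ProgramFiles
}

# Representative entries from the file list, exactly as the report gives them
# except that the per-run NSIS directory name (nsn5.tmp, nsw2.tmp, nsh8.tmp)
# is wildcarded. Add the remaining report entries in the same form.
$Paths = @(
    '%Documents and Settings%\%current user%\Local Settings\Temp\ns*.tmp\dl.dll',
    '%Documents and Settings%\%current user%\Local Settings\Temp\ns*.tmp\BDMDownload.dll',
    '%Documents and Settings%\%current user%\Local Settings\Temp\ns*.tmp\n.exe.bdl',
    '%Documents and Settings%\%current user%\Local Settings\Temp\ns*.tmp\NSISdl.dll',
    '%Documents and Settings%\%current user%\Local Settings\Temp\setup_3128.exe',
    '%Documents and Settings%\%current user%\Local Settings\Temp\ogqyacg_30656.exe',
    '%Documents and Settings%\%current user%\Local Settings\Temp\pczh_100_1.exe',
    '%Documents and Settings%\%current user%\Local Settings\Temp\-8531_1_mm.rar',
    '%Documents and Settings%\%current user%\Application Data\ZhiHui2420143\set.ini',
    '%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak',
    '%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak',
    '%Program Files%\YYMusic2\20140324065726\YYMusic.exe',
    '%Program Files%\YYMusic2\20140324065726\YYSpeed.exe',
    '%Program Files%\azh2.3\Zhihui2.3.exe',
    '%Program Files%\azh2.3\zhtray.exe',
    '%Program Files%\azh2.3\ToolZhSrv.exe',
    '%Documents and Settings%\%current user%\Start Menu\Programs\YYMusic2\YYMusic2.lnk'
)

# Cached downloads under Content.IE5. The subfolder names are random per
# profile and "[1]" is a wildcard class to PowerShell, so these are matched
# by literal name during a recursive walk instead of being globbed.
$CacheNames = 'stat[1].php', 'zhibo2[1].htm', 'fyminiloader-min[1].js', 'tj[1].htm'

function Resolve-ReportPath([string]$Path) {
    foreach ($k in $Map.Keys) { $Path = $Path.Replace($k, $Map[$k]) }
    return $Path
}

# 1. Processes first: a running image cannot be deleted.
foreach ($name in $ProcessNames) {
    foreach ($p in @(Get-Process -Name $name -ErrorAction SilentlyContinue)) {
        Write-Host ("RUNNING  {0} (PID {1})  {2}" -f $p.ProcessName, $p.Id, $p.Path)
        if ($Remove) { Stop-Process -Id $p.Id -Force }
    }
}

# 2. Files from the report list. -Force also returns hidden items such as the
#    desktop.ini entries the report records in the IE cache.
$hits = @()
foreach ($pattern in $Paths) {
    $hits += @(Get-Item -Path (Resolve-ReportPath $pattern) -Force -ErrorAction SilentlyContinue)
}

# 3. IE cache entries, matched by literal file name.
$cacheRoot = Join-Path $env:USERPROFILE 'Local Settings\Temporary Internet Files\Content.IE5'
if (Test-Path -LiteralPath $cacheRoot) {
    foreach ($f in @(Get-ChildItem -LiteralPath $cacheRoot -Recurse -Force -ErrorAction SilentlyContinue)) {
        if ($CacheNames -contains $f.Name) { $hits += $f }
    }
}

# 4. Report, and delete only when asked. Sizes are printed for the record but
#    are not used as a match criterion: several figures in the report (an
#    11-byte System.dll, a 14-byte NSISdl.dll, a 1-byte PNG) are smaller than
#    any valid PE or PNG file, so they cannot serve as fingerprints.
foreach ($f in $hits) {
    Write-Host ("FOUND    {0}  ({1} bytes)" -f $f.FullName, $f.Length)
    if ($Remove) { Remove-Item -LiteralPath $f.FullName -Force }
}
if (-not $Remove) { Write-Host "Audit only. Re-run with -Remove to act on the items above." }
```

Run it once without arguments (`powershell -ExecutionPolicy Bypass -File sweep.ps1`) to see what is present, then with `-Remove`, and reboot as the report directs. The original dropper is listed only as "the original Trojan file" with no path, so it still has to be located and removed by hand, as does anything under other user profiles. On Vista and later the same indicators live under a different layout (`$env:LOCALAPPDATA\Temp`, `$env:APPDATA`, `$env:ProgramData`, and the IE cache under `$env:LOCALAPPDATA\Microsoft\Windows`), so the `$Map` table and `$cacheRoot` need adjusting there.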