MD5: 488609db6b673b66eebf4f458677fac9
SHA1: 7be9f5a0505d4fa38c0fced4e11e918d48cde946
SHA256: f717877a0c7b066ae06a81132c61d97638c8f723688e3a75022e24714efcf3d0
SSDeep: 49152:Ef tGBwL772T6jbct7AaZ4SQ 0c0RSG /V8Z jMgc8wDG/p:Q gwL3w6jbE7AuQ LGSG 2Z jtp
Size: 2543616 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2014-11-26 12:01:10
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:1068

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1068 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (1085 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (1575 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.she (13 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (4820 bytes)
C:\hrttp.dll (94 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)

Registry activity

The process %original file name%.exe:1068 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 CA 43 C8 94 45 99 A0 2A 3F D3 38 89 55 BC 92"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://db1caad761e1c4e78a0afe7bdbd774bb.360wzb.cn/thread-301809-1-1.html
hxxp://www.52pojie.cn/thread-301809-1-1.html	125.88.190.42

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0

Traffic

GET /thread-301809-1-1.html HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.52pojie.cn

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Tue, 02 Jun 2015 20:07:16 GMT

Content-Type: text/html; charset=gbk

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By-360WZB: wangzhan.360.cn

Vary: Accept-Encoding

Set-Cookie: htVI_2132_saltkey=I22sedKJ; expires=Thu, 02-Jul-2015 20:07:15 GMT; Max-Age=2592000; path=/; httponly

Set-Cookie: htVI_2132_lastvisit=1433272035; expires=Thu, 02-Jul-2015 20:07:15 GMT; Max-Age=2592000; path=/

Set-Cookie: htVI_2132_sid=y22N22; expires=Wed, 03-Jun-2015 20:07:15 GMT; Max-Age=86400; path=/

Set-Cookie: htVI_2132_lastact=1433275635	forum.php	viewthread; expires=Wed, 03-Jun-2015 20:07:15 GMT; Max-Age=86400; path=/

Set-Cookie: htVI_2132_st_p=0|1433275635|7f39451d00f0dc1b3326b264d0eb7672; path=/

Set-Cookie: htVI_2132_visitedfid=2; expires=Thu, 02-Jul-2015 20:07:15 GMT; Max-Age=2592000; path=/

Set-Cookie: htVI_2132_viewid=tid_301809; path=/

Set-Cookie: htVI_2132_sid=y22N22; expires=Wed, 03-Jun-2015 20:07:15 GMT; Max-Age=86400; path=/

Vary: Accept-Encoding
7c57.....<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional/
/EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..&l
t;html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<met
a http-equiv="Content-Type" content="text/html; charset=gbk" />..&l
t;title>............1.0 ............1.3......11-14...... - ........
......  - ............ - LCG - LSG |........|........|........|VVV.52p
ojie.cn</title>..<link href="hXXp://VVV.52pojie.cn/thread-301
809-1-1.html" rel="canonical" />..<meta name="keywords" content=
"............1.0 ............1.3......11-14......" />..<meta nam
e="description" content=" ............1.0 ............1.3......11-14..
.... ,............ - LCG - LSG |........|........|........|VVV.52pojie
.cn" />..<meta name="generator" content="Discuz! X3.2" />..&l
t;meta name="author" content="Discuz! Team and Comsenz UI Team" />.
.<meta name="copyright" content="2001-2013 Comsenz Inc." />..<
;meta name="MSSmartTagsPreventParsing" content="True" />..<meta 
http-equiv="MSThemeCompatible" content="Yes" />..<base href="htt
p://VVV.52pojie.cn/" /><link rel="stylesheet" type="text/css" hr
ef="data/cache/style_1_common.css?md9" /><link rel="stylesheet" 
type="text/css" href="data/cache/style_1_forum_viewthread.css?md9" /&g
t;<link rel="stylesheet" id="css_extstyle" type="text/css" href="./
template/default/style/t5/style.css" /><script type="text/javasc
ript">var STYLEID = '1', STATICURL = 'static/', IMGDIR = 'stati
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

t$(SSh

~%UVW

u$SShe

kernel32.dll

ole32.dll

hrttp.dll

shlwapi.dll

dbghelp.dll

wininet.dll

GetProcessHeap

HttpOpenRequestA

HttpSendRequestA

HttpQueryInfoA

\hrttp.dll

=%f*b

05  %fQ

4].em$ (f<

$UDp0

QZ^&\key

%drmG

%Dx!\

[email protected]

%xh`U0X

?hotkeyScrol;r[MD

%x-l h

9p%s m)t4`#

&y1`Ð<

`c%US.j

KERNEL32.DLL

COMCTL32.dll

GDI32.dll

MSIMG32.dll

MSVCRT.dll

MSVFW32.dll

USER32.dll

SkinH_EL.dll

(*.xls)|*.xls

(*.xlsx)|*.xlsx

hXXp://s.toocle.com/search/index.php?_d=company&_a=company_s_search&f=search&terms=

.xlsx

hXXp://user.qzone.qq.com/442830589/main

1.she

fJ.WM_

%s;7*

0%x@w

%C^L:

CX%xm

Õ6m*

n.BjCw

.TY3F

kEY94

.nyBK

wN%U/

4.Ky%t

.h.fO

.TK$N

%dRB:W

[I9%f

%s T5

]E4%F(

.Funr

.yyw'

%sX@:`

J|.jv

p4%xcEm

.Jr1Z

7.YT"

.Uf!0

!a%U}

0'.Ll

[I(3/#N0.bd

j"%u=w

q%Xn`

@|H.NI

.wdd!

S|%u4

-.Mdl

\-A}=3K

Y:.akpS

$.Zcqn

.WE= T!N

#?%s(C(

u.Jck~

zx/%FN[

LY.eo

%s=\RI

}j%c%Y)

Rx.GR

4o#.dM

IeS`%C

[n 4\.UY 

,4.qO,

gQ'.Io

%cLur?

s%DHB

]I%%X

I %d)

.aEd(

5r.US

:mD].tB

fTpe

.LLbX

f%fUZ

.fOuV12

*_.dC

&-N}<

({?.cQm

.Cqx~c

.`.Qw

.Onwj

Tn&.hL

**.dU

!n]%x

%X,Cr

/%c=M

<%C:,

?_.Cn

;{(W%f

*.Ea]S

Q.CGo

tn!ay%F

2.kKX

Avi.CT

xhZ_6%U

%SY!8i

&.PFy{xh

.um ZZE7L

/^p%u$

I.NoQY

zu.ew

D/.nT

R>o2.YN>

fb%FN

.QS.3

.FGtg

.nJ7O_

$JA.hy

k.KVp

]>.KrV

t.vim

hXXp://VVV.52pojie.cn/thread-301809-1-1.html

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)

VBScript.RegExp

application/x-www-form-urlencoded

hXXps://

HTTP/1.1

hXXp://

%d&&'

123456789

00003333

deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly

inflate 1.1.3 Copyright 1995-1998 Mark Adler

%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

__MSVCRT_HEAP_SELECT

Broken pipe

Inappropriate I/O control operation

Operation not permitted

user32.dll

iphlpapi.dll

SHLWAPI.dll

MPR.dll

WINMM.dll

WS2_32.dll

VERSION.dll

RASAPI32.dll

WinExec

GetWindowsDirectoryA

KERNEL32.dll

GetKeyState

GetViewportOrgEx

WINSPOOL.DRV

RegCloseKey

RegOpenKeyExA

RegCreateKeyExA

ADVAPI32.dll

ShellExecuteA

SHELL32.dll

OLEAUT32.dll

WSOCK32.dll

InternetCrackUrlA

InternetCanonicalizeUrlA

WININET.dll

GetCPInfo

CreateDialogIndirectParamA

UnhookWindowsHookEx

SetWindowsHookExA

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

comdlg32.dll

.PAVCException@@

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

Kernel32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

.PAVCFileException@@

: %d]

(*.*)|*.*||

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|PNG

(*.PNG)|*.PNG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

.PAVCNotSupportedException@@

out.prn

(*.prn)|*.prn|

%d.%d

%d/%d

1.6.9

unsupported zlib version

png_read_image: unsupported transformation

%d / %d

Bogus message code %d

libpng error: %s

libpng warning: %s

1.1.3

bad keyword

libpng does not support gamma background rgb_to_gray

Palette is NULL in indexed image

(%d-%d):

%ld%c

Excel.Application

VVV.dywt.com.cn

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

%s <%s>

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

.PAVCOleException@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCOleDispatchException@@

.PAVCArchiveException@@

zcÁ

c:\%original file name%.exe

#include "l.chs\afxres.rc" // Standard components

1, 0, 6, 6

(*.*)

%original file name%.exe_1068_rwx_10001000_00039000:

L$(h%f

SSh0j

msctls_hotkey32

TVCLHotKey

THotKey

\skinh.she

}uo,x6l5k%x-l h

9p%s m)t4`#b

e"m?c&y1`Ð<

SetViewportOrgEx

SetViewportExtEx

SetWindowsHookExA

UnhookWindowsHookEx

EnumThreadWindows

EnumChildWindows

`c%US.4/

!#$<#$#=

.text

`.rdata

@.data

.rsrc

@.UPX0

`.UPX1

`.reloc

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Cookies\[email protected][2].txt (1085 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (1575 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\1.she (13 bytes)
   %Documents and Settings%\%current user%\Cookies\index.dat (4820 bytes)
   C:\hrttp.dll (94 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.