Trojan.Win32.FlyStudio_529116e09f

by malwarelabrobot on July 29th, 2016 in Malware Descriptions.

Trojan.Win32.Generic!BT (VIPRE), Artemis!529116E09F7B (McAfee), Virus.Win32.OnLineGames (Ikarus), Win32:Malware-gen (Avast), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm, Virus, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 529116e09f7b2e2c0b7242b6d798d205
SHA1: 14315bad1859a85c6d7340cd85f42bf0bfdc18d6
SHA256: 67bd1e0d56968e84026e272fd5faad04d7d6922b7563e5c704da0c29ca97a6c1
SSDeep: 24576:BDtEWapJwJnUQJxGTHjuoCYMYd7/RowlG4UCKiX2emT8j2n8J9gj4SG3:BRJnlGn4Yj7/3lG4UK2UJXgj4S
Size: 1540096 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2011-08-06 10:48:22
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The Trojan creates the following process(es):

%original file name%.exe:468

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:468 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\satdata_temp\ready.tmp (7 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)

Registry activity

The process %original file name%.exe:468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E 04 8E 34 74 6F 0C 42 A9 91 6F B4 7B 13 D0 2E"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ????
Product Name: ???
Product Version: 1.0.1.0
Legal Copyright: ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.1.0
File Description: ???
Comments: ???
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 1083603 1085440 4.50503 dc244b2ae58e071a4bf72b918915d13b
.rdata 1089536 296212 299008 3.98144 81afb045172fce170713fa342db1aea7
.data 1388544 358664 110592 4.04259 a63f574b261eae6b5555961f6a8dd68b
.rsrc 1748992 38820 40960 3.70387 627e7faba634338adc95c7443e4f3f32

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://data1.tvro6.cn/dv.htm


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0

Traffic

GET /dv.htm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: data1.tvro6.cn
Cache-Control: no-cache


HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Wed, 27 Jul 2016 22:32:10 GMT
Connection: close
Content-Length: 39
<h1>Bad Request (Invalid Hostname)</h1>..

The Trojan connects to the servers at the folowing location(s):

%original file name%.exe_468:

.text
`.rdata
@.data
.rsrc
t%SVh
t$(SSh
|$D.tm
~%UVW
u$SShe
{B6F7542F-B8FE-46a8-9605-98856A687097}
news.htm
hXXp://bbs.tvro6.com/
nch.htm
\nch.str
sng.htm
\sng.str
\satdata.str
N\satdata.tmp
tvro6.com
\tvro6.tmp
hXXp://VVV.tvro6.cn/ge/
hXXp://VVV.tvro6.cn
trade.htm
\trade.htm
\bbs.htm
hXXp://bbs.tvro6.com/ready1.htm
1\satdata.str
1\nch.str
1\sng.str
2\tvro6.exe
2\tvro6_updata_89858656.exe
2\file.tmp
\satdata.sta
2\tvro6_updata_69656858.exe
1\satdata.tmp
1\*.*
\home.htm
\news.htm
\tyro.htm
\datum.htm
forum-7-1.html
forum-6-1.html
forum-8-1.html
forum-9-1.html
\city.tmp
city.dat
.pf$C
|hm%X
'Mj%C
Gm%x`8
city.datPK
\ready.tmp
/sv.htm
/su.htm
(tvro6.com)
hXXp://VVV.tvro6.cn/cqt/
satdata_temp\satdata.tmp
satdata_temp\city.dat
tvro6_updata_89858656.exe
tvro6_updata_69656858.exe
FK%dG
;hXXp://data1.tvro6.cn
hXXp://data1.tvro6.com
hXXp://data2.tvro6.cn
/dv.htm
/du.htm
[email protected]
.exe|.rar|.zip|.gif|.jpg|.mp3|.rm
---0, >7,>=<
R%SjT'6
9.hr%$
lz%sq
hXXp://VVV.tvro6.com
hXXp://bbs.tvro6.com
>1.2.18
A inflate 1.1.3 Copyright 1995-1998 Mark Adler
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
MSWHEEL_ROLLMSG
ole32.dll
__MSVCRT_HEAP_SELECT
user32.dll
KERNEL32.DLL
ADVAPI32.dll
AVIFIL32.dll
COMCTL32.dll
comdlg32.dll
GDI32.dll
MSIMG32.dll
MSVFW32.dll
OLEAUT32.dll
oledlg.dll
RASAPI32.dll
SHELL32.dll
USER32.dll
WININET.dll
WINMM.dll
WINSPOOL.DRV
WS2_32.dll
GetCPInfo
GetWindowsDirectoryA
WinExec
GetProcessHeap
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GetViewportOrgEx
ShellExecuteA
CreateDialogIndirectParamA
EnumThreadWindows
EnumChildWindows
UnhookWindowsHookEx
SetWindowsHookExA
GetKeyState
InternetCanonicalizeUrlA
InternetCrackUrlA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
1234567
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
(*.htm;*.html)|*.htm;*.html
select * from %s order by %s
%Y-%m-%d %H:%M:%S
FADODB.Connection
;Jet OLEDB:Database Password=
Provider=Microsoft.Jet.OLEDB.4.0; Data Source=
Description: %s
State: %s, Native: %d, Source: %s
FADODB.Recordset
(*.avi)|*.avi
1.2.18
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
WPFT532.CNV
WPFT632.CNV
EXCEL32.CNV
write32.wpc
Windows Write
mswrd632.wpc
Word for Windows 6.0
wword5.cnv
Word for Windows 5.0
mswrd832.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
html32.cnv
1.1.3
NULL row buffer for row %ld, pass %d
libpng error: %s
libpng error: %s, offset=%d
libpng error no. %s: %s
libpng warning: %s
libpng warning no. %s: %s
operator
keywords
Unknown zTXt compression type %d
Incomplete compressed datastream in %s chunk
Data error in compressed datastream in %s chunk
Buffer error in compressed datastream in %s chunk
gamma = (%d/100000)
gx=%f, gy=%f, bx=%f, by=%f
wx=%f, wy=%f, rx=%f, ry=%f
incorrect gamma=(%d/100000)
iTXt chunk not supported.
[%s:%d]
Range: bytes=%s-
[%s:%d]
PASS %s
PASS ******
USER %s
E:\dev\e\static_link\static_libs\source\downlib\mystrlib.cpp
SIZE %s
PORT
User-Agent: %s
Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Referer: %s
Host: %s
GET %s HTTP/1.1
HTTP/1.0
HTTP/1.1
hXXp://
Cookie: %s
%d, %s
\\192.168.0.129\TCP\1037
NSPlayer/9.0.0.2980; {%s}; Host: %s
rmff_fix_header: assuming data.size=%i
rmff_fix_header: assuming data.num_packets=%i
rmff_fix_header: assuming prop.num_packets=%i
rmff_fix_header: setting prop.data_offset from %i to %i
rmff_fix_header: correcting prop.num_streams from %i to %i
rmff_fix_header: correcting prop.size from %i to %i
%s %s %s
Session: %s
Cseq: %u
%*s %s
%*s %u
CSeq: %u
rtsp://%s:%i
rtsp://%s:%i/%s
ClientID: Linux_2.4_6.0.9.1235_play32_RN01_EN_586
GUID: 00000000-0000-0000-0000-000000000000
[%s:%d]
User-Agent: RealMedia Player Version 6.0.9.1235 (linux-2.0-libc6-i386-gcc2.95)
Range: npt=%s-
%s/streamid=1
%s/streamid=0
Transport: x-pn-tng/tcp;mode=play,rtp/avp/tcp;unicast;mode=play
If-Match: %s
RealChallenge2: %s, sd=%s
Title: %s
Copyright: %s
Author: %s
real: Content-length for description too big (> %uMB)!
Require: com.real.retain-entity-for-setup
SupportsMaximumASMBandwidth: 1
Bandwidth: %u
Challenge1: %s
hash output: %x %x %x %x
hash input: %x %x %x %x
stream=%u;rule=%u,
Illegal character '%c' in input.
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
msctls_hotkey32
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
.PAVCOleDispatchException@@
zcÁ
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
==@==,@@@=
(*.*)
1.0.1.0


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:468

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\satdata_temp\ready.tmp (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now