Trojan.Win32.FlyStudio_772c731757

by malwarelabrobot on March 16th, 2014 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Packer.KBySV0.28 (ep) (VIPRE), Virus.Win32.Delf!IK (Emsisoft), GenericEmailWorm.YR, GenericInjector.YR, GenericPhysicalDrive0.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm, Virus


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 772c7317572dcae2cc8d89bbb8e3944a
SHA1: 3711a518db4cfe8ebb95f199f69223c54784f12a
SHA256: 896bb2a65aa394c7ee3714495a6e4d0f75d1c28a09fc390d5dda68bc1573ce02
SSDeep: 49152:yXKCyhhYPAephepP8G/rTuQrVUhvtkCWK4S7qZ:4KC 6oYhsPFjXSW5l
Size: 1610240 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2011-12-31 15:37:21
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour: EmailWorm
Description: Worm can send e-mails.


Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:1820

File activity

The process %original file name%.exe:1820 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\SkinH_EL.dll (88 bytes)
%System%\drivers\etc\hosts (368 bytes)

Registry activity

The process %original file name%.exe:1820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA D5 68 3C 2D 2A E4 D3 6E 17 B3 9A B9 BF 6A AC"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1024x768x32(BGR 0)" = "31,31,31,31"

Network activity (URLs)

No activity has been detected.

HOSTS file anomalies

The Trojan modifies the "%System%\drivers\etc\hosts" file, which the system consults before DNS to map host names to IP addresses.
The modified file is 368 bytes in size. The following entries are added to the hosts file:

127.0.0.1 www.qqtz.com
127.0.0.1 www.tt336.com
127.0.0.1 www.dnfrufeng.com
127.0.0.1 www.xyhai.com
127.0.0.1 xyhai.com
127.0.0.1 WWW.DNFXM2012.COM
127.0.0.1 www.25zm.com
127.0.0.1 www.dnflangqun.com
127.0.0.1 a158421294.9000hk.info
127.0.0.1 nxyq.cccpan.com
127.0.0.1 wg68.cccpan.com


Rootkit activity

No anomalies have been detected.

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\SkinH_EL.dll (88 bytes)
    %System%\drivers\etc\hosts (368 bytes)

  4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
