Trojan.Win32.FlyStudio_8d8a001fab

by malwarelabrobot on October 18th, 2016 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 8d8a001fab4c7ef0dc29ebbc05da9bfe
SHA1: c48149ba49191a464d62c8f62b1afe8afc3f2171
SHA256: fef0d932978a16e9e0ba839e948d52c8c429250c062eb57ff78651518158b31e
SSDeep: 12288:myR4TTQP0pef9aAwvO0ZfMSgrlKxqc9ZKr:myFP8DAwvZfMSacjUr
Size: 400896 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PECompactV2X, PECompactv20, UPolyXv05_v6
Company:
Created at: 2013-05-18 21:32:49
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour: EmailWorm
Description: Worm can send e-mails.


Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:1476

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1476 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\empty.exe (9 bytes)

Registry activity

The process %original file name%.exe:1476 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF B8 F0 14 88 04 30 E6 F5 6B 79 34 F5 D9 16 DF"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE security-zone settings so that all local web-nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Heikl
Product Name: QQ???????
Product Version: 1.0.0.0
Legal Copyright: BY:Heikl QQ 11164118
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ????
Comments: ?????
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 2162688 388096 5.54478 9ed2de5f3d0fdddcd9e3f7a8a06c8d77
.rsrc 2166784 12288 11776 4.01256 cfe6b8949280615578c341a033f6ff0d

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://im2.n.shifen.com/heikl/item/42d0616d465737a1c5d249fd
hxxp://im2.n.shifen.com/search/error.html
hxxp://hi.baidu.com/heikl/item/42d0616d465737a1c5d249fd 123.125.114.169
hxxp://im.baidu.com/search/error.html 123.125.114.169


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0

Traffic

GET /heikl/item/42d0616d465737a1c5d249fd HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: hi.baidu.com
Cache-Control: no-cache


HTTP/1.1 302 Found
Date: Sun, 16 Oct 2016 23:04:18 GMT
Server: Apache
Location: hXXp://im.baidu.com/search/error.html
Content-Length: 221
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>302 Found</title>.</head><body>.<h1>Found</h1>.<p>The document has moved <a href="hXXp://im.baidu.com/search/error.html">here</a>.</p>.</body></html>.HTTP/1.1 302 Found..Date: Sun, 16 Oct 2016 23:04:18 GMT..Server: Apache..Location: hXXp://im.baidu.com/search/error.html..Content-Length: 221..Connection: Keep-Alive..Content-Type: text/html; charset=iso-8859-1..<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>302 Found</title>.</head><body>.<h1>Found</h1>.<p>The document has moved <a href="hXXp://im.baidu.com/search/error.html">here</a>.</p>.</body></html>...


GET /search/error.html HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: im.baidu.com
Cache-Control: no-cache
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sun, 16 Oct 2016 23:04:19 GMT
Server: Apache
Last-Modified: Mon, 07 Dec 2015 10:58:52 GMT
ETag: "a92"
Accept-Ranges: bytes
Content-Length: 2706
Connection: Keep-Alive
Content-Type: text/html
<html>.<head>..<title>....--..............</title>..<META http-equiv=content-type content="text/html; charset=gb2312">.<META content="MSHTML 6.00.2462.0" name=GENERATOR></HEAD>.</head>.<style type="text/css">..p1 {..FONT-SIZE: 14px; LINE-HEIGHT: 24px; FONT-FAMILY: "....".}...f12 {..FONT-SIZE: 12px; LINE-HEIGHT: 20px.}..p2 {..FONT-SIZE: 14px; LINE-HEIGHT: 24px; color: #333333.}.</style>.<body text=#000000 vLink=#0033cc aLink=#800080 link=#0033cc bgColor=#ffffff .topMargin=0>.<center>.<table width=650 border=0 align="center">. <tr height=60>. <td width=139 valign="top" height="66"><a href="hXXps://VVV.baidu.com"><img src="img/logo.gif" border="0"></a></td>. <td valign="bottom" width="100%">. <table width="100%" border="0" cellpadding="0" cellspacing="0">. <tr bgcolor="#e5ecf9">. <td height="24"> <b class="p1">..............</b></td>. ..


The Trojan connects to the servers at the following location(s):

%original file name%.exe_1476:

.text
`.rsrc
t%SVh
t$(SSh
~%UVW
u$SShe
user32.dll
gdiplus.dll
kernel32.dll
gdi32.dll
wininet.dll
msimg32.dll
comctl32.dll
COMCTL32.DLL
User32.dll
Wininet.dll
ole32.dll
GdiPlus.dll
Gdiplus.dll
shlwapi.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
GdiplusShutdown
SetWindowsHookExA
UnhookWindowsHookEx
InternetOpenUrlA
GdipSetPenLineJoin
GdipGetPenLineJoin
GdipSetStringFormatHotkeyPrefix
GdipGetStringFormatHotkeyPrefix
?hXXp://wpa.qq.com/msgrd?v=3&uin=11164118
hXXp://check.ptlogin2.qq.com/check?uin=
hXXp://captcha.qq.com/getimage?aid=1003903&r=0.1234567890123456&uin=
&webqq_type=10&remember_uin=1&login2qq=1&aid=1003903&u1=http://web.qq.com/loginproxy.html?login2qq=1&webqq_type=10&h=1&ptredirect=0&ptlang=2052&from_ui=1&pttype=1&dumy=&fp=loginerroralert&action=2-6-7203&mibao_css=m_webqq&t=1&g=1
hXXp://ptlogin2.qq.com/login?u=
ptwebqq=
hXXp://d.web2.qq.com/channel/login2
","psessionid":null}&clientid=
","passwd_sig":"","clientid":"
r={"status":"online","ptwebqq":"
vfwebqq":"
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
http=
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
hXXp://
GetPassword
hXXp://s.web2.qq.com/api/modify_my_details2
"}
","vfwebqq":"
","personal":"
","homepage":"
","college":"
","occupation":"
","email":"
","mobile":"
","phone":"
","birthday":"
","birthmonth":"
","birthyear":"
","blood":"
","constel":"
","shengxiao":"
","gender":"
r={"nick":"
`~!@#$%^&*()-_= [{]};:'\|,<.>/?"
hXXp://s.web2.qq.com/api/set_long_nick2
?{B96B3CAF-0728-11D3-9D7B-0000F81EF32E}
\empty.exe
`.data
.rsrc
could not empty working set for process #%d [%s]
could not empty working set for process #%d
USAGE: empty.exe {pid | task-name}
AdjustTokenPrivileges failed with %d
LookupPrivilegeValue failed with %d
OpenProcessToken failed with %d
empty.pdb
KERNEL32.dll
msvcrt.dll
ADVAPI32.dll
CloseWindowStation
SetProcessWindowStation
OpenWindowStationA
GetProcessWindowStation
EnumWindows
EnumWindowStationsA
USER32.dll
ntdll.dll
OLEAUT32.dll
(7),01444
'9=82<.342
hXXp://VVV.52pojie.cn
hXXp://hi.baidu.com/Heikl
var hexcase=1;var b64pad="";var chrsz=8;var mode=32;function md5(A){return hex_md5(A)}function hex_md5(A){return binl2hex(core_md5(str2binl(A),A.length*chrsz))}function str_md5(A){return binl2str(core_md5(str2binl(A),A.length*chrsz))}function hex_hmac_md5(A,B){return binl2hex(core_hmac_md5(A,B))}function b64_hmac_md5(A,B){return binl2b64(core_hmac_md5(A,B))}function str_hmac_md5(A,B){return binl2str(core_hmac_md5(A,B))}function core_md5(K,F){K[F>>5]|=128<<((F)2);K[(((F 64)>>>9)<<4) 14]=F;var J=1732584193;var I=-271733879;var H=-1732584194;var G=271733878;for(var C=0;C<K.length;C =16){var E=J;var D=I;var B=H;var A=G;J=md5_ff(J,I,H,G,K[C 0],7,-680876936);G=md5_ff(G,J,I,H,K[C 1],12,-389564586);H=md5_ff(H,G,J,I,K[C 2],17,606105819);I=md5_ff(I,H,G,J,K[C 3],22,-1044525330);J=md5_ff(J,I,H,G,K[C 4],7,-176418897);G=md5_ff(G,J,I,H,K[C 5],12,1200080426);H=md5_ff(H,G,J,I,K[C 6],17,-1473231341);I=md5_ff(I,H,G,J,K[C 7],22,-45705983);J=md5_ff(J,I,H,G,K[C 8],7,1770035416);G=md5_ff(G,J,I,H,K[C 9],12,-1958414417);H=md5_ff(H,G,J,I,K[C 10],17,-42063);I=md5_ff(I,H,G,J,K[C 11],22,-1990404162);J=md5_ff(J,I,H,G,K[C 12],7,1804603682);G=md5_ff(G,J,I,H,K[C 13],12,-40341101);H=md5_ff(H,G,J,I,K[C 14],17,-1502002290);I=md5_ff(I,H,G,J,K[C 15],22,1236535329);J=md5_gg(J,I,H,G,K[C 1],5,-165796510);G=md5_gg(G,J,I,H,K[C 6],9,-1069501632);H=md5_gg(H,G,J,I,K[C 11],14,643717713);I=md5_gg(I,H,G,J,K[C 0],20,-373897302);J=md5_gg(J,I,H,G,K[C 5],5,-701558691);G=md5_gg(G,J,I,H,K[C 10],9,38016083);H=md5_gg(H,G,J,I,K[C 15],14,-660478335);I=md5_gg(I,H,G,J,K[C 4],20,-405537848);J=md5_gg(J,I,H,G,K[C 9],5,568446438);G=md5_gg(G,J,I,H,K[C 14],9,-1019803690);H=md5_gg(H,G,J,I,K[C 3],14,-187363961);I=md5_gg(I,H,G,J,K[C 8],20,1163531501);J=md5_gg(J,I,H,G,K[C 13],5,-1444681467);G=md5_gg(G,J,I,H,K[C 2],9,-51403784);H=md5_gg(H,G,J,I,K[C 7],14,1735328473);I=md5_gg(I,H,G,J,K[C 12],20,-1926607734);J=md5_hh(J,I,H,G,K[C 5],4,-378558);G=md5_hh(G,J,I,H,K[C 8],11,-2022574463);H=md5_hh(H,G,J,I,K[C 
11],16,1839030562);I=md5_hh(I,H,G,J,K[C 14],23,-35309556);J=md5_hh(J,I,H,G,K[C 1],4,-1530992060);G=md5_hh(G,J,I,H,K[C 4],11,1272893353);H=md5_hh(H,G,J,I,K[C 7],16,-155497632);I=md5_hh(I,H,G,J,K[C 10],23,-1094730640);J=md5_hh(J,I,H,G,K[C 13],4,681279174);G=md5_hh(G,J,I,H,K[C 0],11,-358537222);H=md5_hh(H,G,J,I,K[C 3],16,-722521979);I=md5_hh(I,H,G,J,K[C 6],23,76029189);J=md5_hh(J,I,H,G,K[C 9],4,-640364487);G=md5_hh(G,J,I,H,K[C 12],11,-421815835);H=md5_hh(H,G,J,I,K[C 15],16,530742520);I=md5_hh(I,H,G,J,K[C 2],23,-995338651);J=md5_ii(J,I,H,G,K[C 0],6,-198630844);G=md5_ii(G,J,I,H,K[C 7],10,1126891415);H=md5_ii(H,G,J,I,K[C 14],15,-1416354905);I=md5_ii(I,H,G,J,K[C 5],21,-57434055);J=md5_ii(J,I,H,G,K[C 12],6,1700485571);G=md5_ii(G,J,I,H,K[C 3],10,-1894986606);H=md5_ii(H,G,J,I,K[C 10],15,-1051523);I=md5_ii(I,H,G,J,K[C 1],21,-2054922799);J=md5_ii(J,I,H,G,K[C 8],6,1873313359);G=md5_ii(G,J,I,H,K[C 15],10,-30611744);H=md5_ii(H,G,J,I,K[C 6],15,-1560198380);I=md5_ii(I,H,G,J,K[C 13],21,1309151649);J=md5_ii(J,I,H,G,K[C 4],6,-145523070);G=md5_ii(G,J,I,H,K[C 11],10,-1120210379);H=md5_ii(H,G,J,I,K[C 2],15,718787259);I=md5_ii(I,H,G,J,K[C 9],21,-343485551);J=safe_add(J,E);I=safe_add(I,D);H=safe_add(H,B);G=safe_add(G,A)}if(mode==16){return Array(I,H)}else{return Array(J,I,H,G)}}function md5_cmn(F,C,B,A,E,D){return safe_add(bit_rol(safe_add(safe_add(C,F),safe_add(A,D)),E),B)}function md5_ff(C,B,G,F,A,E,D){return md5_cmn((B&G)|((~B)&F),C,B,A,E,D)}function md5_gg(C,B,G,F,A,E,D){return md5_cmn((B&F)|(G&(~F)),C,B,A,E,D)}function md5_hh(C,B,G,F,A,E,D){return md5_cmn(B^G^F,C,B,A,E,D)}function md5_ii(C,B,G,F,A,E,D){return md5_cmn(G^(B|(~F)),C,B,A,E,D)}function core_hmac_md5(C,F){var E=str2binl(C);if(E.length>16){E=core_md5(E,C.length*chrsz)}var A=Array(16),D=Array(16);for(var B=0;B<16;B  ){A[B]=E[B]^909522486;D[B]=E[B]^1549556828}var G=core_md5(A.concat(str2binl(F)),512 F.length*chrsz);return core_md5(D.concat(G),512 128)}function safe_add(A,D){var C=(A&65535) (D&65535);var B=(A>>16) (D>>16) 
(C>>16);return(B<<16)|(C&65535)}function bit_rol(A,B){return(A<<B)|(A>>>(32-B))}function str2binl(D){var C=Array();var A=(1<<chrsz)-1;for(var B=0;B<D.length*chrsz;B =chrsz){C[B>>5]|=(D.charCodeAt(B/chrsz)&A)<<(B2)}return C}function binl2str(C){var D="";var A=(1<<chrsz)-1;for(var B=0;B<C.length*32;B =chrsz){D =String.fromCharCode((C[B>>5]>>>(B2))&A)}return D}function binl2hex(C){var B=hexcase?"0123456789ABCDEF":"0123456789abcdef";var D="";for(var A=0;A<C.length*4;A  ){D =B.charAt((C[A>>2]>>((A%4)*8 4))&15) B.charAt((C[A>>2]>>((A%4)*8))&15)}return D}function binl2b64(D){var C="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /";var F="";for(var B=0;B<D.length*4;B =3){var E=(((D[B>>2]>>8*(B%4))&255)<<16)|(((D[B 1>>2]>>8*((B 1)%4))&255)<<8)|((D[B 2>>2]>>8*((B 2)%4))&255);for(var A=0;A<4;A  ){if(B*8 A*6>D.length*32){F =b64pad}else{F =C.charAt((E>>6*(3-A))&63)}}}return F}function hexchar2bin(str){var arr=[];for(var i=0;i<str.length;i=i 2){arr.push("\\x" str.substr(i,2))}arr=arr.join("");eval("var temp = '" arr "'");return temp}function GetPassword(pt_uin,p,vc){var I=hexchar2bin(md5(p));var H=md5(I TTescapechar2bin(pt_uin));var G=md5(H vc.toUpperCase());return G}function TTescapechar2bin(str){eval("var temp = '" str "'");return temp}
ID Heikl hXXp://hi.baidu.com/Heikl
hXXp://hi.baidu.com/heikl/item/42d0616d465737a1c5d249fd
C:\gx.tmp
User-Agent: Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.0; MyIE2; .NET CLR 1.1.4322)
\ .bat
{B96B3CAB-0728-11D3-9D7B-0000F81EF32E}
hXXp://VVV.52pojie.cn/
hXXp://hi.baidu.com/Heikl
[email protected]
138888888
1986-1-1
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
CCmdTarget
__MSVCRT_HEAP_SELECT
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
RASAPI32.dll
GetProcessHeap
WinExec
GetKeyState
GetViewportOrgEx
GDI32.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ShellExecuteA
SHELL32.dll
COMCTL32.dll
WSOCK32.dll
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
GetCPInfo
CreateDialogIndirectParamA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
VVV.dywt.com.cn
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
5.2.3790.0 built by: dnsrv_dev(v-smgum)
empty.exe
Windows
Operating System
5.2.3790.0
(*.*)
1.0.0.0

%original file name%.exe_1476_rwx_00401000_00210000:

t%SVh
t$(SSh
~%UVW
u$SShe
user32.dll
gdiplus.dll
kernel32.dll
gdi32.dll
wininet.dll
msimg32.dll
comctl32.dll
COMCTL32.DLL
User32.dll
Wininet.dll
ole32.dll
GdiPlus.dll
Gdiplus.dll
shlwapi.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
GdiplusShutdown
SetWindowsHookExA
UnhookWindowsHookEx
InternetOpenUrlA
GdipSetPenLineJoin
GdipGetPenLineJoin
GdipSetStringFormatHotkeyPrefix
GdipGetStringFormatHotkeyPrefix
?hXXp://wpa.qq.com/msgrd?v=3&uin=11164118
hXXp://check.ptlogin2.qq.com/check?uin=
hXXp://captcha.qq.com/getimage?aid=1003903&r=0.1234567890123456&uin=
&webqq_type=10&remember_uin=1&login2qq=1&aid=1003903&u1=http://web.qq.com/loginproxy.html?login2qq=1&webqq_type=10&h=1&ptredirect=0&ptlang=2052&from_ui=1&pttype=1&dumy=&fp=loginerroralert&action=2-6-7203&mibao_css=m_webqq&t=1&g=1
hXXp://ptlogin2.qq.com/login?u=
ptwebqq=
hXXp://d.web2.qq.com/channel/login2
","psessionid":null}&clientid=
","passwd_sig":"","clientid":"
r={"status":"online","ptwebqq":"
vfwebqq":"
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
http=
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
hXXp://
GetPassword
hXXp://s.web2.qq.com/api/modify_my_details2
"}
","vfwebqq":"
","personal":"
","homepage":"
","college":"
","occupation":"
","email":"
","mobile":"
","phone":"
","birthday":"
","birthmonth":"
","birthyear":"
","blood":"
","constel":"
","shengxiao":"
","gender":"
r={"nick":"
`~!@#$%^&*()-_= [{]};:'\|,<.>/?"
hXXp://s.web2.qq.com/api/set_long_nick2
?{B96B3CAF-0728-11D3-9D7B-0000F81EF32E}
\empty.exe
.text
`.data
.rsrc
could not empty working set for process #%d [%s]
could not empty working set for process #%d
USAGE: empty.exe {pid | task-name}
AdjustTokenPrivileges failed with %d
LookupPrivilegeValue failed with %d
OpenProcessToken failed with %d
empty.pdb
KERNEL32.dll
msvcrt.dll
ADVAPI32.dll
CloseWindowStation
SetProcessWindowStation
OpenWindowStationA
GetProcessWindowStation
EnumWindows
EnumWindowStationsA
USER32.dll
ntdll.dll
OLEAUT32.dll
(7),01444
'9=82<.342
hXXp://VVV.52pojie.cn
hXXp://hi.baidu.com/Heikl
var hexcase=1;var b64pad="";var chrsz=8;var mode=32;function md5(A){return hex_md5(A)}function hex_md5(A){return binl2hex(core_md5(str2binl(A),A.length*chrsz))}function str_md5(A){return binl2str(core_md5(str2binl(A),A.length*chrsz))}function hex_hmac_md5(A,B){return binl2hex(core_hmac_md5(A,B))}function b64_hmac_md5(A,B){return binl2b64(core_hmac_md5(A,B))}function str_hmac_md5(A,B){return binl2str(core_hmac_md5(A,B))}function core_md5(K,F){K[F>>5]|=128<<((F)2);K[(((F 64)>>>9)<<4) 14]=F;var J=1732584193;var I=-271733879;var H=-1732584194;var G=271733878;for(var C=0;C<K.length;C =16){var E=J;var D=I;var B=H;var A=G;J=md5_ff(J,I,H,G,K[C 0],7,-680876936);G=md5_ff(G,J,I,H,K[C 1],12,-389564586);H=md5_ff(H,G,J,I,K[C 2],17,606105819);I=md5_ff(I,H,G,J,K[C 3],22,-1044525330);J=md5_ff(J,I,H,G,K[C 4],7,-176418897);G=md5_ff(G,J,I,H,K[C 5],12,1200080426);H=md5_ff(H,G,J,I,K[C 6],17,-1473231341);I=md5_ff(I,H,G,J,K[C 7],22,-45705983);J=md5_ff(J,I,H,G,K[C 8],7,1770035416);G=md5_ff(G,J,I,H,K[C 9],12,-1958414417);H=md5_ff(H,G,J,I,K[C 10],17,-42063);I=md5_ff(I,H,G,J,K[C 11],22,-1990404162);J=md5_ff(J,I,H,G,K[C 12],7,1804603682);G=md5_ff(G,J,I,H,K[C 13],12,-40341101);H=md5_ff(H,G,J,I,K[C 14],17,-1502002290);I=md5_ff(I,H,G,J,K[C 15],22,1236535329);J=md5_gg(J,I,H,G,K[C 1],5,-165796510);G=md5_gg(G,J,I,H,K[C 6],9,-1069501632);H=md5_gg(H,G,J,I,K[C 11],14,643717713);I=md5_gg(I,H,G,J,K[C 0],20,-373897302);J=md5_gg(J,I,H,G,K[C 5],5,-701558691);G=md5_gg(G,J,I,H,K[C 10],9,38016083);H=md5_gg(H,G,J,I,K[C 15],14,-660478335);I=md5_gg(I,H,G,J,K[C 4],20,-405537848);J=md5_gg(J,I,H,G,K[C 9],5,568446438);G=md5_gg(G,J,I,H,K[C 14],9,-1019803690);H=md5_gg(H,G,J,I,K[C 3],14,-187363961);I=md5_gg(I,H,G,J,K[C 8],20,1163531501);J=md5_gg(J,I,H,G,K[C 13],5,-1444681467);G=md5_gg(G,J,I,H,K[C 2],9,-51403784);H=md5_gg(H,G,J,I,K[C 7],14,1735328473);I=md5_gg(I,H,G,J,K[C 12],20,-1926607734);J=md5_hh(J,I,H,G,K[C 5],4,-378558);G=md5_hh(G,J,I,H,K[C 8],11,-2022574463);H=md5_hh(H,G,J,I,K[C 
11],16,1839030562);I=md5_hh(I,H,G,J,K[C 14],23,-35309556);J=md5_hh(J,I,H,G,K[C 1],4,-1530992060);G=md5_hh(G,J,I,H,K[C 4],11,1272893353);H=md5_hh(H,G,J,I,K[C 7],16,-155497632);I=md5_hh(I,H,G,J,K[C 10],23,-1094730640);J=md5_hh(J,I,H,G,K[C 13],4,681279174);G=md5_hh(G,J,I,H,K[C 0],11,-358537222);H=md5_hh(H,G,J,I,K[C 3],16,-722521979);I=md5_hh(I,H,G,J,K[C 6],23,76029189);J=md5_hh(J,I,H,G,K[C 9],4,-640364487);G=md5_hh(G,J,I,H,K[C 12],11,-421815835);H=md5_hh(H,G,J,I,K[C 15],16,530742520);I=md5_hh(I,H,G,J,K[C 2],23,-995338651);J=md5_ii(J,I,H,G,K[C 0],6,-198630844);G=md5_ii(G,J,I,H,K[C 7],10,1126891415);H=md5_ii(H,G,J,I,K[C 14],15,-1416354905);I=md5_ii(I,H,G,J,K[C 5],21,-57434055);J=md5_ii(J,I,H,G,K[C 12],6,1700485571);G=md5_ii(G,J,I,H,K[C 3],10,-1894986606);H=md5_ii(H,G,J,I,K[C 10],15,-1051523);I=md5_ii(I,H,G,J,K[C 1],21,-2054922799);J=md5_ii(J,I,H,G,K[C 8],6,1873313359);G=md5_ii(G,J,I,H,K[C 15],10,-30611744);H=md5_ii(H,G,J,I,K[C 6],15,-1560198380);I=md5_ii(I,H,G,J,K[C 13],21,1309151649);J=md5_ii(J,I,H,G,K[C 4],6,-145523070);G=md5_ii(G,J,I,H,K[C 11],10,-1120210379);H=md5_ii(H,G,J,I,K[C 2],15,718787259);I=md5_ii(I,H,G,J,K[C 9],21,-343485551);J=safe_add(J,E);I=safe_add(I,D);H=safe_add(H,B);G=safe_add(G,A)}if(mode==16){return Array(I,H)}else{return Array(J,I,H,G)}}function md5_cmn(F,C,B,A,E,D){return safe_add(bit_rol(safe_add(safe_add(C,F),safe_add(A,D)),E),B)}function md5_ff(C,B,G,F,A,E,D){return md5_cmn((B&G)|((~B)&F),C,B,A,E,D)}function md5_gg(C,B,G,F,A,E,D){return md5_cmn((B&F)|(G&(~F)),C,B,A,E,D)}function md5_hh(C,B,G,F,A,E,D){return md5_cmn(B^G^F,C,B,A,E,D)}function md5_ii(C,B,G,F,A,E,D){return md5_cmn(G^(B|(~F)),C,B,A,E,D)}function core_hmac_md5(C,F){var E=str2binl(C);if(E.length>16){E=core_md5(E,C.length*chrsz)}var A=Array(16),D=Array(16);for(var B=0;B<16;B  ){A[B]=E[B]^909522486;D[B]=E[B]^1549556828}var G=core_md5(A.concat(str2binl(F)),512 F.length*chrsz);return core_md5(D.concat(G),512 128)}function safe_add(A,D){var C=(A&65535) (D&65535);var B=(A>>16) (D>>16) 
(C>>16);return(B<<16)|(C&65535)}function bit_rol(A,B){return(A<<B)|(A>>>(32-B))}function str2binl(D){var C=Array();var A=(1<<chrsz)-1;for(var B=0;B<D.length*chrsz;B =chrsz){C[B>>5]|=(D.charCodeAt(B/chrsz)&A)<<(B2)}return C}function binl2str(C){var D="";var A=(1<<chrsz)-1;for(var B=0;B<C.length*32;B =chrsz){D =String.fromCharCode((C[B>>5]>>>(B2))&A)}return D}function binl2hex(C){var B=hexcase?"0123456789ABCDEF":"0123456789abcdef";var D="";for(var A=0;A<C.length*4;A  ){D =B.charAt((C[A>>2]>>((A%4)*8 4))&15) B.charAt((C[A>>2]>>((A%4)*8))&15)}return D}function binl2b64(D){var C="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /";var F="";for(var B=0;B<D.length*4;B =3){var E=(((D[B>>2]>>8*(B%4))&255)<<16)|(((D[B 1>>2]>>8*((B 1)%4))&255)<<8)|((D[B 2>>2]>>8*((B 2)%4))&255);for(var A=0;A<4;A  ){if(B*8 A*6>D.length*32){F =b64pad}else{F =C.charAt((E>>6*(3-A))&63)}}}return F}function hexchar2bin(str){var arr=[];for(var i=0;i<str.length;i=i 2){arr.push("\\x" str.substr(i,2))}arr=arr.join("");eval("var temp = '" arr "'");return temp}function GetPassword(pt_uin,p,vc){var I=hexchar2bin(md5(p));var H=md5(I TTescapechar2bin(pt_uin));var G=md5(H vc.toUpperCase());return G}function TTescapechar2bin(str){eval("var temp = '" str "'");return temp}
ID Heikl hXXp://hi.baidu.com/Heikl
hXXp://hi.baidu.com/heikl/item/42d0616d465737a1c5d249fd
C:\gx.tmp
User-Agent: Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.0; MyIE2; .NET CLR 1.1.4322)
\ .bat
{B96B3CAB-0728-11D3-9D7B-0000F81EF32E}
hXXp://VVV.52pojie.cn/
hXXp://hi.baidu.com/Heikl
[email protected]
138888888
1986-1-1
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
CCmdTarget
__MSVCRT_HEAP_SELECT
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
RASAPI32.dll
GetProcessHeap
WinExec
GetKeyState
GetViewportOrgEx
GDI32.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ShellExecuteA
SHELL32.dll
COMCTL32.dll
WSOCK32.dll
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
GetCPInfo
CreateDialogIndirectParamA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
VVV.dywt.com.cn
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
5.2.3790.0 built by: dnsrv_dev(v-smgum)
empty.exe
Windows
Operating System
5.2.3790.0
(*.*)

%original file name%.exe_1476_rwx_00612000_00002000:

kernel32.dll
WINMM.dll
WS2_32.dll
RASAPI32.dll
USER32.dll
GDI32.dll
WINSPOOL.DRV
ADVAPI32.dll
RegCloseKey
SHELL32.dll
ShellExecuteA
ole32.dll
OLEAUT32.dll
COMCTL32.dll
WININET.dll
InternetCanonicalizeUrlA
comdlg32.dll
1.0.0.0

%original file name%.exe_1476_rwx_00AE0000_00003000:

The procedure %s could not be located in the DLL %s.
The ordinal %d could not be located in the DLL %s.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %WinDir%\empty.exe (9 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
