Trojan.Win32.FlyStudio_939b733c2c
Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericPhysicalDrive0.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 939b733c2ca3df546421a90ce81697af
SHA1: a71e015164e28bd81d3e85ef4bb428ac588c0f53
SHA256: abc1ed62cdd34a1a4cc696c984c5ecbf5f245d97b3386e692530cb1d9f9c91dd
SSDeep: 49152:Krenk9SjqYMXxMONyo9tkdT fz2wxmSR6Q61BdN Sxwax:K6WbhMeTZ7cz1BuQTx
Size: 2397696 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: NsPacKV37, PolyEnE001byLennartHedlund, UPolyXv05_v6
Company: no certificate found
Created at: 2013-07-23 00:05:04
Analyzed on: WindowsXPESX SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:1904
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1904 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\SkinH_EL.dll (88 bytes)
Registry activity
The process %original file name%.exe:1904 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1024x768x32(BGR 0)" = "31,31,31,31"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 27 34 4F 99 BA 99 6C CA B5 7F 2F 52 07 46 DB"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security-zone settings so that all local web-nodes without dots in their names, which are not assigned to any other zone, are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
| MD5 | File path |
|---|---|
| 147127382e001f495d1842ee7a9e7912 | c:\SkinH_EL.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: ??QQ:1811122232
Product Name: QQ??????-????
Product Version: 2.6.0.0
Legal Copyright:
* ????????,?????????????????;???,????????,????!
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2.6.0.0
File Description: QQ??????-????QQ:1811122232
????:http://qq1811122232.ys168.com/
Comments: ????
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| | 4096 | 4366336 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| | 4370432 | 2289180 | 2284544 | 5.5451 | f848d53787a31fe44d68b67f2448cd97 |
| | 6660096 | 111644 | 112128 | 3.88574 | 6847e8a4311c131cbea4ef4f25af5bb5 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://wpa.qq.com/pa?p=1:1811122232:13 | |
| hxxp://p21.tcdn.qq.com/qconn/wpa/button/button_old_131.gif | |
| hxxp://pub.idqqimg.com/qconn/wpa/button/button_old_131.gif | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY Unsupported/Fake Windows NT Version 5.0
Traffic
GET /pa?p=1:1811122232:13 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: wpa.qq.com
Cache-Control: no-cache
HTTP/1.1 301 Moved Permanently
Server: tws
Date: Tue, 16 Dec 2014 08:05:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Location: hXXp://pub.idqqimg.com/qconn/wpa/button/button_old_131.gif
Pragma: no-cache
Cache-Control: no-cache; must-revalidate0..
GET /qconn/wpa/button/button_old_131.gif HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: pub.idqqimg.com
Cache-Control: no-cache
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: X2S_Platform
Connection: keep-alive
Cache-Control: max-age=259200
Last-Modified: Fri, 11 Jun 2010 10:44:10 GMT
Content-Type: image/gif
Content-Length: 2693
Keep-Alive: timeout=60
X-Cache-Lookup: Hit From MemCache
X-Cache-Lookup: Hit From Inner ClusterGIF89a......................Yr..............<G..... i.1......r.....
......tz....Rs....&0:/9C......$g.......Lj~............................
t...........u. ..'..)../..!z.!y.3..-..6..&|. ~.>..F..1..H..N..J..T.
.W..9u._..`..g..X..j..J..o..t..w..p..~...........l...........z.._.....
.........j..............V..Ot.?k.....Pe.FP8bi.../VVk.....)33......HLL.
...!......>...................y.....e.ocG............zZ.x]8.......z
..C..[!.N"....9.......................................................
......................................................................
......................................................................
....~~~{{{wwwvvvuuussspppooonnnkkkfffeeebbbaaa^^^]]]ZZZYYYWWWUUUSSSP..
The Trojan connects to the servers at the following location(s):
KERNEL32.DLL
WINMM.DLL
WS2_32.DLL
RASAPI32.DLL
MSVFW32.DLL
AVIFIL32.DLL
USER32.DLL
GDI32.DLL
WINSPOOL.DRV
COMDLG32.DLL
ADVAPI32.DLL
SHELL32.DLL
OLE32.DLL
OLEAUT32.DLL
COMCTL32.DLL
OLEDLG.DLL
WININET.DLL
RegCreateKeyExA
ShellExecuteA
t$(SSh
~%UVW
u$SShe
SkinH_EL.dll
ole32.dll
kernel32.dll
GdiPlus.dll
wininet.dll
WinINet.dll
user32.dll
Ole32.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
MsgWaitForMultipleObjects
O$$%x1g
.fMa#
Zk%x4q
(Dl!A.TP
2;'7';?/
x.NUi
;.sU75
.Gpx>
U/.mD
(%xTpV
).an"
" Û"
2 -*-?'.
?f
.zZy9
pa%cL~
%X"PL
B%5U_Fr
6F%UZ
1fu%C
%2sjVeK`HRNH\
.DA2]
Tp*)%X
%z%FR
r#^I0%X
T2.PaubW
N.Lw
%x(=S!
*O5.sV
OUDp
T.Go^
W.CdL4
o@\SkinH_EL.dll
.rsrc
C$%cmb
.ppM|
aZ.mO
%-^
.hk;~
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
fJ.WM_
CX%xm
Õ6m*
n.BjCw
%s;7*
0%x@w
%C^L:
%s T5
]E4%F(
.Funr
k%UPp
fg.VG
%C',@
>Ùd
0'.Ll
[I(3/#N0.bd
j"%u=w
q%Xn`
@|H.NI
.wdd!
S|%u4
*.Ea]S
Q.CGo
fTpe
.LLbX
-.Mdl
\-A}=3K
Y:.akpS
$.Zcqn
.WE= T!N
#?%s(C(
u.Jck~
zx/%FN[
%s=\RI
}j%c%Y)
Rx.GR
4o#.dM
IeS`%C
[n 4\.UY
,4.qO,
gQ'.Io
%cLur?
s%DHB
]I%%X
5r.US
:mD].tB
f%fUZ
.fOuV12
*_.dC
&-N}<
({?.cQm.Cqx~c
.`.Qw
**.dU
!n]%x
%X,Cr
&.PFy{xh.um ZZE7L
/^p%u$
I.NoQY
zu.ew
D/.nT
{6AEDBD6D-3FB5-418A-83A6-7F45229DC872}&Submit2=²é ѯ
hXXp://app.dnf.qq.com/cgi-bin/act/a20080630fh/showinfo.cgi
GameApp.exe
Y@&get_nick=1
hXXp://base.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
http=
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
hXXp://
hXXp://q.qlogo.cn/headimg_dl?dst_uin=
hXXps://
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
hXXp://qq1811122232.ys168.com/
hXXp://qq1811122232.ys168.com
:qq1811122232.ys168.com
:hXXp://qq1811122232.ys168.com/
hXXp://wpa.qq.com/pa?p=1:1811122232:13
hXXp://user.qzone.qq.com/1811122232#!app=4&via=QZ.HashRefresh
1811122232
hXXp://qq1811122232.ys168.com/
$8!%.fF_a
.EZCif`
hXXp://qq1811122232.ys168.com/
1811122232
e(c.FE
Q%d 5*
xTz.hy
wð[
<B.WR
U%S/vc
{ae{Ó0.uSa
p\.QZ
ó~/`
w %xoB
(#.Gy
.tetB
.ra3U
.TiP-
T*S%c
.TL8L
".TTM
X|C%x\%
.tR0@
O[u<.Rm
rj.ONNRUlUhUUgniVSj[fnfYpno
.hL}AA
F.kAU
&(' .1.2..312.*1/023.6866f.sThc
'FY%XYT
%&&*-3.2..423-)1/133-676
>8.Nh
.LDmR
%&% -2.2..433-(1.143-677
pd.hh
%SL<@3
ö1Zp
RsT.Bh
.wX K
k6-q.CC
.qYh\n
ye8LMLT[d\a\Zfmg[Qc]cmdVppp
.WZq Th
@A.Yz
%.F9 d
.DB$`
d%u2%$
%UR(B
.RGK8
^{})UMSG=4RJ%U
mN.si
%'7%S"3Q
UZ'.UC
U%FL#IY
X.Yg^
%U)HKzR
.eX4a
{nwPfF%u[[000...xxx
1.2.18
inflate 1.1.3 Copyright 1995-1998 Mark Adler
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
CCmdTarget
MSWHEEL_ROLLMSG
__MSVCRT_HEAP_SELECT
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
RASAPI32.dll
AVIFIL32.dll
GetProcessHeap
WinExec
GetCPInfo
KERNEL32.dll
GetKeyState
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
GetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
oledlg.dll
WSOCK32.dll
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
\\.\Scsi0:
\\.\PhysicalDrive0
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
VVV.dywt.com.cn
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
(*.avi)|*.avi
WPFT532.CNV
WPFT632.CNV
EXCEL32.CNV
write32.wpc
Windows Write
mswrd632.wpc
Word for Windows 6.0
wword5.cnv
Word for Windows 5.0
mswrd832.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
html32.cnv
(*.htm;*.html)|*.htm;*.html
its:%s::%s
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
.PAVCOleDispatchException@@
zcÁ
c:\%original file name%.exe
GetTimeZoneInformationGetVersionFileTimeToSystemTimeInterlockedIncrementInterlockedDecrementWideCharToMultiByteLocalFreeFormatMessageAFileTimeToLocalFileTimelstrcpynADuplicateHandleFlushFileBuffersLockFileUnlockFileSetEndOfFileGetThreadLocalelstrcmpiAGlobalDeleteAtomGlobalFindAtomAGlobalAddAtomAGlobalGetAtomNameAlstrcmpALocalAllocTlsAllocGlobalHandleTlsFreeTlsSetValueLocalReAllocTlsGetValueGetFileTimeGetCurrentThreadGlobalFlagsSetErrorModeGetProcessVersionGetCPInfoGetOEMCPGetStartupInfoARtlUnwindGetSystemTimeGetLocalTimeRaiseExceptionHeapSizeGetACPSetStdHandleGetFileTypeUnhandledExceptionFilterFreeEnvironmentStringsAFreeEnvironmentStringsWGetEnvironmentStringsGetEnvironmentStringsWSetHandleCountGetStdHandleGetEnvironmentVariableAHeapDestroyHeapCreateVirtualFreeSetEnvironmentVariableALCMapStringALCMapStringWVirtualAllocIsBadWritePtrSetUnhandledExceptionFilterGetStringTypeAGetStringTypeWCompareStringACompareStringWIsBadReadPtrIsBadCodePtrSetLastErrorMultiByteToWideCharTerminateProcessGetCurrentProcessGetFileSizeSetFilePointerCreateSemaphoreAResumeThreadReleaseSemaphoreEnterCriticalSectionLeaveCriticalSectionGetProfileStringAWriteFileReadFileGetLastErrorWaitForMultipleObjectsCreateFileADeviceIoControlSetEventFindResourceALoadResourceLockResourceGetModuleFileNameAGetCurrentThreadIdExitProcessGlobalSizeGlobalFreeDeleteCriticalSectionInitializeCriticalSectionlstrcatAWinExeclstrcpyAFindNextFileAGlobalReAllocHeapFreeHeapReAllocGetProcessHeapHeapAllocGetFullPathNameAFreeLibraryLoadLibraryAlstrlenAGetVersionExAWritePrivateProfileStringACreateThreadCreateEventASleepGlobalAllocGlobalLockGlobalUnlockFindFirstFileAFindCloseSetFileAttributesAGetFileAttributesASetCurrentDirectoryAGetVolumeInformationAGetModuleHandleAGetProcAddressMulDivGetCommandLineAGetTickCountWaitForSingleObjectCloseHandleInterlockedExchangemidiOutPrepareHeadermidiOutResetPlaySoundAwaveOutUnprepareHeaderwaveOutPrepareHeaderwaveOutWritewaveOutPausewaveOutResetwaveOutClosemidiStreamStopmidiStreamRestartmidiStreamC
losemidiStreamOutmidiStreamPropertymidiStreamOpenmidiOutUnprepareHeaderwaveOutOpenwaveOutGetNumDevs
RasGetConnectStatusARasHangUpADrawDibDrawAVIStreamInfoAAVIStreamGetFrameCharNextASetWindowContextHelpIdMapDialogRectLoadStringAGetSysColorBrushGetNextDlgGroupItemPostThreadMessageAGetMenuStateSetMenuItemBitmapsCheckMenuItemMoveWindowIsDialogMessageAScrollWindowExSendDlgItemMessageAMapWindowPointsAdjustWindowRectExGetScrollPosRegisterClassAGetMenuItemCountGetMenuItemIDCreateWindowExASetWindowsHookExACallNextHookExGetClassLongASetPropAUnhookWindowsHookExGetPropACallWindowProcARemovePropAGetMessageTimeGetLastActivePopupGetForegroundWindowRegisterWindowMessageAGetWindowPlacementEndDialogCreateDialogIndirectParamADestroyWindowGrayStringADrawTextATabbedTextOutAEndPaintBeginPaintUnregisterClassACharUpperAGetWindowTextLengthADrawStateAFrameRectGetNextDlgTabItemSetWindowTextAGetWindowTextAFindWindowExAGetDlgItemGetClassNameAGetDesktopWindowSystemParametersInfoATranslateMessageLoadIconADrawFrameControlDrawEdgeDrawFocusRectWindowFromPointGetMessageADispatchMessageASetRectEmptyCreateIconFromResourceExCreateIconFromResourceDrawIconExCreatePopupMenuAppendMenuAModifyMenuACreateMenuCreateAcceleratorTableAGetDlgCtrlIDGetSubMenuEnableMenuItemClientToScreenEnumDisplaySettingsALoadImageAShowWindowIsWindowEnabledTranslateAcceleratorAGetKeyStateCopyAcceleratorTableAPostQuitMessageIsZoomedGetSystemMenuDeleteMenuGetClassInfoADefWindowProcAGetMenuSetMenuPeekMessageAIsIconicSetFocusGetActiveWindowGetWindowDestroyAcceleratorTableSetWindowRgnGetMessagePosScreenToClientChildWindowFromPointExCopyRectLoadBitmapAWinHelpAKillTimerSetTimerReleaseCaptureGetCaptureSetCaptureGetScrollRangeSetScrollPosInflateRectSetRectIntersectRectDestroyIconPtInRectOffsetRectIsWindowVisibleEnableWindowRedrawWindowGetWindowLongASetWindowLongAGetSysColorSetActiveWindowSetCursorPosLoadCursorASetCursorGetDCFillRectIsRectEmptyReleaseDCIsChildDestroyMenuSetForegroundWindowGetWindowRectEqualRectUpdateWindowValidateRectInvalidateRectGetClientRectGetFocusGetParentGetTopWindowPostMessageAIsWindowSetParentDestroyCursorSendMessag
eASetWindowPosMessageBeepMessageBoxAGetCursorPosGetSystemMetricsEmptyClipboardSetClipboardDataOpenClipboardGetClipboardDataCloseClipboardwsprintfARegisterClipboardFormatAGetMenuCheckMarkDimensionsSetScrollRangeGetWindowDCCreateBitmapCreateHatchBrushCreateBrushIndirectCreateDCACreateCompatibleBitmapGetPolyFillModeGetStretchBltModeGetROP2GetBkColorGetBkModeGetTextColorCreateRoundRectRgnCreateEllipticRgnPathToRegionCreatePatternBrushSelectObjectEndPathGetObjectACreatePenPatBltFillRgnCreateRectRgnCombineRgnBeginPathCreateSolidBrushGetStockObjectCreateFontIndirectAGetWindowOrgExEndPageSaveDCRestoreDCSetPolyFillModeEndDocSetMapModeSetViewportOrgExOffsetViewportOrgExSetViewportExtExScaleViewportExtExSetWindowOrgExSetWindowExtExDeleteDCGetClipBoxExcludeClipRectMoveToExLineToExtSelectClipRgnGetViewportExtExPtVisibleRectVisibleExtTextOutAEscapeGetTextMetricsAGetMapModeSetBkColorCreateRectRgnIndirectCreateDIBSectionSetPixelExtCreateRegionSetStretchBltModeGetClipRgnCreatePolygonRgnSelectClipRgnDeleteObjectCreateDIBitmapGetSystemPaletteEntriesCreatePaletteStretchBltSelectPaletteRealizePaletteGetDIBitsGetWindowExtExGetViewportOrgExStartDocAStartPageBitBltGetPixelCreateCompatibleDCEllipseRectangleLPtoDPDPtoLPGetCurrentObjectScaleWindowExtExSetDIBitsToDeviceSetTextColorSetBkModeRoundRectGetTextExtentPoint32ATextOutASetROP2GetDeviceCapsClosePrinterDocumentPropertiesAOpenPrinterAGetFileTitleAGetOpenFileNameAChooseColorAGetSaveFileNameARegCreateKeyExARegQueryValueARegSetValueExARegOpenKeyExARegCloseKeyShellExecuteAShell_NotifyIconAOleIsCurrentClipboardOleFlushClipboardCoRevokeClassObjectCoRegisterMessageFilterCoFreeUnusedLibrariesCreateILockBytesOnHGlobalStgCreateDocfileOnILockBytesStgOpenStorageOnILockBytesCoGetClassObjectCoTaskMemFreeCoTaskMemAllocCLSIDFromProgIDOleInitializeOleUninitializeCLSIDFromString
InternetSetOptionAInternetOpenAInternetCloseHandleInternetConnectAInternetCanonicalizeUrlAInternetCrackUrlAHttpOpenRequestAHttpSendRequestAHttpQueryInfoAInternetReadFile
T[%UE
;[&G%d
k%x]
my,x%C
vA.iC
$Z%Ss*@
$WlY%x
}.Zv0
MH.gB
d$-.Cq.
y|.BBBFi
.BEIS
v,H.sq
.hMZl
.pgZWi
r%DwL
V%.RU
)`web
80.CK
@-.Hl
AU%U9{v].jl
P.VbGD
)4.xV
0%Sbz
[%ct#
<OY1
k.evL
@&$-5.qN;
Qk%DO
-y1}v
Zu%sC
%xX?"O
i<%xx
E~.Jz
ftp97
.Ugk8
Cs.Ep
l.siN
.LDcH
.wAiT
.XwI%
&$.KK
.he'T
.In|k
/^[%f
YNL\%D
.zzrG
A%C'z
{O-.xX'p.oU[.
HTuz.uZ
vgW.hW$)
Z.QqP
JH.MS
zB.js
;j-%c
HiJ.LI$
}(".ZxH.aJW
)%9s}i
.Ba9|
BNi.Zc
.DJe5=j
$.BL(l
<&P!.Yo
.VxbF
x4T^%U
h.sQ_
o$D.jg1
_h.sk
(.Idy
<.#%s
!!0i-.kQ
<.wQD
.Wkk}
m5.oD
QW%se>-
%F<S$
29Q%x=
0-3}!7
wH.xGW
2?ExEXbA>q
CFwZ.Oq)
.Mn"4
23%Xxeq
q{%Dx{=3_y%Fyo]
b.ZW"
L,^.wg
.Ip^t
*.Wp6
x%u{(Poft%s
.mZ%Xv
\0.JA
h^mE<T%xi
.IMx%
,.Ez?
.aU0W;
%D NWWG;&><z
b.mn:
%u%8M
W?.xH
1'`%F\.
.Ol5
.knSgL
i.jj/
Q0u.IO
IPW{.NfuQ.ci"N*
~ N
.dg@^
Z.QA-
uq.Gh
0%xj7g
&yj(4g;.Qy
yK.So/MJ
%u@
4t.GE
%UK=iN*
.Uz1.
%s4z[
q3I%x
%Fs%z
Q%S|b
a.uu{bV.LU
.ZPcU
.fChK
)|NC%d
Q..DX
.FG#]
,!%fj
`.xD|
.AtbF
j.bdo
Kw.SuQ
.yU!`
(.pyb
SU`%S4
Lt.RK
%,&[×
m(o(.nl,
@)M8{.yG&}.njc
}S.AY
'.vSjJ
.jEENFo3
a.evw
Gv%Fy
q{%Fkj%F}zKN
%xhil*vjc
MW.lln
q.MQF
_Hpx
8w%cN%
dP}.YF
y.Nz=
.Ke)K2K
CqN2f%c
0.Nvh)x2
0%C^K
.TPNe
4`,%D
p.dwT
LQLO%U
-:h.tB
M{c%u%s:3_?9
P%C)M
`_w(%c
|&%d|
%S pj
TZ.Dg
%uf}pK=
$AS.fA
.Yq6F
.TRP!
j*=
&CMD]
8%uKC
.Oy%'
b[.BO0zT
a.zZ4`^
eËG&p
?)%1S
.sJL&
.lGJN
[email protected]
JL.lCR
o_.wqS5
d>%dS
2%CJ"
)M.Ur
|y9.Vc
UC(Nwrxk.GW
kgkz%S-
b÷Z
":.cL
o o.RA9
%C>[|
<>.cWM
\7.ULL
b4'.VT"Um
Ddd).UU
.oBD4
Zy5t%xT
Tq{.tt@R%X%
#include "l.chs\afxres.rc" // Standard components
"3"!$*7(
)>3#$(>7
3>"3(->$
mVVf_Vaele_epseU>hje7(%fT
,.ww.)
..Yt,
) ) ) ),, ),,)
q(csn_V8V#jtm_|
:9f7hh8lhlelpsneclseese%x
opU%Ubdpnr
ö66'
x.ll..
L>O%C
1, 0, 6, 6
(*.*)
2.6.0.0
%original file name%.exe_1904_rwx_007B0000_0007C000:
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
\\.\Scsi0:
\\.\PhysicalDrive0
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
VVV.dywt.com.cn
USER32.DLL
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
(*.avi)|*.avi
WPFT532.CNV
WPFT632.CNV
EXCEL32.CNV
write32.wpc
Windows Write
mswrd632.wpc
Word for Windows 6.0
wword5.cnv
Word for Windows 5.0
mswrd832.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
html32.cnv
(*.htm;*.html)|*.htm;*.html
its:%s::%s
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
.PAVCOleDispatchException@@
zcÁ
c:\%original file name%.exe
GetTimeZoneInformationGetVersionFileTimeToSystemTimeInterlockedIncrementInterlockedDecrementWideCharToMultiByteLocalFreeFormatMessageAFileTimeToLocalFileTimelstrcpynADuplicateHandleFlushFileBuffersLockFileUnlockFileSetEndOfFileGetThreadLocalelstrcmpiAGlobalDeleteAtomGlobalFindAtomAGlobalAddAtomAGlobalGetAtomNameAlstrcmpALocalAllocTlsAllocGlobalHandleTlsFreeTlsSetValueLocalReAllocTlsGetValueGetFileTimeGetCurrentThreadGlobalFlagsSetErrorModeGetProcessVersionGetCPInfoGetOEMCPGetStartupInfoARtlUnwindGetSystemTimeGetLocalTimeRaiseExceptionHeapSizeGetACPSetStdHandleGetFileTypeUnhandledExceptionFilterFreeEnvironmentStringsAFreeEnvironmentStringsWGetEnvironmentStringsGetEnvironmentStringsWSetHandleCountGetStdHandleGetEnvironmentVariableAHeapDestroyHeapCreateVirtualFreeSetEnvironmentVariableALCMapStringALCMapStringWVirtualAllocIsBadWritePtrSetUnhandledExceptionFilterGetStringTypeAGetStringTypeWCompareStringACompareStringWIsBadReadPtrIsBadCodePtrSetLastErrorMultiByteToWideCharTerminateProcessGetCurrentProcessGetFileSizeSetFilePointerCreateSemaphoreAResumeThreadReleaseSemaphoreEnterCriticalSectionLeaveCriticalSectionGetProfileStringAWriteFileReadFileGetLastErrorWaitForMultipleObjectsCreateFileADeviceIoControlSetEventFindResourceALoadResourceLockResourceGetModuleFileNameAGetCurrentThreadIdExitProcessGlobalSizeGlobalFreeDeleteCriticalSectionInitializeCriticalSectionlstrcatAWinExeclstrcpyAFindNextFileAGlobalReAllocHeapFreeHeapReAllocGetProcessHeapHeapAllocGetFullPathNameAFreeLibraryLoadLibraryAlstrlenAGetVersionExAWritePrivateProfileStringACreateThreadCreateEventASleepGlobalAllocGlobalLockGlobalUnlockFindFirstFileAFindCloseSetFileAttributesAGetFileAttributesASetCurrentDirectoryAGetVolumeInformationAGetModuleHandleAGetProcAddressMulDivGetCommandLineAGetTickCountWaitForSingleObjectCloseHandleInterlockedExchangemidiOutPrepareHeadermidiOutResetPlaySoundAwaveOutUnprepareHeaderwaveOutPrepareHeaderwaveOutWritewaveOutPausewaveOutResetwaveOutClosemidiStreamStopmidiStreamRestartmidiStreamC
losemidiStreamOutmidiStreamPropertymidiStreamOpenmidiOutUnprepareHeaderwaveOutOpenwaveOutGetNumDevs
RasGetConnectStatusARasHangUpADrawDibDrawAVIStreamInfoAAVIStreamGetFrameCharNextASetWindowContextHelpIdMapDialogRectLoadStringAGetSysColorBrushGetNextDlgGroupItemPostThreadMessageAGetMenuStateSetMenuItemBitmapsCheckMenuItemMoveWindowIsDialogMessageAScrollWindowExSendDlgItemMessageAMapWindowPointsAdjustWindowRectExGetScrollPosRegisterClassAGetMenuItemCountGetMenuItemIDCreateWindowExASetWindowsHookExACallNextHookExGetClassLongASetPropAUnhookWindowsHookExGetPropACallWindowProcARemovePropAGetMessageTimeGetLastActivePopupGetForegroundWindowRegisterWindowMessageAGetWindowPlacementEndDialogCreateDialogIndirectParamADestroyWindowGrayStringADrawTextATabbedTextOutAEndPaintBeginPaintUnregisterClassACharUpperAGetWindowTextLengthADrawStateAFrameRectGetNextDlgTabItemSetWindowTextAGetWindowTextAFindWindowExAGetDlgItemGetClassNameAGetDesktopWindowSystemParametersInfoATranslateMessageLoadIconADrawFrameControlDrawEdgeDrawFocusRectWindowFromPointGetMessageADispatchMessageASetRectEmptyCreateIconFromResourceExCreateIconFromResourceDrawIconExCreatePopupMenuAppendMenuAModifyMenuACreateMenuCreateAcceleratorTableAGetDlgCtrlIDGetSubMenuEnableMenuItemClientToScreenEnumDisplaySettingsALoadImageAShowWindowIsWindowEnabledTranslateAcceleratorAGetKeyStateCopyAcceleratorTableAPostQuitMessageIsZoomedGetSystemMenuDeleteMenuGetClassInfoADefWindowProcAGetMenuSetMenuPeekMessageAIsIconicSetFocusGetActiveWindowGetWindowDestroyAcceleratorTableSetWindowRgnGetMessagePosScreenToClientChildWindowFromPointExCopyRectLoadBitmapAWinHelpAKillTimerSetTimerReleaseCaptureGetCaptureSetCaptureGetScrollRangeSetScrollPosInflateRectSetRectIntersectRectDestroyIconPtInRectOffsetRectIsWindowVisibleEnableWindowRedrawWindowGetWindowLongASetWindowLongAGetSysColorSetActiveWindowSetCursorPosLoadCursorASetCursorGetDCFillRectIsRectEmptyReleaseDCIsChildDestroyMenuSetForegroundWindowGetWindowRectEqualRectUpdateWindowValidateRectInvalidateRectGetClientRectGetFocusGetParentGetTopWindowPostMessageAIsWindowSetParentDestroyCursorSendMessag
eASetWindowPosMessageBeepMessageBoxAGetCursorPosGetSystemMetricsEmptyClipboardSetClipboardDataOpenClipboardGetClipboardDataCloseClipboardwsprintfARegisterClipboardFormatAGetMenuCheckMarkDimensionsSetScrollRangeGetWindowDCCreateBitmapCreateHatchBrushCreateBrushIndirectCreateDCACreateCompatibleBitmapGetPolyFillModeGetStretchBltModeGetROP2GetBkColorGetBkModeGetTextColorCreateRoundRectRgnCreateEllipticRgnPathToRegionCreatePatternBrushSelectObjectEndPathGetObjectACreatePenPatBltFillRgnCreateRectRgnCombineRgnBeginPathCreateSolidBrushGetStockObjectCreateFontIndirectAGetWindowOrgExEndPageSaveDCRestoreDCSetPolyFillModeEndDocSetMapModeSetViewportOrgExOffsetViewportOrgExSetViewportExtExScaleViewportExtExSetWindowOrgExSetWindowExtExDeleteDCGetClipBoxExcludeClipRectMoveToExLineToExtSelectClipRgnGetViewportExtExPtVisibleRectVisibleExtTextOutAEscapeGetTextMetricsAGetMapModeSetBkColorCreateRectRgnIndirectCreateDIBSectionSetPixelExtCreateRegionSetStretchBltModeGetClipRgnCreatePolygonRgnSelectClipRgnDeleteObjectCreateDIBitmapGetSystemPaletteEntriesCreatePaletteStretchBltSelectPaletteRealizePaletteGetDIBitsGetWindowExtExGetViewportOrgExStartDocAStartPageBitBltGetPixelCreateCompatibleDCEllipseRectangleLPtoDPDPtoLPGetCurrentObjectScaleWindowExtExSetDIBitsToDeviceSetTextColorSetBkModeRoundRectGetTextExtentPoint32ATextOutASetROP2GetDeviceCapsClosePrinterDocumentPropertiesAOpenPrinterAGetFileTitleAGetOpenFileNameAChooseColorAGetSaveFileNameARegCreateKeyExARegQueryValueARegSetValueExARegOpenKeyExARegCloseKeyShellExecuteAShell_NotifyIconAOleIsCurrentClipboardOleFlushClipboardCoRevokeClassObjectCoRegisterMessageFilterCoFreeUnusedLibrariesCreateILockBytesOnHGlobalStgCreateDocfileOnILockBytesStgOpenStorageOnILockBytesCoGetClassObjectCoTaskMemFreeCoTaskMemAllocCLSIDFromProgIDOleInitializeOleUninitializeCLSIDFromString
InternetSetOptionAInternetOpenAInternetCloseHandleInternetConnectAInternetCanonicalizeUrlAInternetCrackUrlAHttpOpenRequestAHttpSendRequestAHttpQueryInfoAInternetReadFile
KERNEL32.DLL
WINMM.DLL
WS2_32.DLL
RASAPI32.DLL
MSVFW32.DLL
AVIFIL32.DLL
GDI32.DLL
WINSPOOL.DRV
COMDLG32.DLL
ADVAPI32.DLL
SHELL32.DLL
OLE32.DLL
OLEAUT32.DLL
COMCTL32.DLL
OLEDLG.DLL
WININET.DLL
RegCreateKeyExA
ShellExecuteA
(*.*)
%original file name%.exe_1904_rwx_10001000_00039000:
L$(h%f
SSh0j
msctls_hotkey32
TVCLHotKey
THotKey
\skinh.she
}uo,x6l5k%x-l h
9p%s m)t4`#b
e"m?c&y1`Ð<
SetViewportOrgEx
SetViewportExtEx
SetWindowsHookExA
UnhookWindowsHookEx
EnumThreadWindows
EnumChildWindows
`c%US.4/
!#$<#$#=
.text
`.rdata
@.data
.rsrc
@.UPX0
`.UPX1
`.reloc
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\SkinH_EL.dll (88 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.