Trojan.Win32.FlyStudio_b424ada5b9

by malwarelabrobot on May 25th, 2014 in Malware Descriptions.

Gen:Heur.PWSIME.2 (BitDefender), TrojanDownloader:Win32/Bulilit.A (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), VirTool.Win32.Obfuscator.XZ (v) (VIPRE), Trojan.DownLoader1.14994 (DrWeb), Gen:Heur.PWSIME.2 (B) (Emsisoft), Artemis!B424ADA5B95A (McAfee), Trojan-Downloader.Win32.Bulilit (Ikarus), Gen:Heur.PWSIME.2 (FSecure), Gen:Heur.PWSIME.2 (AdAware), GenericEmailWorm.YR, GenericInjector.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Worm, EmailWorm, VirTool


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: b424ada5b95a26a68ae20111fafda4e3
SHA1: f4163bad2be514b7b1b66cf322932c4bdfe32c62
SHA256: 0b4592d12bc8cf17b02875d353e826767261a464b40a43d054008f6bccc35bc1
SSDeep: 49152:xQWWWWWWWWWWWWWWWWWWWWWWCWWWWWWWWWWWWWWWWWWWWWW4BEDXXzFAvE83W6Wd:uWWWWWWWWWWWWWWWWWWWWWWCWWWWWWWb
Size: 2252800 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-07-04 21:46:32
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour   Description
EmailWorm   Worm can send e-mails.


Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:1660

File activity

The process %original file name%.exe:1660 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SPE38PAB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\c4869.tmp (3361 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (198 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\drivers\oOkqgAlNacFa.sys (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GXEROL6B\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\E_UIEngine\90afea1eeb37be7a93471c36152ab43a\90afea1eeb37be7a93471c36152ab43a.jpg.data (28 bytes)
%Program Files%\Common Files\ysz.ini (479 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\c4907.tmp (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NN05OJX8\desktop.ini (67 bytes)
%System%\time1.dll (192 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\c4694.tmp (4545 bytes)
%Documents and Settings%\%current user%\Application Data\E_UIEngine\90afea1eeb37be7a93471c36152ab43a\90afea1eeb37be7a93471c36152ab43a.jpg (676 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7TJDBR9R\desktop.ini (67 bytes)
%System%\drivers\etc\hosts (232 bytes)
%System%\time.ime (53 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\c4869.tmp (0 bytes)
%Program Files%\Common Files\ysz.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\c4694.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\c4907.tmp (0 bytes)
%System%\drivers\oOkqgAlNacFa.sys (0 bytes)

Registry activity

The process %original file name%.exe:1660 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E0200804]
"Layout File" = "kbdus.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E0200804]
"Ime File" = "TIME.IME"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1024x768x32(BGR 0)" = "31,31,31,31"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E0200804]
"Layout Text" = "Windows±ê×¼ÊäÈë·¨À©Õ¹·þÎñ"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 13 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F FE C9 9A 05 F6 F7 54 76 F3 CE D4 9D 88 4D 19"

[HKCU\Software\Super-EC\½ûÖ¹ÖØ¸´ÔËÐÐ]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Keyboard Layout\Preload]
"2" = "E0200804"

The Trojan modifies IE security-zone settings so that all local web nodes whose names contain no dots, and which are not assigned to any zone, are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5                               File path
b60da4e2e5aceba3ce3d87ee2cd872ee  c:\WINDOWS\system32\time.ime
ec1f44ea0c4b88856d7ca9dbf8ed628f  c:\WINDOWS\system32\time1.dll

HOSTS file anomalies

The Trojan modifies the "%System%\drivers\etc\hosts" file, which maps host names to IP addresses and is consulted before DNS.
The modified file is 232 bytes in size. The following entries are added to the hosts file:

174.139.113.251 qltea.com
174.139.113.251 www.qltea.com
174.139.113.251 cfwgw.org
174.139.113.251 www.cfwgw.org
174.139.113.251 cfwg520.com
174.139.113.251 www.cfwg520.com
174.139.113.251 9369.org


Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy   Section MD5
.text   4096             1037867       0         0         d41d8cd98f00b204e9800998ecf8427e
.rdata  1044480          5931336       0         0         d41d8cd98f00b204e9800998ecf8427e
.data   6979584          319434        0         0         d41d8cd98f00b204e9800998ecf8427e
.rsrc   7299072          252032        237568    3.4753    b6456c9192f6e018128b5e168620e143
.vmp0   7553024          201028        0         0         d41d8cd98f00b204e9800998ecf8427e
.vmp1   7757824          2006227       2007040   5.48167   55ba30728472309e8891a9a9013510b2
.reloc  9764864          140           4096      0.161251  114c09c2680124eb824d72995ea548c4

Sections with a raw size of 0 carry the MD5 of empty input (d41d8cd98f00b204e9800998ecf8427e), so only .rsrc, .vmp1 and .reloc have on-disk content; the code in .text, .rdata and .data is populated at run time by the packer.

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):


Remove it with Ad-Aware

  1. Click here to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SPE38PAB\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\c4869.tmp (3361 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (198 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %System%\drivers\oOkqgAlNacFa.sys (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GXEROL6B\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\E_UIEngine\90afea1eeb37be7a93471c36152ab43a\90afea1eeb37be7a93471c36152ab43a.jpg.data (28 bytes)
    %Program Files%\Common Files\ysz.ini (479 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\c4907.tmp (1425 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NN05OJX8\desktop.ini (67 bytes)
    %System%\time1.dll (192 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\c4694.tmp (4545 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7TJDBR9R\desktop.ini (67 bytes)
    %System%\drivers\etc\hosts (232 bytes)
    %System%\time.ime (53 bytes)

  4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
