Trojan.Win32.FlyStudio_cf12b579c2

by malwarelabrobot on September 7th, 2014 in Malware Descriptions.

Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericPhysicalDrive0.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: cf12b579c2dd9b0c9bd13fc9ca45af9f
SHA1: f32e843a2b3ceb149aadc4346f73a58d26bba814
SHA256: 8a04bc6d783ceca525e6471ab09d7cb44e4d220818f8c17375a65401c47e595a
SSDeep: 24576:RD8heXvRuP3XAoiQTS4qJBJ86lJM 6gf04:Ye/RmgjQTwv/
Size: 1421312 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-08-19 08:37:18
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:1872

Mutexes

The following mutexes were created/opened:

ZonesLockedCacheCounterMutex
ZonesCounterMutex
ZonesCacheCounterMutex
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
RasPbFile
ShimCacheMutex

File activity

The process %original file name%.exe:1872 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\login[1].htm (14392 bytes)
C:\ÅäÖÃ.ini (46 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\74_qtw[1].txt (3552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\logout[1].htm (2144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\hosts[1].txt (272 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\gg[1].txt (596 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\captcha.png[1].png (2096 bytes)

Registry activity

The process %original file name%.exe:1872 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1020x590x32(BGR 0)" = "31,31,31,31"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "89 73 D9 90 18 B8 90 64 E7 E2 23 41 5D E6 D5 25"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: ??b2b?????
Product Version: 3.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3.0.0.0
File Description: ??b2b?????
Comments: ??????????(http://www.eyuyan.com)
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 913196 913408 5.12108 cefda8c8ae4822150e9a044d1f22f7eb
.rdata 917504 293794 294912 4.34431 2a06c1085aebeabdf61b7495b1675430
.data 1212416 466570 114688 4.30715 937595b006a7837e827bc67d31ac2c40
.rsrc 1679360 90620 94208 4.54415 5c4b9e5ac4447ad3ce0917754df09a85

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://www.linanxi.com/soft/hosts.txt 112.124.59.64
hxxp://www.linanxi.com/soft/74_qtw.txt 112.124.59.64
hxxp://www.qieta.com/member/logout.php 203.171.233.91
hxxp://www.qieta.com/member/login.php 203.171.233.91
hxxp://www.qieta.com/api/captcha.png.php?action=e9f3ba48539aa7ccde90331492422fdc&refresh=0.62083233583538592 203.171.233.91
hxxp://www.linanxi.com/soft/gg.txt 112.124.59.64


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0

Traffic

GET /member/logout.php HTTP/1.1
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: hXXp://VVV.qieta.com/member/logout.php
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: VVV.qieta.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Connection: close
Date: Sat, 06 Sep 2014 15:45:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: PHP/5.2.17
Content-Type:text/html;charset=utf-8
Set-Cookie: qieta010_auth=deleted; expires=Fri, 06-Sep-2013 15:45:25 GMT; path=/; domain=.qieta.com
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "htt
p://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xm
lns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-eq
uiv="Content-Type" content="text/html;charset=utf-8" />..<title&
gt;............ - ............QieTa.com...</title>..<style ty
pe="text/css">..*{font-size:12px;color:#2B61BA;}..body{font-family:
 Verdana, Arial, Helvetica, sans-serif;background:#F0F2F7;margin:0;}..
input{color:#333333;}..a:link,a:visited,a:active {color:#ABBBD6;text-d
ecoration:none;}...msg{width:400px;background:#FFFFFF url('hXXp://VVV.
qieta.com/skin/default/image/messagebg.gif') repeat-x;margin:auto;}...
head{letter-spacing:2px;line-height:29px;height:26px;overflow:hidden;f
ont-weight:bold;}...content{padding:10px 20px 5px 20px;line-height:200
%;word-break:break-all;border:#7998B7 1px solid;border-top:none;}...ml
{color:#FFFFFF;background:url('hXXp://VVV.qieta.com/skin/default/image
/message.gif') no-repeat 0 0;padding-left:10px;}...mr{float:right;back
ground:url('hXXp://VVV.qieta.com/skin/default/image/message.gif') no-r
epeat 0 -34px;width:4px;font-size:1px;}..</style>..<script ty
pe="text/javascript">try {document.execCommand("BackgroundImageCach
e", false, true);} catch(e) {}</script>..</head>..<body
 onkeydown="if(event.keyCode==13) window.history.back();">..<tab
le cellpadding="0" cellspacing="0" width="400"  align="center">..&l
t;tr>..<td height="150"></td>..</tr>..<tr&
<<< skipped >>>


GET /soft/hosts.txt HTTP/1.1
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: hXXp://VVV.linanxi.com/soft/hosts.txt
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: VVV.linanxi.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Length: 272
Content-Type: text/plain
Last-Modified: Sun, 10 Aug 2014 12:18:53 GMT
Accept-Ranges: bytes
ETag: "ec8b1a4095b4cf1:12b8"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 06 Sep 2014 15:46:09 GMT
gvTRNWzwNwpWxQkwW3wB5K639BxKt3zB4KU31BNKl3rvNw1QmvxKxQqvawW3wB5K639BxK
t3U3XBxKu3jBNKNQ1v9wxQzBqwqQXvqwmQ9vmwxQzBywxQRBvK429L6Cy2uLSC52VLXCO2
mLbWxP9RSCrWlPyRrWpP4RNWSPVLUWSPvLPC429L6Cy2uLSC52VLXCO2mLUWSPmRXWqPpR
mWaPVLlWzPURQCW2tL9L6Cy2uLSC52VLXCO2mLlWlPzRTWaPTR5COPVLlWzPUR.
...


GET /soft/74_qtw.txt HTTP/1.1


Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: hXXp://VVV.linanxi.com/soft/74_qtw.txt
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: VVV.linanxi.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Length: 4578
Content-Type: text/plain
Last-Modified: Sat, 30 Aug 2014 04:28:05 GMT
Accept-Ranges: bytes
ETag: "728247cbac4cf1:12b8"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 06 Sep 2014 15:46:09 GMT
kQTRmwXvmWqvSPivu3zBXKkQSBNwqQXvNwOQXvkwW3wBJw4QnvawJQKvKHMQgvyKawB76v
kwW3wBJwrQxvpwC7ivXKt31B9KT3XBnKT34BuKnQuf9HB8yfcH48af5FI8HDHFo8bfoFn7
SDgvyKrQxvpwC7iveKA3gvUwB7tvUwc3aBnKJQ9L1C42XLxC52dLxC12XLCGJJigKEmJQg
cEz2egiEeJygJg0E0JtY8Wx21RoW5P1RbCo2dLhWA2eL8WOP1RoW4P1RhW12uLXC62rL1C
o2rL5C62oRtG6ICgxG7J9JuYbGKJWg2ELJrLHEcJjRzCOP1RoW4P1RhWA2eL8WqPpRTWlP
c3aBnKJQ4B4Ku3uBSKt3aBSK63uBBf7F97WDoFT3afBNa74DDFs8EDsFC8xfJwV3rvmwlQ
OvnKc3aBkwW3wBJwuQOvzwmQuvxwOQXvqwC75QOvzwJQ4B4Ku3uBSKt3aBSK63uBKHe8oD
oHQ82DzHkQSB9wqQXvqwbQUvTwxQTvnWaPpR1WjPvLPC8WyPxR1WpPBYpWTPpR1WOPpRXW
jP9L1C42XLxC52dLxC42cLCGEJ7geEbJcY9EGJmgHEbIDgGEnIUYtGpGFPULVWzPyRrWcP
NRqWlPyRmWlPxRhWA2eL8WOP1RTWcPaRaWTPrRhW12uLXC62rL1Co2rLXCn2nQL8QD0FU7
yB7FN8fDpFF8ZDZFu7gvyKrQxvpwC7uv9wNQmvkwW3wBJwUQVvaw5Q1v9K13uBkw63XB5K
9KT3XBuKT34BoKnQeDIF38qfZFl8cDHF28bDLFn8fDcFkQSBXwSQ6vbwyQuB9K13iveKA3
gvuwSQOvXvpw5QivXKt31BtCz2uL6Cz29LtC2IHg7EdIUYdEIJggaGQJWg2ELJjRzCtPzR
NWSPmR6WjPvLPCFPNPbRpWTPzR9WjP9L1C42XLxC524LxC12XLCG6IaYLEzIbY9GAJnYaG
nJoYzEz2wgnEoJGg8Wx2rRuWrPTPzR9WjPvLPCFPSRqW5P1RaCn2JQ4B4Ku3uBSKt39BSK
634BKHb7ufKF17nfyHF8PDoHb86f1FkQSBUvrwaQxvoKd3iveKA3gvNwXQuvOwJQ4B4Ku3
uBSKt39BSK631BKHb7ufKF17ID6Ft7af2Fv8KD3FT3e8oDJwV3lvUwbQmvkwW3wBJwrQxv
xwK7ivXKt31BtCz2uL6Cz29L1C2IaYtG2JXYHE9JuYbGKJWg2E2Ez2AgnEFPULmWVPSRdW
jPvLPCFPTRyWyPaRbCo2dLhW12uLXC62rL1Ct2rLXCo2oREEFJuYtEKJWgdY2Ez2BgHEaI
2m8Wx2TRyWyPaRbCo2dLhWA2eL8WUPURuWo2dLbCjP9LXB5K13yB4K53yB5K43Bf9Hb7B8
yf2Fu7vDdF672joHb86f1FkQSBVwVQtvnKc3aBkwW3wBJwXQUvOwxQnv5K43aBkw63XB5K
13yB4KuKT31B9KnQuf9HB8yf6Hn7GDuHu7dDtH58gvyKXQUvOwxQnv5K43aBkwW3wB
<<< skipped >>>

GET /soft/gg.txt HTTP/1.1


Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: hXXp://VVV.linanxi.com/soft/gg.txt
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: VVV.linanxi.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Length: 554
Content-Type: text/plain
Last-Modified: Mon, 26 May 2014 07:39:37 GMT
Accept-Ranges: bytes
ETag: "544e1aa5b578cf1:12b8"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 06 Sep 2014 15:46:16 GMT
8WNwlPxQTRrPyRFRQCW28gwEcIhgBE5J9Y4G0J3gpGdIPggEeJZgHEPJKgrEEJMg7EmI6Y
qGuIdYeEtJdYskNKa7iDaHfFR81DAF08Bfxw4Q6vtwBQSByKuQbv9wU3zvywxQOvzwB7Vv
xKTQ1v1wV3XvTwuQuvyKzQOvzwmQovqvSK63uB5KU3UvawVQzveKA3EDRFL8ODdHX8nf1H
67MjmH38uB5KY80DWFY8IDKNL8qD8Fb7KD0FH8S8KD3N883gREbJuYhEHJsmp..



GET /api/captcha.png.php?action=e9f3ba48539aa7ccde90331492422fdc&refresh=0.62083233583538592 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: hXXp://VVV.qieta.com/api/captcha.png.php?action=e9f3ba48539aa7ccde90331492422fdc&refresh=0.62083233583538592
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: VVV.qieta.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Connection: close
Date: Sat, 06 Sep 2014 15:45:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: PHP/5.2.17
Set-Cookie: PHPSESSID=5eti50i3703qquijh4jbdvjgt2; path=/; domain=.qieta.com
Cache-Control: must-revalidate, post-check=0, pre-check=0
Pragma: public
Expires: Sat, 06 Sep 2014 15:45:29 GMT
Content-type: image/png
.PNG........IHDR.......(......E=B....IDATx....L.w...O .Z.@[email protected].=..
#F;..6...n.m....Knqs:.ln..].l&..1....n.wa.48N.mK..0...............y.?.
K[ .p>...}.........&...>....B...... ......r.|..AC2...3G>=...o
|u. [email protected].....`[email protected]...
.q....N......w...m`Yv...iiiOmzj.e..7X....(.......m..}tt.n....... .....
.&.. .Je2..a.y..........w.....1..x....X.........1S..:..D".9}.;.......$
.|>_,....K.....Q...*.*G..R...~.q?l.Q....N%...0%..-J.....=}.4...Hzz.
.V..L4M..z.;...^SW..w[..|Jq?lP...8~vtwu'^..I.;.|.`4$......(/?O..j.ZZCg
eg%&......{{z...".....n....M~R....\....V.Y .CQ..h4..I.Rm.T[.r......"[.
.1.(0..>..Ex..9....'b..E)...*...............}.....;{K.x'.n.{.1..lu.
c..~.....  ......bmE~A.F...u.......{OVVVm}m,M.T..u.....S..Ojg.>.r..
F.....,.`..H.X^.h.....z.....R.T.Q.&..`^c6.1'Fd2......`ff&......i...z.-
c.11.d....>.....t.e...ZZCg.d...r.......s....\W).(R.QV.#......C....o
[9Vd*..,.q...GZ.$...u.......?<.r`.i9.K.eC..Rs.......{...c'8..c.).(6
..m.........a4..3'S.........2...t..mKLx....G..,].....<7<....au.j
.......c.).(6t........i......E....L1..R.U.....T...W... o..7.....J$./..
e.rd....k...&............-.|..o. ....7L..l....j..h....E..w....w0......
....-...&........_..|h.<.......GL..V.V.......tnb._Sx.^.R....M*..ik.
..B....z.{..e..]..?;.4ni,ZYte.J.G..P..8^...D.........._...X...mv.I%C..
[email protected][.........srbR..=....(.H$...............pY!.......(aN.oC~A>
;....R>2qsb.>@QT.o..3..3f...U`<L...z.. .....-U..'.1....o.8.|.
.K?:...._....J....dUI....2...c.....*Q.o.]....(.. .<W.\....;...d
<<< skipped >>>


GET /member/login.php HTTP/1.1
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: hXXp://VVV.qieta.com/member/login.php
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: VVV.qieta.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Connection: close
Date: Sat, 06 Sep 2014 15:45:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: PHP/5.2.17
Content-Type:text/html;charset=utf-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "htt
p://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xm
lns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-eq
uiv="Content-Type" content="text/html;charset=utf-8"/>..<title&g
t;............ - ............QieTa.com...</title>..<meta name
="keywords" content="QieTa,.........,B2B,............,......,......B2B
"/>..<meta name="description" content="............QieTa.com...B
2B.................................B2B................................
......................................................................
......................................................................
......................................................................
........................."/>..<meta http-equiv="x-ua-compatible"
 content="ie=7"/>..<meta name="generator" content="QieTa B2B"/&g
t;..<meta name="author" content="VVV.QieTa.com"/>..<meta prop
erty="qc:admins" content="10523630176115416375" />..<link rel="s
hortcut icon" href="hXXp://VVV.qieta.com/favicon.ico"/>..<link r
el="bookmark" href="hXXp://VVV.qieta.com/favicon.ico"/>..<link r
el="stylesheet" type="text/css" href="hXXp://VVV.qieta.com/skin/defaul
t/style.css"/>..<script type="text/javascript" src="hXXp://VVV.q
ieta.com/lang/zh-cn/lang.js"></script>..<script type="text
/javascript" src="hXXp://VVV.qieta.com/file/script/config.js"></
script>..<script type="text/javascript" src="hXXp://VVV.qiet
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

%original file name%.exe_1872:

.text
.rdata
@.data
.rsrc
t%SVh
t$(SSh
~%UVW
u$SShe
wininet.dll
kernel32.dll
user32.dll
Kernel32.dll
advapi32.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
EnumWindows
MsgWaitForMultipleObjects
ExitWindowsEx
ShellExecuteA
{E60056EA-07A8-4bf5-B6F0-DF05DE6FAE1F}
C$%cmb
.ppM|
 aZ.mO
%-^
.hk;~
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
hXXp://VVV.linanxi.com/soft/
hXXp://VVV.linanxi.com.cn/soft/
hXXp://VVV.linanxi.cn/soft/
hXXp://VVV.linanxi.net/soft/
hXXp://VVV.huguorong.com/soft/
hXXp://VVV.360kv.com/soft/
hXXp://
hXXps://
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
http=
HTTP/1.1
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
z>\TEMP.TMP
\*.jpg
\*.gif
hXXp://VVV.qieta.com/member/
<tr onmouseover="this.className='on';
 <a href="hXXp://
hXXp://VVV.qieta.com/ajax.php
hXXp://ping.baidu.com/ping/RPC2
<methodName>weblogUpdates.ping</methodName>
hXXp://VVV.qieta.com/member/logout.php
hXXp://VVV.qieta.com/member/login.php
hXXp://VVV.qieta.com/api/captcha.png.php?action=
.iqW>
"3/%F
%du2$"
.unOZ
config.ini
\\.\PHYSICALDRIVE
\\.\SCSI
\\.\SMARTVSD
\\.\PhysicalDrive0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
hXXp://VVV.qieta.com/member/my.php
&submit= 提 交 
&post[elite]=
&post[mycatid]=
&post[days]=
&post[amount]=
&post[minamount]=
&post[price]=
&post[totime]=&post[unit]=
&post[thumb2]=
&post[thumb1]=
&post[content-bak]={$content-bak}&post[thumb]=
&post[content]=
&post[brand]=
&post[standard]=
&post[pid]=0&post[model]=
&style=&post[catid]=
&post[title]=
&post[typeid]=
action=add&mid=5&itemid=0&forward=&post[tag]=
hXXp://open.baidu.com/special/time/
window.baidu_time(
`~!@#$%^&*()-_= [{]};:'\|,<.>/?"
hXXp://VVV.qieta.com/member/news.php
&post[addtime]=
&post[style]=&post[content]=
action=add&post[title]=
hXXp://VVV.vooec.com/Member/loginout.asp
hXXp://VVV.qieta.com/member/news.php?action=add
&q3=&q4=&rn=10&lm=0&ct=0&ft=&q5=&q6=qieta.com&tn=baiduadv
hXXp://VVV.baidu.com/s?q1=&q2=
&q3=&q4=&rn=10&lm=360&ct=0&ft=&q5=&q6=qieta.com&tn=baiduadv
&q3=&q4=&rn=10&lm=30&ct=0&ft=&q5=&q6=qieta.com&tn=baiduadv
&q3=&q4=&rn=10&lm=7&ct=0&ft=&q5=&q6=qieta.com&tn=baiduadv
&q3=&q4=&rn=10&lm=1&ct=0&ft=&q5=&q6=qieta.com&tn=baiduadv
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 2Pac; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
https
hXXp://VVV.b2b110.com/member/myb2b110.php?mid=
itemid[]=
&password=
forward=http://VVV.qieta.com/member/my.php&option=username&username=
[email protected]
hXXp://VVV.qieta.com/member/my.php?mid=5&action=add
&ct=0&ft=&q5=&q6=qieta.com&tn=baiduadv
hXXp://VVV.qy6.com/myqy6/addimage.php
[email protected]
hXXp://VVV.linanxi.com
my.php?mid=5&page=
news.php?page=
*.xls|*.xls
*.jpg|*.jpg|*.gif|*.gif
*.txt
|*.txt
>1.2.18
A inflate 1.1.3 Copyright 1995-1998 Mark Adler
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
MSWHEEL_ROLLMSG
__MSVCRT_HEAP_SELECT
AVIFIL32.dll
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
RASAPI32.dll
GetProcessHeap
WinExec
GetWindowsDirectoryA
GetCPInfo
KERNEL32.dll
GetKeyState
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
GetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
WINSPOOL.DRV
comdlg32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
\\.\Scsi0:
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
1.1.3
;3 #>6.&
'2, / 0&7!4-)1#
(*.avi)|*.avi
1.2.18
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
WPFT532.CNV
WPFT632.CNV
EXCEL32.CNV
write32.wpc
Windows Write
mswrd632.wpc
Word for Windows 6.0
wword5.cnv
Word for Windows 5.0
mswrd832.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
html32.cnv
NULL row buffer for row %ld, pass %d
libpng error: %s
libpng error: %s, offset=%d
libpng error no. %s: %s
libpng warning: %s
libpng warning no. %s: %s
operator
keywords
Unknown zTXt compression type %d
Incomplete compressed datastream in %s chunk
Data error in compressed datastream in %s chunk
Buffer error in compressed datastream in %s chunk
gamma = (%d/100000)
gx=%f, gy=%f, bx=%f, by=%f
wx=%f, wy=%f, rx=%f, ry=%f
incorrect gamma=(%d/100000)
iTXt chunk not supported.
VVV.dywt.com.cn
Excel.Application
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
.PAVCOleDispatchException@@
zcÁ
soft/gg.txt
gg.txt
et-Cookie: qieta010_auth=deleted; expires=Fri, 06-Sep-2013 15:45:25 GMT; path=/; domain=.qieta.com
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
1, 0, 6, 6
(*.*)
3.0.0.0
(hXXp://VVV.eyuyan.com)

%original file name%.exe_1872_rwx_00401000_000DF000:

t%SVh
t$(SSh
~%UVW
u$SShe

%original file name%.exe_1872_rwx_10027000_00015000:

msctls_hotkey32
TVCLHotKey
THotKey
\skinh.she
}uo,x6l5k%x-l h
9p%s m)t4`#b
e"m?c&y1`Ð<
SetViewportOrgEx
SetViewportExtEx
SetWindowsHookExA
UnhookWindowsHookEx
EnumThreadWindows
EnumChildWindows
`c%US.4/
!#$<#$#=
.text
`.rdata
@.data
.rsrc
@.UPX0
`.UPX1
`.reloc
%-^
.hk;~


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\login[1].htm (14392 bytes)
    C:\ÅäÖÃ.ini (46 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\74_qtw[1].txt (3552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\logout[1].htm (2144 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\hosts[1].txt (272 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\gg[1].txt (596 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\captcha.png[1].png (2096 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now