Virus.Win32.Parite_24b4bc1609
HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Bumat.FD, Virus.Win32.Parite.B.FD, VirusParite.YR (Lavasoft MAS)
Behaviour: Trojan, Virus
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 24b4bc160938e2bf7496b8af1c2b6f50
SHA1: 1a09fc164e92c9620ff18dfcf72a8240c46bb14c
SHA256: 55765a41511849b8c0311d1c330b7c1a255d6035dfb4c30fde19ad521f64190e
SSDeep: 6144:l7jZuE5cWucUzkOpFtW7xEm80tDMEhiofgR5aIMtFT3Phsgiw R:ZZu8LLqK73f4EkoYPaImrhsgiZ
Size: 296960 bytes
File type: DLL
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 2013-05-10 15:24:48
Analyzed on: WindowsXP SP3 32-bit
Summary:
Virus. A program that recursively replicates a possibly evolved copy of itself.
Payload
No specific payload has been found.
Process activity
The Virus creates the following process(es):
regsvr32.exe:1216
hrl1.tmp:944
The Virus injects its code into the following process(es):
wwcqww.exe:248
Explorer.EXE:888
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process wwcqww.exe:248 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%WinDir%\Temp\gma3.tmp (11010 bytes)
%System%\gei33.dll (12 bytes)
%WinDir%\Temp\xma4.tmp (2373 bytes)
C:\RCX5.tmp (23843 bytes)
The Virus deletes the following file(s):
%System%\gei33.dll (0 bytes)
The process regsvr32.exe:1216 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (284 bytes)
The process hrl1.tmp:944 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%System%\wwcqww.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nfa2.tmp (11010 bytes)
Registry activity
The process regsvr32.exe:1216 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D AA 45 77 0D E4 1C A8 F5 31 70 C2 77 7B 5B D9"
The process hrl1.tmp:944 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D 86 8D EC 91 54 AC 83 CC 02 F6 A3 1F 0E C1 96"
Dropped PE files
MD5 | File path |
---|---|
277be5ed3b4c6759081d25d12092c3e3 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SOFTWARE.LOG |
685f1cbd4af30a1d0c25f252d399a666 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nfa2.tmp |
685f1cbd4af30a1d0c25f252d399a666 | c:\WINDOWS\Temp\gma3.tmp |
7893db629bf13a5cfc3af8e628c557f8 | c:\WINDOWS\Temp\xma4.tmp |
ee91ea72a4752f38cc865754cae0ba97 | c:\WINDOWS\system32\gei33.dll |
277be5ed3b4c6759081d25d12092c3e3 | c:\WINDOWS\system32\wwcqww.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Virus installs the following user-mode hooks in ntdll.dll:
NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile
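The hooks above are the kind a responder confirms by reading the first bytes of each export out of the affected process and comparing them with the same bytes in the clean ntdll.dll on disk. The script below is an added example for this report, not Lavasoft's analysis code: it does that comparison and decodes the three stub shapes hook writers normally leave (jmp rel32, jmp [abs32], push/ret). Every byte string in it is constructed; the "clean" prologue only copies the shape of a Windows XP syscall stub, and the ntdll base and the 0x00420000 target are assumed addresses, not values taken from the report.

```python
"""Inline-hook check for the ntdll.dll exports listed above.

Added example for this report, not Lavasoft's analysis code.  Compare the
first bytes of an export as read from the live process with the clean copy
from ntdll.dll on disk, and decode the stub hook writers usually leave
behind.  Every byte string here is constructed: the 'clean' prologue copies
the shape of an XP syscall stub and the targets are assumed addresses."""
import struct

# constructed clean prologue: mov eax,N ; mov edx,7FFE0300h ; call [edx] ; ret 0Ch
CLEAN_PROLOGUE = bytes.fromhex("b8 3d 00 00 00 ba 00 03 fe 7f ff 12 c2 0c 00")
NTDLL_BASE = 0x7C900000     # assumed ntdll load address, not from the report
INJECTED = 0x00420000       # assumed hook target inside an RWX region


def decode_hook(mem: bytes, addr: int):
    """Return (kind, target) if `mem` starts with a redirect stub, else None.
    `addr` is where the bytes live; an E9 jump is relative to the next insn."""
    if len(mem) >= 5 and mem[0] == 0xE9:                        # E9 rel32
        rel = struct.unpack_from("<i", mem, 1)[0]
        return "jmp_rel32", (addr + 5 + rel) & 0xFFFFFFFF
    if len(mem) >= 6 and mem[:2] == b"\xff\x25":                # FF 25 [abs32]
        return "jmp_indirect", struct.unpack_from("<I", mem, 2)[0]
    if len(mem) >= 6 and mem[0] == 0x68 and mem[5] == 0xC3:     # 68 imm32 ; C3
        return "push_ret", struct.unpack_from("<I", mem, 1)[0]
    return None


def check_export(name, addr, clean, in_memory):
    """Diff the two prologues and classify any divergence."""
    n = min(len(clean), len(in_memory))
    if clean[:n] == in_memory[:n]:
        return {"export": name, "hooked": False}
    hook = decode_hook(in_memory, addr)
    return {"export": name, "hooked": True,
            "kind": hook[0] if hook else "patched_unknown",
            "target": hook[1] if hook else None,
            "first_diff": next(i for i in range(n) if clean[i] != in_memory[i])}


def jmp_rel32(from_addr, to_addr):
    """Encode the E9 stub a hook writer would place at `from_addr`."""
    return b"\xe9" + struct.pack("<i", to_addr - (from_addr + 5))


# Constructed process snapshot: export -> (address, bytes read from memory).
SNAPSHOT = {
    "NtCreateFile": (NTDLL_BASE + 0x0E2C,
                     jmp_rel32(NTDLL_BASE + 0x0E2C, INJECTED) + CLEAN_PROLOGUE[5:]),
    "NtQueryInformationProcess": (NTDLL_BASE + 0x1A64,
                     b"\x68" + struct.pack("<I", INJECTED + 0x1000) + b"\xc3"
                     + CLEAN_PROLOGUE[6:]),
    "ZwOpenFile": (NTDLL_BASE + 0x10B8, CLEAN_PROLOGUE),        # untouched
}


def scan(snapshot=SNAPSHOT, clean=CLEAN_PROLOGUE):
    """One finding per export; `hooked` is True wherever the bytes differ."""
    return [check_export(n, a, clean, m) for n, (a, m) in snapshot.items()]


if __name__ == "__main__":
    for finding in scan():
        print(finding)
```

On a live XP host the in-memory bytes come from ReadProcessMemory on wwcqww.exe and Explorer.EXE and the clean bytes from the on-disk ntdll.dll at the same export RVA; a divergence whose decoded target falls outside every loaded module's image (here, inside the injected RWX region) is the strong signal, while a patch that does not decode to any of the three stubs still deserves a look.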
Propagation
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
111 | 4096 | 3118 | 3584 | 3.70242 | fc450ddb393352958b3a84d5191518cc |
.text | 8192 | 1733 | 2048 | 4.00683 | e8e64774a4cad9018a5f26a3e459abce |
.rdata | 12288 | 2617 | 3072 | 3.08715 | ae0595e3646333f0d1dd17cadd2540e9 |
.data | 16384 | 1500 | 512 | 0.112976 | 0b2e7741e0c0fc65af1542e370d89f53 |
.CRT | 20480 | 4 | 512 | 0.042395 | 5fb5b6736ecec6fb84d8f6dc5ecaa569 |
.rsrc | 24576 | 284696 | 285184 | 5.32828 | 8d64f240aefef43ec1f6aa3e16d20202 |
.reloc | 311296 | 700 | 1024 | 2.91713 | e03a8a70a6a8fbc9c59a60ea5ee41fc0 |
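The table above is where triage starts: a section named "111" ahead of .text, a .rsrc section carrying about 96% of the file, and a .data section whose raw size is smaller than its virtual size. The script below is an added example for this report, not Lavasoft's tooling; it parses the section table directly with struct, computes per-section Shannon entropy and applies those heuristics. Since the sample is not reproduced here, sample_image() builds a constructed DLL with the report's section names, sizes and addresses but filler contents and assumed Characteristics flags, so its entropies differ from the table's.

```python
"""PE section triage for the header data above.

Added example for this report, not Lavasoft's tooling.  parse_sections()
walks DOS header -> PE signature -> COFF header -> section table,
triage() applies the heuristics an analyst would apply to this sample, and
sample_image() is a constructed stand-in with the report's section layout."""
import math
import random
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
STANDARD_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                  ".edata", ".CRT", ".tls", ".bss", "CODE", "DATA", "BSS"}
SECTION_FMT = "<8sIIIIIIHHI"        # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(buf: bytes) -> float:
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def parse_sections(data: bytes):
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    table = pe + 24 + opt_size
    sections = []
    for i in range(nsec):
        (name, vsize, vaddr, rsize, rptr,
         _, _, _, _, chars) = struct.unpack_from(SECTION_FMT, data, table + 40 * i)
        raw = data[rptr:rptr + rsize]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "vaddr": vaddr, "vsize": vsize, "raw_size": rsize,
                         "entropy": shannon_entropy(raw), "chars": chars})
    return sections


def triage(data: bytes, rsrc_share=0.8, packed_entropy=7.0):
    sections = parse_sections(data)
    total_raw = sum(s["raw_size"] for s in sections) or 1
    findings = []
    for s in sections:
        if s["name"] not in STANDARD_NAMES:
            findings.append(f"{s['name']}: non-standard section name")
        if s["name"] == ".rsrc" and s["raw_size"] / total_raw > rsrc_share:
            findings.append(f".rsrc: {s['raw_size'] / total_raw:.0%} of raw file size, "
                            "likely carries an embedded payload")
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{s['name']}: RWX section")
        if s["entropy"] > packed_entropy:
            findings.append(f"{s['name']}: entropy {s['entropy']:.2f}, packed or encrypted")
    return sections, findings


def build_pe(sections):
    """Assemble a minimal PE32 DLL from [(name, vsize, vaddr, raw, chars)]."""
    hdr_len = 0x40 + 4 + 20 + 224 + 40 * len(sections)
    raw_off = (hdr_len + 0x1FF) & ~0x1FF          # FileAlignment 0x200
    table, body = b"", b""
    for name, vsize, vaddr, raw, chars in sections:
        table += struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"), vsize, vaddr,
                             len(raw), raw_off + len(body), 0, 0, 0, 0, chars)
        body += raw
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)         # PE32 magic
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return head.ljust(raw_off, b"\0") + body


def sample_image(seed=1):
    """Constructed stand-in mirroring the report's table; contents are filler."""
    rng = random.Random(seed)

    def blob(n, zero_fraction):                    # mixed-entropy filler
        return bytes(0 if rng.random() < zero_fraction else rng.getrandbits(8)
                     for _ in range(n))

    CODE, RDATA, RWDATA = 0x60000020, 0x40000040, 0xC0000040   # assumed flags
    return build_pe([
        ("111",     3118,  0x1000, blob(3584, 0.5), CODE),
        (".text",   1733,  0x2000, blob(2048, 0.5), CODE),
        (".rdata",  2617,  0x3000, blob(3072, 0.6), RDATA),
        (".data",   1500,  0x4000, bytes(512), RWDATA),
        (".CRT",       4,  0x5000, bytes(512), RDATA),
        (".rsrc", 284696,  0x6000, blob(285184, 0.4), RDATA),
        (".reloc",   700, 0x4C000, blob(1024, 0.7), 0x42000040),
    ])
```

Running triage(sample_image()) flags "111" as a non-standard section name and .rsrc as carrying 96% of the raw file; on the real sample the same two findings, plus the PEID hit on UPolyX, are what justify pulling the resource section apart before anything else.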
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Virus connects to the servers at the following location(s):
.text
`.data
.rsrc
msvcrt.dll
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
ole32.dll
regsvr32.pdb
_wcmdln
RegCloseKey
RegOpenKeyExW
Excessive # of DLL's on cmdline
5.1.2600.5512 (xpsp.080413-2105)
REGSVR32.EXE
Windows
Operating System
5.1.2600.5512
Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname
Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall
Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.
LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.
%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.
OleUninitialize failed.["%1" is not an executable file and no registration
wwcqww.exe_248:
`.text
`.rdata
.data
.rsrc
MFC42.DLL
MSVCRT.dll
_acmdln
WinExec
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
RegOpenKeyA
ADVAPI32.dll
WS2_32.dll
WINMM.dll
InternetOpenUrlA
WININET.dll
gei%u.dll
PlusCtrl.dll
ASP.NET State Servicesbga Transaction Coordinator Service
Provides support for out-of-to-processexs Transaction Coordinator Service.
geili.api520.com:1001
bpk%c%c%c%cÌn.exe
kernel32.dll
SOFTWARE.LOG
rat5.100geili.com:11000
rat4.100geili.com:10000
rat3.100geili.com:9000
rat2.100geili.com:8000
%c%c%c%c%c%c.exe
%u MB
%u MHz
SOFTWARE\Microsoft\Windows NT\CurrentVersion
\Program Files\Internet Explorer\iexplore.exe
Mozilla/4.0 (compatible)
hXXp://%s:%d%s
POST %s HTTP/1.1
Referer: hXXp://%s
Host: %s
GET %s HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; hXXp://VVV.google.com/bot.html)
Host: %s:%d
%s hXXp://%s:%d%s
%d.%d.%d.%d
192.168.1.244
%c%c%c%c%c%
%c%c%c%c%
%c%c%c%
%c%c%
%c%c%c%c%c%c%
GET %s HTTP/1.1
@.data
@.rsrc
@.reloc
SHELL32.dll
SHLWAPI.dll
lpk.dll
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
-ehM}
Kernel32.dll
Software\Microsoft\Windows\CurrentVersion\Explorer
cmd /c RD /s /q "%s"
"%s" a -r -ep1"%s" "%s" "%s\lpk.dll"
"%s" x "%s" *.exe "%s\"
cmd /c %s vb "%s" lpk.dll|find /i "lpk.dll"
rar.exe
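The strings in this dump carry the only network indicators the report has, since the sandbox recorded no traffic: five host:port pairs under 100geili.com and api520.com, HTTP request templates, and a User-Agent that imitates Googlebot. The script below is an added example for this report, not Lavasoft's tooling; it matches those indicators against proxy log lines. The log layout and every log line are constructed for the demo, not captured traffic, and the sibling host rat6.100geili.com is an assumption used to show domain-level matching.

```python
"""Proxy-log matcher for the C2 strings recovered above.

Added example for this report, not Lavasoft's tooling.  Hostnames, ports and
the spoofed Googlebot User-Agent come from the wwcqww.exe_248 strings; the
log format and the log lines are constructed for the demo."""
import re
from urllib.parse import urlsplit


def refang(s: str) -> str:
    """Undo the hXXp:// and VVV. defanging used in the strings listing."""
    return (s.replace("hXXp://", "http://").replace("hXXps://", "https://")
             .replace("VVV.", "www."))


# host -> port, exactly as the pairs appear in the binary
C2_ENDPOINTS = {
    "geili.api520.com": 1001,
    "rat2.100geili.com": 8000,
    "rat3.100geili.com": 9000,
    "rat4.100geili.com": 10000,
    "rat5.100geili.com": 11000,
}
C2_DOMAINS = {"api520.com", "100geili.com"}       # catches sibling hosts
C2_USER_AGENT = refang("Mozilla/5.0 (compatible; Googlebot/2.1; hXXp://VVV.google.com/bot.html)")

# Constructed log layout: timestamp client method url status "user-agent"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) '
                    r'(?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$')


def classify(line: str):
    """Parse one line; return None if it does not match the layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    host = (url.hostname or "").lower()
    port = url.port or (443 if url.scheme == "https" else 80)
    hits = []
    if host in C2_ENDPOINTS:
        hits.append("c2_host")
        if port == C2_ENDPOINTS[host]:
            hits.append("c2_port")
    elif any(host == d or host.endswith("." + d) for d in C2_DOMAINS):
        hits.append("c2_domain")
    if m["ua"] == C2_USER_AGENT:
        hits.append("spoofed_googlebot_ua")   # a crawler UA from an internal client
    return {"client": m["client"], "host": host, "port": port, "hits": hits}


# Constructed sample log: two check-ins, an assumed sibling host, benign traffic.
SAMPLE_LOG = [
    '2013-05-10T15:30:01Z 10.1.2.3 GET http://rat2.100geili.com:8000/ 200 '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"',
    '2013-05-10T15:30:05Z 10.1.2.3 POST http://geili.api520.com:1001/ 200 '
    '"Mozilla/4.0 (compatible)"',
    '2013-05-10T15:31:10Z 10.1.2.7 GET http://rat6.100geili.com:12000/ 504 '
    '"Mozilla/4.0 (compatible)"',
    '2013-05-10T15:31:12Z 10.1.2.9 GET http://www.example.com/index.html 200 '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    'garbage line that does not parse',
]


def alerts(lines=SAMPLE_LOG):
    """Only the parsed lines that matched at least one indicator."""
    out = []
    for line in lines:
        r = classify(line)
        if r and r["hits"]:
            out.append(r)
    return out


if __name__ == "__main__":
    for a in alerts():
        print(a)
```

The User-Agent match is exact on purpose: the string in the binary lacks the "+" that precedes the URL in Google's real crawler UA, and a crawler UA originating from an internal workstation is anomalous regardless of destination, so it is worth alerting on even when the host list has rotated.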
wwcqww.exe_248_rwx_00420000_00003000:
Kernel32.dll
ADVAPI32.dll
RegOpenKeyExA
RegCloseKey
Software\Microsoft\Windows\CurrentVersion\Explorer
wwcqww.exe_248_rwx_006B1000_00071000:
UDPSockError
NMUDP
Errmsg
Port
TNMUDP
RemotePort
LocalPort
ReportLevelLkk
0.0.0.0
%d.%d.%d.%d
AutoHotkeys
:].tJ
EInvalidGraphicOperation,0l
EInvalidGraphicOperation
KeyPreview,
WindowState
OnKeyDown
OnKeyPressdzm
OnKeyUp
ssHotTrack
TWindowState
poProportional
TWMKey
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
TDragOperation
TKeyEvent
TKeyPressEvent
crSQLWait
%s (%s)
IMM32.DLL
EInvalidOperation
%s[%d]
%s_%d
USER32.DLL
comctl32.dll
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
kernel32.dll
Portions Copyright (c) 1983,99 Borland
explorer.exe
Software\Microsoft\Windows\CurrentVersion\Explorer
*.TMP
Kernel32.dll
ADVAPI32.dll
RegOpenKeyExA
RegCloseKey
readbook.exe
rundll32.exe
*.exe
*.scr
UdpT
UdpOnDataReceived
xxtype.cpp
derv->tpClass.tpcFlags & CF_HAS_BASES
Inappropriate I/O control operation
Broken pipe
Operation not permitted
%H:%M:%S
%m/%d/%y
%A, %B %d, %Y
d/d/d d:d:d.d
An exception (X) occurred during DllEntryPoint or DllMain in module:
xx.cpp
varType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpClass.tpcDtorAddr
(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags
memType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR
dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR
IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)
elemType->tpClass.tpcFlags & CF_HAS_DTOR
ReportLevel
GetCPInfo
GetProcessHeap
GetWindowsDirectoryA
RegCreateKeyExA
RegFlushKey
SetViewportOrgEx
ActivateKeyboardLayout
EnumThreadWindows
EnumWindows
GetKeyNameTextA
GetKeyState
GetKeyboardLayout
GetKeyboardLayoutList
GetKeyboardState
GetKeyboardType
LoadKeyboardLayoutA
MapVirtualKeyA
MsgWaitForMultipleObjects
SetWindowsHookExA
UnhookWindowsHookEx
VprK|%Ud
€00404
8 @ @ @ @ @
.text
`.data
.idata
@.edata
@.rsrc
@.reloc
70"!(&&$
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Win32 Error. Code: %d.
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
I/O error %d
Integer overflow Invalid floating point operation
Invalid data type for '%s'
Failed to set data for '%s'
Failed to get data for '%s'/Menu '%s' is already being used by another form*Windows socket error: %s (%d), on API '%s'
Asynchronous socket error %d
- Dock zone has no control%List does not allow duplicates ($0%x)!'%s' is not a valid integer value
Alt Clipboard does not support Icons
!Control '%s' has no parent window
Error reading %s%s%s: %s
Ancestor for '%s' not found
Unsupported clipboard format
Class %s not found
Resource %s not found
List index out of bounds (%d) List capacity out of bounds (%d)
List count out of bounds (%d) Operation not allowed on sorted string list%String list does not allow duplicates#A component named %s already exists$''%s'' is not a valid component name
A class named %s already exists
Cannot assign a %s to a %s
Cannot create file %s
Cannot open file %s
Explorer.EXE_888_rwx_01EA1000_00071000:
UDPSockError
NMUDP
Errmsg
Port
TNMUDP
RemotePort
LocalPort
ReportLevelLk
0.0.0.0
%d.%d.%d.%d
AutoHotkeys
:].tJ
EInvalidGraphicOperation,0
EInvalidGraphicOperation
KeyPreview,
WindowState
OnKeyDown
OnKeyPressdz
OnKeyUp
ssHotTrack
TWindowState
poProportional
TWMKey
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
TDragOperation
TKeyEvent
TKeyPressEvent
crSQLWait
%s (%s)
IMM32.DLL
EInvalidOperation
%s[%d]
%s_%d
USER32.DLL
comctl32.dll
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
kernel32.dll
Portions Copyright (c) 1983,99 Borland
explorer.exe
Software\Microsoft\Windows\CurrentVersion\Explorer
*.TMP
Kernel32.dll
ADVAPI32.dll
RegOpenKeyExA
RegCloseKey
readbook.exe
rundll32.exe
*.exe
*.scr
UdpT
UdpOnDataReceived
xxtype.cpp
derv->tpClass.tpcFlags & CF_HAS_BASES
Inappropriate I/O control operation
Broken pipe
Operation not permitted
%H:%M:%S
%m/%d/%y
%A, %B %d, %Y
d/d/d d:d:d.d
An exception (X) occurred during DllEntryPoint or DllMain in module:
xx.cpp
varType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpClass.tpcDtorAddr
(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags
memType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR
dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR
IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)
elemType->tpClass.tpcFlags & CF_HAS_DTOR
ReportLevel
GetCPInfo
GetProcessHeap
GetWindowsDirectoryA
RegCreateKeyExA
RegFlushKey
SetViewportOrgEx
ActivateKeyboardLayout
EnumThreadWindows
EnumWindows
GetKeyNameTextA
GetKeyState
GetKeyboardLayout
GetKeyboardLayoutList
GetKeyboardState
GetKeyboardType
LoadKeyboardLayoutA
MapVirtualKeyA
MsgWaitForMultipleObjects
SetWindowsHookExA
UnhookWindowsHookEx
VprK|%Ud
€00404
8 @ @ @ @ @
.text
`.data
.idata
@.edata
@.rsrc
@.reloc
70"!(&&$
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Win32 Error. Code: %d.
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
I/O error %d
Integer overflow Invalid floating point operation
Invalid data type for '%s'
Failed to set data for '%s'
Failed to get data for '%s'/Menu '%s' is already being used by another form*Windows socket error: %s (%d), on API '%s'
Asynchronous socket error %d
- Dock zone has no control%List does not allow duplicates ($0%x)!'%s' is not a valid integer value
Alt Clipboard does not support Icons
!Control '%s' has no parent window
Error reading %s%s%s: %s
Ancestor for '%s' not found
Unsupported clipboard format
Class %s not found
Resource %s not found
List index out of bounds (%d) List capacity out of bounds (%d)
List count out of bounds (%d) Operation not allowed on sorted string list%String list does not allow duplicates#A component named %s already exists$''%s'' is not a valid component name
A class named %s already exists
Cannot assign a %s to a %s
Cannot create file %s
Cannot open file %s
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
regsvr32.exe:1216
hrl1.tmp:944
- Delete the original Virus file.
- Delete or disinfect the following files created/modified by the Virus:
%WinDir%\Temp\gma3.tmp (11010 bytes)
%System%\gei33.dll (12 bytes)
%WinDir%\Temp\xma4.tmp (2373 bytes)
C:\RCX5.tmp (23843 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (284 bytes)
%System%\wwcqww.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nfa2.tmp (11010 bytes)
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
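Before deleting anything in the list above, a responder wants to know which of the reported paths actually exist on the host and whether their hashes match the dropped files in this report. The script below is an added example for this report, not Lavasoft's removal tool: it expands the %WinDir%-style placeholders, hashes whatever is present and compares against the dropped-file MD5s. demo() runs the sweep against a constructed directory tree in a temp folder containing one constructed file, so its positive match is on that file's own hash, not on one of the report's hashes.

```python
"""Host sweep for the files and hashes this report lists.

Added example for this report, not Lavasoft's removal tool.  expand() maps the
report's placeholders to real paths, sweep() hashes what exists and flags known
dropped files, demo() exercises both on a constructed temp tree."""
import hashlib
import os
import tempfile

DROPPED_MD5 = {  # from the "Dropped PE files" table
    "277be5ed3b4c6759081d25d12092c3e3",
    "685f1cbd4af30a1d0c25f252d399a666",
    "7893db629bf13a5cfc3af8e628c557f8",
    "ee91ea72a4752f38cc865754cae0ba97",
}
REPORTED_PATHS = [
    r"%WinDir%\Temp\gma3.tmp",
    r"%System%\gei33.dll",
    r"%WinDir%\Temp\xma4.tmp",
    r"C:\RCX5.tmp",
    r"%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp",
    r"%System%\wwcqww.exe",
    r"%Documents and Settings%\%current user%\Local Settings\Temp\nfa2.tmp",
]


def expand(path: str, env: dict) -> str:
    """Replace the placeholders in dict order, then use the host's separator."""
    for key, value in env.items():
        path = path.replace(key, value)
    return path.replace("\\", os.sep)


def md5_file(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(paths, env, known_md5):
    """One record per reported path: presence, hash, and known-drop status."""
    out = []
    for p in paths:
        real = expand(p, env)
        if not os.path.isfile(real):
            out.append({"path": real, "present": False, "md5": None, "known_dropped": False})
            continue
        digest = md5_file(real)
        out.append({"path": real, "present": True, "md5": digest,
                    "known_dropped": digest in known_md5})
    return out


def demo():
    """Constructed tree: only %System%\\wwcqww.exe exists, with made-up content."""
    root = tempfile.mkdtemp()
    env = {
        "C:": root,     # drive prefix first so expanded values are not re-expanded
        "%WinDir%": os.path.join(root, "WINDOWS"),
        "%System%": os.path.join(root, "WINDOWS", "system32"),
        "%Documents and Settings%": os.path.join(root, "Documents and Settings"),
        "%current user%": "user",
    }
    os.makedirs(env["%System%"])
    content = b"constructed stand-in, not the sample"
    with open(os.path.join(env["%System%"], "wwcqww.exe"), "wb") as f:
        f.write(content)
    planted_md5 = hashlib.md5(content).hexdigest()
    return sweep(REPORTED_PATHS, env, DROPPED_MD5 | {planted_md5})


if __name__ == "__main__":
    for record in demo():
        print(record)
```

On a real XP host env maps %WinDir% to C:\WINDOWS, %System% to C:\WINDOWS\system32 and %Documents and Settings%\%current user% to the profile directory; a present file whose hash is not in the table is still suspect (several of the dropped files are written with small sizes and then grow or are deleted), so presence alone should go into the incident record.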