Trojan.Win32.Patched.or (Kaspersky), Trojan.Crypt.EL (B) (Emsisoft), Trojan.Crypt.EL (AdAware), GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 745aba78fa652fd2f84d4da0a14159b7
SHA1: f957af1ea9bcca0496b3a5f8f59feb03d0a77ec9
SHA256: 87ae62e2aa4b7de716d178f37b42d50415c9014d04a742068d85396dab5d0722
SSDeep: 768:Bo77dHrP/58ByHA/oEraNsNHPkD JIKNMWfb u:BQ7Z358KAAErO4PpIK5qu
Size: 48644 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6
Company: no certificate found
Created at: 2008-06-10 11:48:24
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
ipconfig.exe:348
%original file name%.exe:716
The Trojan injects its code into the following process(es): No processes have been created.
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process %original file name%.exe:716 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\mfxixue.bat (100 bytes)
%WinDir%\Tasks\csrss.exe (6588 bytes)
Registry activity
The process ipconfig.exe:348 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C 6A BE E9 E3 B4 4D 70 18 93 8C 80 73 2E AA 72"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
"EventMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"
The process %original file name%.exe:716 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C 32 39 8E 1D 4B 78 CF DF BD BA 74 8C 24 7C 7D"
Dropped PE files
MD5 | File path |
---|---|
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\bin\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\eg\IEExamples\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\eg\PerlEx\benchmarks\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\eg\PerlEx\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\eg\Windows Script Components\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\eg\Windows Script Host\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\eg\aspSamples\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\eg\cgi\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\eg\fork\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\eg\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\etc\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\Components\Windows\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\Components\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\bin\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\faq\Windows\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\faq\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\images\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\ActivePerl\DocTools\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\ActivePerl\PPM\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\ActivePerl\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\ActiveState\Config\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\ActiveState\PerlCritic\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\ActiveState\Tkx\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\ActiveState\Win32\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\ActiveState\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Algorithm\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\App\Prove\State\Result\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\App\Prove\State\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\App\Prove\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\App\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Archive\Tar\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Archive\Zip\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Archive\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Attribute\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\B\Lint\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\B\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Bit\Vector\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Bit\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Bundle\DBD\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Bundle\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\CGI\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\CPANPLUS\Backend\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\CPANPLUS\Config\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\CPANPLUS\Dist\Build\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\CPANPLUS\Dist\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\CPANPLUS\Internals\Source\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\CPANPLUS\Internals\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\CPANPLUS\Module\Author\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\CPANPLUS\Module\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\CPANPLUS\Shell\Default\Plugins\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\CPANPLUS\Shell\Default\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\CPANPLUS\Shell\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\CPANPLUS\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\CPAN\API\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\CPAN\Meta\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\CPAN\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Carp\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Class\Accessor\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Class\C3\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Class\Data\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Class\Load\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Class\MOP\Class\Immutable\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Class\MOP\Class\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Class\MOP\Method\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Class\MOP\Mixin\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Class\MOP\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Class\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Compress\Raw\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Compress\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Config\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\DBD\File\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\DBD\Gofer\Policy\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\DBD\Gofer\Transport\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\DBD\Gofer\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\DBD\ODBC\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\DBD\Oracle\Troubleshooting\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\DBD\Oracle\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\DBD\SQLite\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\DBD\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\DBI\Const\GetInfo\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\DBI\Const\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\DBI\DBD\SqlEngine\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\DBI\DBD\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\DBI\Gofer\Serializer\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\DBI\Gofer\Transport\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\DBI\Gofer\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\DBI\ProfileDumper\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\DBI\SQL\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\DBI\Util\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\DBI\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\DBM_Filter\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Data\Dump\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Data\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Date\Calc\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Date\Calendar\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Date\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Devel\NYTProf\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Devel\StackTrace\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Devel\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Digest\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Dist\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Email\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Encode\CN\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Encode\JP\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Encode\KR\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Encode\MIME\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Encode\Unicode\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\Encode\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\autodie\exception\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\autodie\wsock32.dll |
fdd323db7790b0d599ae56b82fc18b1c | c:\Perl\html\lib\encoding\wsock32.dll |
20ad76856c5d4cf967ec4539b8740155 | c:\WINDOWS\Tasks\csrss.exe |
fdd323db7790b0d599ae56b82fc18b1c | c:\WINDOWS\Tasks\wsock32.dll |
20ad76856c5d4cf967ec4539b8740155 | c:\WINDOWS\Tasks\ÂÌ»¯.bat |
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses. The modified file is 912 bytes in size. The following entries are added to the hosts file:
127.0.0.1 | www.360.cn |
127.0.0.1 | www.360safe.cn |
127.0.0.1 | www.360safe.com |
127.0.0.1 | www.chinakv.com |
127.0.0.1 | www.rising.com.cn |
127.0.0.1 | rising.com.cn |
127.0.0.1 | dl.jiangmin.com |
127.0.0.1 | jiangmin.com |
127.0.0.1 | www.jiangmin.com |
127.0.0.1 | www.duba.net |
127.0.0.1 | www.eset.com.cn |
127.0.0.1 | www.nod32.com |
127.0.0.1 | shadu.duba.net |
127.0.0.1 | union.kingsoft.com |
127.0.0.1 | www.kaspersky.com.cn |
127.0.0.1 | kaspersky.com.cn |
127.0.0.1 | virustotal.com |
127.0.0.1 | www.kaspersky.com |
127.0.0.1 | 60.210.176.251 |
127.0.0.1 | www.cnnod32.cn |
127.0.0.1 | www.lanniao.org |
127.0.0.1 | www.nod32club.com |
127.0.0.1 | www.dswlab.com |
127.0.0.1 | bbs.sucop.com |
127.0.0.1 | www.virustotal.com |
127.0.0.1 | tool.ikaka.com |
127.0.0.0 | 360.qihoo.com |
127.0.0.1 | qihoo.com |
127.0.0.1 | www.qihoo.com |
127.0.0.1 | www.qihoo.cn |
127.0.0.1 | 124.40.51.17 |
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
ipconfig.exe:348
%original file name%.exe:716
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\mfxixue.bat (100 bytes)
%WinDir%\Tasks\csrss.exe (6588 bytes)
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.data | 4096 | 30860 | 31232 | 3.55926 | da1c74784cfc6198e25b4ea067a912fc |
.rsrc | 36864 | 15968 | 16384 | 2.42805 | 96ac4b5d94006166b95fb41089ee6d8a |
Dropped from:
694f3f0898be7a43b2138e315c6f37d8
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 2
694f3f0898be7a43b2138e315c6f37d8
40a9b037451bb6b42529e3faf5509461
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
csrss.exe_260:
.data
.rsrc
VVV.hacker-sky.cn
recycle.{645FF040-5081-101B-9F08-00AA002F954E}\GHOSTBAK.exe
hXXp://VVV.54br.cn/arp.exe
hXXp://VVV.54br.cn/wincap.exe
hXXp://VVV.54br.cn/ct.asp
hXXp://VVV.54br.cn/updatexixue.txt
hXXp://VVV.54br.cn/mm.exe
c:\_default.pif
SOFTWARE\Microsoft\Active Setup\Installed Components\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}
FWMon.exe
del "%s"
start %s
c:\mfxixue.bat
%WinDir%\Tasks
AST.exe
360tray.exe
ast.exe
windows
hXXp://VVV.microsoft.com
autorun.inf
\GHOSTBAK.exe
recycle.{645FF040-5081-101B-9F08-00AA002F954E}
%s -idx 0 -ip %s -port 80 -insert "%s"
%s\arps.com
%d.%d.%d.2-%d.%d.%d.255
\wincap.exe
\arps.com
%d.%d.%d.%d
1314520
5201314
12345678
password
at \\%s %d:%d %s
F:\hackshen.exe
\\%s\F$\hackshen.exe
E:\hackshen.exe
\\%s\E$\hackshen.exe
D:\hackshen.exe
\\%s\D$\hackshen.exe
C:\hackshen.exe
\\%s\C$\hackshen.exe
\\%s\admin$\hackshen.exe
\\%s\ipc$
mpr.dll
VVV.54br.cn/1.exe
hXXp://VVV.bangsheng-adv.com/eyes4.exe
%s?mac=%s&ver=2.2
windows config
\mfxixue.ini
%s -ep a "%s" %s
\WinRAR\Rar.exe
\meupdate.ini
127.0.0.0 360.qihoo.com
127.0.0.1 qihoo.com
127.0.0.1 VVV.qihoo.com
127.0.0.1 VVV.qihoo.cn
127.0.0.1 124.40.51.17
127.0.0.1 58.17.236.92
127.0.0.1 VVV.kaspersky.com
127.0.0.1 60.210.176.251
127.0.0.1 VVV.cnnod32.cn
127.0.0.1 VVV.lanniao.org
127.0.0.1 VVV.nod32club.com
127.0.0.1 VVV.dswlab.com
127.0.0.1 bbs.sucop.com
127.0.0.1 VVV.virustotal.com
127.0.0.1 tool.ikaka.com
127.0.0.1 VVV.jiangmin.com
127.0.0.1 VVV.duba.net
127.0.0.1 VVV.eset.com.cn
127.0.0.1 VVV.nod32.com
127.0.0.1 shadu.duba.net
127.0.0.1 union.kingsoft.com
127.0.0.1 VVV.kaspersky.com.cn
127.0.0.1 kaspersky.com.cn
127.0.0.1 virustotal.com
127.0.0.1 VVV.360.cn
127.0.0.1 VVV.360safe.cn
127.0.0.1 VVV.360safe.com
127.0.0.1 VVV.chinakv.com
127.0.0.1 VVV.rising.com.cn
127.0.0.1 rising.com.cn
127.0.0.1 dl.jiangmin.com
127.0.0.1 jiangmin.com
\svchost.exe
ntdll.dll
Set rs=createObject("Wscript.shell")
rs.run "%%windir%%\Tasks\csrss.exe",0
\Tasks\hackshen.vbs
SOFTWARE\Microsoft\Windows Script Host\Settings
%windir%\Tasks\hackshen.vbs
%Documents and Settings%
%WinDir%
%s\%s
%s\*.*
\Tasks\wsock32.dll
\wsock32.dll
%System%\arps.com
%System%\wincap.exe
%System%
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\5EWpIZ4vgl.pif
%WinDir%\Tasks\
%WinDir%\Tasks\csrss.exe
WinExec
GetWindowsDirectoryA
KERNEL32.dll
EnumChildWindows
keybd_event
USER32.dll
RegDeleteKeyA
RegCloseKey
RegCreateKeyA
ADVAPI32.dll
MSVCRT.dll
InternetOpenUrlA
WININET.dll
WS2_32.dll
.reloc
%s\%s.pif
getservbyport
socket(af:%d,type:%d,proto:%d) rc=%d
WSAAsyncSelect(s=%d,hWnd,wMsg=%d,lEvent=%ld),rc=%d
connect,ip=%s:%d socket=%d
WSAGetLastError %d
inet_addr(%s)
getsockname(addr:%s,port:%d)
gethostbyname(hostname:%s)
gethostbyname(hostname:%s,addr:%s)
gethostname(hostname:%s)
accept,ip=%s:%d socket=%d
WSASetLastError(%d)
WSARecvEx(len=%d,buf:%s)
WSSSh8
URLDownloadToFileA
urlmon.dll
wsock32.dll
rcmd
rexec
rresvport
WSAAsyncGetServByPort