Skip to main content

Trojan.Crypt.EL_745aba78fa


Trojan.Win32.Patched.or (Kaspersky), Trojan.Crypt.EL (B) (Emsisoft), Trojan.Crypt.EL (AdAware), GenericAutorunWorm.YR (Lavasoft MAS)Behaviour: Trojan, Worm, WormAutorun

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 745aba78fa652fd2f84d4da0a14159b7

SHA1: f957af1ea9bcca0496b3a5f8f59feb03d0a77ec9

SHA256: 87ae62e2aa4b7de716d178f37b42d50415c9014d04a742068d85396dab5d0722

SSDeep: 768:Bo77dHrP/58ByHA/oEraNsNHPkD JIKNMWfb u:BQ7Z358KAAErO4PpIK5qu

Size: 48644 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6

Company: no certificate found

Created at: 2008-06-10 11:48:24

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

Behaviour Description
WormAutorunA worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Trojan creates the following process(es):

ipconfig.exe:348
%original file name%.exe:716

The Trojan injects its code into the following process(es):No processes have been created.

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:716 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\mfxixue.bat (100 bytes)
%WinDir%\Tasks\csrss.exe (6588 bytes)

Registry activity

The process ipconfig.exe:348 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C 6A BE E9 E3 B4 4D 70 18 93 8C 80 73 2E AA 72"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
"EventMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"

The process %original file name%.exe:716 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C 32 39 8E 1D 4B 78 CF DF BD BA 74 8C 24 7C 7D"

Dropped PE files

MD5 File path
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\bin\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\eg\IEExamples\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\eg\PerlEx\benchmarks\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\eg\PerlEx\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\eg\Windows Script Components\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\eg\Windows Script Host\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\eg\aspSamples\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\eg\cgi\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\eg\fork\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\eg\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\etc\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\Components\Windows\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\Components\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\bin\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\faq\Windows\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\faq\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\images\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\ActivePerl\DocTools\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\ActivePerl\PPM\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\ActivePerl\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\ActiveState\Config\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\ActiveState\PerlCritic\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\ActiveState\Tkx\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\ActiveState\Win32\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\ActiveState\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Algorithm\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\App\Prove\State\Result\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\App\Prove\State\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\App\Prove\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\App\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Archive\Tar\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Archive\Zip\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Archive\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Attribute\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\B\Lint\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\B\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Bit\Vector\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Bit\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Bundle\DBD\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Bundle\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\CGI\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\CPANPLUS\Backend\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\CPANPLUS\Config\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\CPANPLUS\Dist\Build\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\CPANPLUS\Dist\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\CPANPLUS\Internals\Source\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\CPANPLUS\Internals\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\CPANPLUS\Module\Author\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\CPANPLUS\Module\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\CPANPLUS\Shell\Default\Plugins\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\CPANPLUS\Shell\Default\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\CPANPLUS\Shell\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\CPANPLUS\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\CPAN\API\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\CPAN\Meta\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\CPAN\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Carp\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Class\Accessor\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Class\C3\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Class\Data\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Class\Load\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Class\MOP\Class\Immutable\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Class\MOP\Class\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Class\MOP\Method\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Class\MOP\Mixin\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Class\MOP\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Class\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Compress\Raw\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Compress\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Config\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\DBD\File\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\DBD\Gofer\Policy\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\DBD\Gofer\Transport\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\DBD\Gofer\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\DBD\ODBC\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\DBD\Oracle\Troubleshooting\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\DBD\Oracle\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\DBD\SQLite\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\DBD\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\DBI\Const\GetInfo\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\DBI\Const\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\DBI\DBD\SqlEngine\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\DBI\DBD\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\DBI\Gofer\Serializer\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\DBI\Gofer\Transport\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\DBI\Gofer\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\DBI\ProfileDumper\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\DBI\SQL\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\DBI\Util\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\DBI\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\DBM_Filter\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Data\Dump\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Data\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Date\Calc\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Date\Calendar\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Date\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Devel\NYTProf\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Devel\StackTrace\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Devel\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Digest\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Dist\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Email\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Encode\CN\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Encode\JP\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Encode\KR\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Encode\MIME\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Encode\Unicode\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\Encode\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\autodie\exception\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\autodie\wsock32.dll
fdd323db7790b0d599ae56b82fc18b1cc:\Perl\html\lib\encoding\wsock32.dll
20ad76856c5d4cf967ec4539b8740155c:\WINDOWS\Tasks\csrss.exe
fdd323db7790b0d599ae56b82fc18b1cc:\WINDOWS\Tasks\wsock32.dll
20ad76856c5d4cf967ec4539b8740155c:\WINDOWS\Tasks\ÂÌ»¯.bat

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 912 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1www.360.cn
127.0.0.1www.360safe.cn
127.0.0.1www.360safe.com
127.0.0.1www.chinakv.com
127.0.0.1www.rising.com.cn
127.0.0.1rising.com.cn
127.0.0.1dl.jiangmin.com
127.0.0.1jiangmin.com
127.0.0.1www.jiangmin.com
127.0.0.1www.duba.net
127.0.0.1www.eset.com.cn
127.0.0.1www.nod32.com
127.0.0.1shadu.duba.net
127.0.0.1union.kingsoft.com
127.0.0.1www.kaspersky.com.cn
127.0.0.1kaspersky.com.cn
127.0.0.1virustotal.com
127.0.0.1www.kaspersky.com
127.0.0.160.210.176.251
127.0.0.1www.cnnod32.cn
127.0.0.1www.lanniao.org
127.0.0.1www.nod32club.com
127.0.0.1www.dswlab.com
127.0.0.1bbs.sucop.com
127.0.0.1www.virustotal.com
127.0.0.1tool.ikaka.com
127.0.0.0360.qihoo.com
127.0.0.1qihoo.com
127.0.0.1www.qihoo.com
127.0.0.1www.qihoo.cn
127.0.0.1124.40.51.17


Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    ipconfig.exe:348
    %original file name%.exe:716

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\mfxixue.bat (100 bytes)
    %WinDir%\Tasks\csrss.exe (6588 bytes)

  4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.data409630860312323.55926da1c74784cfc6198e25b4ea067a912fc
.rsrc3686415968163842.4280596ac4b5d94006166b95fb41089ee6d8a

Dropped from:

694f3f0898be7a43b2138e315c6f37d8

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 2
694f3f0898be7a43b2138e315c6f37d8
40a9b037451bb6b42529e3faf5509461

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

csrss.exe_260:

.data

.data

.rsrc

.rsrc

VVV.hacker-sky.cn

VVV.hacker-sky.cn

recycle.{645FF040-5081-101B-9F08-00AA002F954E}\GHOSTBAK.exe

recycle.{645FF040-5081-101B-9F08-00AA002F954E}\GHOSTBAK.exe

hXXp://VVV.54br.cn/arp.exe

hXXp://VVV.54br.cn/arp.exe

hXXp://VVV.54br.cn/wincap.exe

hXXp://VVV.54br.cn/wincap.exe

hXXp://VVV.54br.cn/ct.asp

hXXp://VVV.54br.cn/ct.asp

hXXp://VVV.54br.cn/updatexixue.txt

hXXp://VVV.54br.cn/updatexixue.txt

hXXp://VVV.54br.cn/mm.exe

hXXp://VVV.54br.cn/mm.exe

c:\_default.pif

c:\_default.pif

SOFTWARE\Microsoft\Active Setup\Installed Components\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}

SOFTWARE\Microsoft\Active Setup\Installed Components\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}

FWMon.exe

FWMon.exe

del "%s"

del "%s"

start %s

start %s

c:\mfxixue.bat

c:\mfxixue.bat

%WinDir%\Tasks

%WinDir%\Tasks

AST.exe

AST.exe

360tray.exe

360tray.exe

ast.exe

ast.exe

windows

windows

hXXp://VVV.microsoft.com

hXXp://VVV.microsoft.com

autorun.inf

autorun.inf

\GHOSTBAK.exe

\GHOSTBAK.exe

recycle.{645FF040-5081-101B-9F08-00AA002F954E}

recycle.{645FF040-5081-101B-9F08-00AA002F954E}

%s -idx 0 -ip %s -port 80 -insert "%s"

%s -idx 0 -ip %s -port 80 -insert "%s"

%s\arps.com

%s\arps.com

%d.%d.%d.2-%d.%d.%d.255

%d.%d.%d.2-%d.%d.%d.255

\wincap.exe

\wincap.exe

\arps.com

\arps.com

%d.%d.%d.%d

%d.%d.%d.%d

1314520

1314520

5201314

5201314

12345678

12345678

password

password

at \\%s %d:%d %s

at \\%s %d:%d %s

F:\hackshen.exe

F:\hackshen.exe

\\%s\F$\hackshen.exe

\\%s\F$\hackshen.exe

E:\hackshen.exe

E:\hackshen.exe

\\%s\E$\hackshen.exe

\\%s\E$\hackshen.exe

D:\hackshen.exe

D:\hackshen.exe

\\%s\D$\hackshen.exe

\\%s\D$\hackshen.exe

C:\hackshen.exe

C:\hackshen.exe

\\%s\C$\hackshen.exe

\\%s\C$\hackshen.exe

\\%s\admin$\hackshen.exe

\\%s\admin$\hackshen.exe

\\%s\ipc$

\\%s\ipc$

mpr.dll

mpr.dll

VVV.54br.cn/1.exe

VVV.54br.cn/1.exe

hXXp://VVV.bangsheng-adv.com/eyes4.exe

hXXp://VVV.bangsheng-adv.com/eyes4.exe

%s?mac=%s&ver=2.2

%s?mac=%s&ver=2.2

windows config

windows config

\mfxixue.ini

\mfxixue.ini

%s -ep a "%s" %s

%s -ep a "%s" %s

\WinRAR\Rar.exe

\WinRAR\Rar.exe

\meupdate.ini

\meupdate.ini

127.0.0.0 360.qihoo.com

127.0.0.0 360.qihoo.com

127.0.0.1 qihoo.com

127.0.0.1 qihoo.com

127.0.0.1 VVV.qihoo.com

127.0.0.1 VVV.qihoo.com

127.0.0.1 VVV.qihoo.cn

127.0.0.1 VVV.qihoo.cn

127.0.0.1 124.40.51.17

127.0.0.1 124.40.51.17

127.0.0.1 58.17.236.92

127.0.0.1 58.17.236.92

127.0.0.1 VVV.kaspersky.com

127.0.0.1 VVV.kaspersky.com

127.0.0.1 60.210.176.251

127.0.0.1 60.210.176.251

127.0.0.1 VVV.cnnod32.cn

127.0.0.1 VVV.cnnod32.cn

127.0.0.1 VVV.lanniao.org

127.0.0.1 VVV.lanniao.org

127.0.0.1 VVV.nod32club.com

127.0.0.1 VVV.nod32club.com

127.0.0.1 VVV.dswlab.com

127.0.0.1 VVV.dswlab.com

127.0.0.1 bbs.sucop.com

127.0.0.1 bbs.sucop.com

127.0.0.1 VVV.virustotal.com

127.0.0.1 VVV.virustotal.com

127.0.0.1 tool.ikaka.com

127.0.0.1 tool.ikaka.com

127.0.0.1 VVV.jiangmin.com

127.0.0.1 VVV.jiangmin.com

127.0.0.1 VVV.duba.net

127.0.0.1 VVV.duba.net

127.0.0.1 VVV.eset.com.cn

127.0.0.1 VVV.eset.com.cn

127.0.0.1 VVV.nod32.com

127.0.0.1 VVV.nod32.com

127.0.0.1 shadu.duba.net

127.0.0.1 shadu.duba.net

127.0.0.1 union.kingsoft.com

127.0.0.1 union.kingsoft.com

127.0.0.1 VVV.kaspersky.com.cn

127.0.0.1 VVV.kaspersky.com.cn

127.0.0.1 kaspersky.com.cn

127.0.0.1 kaspersky.com.cn

127.0.0.1 virustotal.com

127.0.0.1 virustotal.com

127.0.0.1 VVV.360.cn

127.0.0.1 VVV.360.cn

127.0.0.1 VVV.360safe.cn

127.0.0.1 VVV.360safe.cn

127.0.0.1 VVV.360safe.com

127.0.0.1 VVV.360safe.com

127.0.0.1 VVV.chinakv.com

127.0.0.1 VVV.chinakv.com

127.0.0.1 VVV.rising.com.cn

127.0.0.1 VVV.rising.com.cn

127.0.0.1 rising.com.cn

127.0.0.1 rising.com.cn

127.0.0.1 dl.jiangmin.com

127.0.0.1 dl.jiangmin.com

127.0.0.1 jiangmin.com

127.0.0.1 jiangmin.com

\svchost.exe

\svchost.exe

ntdll.dll

ntdll.dll

Set rs=createObject("Wscript.shell")

Set rs=createObject("Wscript.shell")

rs.run "%%windir%%\Tasks\csrss.exe",0

rs.run "%%windir%%\Tasks\csrss.exe",0

\Tasks\hackshen.vbs

\Tasks\hackshen.vbs

SOFTWARE\Microsoft\Windows Script Host\Settings

SOFTWARE\Microsoft\Windows Script Host\Settings

%windir%\Tasks\hackshen.vbs

%windir%\Tasks\hackshen.vbs

%Documents and Settings%

%Documents and Settings%

%WinDir%

%WinDir%

%s\%s

%s\%s

%s\*.*

%s\*.*

\Tasks\wsock32.dll

\Tasks\wsock32.dll

\wsock32.dll

\wsock32.dll

%System%\arps.com

%System%\arps.com

%System%\wincap.exe

%System%\wincap.exe

%System%

%System%

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\5EWpIZ4vgl.pif

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\5EWpIZ4vgl.pif

%WinDir%\Tasks\

%WinDir%\Tasks\

%WinDir%\Tasks\csrss.exe

%WinDir%\Tasks\csrss.exe

WinExec

WinExec

GetWindowsDirectoryA

GetWindowsDirectoryA

KERNEL32.dll

KERNEL32.dll

EnumChildWindows

EnumChildWindows

keybd_event

keybd_event

USER32.dll

USER32.dll

RegDeleteKeyA

RegDeleteKeyA

RegCloseKey

RegCloseKey

RegCreateKeyA

RegCreateKeyA

ADVAPI32.dll

ADVAPI32.dll

MSVCRT.dll

MSVCRT.dll

InternetOpenUrlA

InternetOpenUrlA

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

.reloc

.reloc

%s\%s.pif

%s\%s.pif

getservbyport

getservbyport

socket(af:%d,type:%d,proto:%d) rc=%d

socket(af:%d,type:%d,proto:%d) rc=%d

WSAAsyncSelect(s=%d,hWnd,wMsg=%d,lEvent=%ld),rc=%d

WSAAsyncSelect(s=%d,hWnd,wMsg=%d,lEvent=%ld),rc=%d

connect,ip=%s:%d socket=%d

connect,ip=%s:%d socket=%d

WSAGetLastError %d

WSAGetLastError %d

inet_addr(%s)

inet_addr(%s)

getsockname(addr:%s,port:%d)

getsockname(addr:%s,port:%d)

gethostbyname(hostname:%s)

gethostbyname(hostname:%s)

gethostbyname(hostname:%s,addr:%s)

gethostbyname(hostname:%s,addr:%s)

gethostname(hostname:%s)

gethostname(hostname:%s)

accept,ip=%s:%d socket=%d

accept,ip=%s:%d socket=%d

WSASetLastError(%d)

WSASetLastError(%d)

WSARecvEx(len=%d,buf:%s)

WSARecvEx(len=%d,buf:%s)

WSSSh8

WSSSh8

URLDownloadToFileA

URLDownloadToFileA

urlmon.dll

urlmon.dll

wsock32.dll

wsock32.dll

rcmd

rcmd

rexec

rexec

rresvport

rresvport

WSAAsyncGetServByPort

WSAAsyncGetServByPort