Susp_Dropper (Kaspersky), Dropped:Worm.Generic.245219 (B) (Emsisoft), Dropped:Worm.Generic.245219 (AdAware), Backdoor.Win32.PcClient.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Backdoor, Worm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 56b9c593a71e65951f29a483742b23ac
SHA1: a298eb83afb78aca078aa8bc84b0b657ca35d3c7
SHA256: 92c93c6abba3b6d09ddc344f3943458c86aa4efa14b6f12b8a7e4cf181be190b
SSDeep: 49152:2OnWer29dfvVrxyfRBdustaR4N3PPjun3FW8Y:2OWKKd3Vqust04tPPg8
Size: 1717248 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, MicrosoftVisualCv60SPx, UPolyXv05_v6
Company: no certificate found
Created at: 2003-03-25 09:08:18
Analyzed on: WindowsXP SP3 32-bit
Summary: Backdoor. Malware that enables a remote control of victim's machine.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Dropped creates the following process(es):
QVODÖØ~1.EXE:1756
regsvr32.exe:1136
Rundll32.exe:320
Rundll32.exe:1952
minibrowser.exe:1908
x5s32.exe:368
%original file name%.exe:1832
The Dropped injects its code into the following process(es):
QvodSetupPlus3.exe:936
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process QVODÖØ~1.EXE:1756 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%System%\syste9.dll (35 bytes)
The process regsvr32.exe:1136 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Program Files%\2c109a7d17.dat (294 bytes)
%System%\8aa20ab617.dat (13 bytes)
The process QvodSetupPlus3.exe:936 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\qd.ini (144 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\QvodSetupPlus.exe.!qd (1740037 bytes)
The process Rundll32.exe:320 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%System%\drivers\Drver.sys (6 bytes)
C:\Driver.sys (5 bytes)
%System%\syste2.dll (11 bytes)
The Dropped deletes the following file(s):
C:\Driver.sys (0 bytes)
The process Rundll32.exe:1952 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\AutoRun.vbs (109 bytes)
C:\system.exe (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\474953.tmp (4545 bytes)
C:\AutoRun.inf (73 bytes)
The process minibrowser.exe:1908 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPINGDQB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5NTS3QTJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\INL042XV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W0B1UWYR\desktop.ini (67 bytes)
The process x5s32.exe:368 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Program Files%\ȤÃÂÂæÓÎ÷\Msvcp71.dll (13536 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\SocketModule.dll (16 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\ȤÃÂÂæÃÂÂø.lnk (1 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\logo.ico (29 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\images\loading-s.gif (13 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\QvodSetupPlus3.exe (3785 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\DownLoad.dll (20 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\SkinControls.dll (6559 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\Mfc71.dll (21237 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ȤÃÂÂæÓÎ÷\ȤÃÂÂæÓÎ÷.url (49 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ȤÃÂÂæÓÎ÷\ȤÃÂÂæÓÎ÷.lnk (1 bytes)
%System%\drivers\etc\hosts (3 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\qvod.dll (15756 bytes)
%System%\qvod.dll (4185 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\hosts (3 bytes)
%Documents and Settings%\%current user%\Desktop\ȤÃÂÂæÃÂÂø.lnk (1 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\images\bg.jpg (492 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\images\platformbg.jpg (1 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\offlinel.html (518 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\offline.html (469 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\images\loading.gif (16 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\17Wan.exe (15305 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\Msvcr71.dll (8763 bytes)
%Documents and Settings%\%current user%\Desktop\ȤÃÂÂæÓÎ÷.lnk (1 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\minibrowser.exe (1574 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\ComService.dll (1568 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsl1.tmp (0 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\qvod.dll (0 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\hosts (0 bytes)
The process %original file name%.exe:1832 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\x5s32.exe (23546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\QVODÖØ~1.EXE (1568 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\x5s32.exe (0 bytes)
Registry activity
The process Rundll32.exe:320 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 91 D7 81 5C A7 B0 3D 5F 98 FB 2C 7D 52 88 4B"
The process %original file name%.exe:1832 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "69 AC C5 42 C1 0A B0 23 44 FD 04 A2 B2 27 25 DD"
To automatically run itself each time Windows is booted, the Dropped adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
Dropped PE files
| MD5 | File path |
|---|---|
| 7a4f775abb2f1c97def3e73afa2faedd | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\474953.tmp |
| 748cd3313d92ef381d204e09a0d37145 | c:\Program Files\ȤÃÂæÓÎ÷\17Wan.exe |
| 4ca946f6ea00a6922612dd17ab87e3e9 | c:\Program Files\ȤÃÂæÓÎ÷\ComService.dll |
| 674f75516ce7f19e6111ada2f274905b | c:\Program Files\ȤÃÂæÓÎ÷\DownLoad.dll |
| f35a584e947a5b401feb0fe01db4a0d7 | c:\Program Files\ȤÃÂæÓÎ÷\Mfc71.dll |
| 561fa2abb31dfa8fab762145f81667c2 | c:\Program Files\ȤÃÂæÓÎ÷\Msvcp71.dll |
| 86f1895ae8c5e8b17d99ece768a70732 | c:\Program Files\ȤÃÂæÓÎ÷\Msvcr71.dll |
| 242d9bed8e115ae06217705e0f27ffd3 | c:\Program Files\ȤÃÂæÓÎ÷\QvodSetupPlus3.exe |
| 71adc1e0e485eca9e399024536961d45 | c:\Program Files\ȤÃÂæÓÎ÷\SkinControls.dll |
| e533b5bc5a678b29664418ed7dfd25d7 | c:\Program Files\ȤÃÂæÓÎ÷\SocketModule.dll |
| cc07bff1675b25d98936bf8b62a0bc16 | c:\Program Files\ȤÃÂæÓÎ÷\minibrowser.exe |
| 1de5bb188fcc4012be969f9279db16af | c:\WINDOWS\system32\drivers\Drver.sys |
| b0ae386171f45cb35639111012237a40 | c:\WINDOWS\system32\qvod.dll |
| 498f237e682209db04427da65dec44ac | c:\WINDOWS\system32\syste2.dll |
| d168ded5760a83c1ef58f6120239e224 | c:\WINDOWS\system32\syste9.dll |
| caf0a8a50c71ae2cabc03e9bb1745e41 | c:\WINDOWS\system32\system.exe |
| caf0a8a50c71ae2cabc03e9bb1745e41 | c:\system.exe |
HOSTS file anomalies
The Dropped modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 3957 bytes in size. The following strings are added to the hosts file listed below:
| 222.189.239.213 | www.hao123.com |
| 222.189.239.213 | ma.baidu.com |
| 222.189.239.213 | www.4399.com |
| 222.189.239.213 | www.9348.cn |
| 222.189.239.213 | www.7k7k.com |
| 222.189.239.213 | www.kaixin001.com |
| 222.189.239.213 | www.readnovel.com |
| 222.189.239.213 | www.7999.com |
| 222.189.239.213 | www.zhaodao123.com |
| 222.189.239.213 | www.2345.com |
| 222.189.239.213 | hao.360.cn |
| 222.189.239.213 | www.xunlei.com |
| 222.189.239.213 | www.dd360.com |
| 222.189.239.213 | hao123.com |
| 222.189.239.213 | www.265.com |
| 222.189.239.213 | www.1616.net |
| 222.189.239.213 | www.qqjia.com |
| 222.189.239.213 | www.9ku.com |
| 222.189.239.213 | www.zhulang.com |
| 222.189.239.213 | www.51mole.com |
| 222.189.239.213 | xiaonei.com |
| 222.189.239.213 | www.duowan.com |
| 222.189.239.213 | www.cococ.com |
| 222.189.239.213 | www.i4455.com |
| 222.189.239.213 | www.hao123.cn |
| 222.189.239.213 | www.5566.net |
| 222.189.239.213 | www.9991.com |
| 222.189.239.213 | text-ad.qvod.com |
| 222.189.239.213 | abc.qq.com |
| 222.189.239.213 | site.baidu,com |
| 222.189.239.213 | www.kuku123.com |
| 222.189.239.213 | www.v2233.com |
| 222.189.239.213 | www.hao222.com |
| 222.189.239.213 | www.go2000.cn |
| 222.189.239.213 | www.163.com |
| 222.189.239.213 | www.sina.com |
| 222.189.239.213 | www.sina.com.cn |
| 222.189.239.213 | www.sohu.com |
| 222.189.239.213 | www.kk8000.com |
| 222.189.239.213 | www.th123.com |
| 222.189.239.213 | www.tt98.com |
| 222.189.239.213 | www.1166.com |
| 222.189.239.213 | www.6700.cn |
| 222.189.239.213 | www.7345.com |
| 222.189.239.213 | daohang.google.cn |
| 222.189.239.213 | www.369.com |
| 222.189.239.213 | www.haokan123.com |
| 222.189.239.213 | www.qq5.com |
| 222.189.239.213 | www.568.com |
| 222.189.238.40 | mag.xunlei.com |
| 222.189.238.40 | www.yxnpc.com |
| 222.189.238.40 | bbs1.qq.com |
| 222.189.238.40 | www2.im.alisoft.com |
| 222.189.238.40 | minigame.qq.com |
| 222.189.238.40 | ic.qzone.qq.com |
| 222.189.238.40 | adsview.qq.com |
| 222.189.238.40 | adsfile.qq.com |
| 222.189.238.40 | adsclick.qq.com |
| 222.189.238.40 | music.qq.com |
| 222.189.238.40 | hallcenter.ourgame.com |
| 222.189.238.40 | minix.soso.com |
| 222.189.239.213 | www.97398.com |
| 222.189.239.213 | www.7241.cn |
| 222.189.239.213 | www.365j.com |
| 222.189.239.213 | www.1188.com |
| 222.189.239.213 | www.114la.com |
| 222.189.239.213 | www.1122.com |
| 222.189.239.213 | www.265h.com |
| 222.189.239.213 | www.9223.com |
| 222.189.239.213 | 5snow.com |
| 222.189.239.213 | www.hao123.net |
| 222.189.239.213 | www.kz189.com |
| 222.189.239.213 | www.537.com |
| 222.189.239.213 | www.930930.com |
| 222.189.239.213 | www.6655.com |
| 222.189.239.213 | www.6661.net |
| 222.189.239.213 | vid.atm.youku.com |
| 222.189.239.213 | sina.allyes.com |
| 222.189.239.213 | freeadp.tensynad.com |
| 222.189.239.213 | sohu.ad-plus.cn |
| 222.189.239.213 | cknum.sandai.net |
| 222.189.239.213 | 123.sogou.com |
| 222.189.239.213 | www.9249.com |
| 222.189.239.213 | www.4135.com |
| 222.189.239.213 | www.8420.cn |
| 222.189.239.213 | www.go2000.com |
| 222.189.239.213 | www.99499.com |
| 222.189.239.213 | www.i8866.com |
| 222.189.239.213 | www.hh361.com |
| 222.189.239.213 | daohang.118114.cn |
| 222.189.239.213 | www.7241.cn |
| 222.189.239.213 | www.5060.cn |
| 222.189.239.213 | www.37021.com |
| 222.189.239.213 | www.521521.com |
| 222.189.239.213 | www.jjol.cn |
| 222.189.239.213 | www.baimin.com |
| 222.189.239.213 | www.wu123.com |
| 222.189.239.213 | www.200.net |
| 222.189.239.213 | ring.kugou.com |
| 222.189.239.213 | image5.kugou.com |
| 222.189.239.213 | links.kugoo.com |
| 222.189.239.213 | comment.ku6.com |
Rootkit activity
The Dropped installs the following kernel-mode hooks:
ZwCreateProcessEx
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
QVODÖØ~1.EXE:1756
regsvr32.exe:1136
Rundll32.exe:320
Rundll32.exe:1952
minibrowser.exe:1908
x5s32.exe:368
%original file name%.exe:1832 - Delete the original Dropped file.
- Delete or disinfect the following files created/modified by the Dropped:
%System%\syste9.dll (35 bytes)
%Program Files%\2c109a7d17.dat (294 bytes)
%System%\8aa20ab617.dat (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qd.ini (144 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\QvodSetupPlus.exe.!qd (1740037 bytes)
%System%\drivers\Drver.sys (6 bytes)
C:\Driver.sys (5 bytes)
%System%\syste2.dll (11 bytes)
C:\AutoRun.vbs (109 bytes)
C:\system.exe (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\474953.tmp (4545 bytes)
C:\AutoRun.inf (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPINGDQB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5NTS3QTJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\INL042XV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W0B1UWYR\desktop.ini (67 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\Msvcp71.dll (13536 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\SocketModule.dll (16 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\ȤÃÂÂæÃÂÂø.lnk (1 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\logo.ico (29 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\images\loading-s.gif (13 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\QvodSetupPlus3.exe (3785 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\DownLoad.dll (20 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\SkinControls.dll (6559 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\Mfc71.dll (21237 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ȤÃÂÂæÓÎ÷\ȤÃÂÂæÓÎ÷.url (49 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ȤÃÂÂæÓÎ÷\ȤÃÂÂæÓÎ÷.lnk (1 bytes)
%System%\drivers\etc\hosts (3 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\qvod.dll (15756 bytes)
%System%\qvod.dll (4185 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\hosts (3 bytes)
%Documents and Settings%\%current user%\Desktop\ȤÃÂÂæÃÂÂø.lnk (1 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\images\bg.jpg (492 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\images\platformbg.jpg (1 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\offlinel.html (518 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\offline.html (469 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\images\loading.gif (16 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\17Wan.exe (15305 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\Msvcr71.dll (8763 bytes)
%Documents and Settings%\%current user%\Desktop\ȤÃÂÂæÓÎ÷.lnk (1 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\minibrowser.exe (1574 bytes)
%Program Files%\ȤÃÂÂæÓÎ÷\ComService.dll (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\x5s32.exe (23546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\QVODÖØ~1.EXE (1568 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\" - Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Microsoft Corporation
Product Name: Microsoft(R) Windows(R) Operating System
Product Version: 6.00.3790.0
Legal Copyright: (C) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: WEXTRACT.EXE
Internal Name: Wextract
File Version: 6.00.3790.0 (srv03_rtm.030324-2048)
File Description: Win32 Cabinet Self-Extractor
Comments:
Language: English (United States)
Company Name: Microsoft CorporationProduct Name: Microsoft(R) Windows(R) Operating SystemProduct Version: 6.00.3790.0Legal Copyright: (C) Microsoft Corporation. All rights reserved.Legal Trademarks: Original Filename: WEXTRACT.EXE Internal Name: Wextract File Version: 6.00.3790.0 (srv03_rtm.030324-2048)File Description: Win32 Cabinet Self-Extractor Comments: Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 36724 | 36864 | 4.58776 | 73496f9f311f72c1541cbbb3b311f2d4 |
| .data | 40960 | 7148 | 1024 | 2.94452 | b67e6b028734fe3692a3080d8ebfe3b1 |
| .rsrc | 49152 | 1679360 | 1678336 | 5.54194 | 3b9c0a608ee4b9e024c5e23643412a65 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
| URL | IP |
|---|---|
| hxxp://b2.st.dns.kuaibo.com/qd.jpg | |
| hxxp://b2.st.dns.kuaibo.com/QvodSetupPlus5_5.0.72_for_35.exe | |
| hxxp://qd.qvod.com/QvodSetupPlus5_5.0.72_for_35.exe | 115.231.216.36 |
| hxxp://update.qvod.com/qd.jpg | 115.231.216.36 |
| agent.qvod.com | 222.186.3.142 |
| stun.qvod.com | 115.231.216.13 |
| track.qvod.com | 222.186.3.165 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /qd.jpg HTTP/1.1
Accept: application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: QvodDown
Host: update.qvod.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 16 Aug 2016 17:36:25 GMT
Content-Type: image/jpeg
Content-Length: 144
Connection: keep-alive
Server: nginx
Last-Modified: Tue, 06 Sep 2011 11:14:58 GMT
ETag: "4e6600b2-90"
Accept-Ranges: bytes
[QVODDOWN]..Name=QvodSetupPlus.exe..Hash=14109F1A7EDB0375DB868071287D19C0D1EDFA45..Httpurl=hXXp://qd.qvod.com/QvodSetupPlus5_5.0.72_for_35.exe....
GET /QvodSetupPlus5_5.0.72_for_35.exe HTTP/1.1
Accept: */*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)
Host: qd.qvod.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 16 Aug 2016 17:36:27 GMT
Content-Type: application/octet-stream
Content-Length: 28536664
Connection: keep-alive
Server: nginx
Last-Modified: Tue, 06 Sep 2011 10:48:50 GMT
ETag: "4e65fa92-1b36f58"
Accept-Ranges: bytes
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1H..u)..u)..u)...&..w)..u)...)...&..d)...6...).../..t)..Richu)..........PE..L.....:J.................\...........2.......p....@.................................@........................................s...........b...........W...............................................................p...............................text....[.......\.................. ..`.rdata.......p.......`..............@..@.data...x............r..............@....ndata...@...@...........................rsrc....b.......d...v..............@..@........................................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..X...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e..9}...Dp@........FP.VT........ M............U....M....3...3..FQ......3..NU.....M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...e....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F..
<<< skipped >>>
Map
The Dropped connects to the servers at the folowing location(s):
Strings from Dumps
Rundll32.exe_1952:
.text
.text
`.data
`.data
.rsrc
.rsrc
msvcrt.dll
msvcrt.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
GDI32.dll
GDI32.dll
USER32.dll
USER32.dll
IMAGEHLP.dll
IMAGEHLP.dll
rundll32.pdb
rundll32.pdb
.....eZXnnnnnnnnnnnn3
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
O3$dS7"%U9
.manifest
.manifest
5.1.2600.5512 (xpsp.080413-2105)
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
RUNDLL.EXE
Windows
Windows
Operating System
Operating System
5.1.2600.5512
5.1.2600.5512
YThere is not enough memory to run the file %s.
YThere is not enough memory to run the file %s.
Please close other windows and try again.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Error in %s
Missing entry:%s
Missing entry:%s
Error loading %s
Error loading %s
minibrowser.exe_1908:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
MFC42.DLL
MFC42.DLL
MSVCRT.dll
MSVCRT.dll
_acmdln
_acmdln
KERNEL32.dll
KERNEL32.dll
RegisterHotKey
RegisterHotKey
UnregisterHotKey
UnregisterHotKey
USER32.dll
USER32.dll
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
SHELL32.dll
SHELL32.dll
targeturl
targeturl
hXXp://sns.178bfg.com/minibrowser.php?url=
hXXp://sns.178bfg.com/minibrowser.php?url=
%s - %s
%s - %s
if hellocyf@gmail.com
if hellocyf@gmail.com
1, 0, 0, 1
1, 0, 0, 1
minibrowser.EXE
minibrowser.EXE
Minibrowser.Document
Minibrowser.Document
VVV.google.cn
VVV.google.cn
QvodSetupPlus3.exe_936:
`.rsrc
`.rsrc
.tTPV
.tTPV
u.hH.C
u.hH.C
FTPjK
FTPjK
FtPj;
FtPj;
F.PjRWj
F.PjRWj
u.WWj
u.WWj
u.VVj
u.VVj
__MSVCRT_HEAP_SELECT
__MSVCRT_HEAP_SELECT
Broken pipe
Broken pipe
Inappropriate I/O control operation
Inappropriate I/O control operation
Operation not permitted
Operation not permitted
user32.dll
user32.dll
portuguese-brazilian
portuguese-brazilian
GET /%s HTTP/1.1
GET /%s HTTP/1.1
Accept: application/vnd.ms-powerpoint, application/msword, */*
Accept: application/vnd.ms-powerpoint, application/msword, */*
Host: %s
Host: %s
%s (%s)
%s (%s)
Floating point (%%e, %%f, %%g, and %%G) is not supported by the WTL::CString class.
Floating point (%%e, %%f, %%g, and %%G) is not supported by the WTL::CString class.
%s %.2f GB
%s %.2f GB
%s %.2f MB
%s %.2f MB
%s %I64d KB
%s %I64d KB
%s %I64d Byte
%s %I64d Byte
Httpurl
Httpurl
hXXp://update.qvod.com/qd.jpg
hXXp://update.qvod.com/qd.jpg
%s\qd.ini
%s\qd.ini
%s\%s
%s\%s
%s_1.%s
%s_1.%s
QvodSetupPlus.exe
QvodSetupPlus.exe
hXXp://
hXXp://
QVODd2I64X
QVODd2I64X
tcp connecting limit is %d
tcp connecting limit is %d
\drivers\tcpip.sys
\drivers\tcpip.sys
stun01.sipphone.com
stun01.sipphone.com
stun.qvod.com
stun.qvod.com
61.139.219.200
61.139.219.200
track.qvod.com
track.qvod.com
TCP Port
TCP Port
61.139.219.203
61.139.219.203
221.194.134.216
221.194.134.216
agent.qvod.com
agent.qvod.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)
Range: bytes=%u-
Range: bytes=%u-
Port Restricted Nat
Port Restricted Nat
, random port
, random port
, preserves ports
, preserves ports
PWindowsFirewallAppIsEnabled failed: 0xlx
PWindowsFirewallAppIsEnabled failed: 0xlx
M-SEARCH * HTTP/1.1
M-SEARCH * HTTP/1.1
HOST: 239.255.255.250:1900
HOST: 239.255.255.250:1900
controlURL
controlURL
URLBase
URLBase
HTTP/1.1
HTTP/1.1
s:encodingStyle="hXXp://schemas.xmlsoap.org/soap/encoding/">
s:encodingStyle="hXXp://schemas.xmlsoap.org/soap/encoding/">
xmlns:s="hXXp://schemas.xmlsoap.org/soap/envelope/"
xmlns:s="hXXp://schemas.xmlsoap.org/soap/envelope/"
AddPortMapping
AddPortMapping
NewPortMappingDescription
NewPortMappingDescription
NewInternalPort
NewInternalPort
NewExternalPort
NewExternalPort
DeletePortMapping
DeletePortMapping
External NAT port in use
External NAT port in use
External NAT port in use: Too many retries
External NAT port in use: Too many retries
Port mapping not owned by this class
Port mapping not owned by this class
Error getting StaticPortMappingCollection
Error getting StaticPortMappingCollection
problem parsing Password
problem parsing Password
Password =
Password =
ipv6 not supported
ipv6 not supported
HMAC with password:
HMAC with password:
Encoding Password:
Encoding Password:
About to send msg of len
About to send msg of len
Some problem opening port/interface to send on
Some problem opening port/interface to send on
POST /service HTTP/1.1
POST /service HTTP/1.1
Content-Length: %d
Content-Length: %d
Host: %s:%d
Host: %s:%d
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;)
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;)
127.0.0.1
127.0.0.1
recv %d
recv %d
Opened port
Opened port
Port
Port
for receiving UDP is in use
for receiving UDP is in use
Could not bind UDP receive port
Could not bind UDP receive port
Could not create a UDP socket:
Could not create a UDP socket:
err EAFNOSUPPORT in send
err EAFNOSUPPORT in send
zcÃ
zcÃ
%Program Files%\
%Program Files%\
\QvodSetupPlus3.exe
\QvodSetupPlus3.exe
GetCPInfo
GetCPInfo
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.MNe|
@.MNe|
version="5.1.0.0"
version="5.1.0.0"
name="test.exe"/>
name="test.exe"/>
name="Microsoft.Windows.Common-Controls"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
publicKeyToken="6595b64144ccf1df"
KERNEL32.DLL
KERNEL32.DLL
COMCTL32.dll
COMCTL32.dll
GDI32.dll
GDI32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
SHELL32.dll
SHELL32.dll
USER32.dll
USER32.dll
VERSION.dll
VERSION.dll
WS2_32.dll
WS2_32.dll
.torrent
.torrent
: %d K/S
: %d K/S
%s ...
%s ...
%s...
%s...
3, 0, 0, 0
3, 0, 0, 0
QvodInstall.exe
QvodInstall.exe
QvodSetupPlus3.exe_936_rwx_00401000_0004A000:
.tTPV
.tTPV
u.hH.C
u.hH.C
FTPjK
FTPjK
FtPj;
FtPj;
F.PjRWj
F.PjRWj
u.WWj
u.WWj
u.VVj
u.VVj
__MSVCRT_HEAP_SELECT
__MSVCRT_HEAP_SELECT
Broken pipe
Broken pipe
Inappropriate I/O control operation
Inappropriate I/O control operation
Operation not permitted
Operation not permitted
user32.dll
user32.dll
portuguese-brazilian
portuguese-brazilian
GET /%s HTTP/1.1
GET /%s HTTP/1.1
Accept: application/vnd.ms-powerpoint, application/msword, */*
Accept: application/vnd.ms-powerpoint, application/msword, */*
Host: %s
Host: %s
%s (%s)
%s (%s)
Floating point (%%e, %%f, %%g, and %%G) is not supported by the WTL::CString class.
Floating point (%%e, %%f, %%g, and %%G) is not supported by the WTL::CString class.
%s %.2f GB
%s %.2f GB
%s %.2f MB
%s %.2f MB
%s %I64d KB
%s %I64d KB
%s %I64d Byte
%s %I64d Byte
Httpurl
Httpurl
hXXp://update.qvod.com/qd.jpg
hXXp://update.qvod.com/qd.jpg
%s\qd.ini
%s\qd.ini
%s\%s
%s\%s
%s_1.%s
%s_1.%s
QvodSetupPlus.exe
QvodSetupPlus.exe
hXXp://
hXXp://
QVODd2I64X
QVODd2I64X
tcp connecting limit is %d
tcp connecting limit is %d
\drivers\tcpip.sys
\drivers\tcpip.sys
stun01.sipphone.com
stun01.sipphone.com
stun.qvod.com
stun.qvod.com
61.139.219.200
61.139.219.200
track.qvod.com
track.qvod.com
TCP Port
TCP Port
61.139.219.203
61.139.219.203
221.194.134.216
221.194.134.216
agent.qvod.com
agent.qvod.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)
Range: bytes=%u-
Range: bytes=%u-
Port Restricted Nat
Port Restricted Nat
, random port
, random port
, preserves ports
, preserves ports
PWindowsFirewallAppIsEnabled failed: 0xlx
PWindowsFirewallAppIsEnabled failed: 0xlx
M-SEARCH * HTTP/1.1
M-SEARCH * HTTP/1.1
HOST: 239.255.255.250:1900
HOST: 239.255.255.250:1900
controlURL
controlURL
URLBase
URLBase
HTTP/1.1
HTTP/1.1
s:encodingStyle="hXXp://schemas.xmlsoap.org/soap/encoding/">
s:encodingStyle="hXXp://schemas.xmlsoap.org/soap/encoding/">
xmlns:s="hXXp://schemas.xmlsoap.org/soap/envelope/"
xmlns:s="hXXp://schemas.xmlsoap.org/soap/envelope/"
AddPortMapping
AddPortMapping
NewPortMappingDescription
NewPortMappingDescription
NewInternalPort
NewInternalPort
NewExternalPort
NewExternalPort
DeletePortMapping
DeletePortMapping
External NAT port in use
External NAT port in use
External NAT port in use: Too many retries
External NAT port in use: Too many retries
Port mapping not owned by this class
Port mapping not owned by this class
Error getting StaticPortMappingCollection
Error getting StaticPortMappingCollection
problem parsing Password
problem parsing Password
Password =
Password =
ipv6 not supported
ipv6 not supported
HMAC with password:
HMAC with password:
Encoding Password:
Encoding Password:
About to send msg of len
About to send msg of len
Some problem opening port/interface to send on
Some problem opening port/interface to send on
POST /service HTTP/1.1
POST /service HTTP/1.1
Content-Length: %d
Content-Length: %d
Host: %s:%d
Host: %s:%d
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;)
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;)
127.0.0.1
127.0.0.1
recv %d
recv %d
Opened port
Opened port
Port
Port
for receiving UDP is in use
for receiving UDP is in use
Could not bind UDP receive port
Could not bind UDP receive port
Could not create a UDP socket:
Could not create a UDP socket:
err EAFNOSUPPORT in send
err EAFNOSUPPORT in send
zcÃ
zcÃ
%Program Files%\
%Program Files%\
\QvodSetupPlus3.exe
\QvodSetupPlus3.exe
GetCPInfo
GetCPInfo
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
.torrent
.torrent
: %d K/S
: %d K/S
%s ...
%s ...
%s...
%s...