Gen.Variant.Mikey.10993_c3199e6062 – Adaware

Dynamic Analysis

Payload

Behaviour	Description
EmailWorm	Worm can send e-mails.

Process activity

The Trojan creates the following process(es):No processes have been created.The Trojan injects its code into the following process(es):

%original file name%.exe:1332

Mutexes

The following mutexes were created/opened:

CTF.TMD.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.Layouts.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.Asm.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.Compart.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.LBES.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003ZonesLockedCacheCounterMutexZonesCacheCounterMutexZonesCounterMutexWininetProxyRegistryMutexWininetConnectionMutexWininetStartupMutexc:!documents and settings!adm!local settings!history!history.ie5!c:!documents and settings!adm!cookies!c:!documents and settings!adm!local settings!temporary internet files!content.ie5!_!MSFTHISTORY!_RasPbFileShimCacheMutex

File activity

The process %original file name%.exe:1332 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\qlogin[1].htm (897 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\xui[1].js (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\icons[1].gif (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)

Registry activity

The process %original file name%.exe:1332 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 48 09 44 BE 2A 9C 87 EC 42 52 F8 6C 8E AD F2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\qlogin[1].htm (897 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\xui[1].js (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\icons[1].gif (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: Language Neutral

Company Name: Product Name: ?????Product Version: 1.0.0.0Legal Copyright: ?????? ????????Legal Trademarks: Original Filename: Internal Name: File Version: 1.0.0.0File Description: ?????Comments: ??????????(http://www.eyuyan.com)Language: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.data	4096	437552	438272	5.16794	99dff01e7ff4629b1b39e81ff4afed30
.rdata	442368	68046	69632	2.89351	920285cabfd0600f3b8249d93ef5bc0b
.data	512000	187496	61440	4.25007	43752c00e6af341d9d023c4dd0ae3fab
.rsrc	700416	33500	36864	3.59791	0ef646c3c025eb989e2cac38f8147249

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://ui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=0&jumpname=&ptcss=&param=u1%3Dhttp%253A%252F%252Fwww.qq.com%252Fqq2012%252FloginSuccess.htm&css=&mibao_css=&low_login=0
hxxp://imgcache.qq.com.cdngc.net/ptlogin/ver/10159/js/xui.js?v=10007	174.35.71.28
hxxp://imgcache.qq.com.cdngc.net/ptlogin/v4/style/0/images/icons.gif	174.35.71.28
hxxp://imgcache.qq.com/ptlogin/ver/10159/js/xui.js?v=10007	174.35.71.28
hxxp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=0&jumpname=&ptcss=&param=u1%3Dhttp%253A%252F%252Fwww.qq.com%252Fqq2012%252FloginSuccess.htm&css=&mibao_css=&low_login=0	163.177.72.188
hxxp://imgcache.qq.com/ptlogin/v4/style/0/images/icons.gif	174.35.71.28

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /ptlogin/ver/10159/js/xui.js?v=10007 HTTP/1.1

Accept: */*

Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=0&jumpname=&ptcss=&param=u1%3Dhttp%253A%252F%252FVVV.qq.com%252Fqq2012%252FloginSuccess.htm&css=&mibao_css=&low_login=0

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: imgcache.qq.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 31 May 2016 21:02:06 GMT

Server: PWS/8.1.36.0005

X-Px: ms h0-s1210.p11-fra ( h0-s1214.p11-fra), rf-ht h0-s1214.p11-fra ( h0-s1022.p7-icn), ht h0-s1022.p7-icn.cdngp.net

ETag: "574d2c38-21f8"

Cache-Control: max-age=600

Expires: Tue, 31 May 2016 21:07:31 GMT

Age: 276

Content-Length: 3459

Content-Type: application/x-javascript

Content-Encoding: gzip

Vary: Accept-Encoding

Last-Modified: Tue, 31 May 2016 06:16:24 GMT

Connection: keep-alive

....8,MW...Z.w.... X....,..i..qR'..........#.....w........O.i.#''.F..43..4.2.m.......s.D...E`'....0q.2..n}....2..E.g..oD$G.....=.Ca..w.j..M...F5F@.-..v...O\...z.@...f...]R.m6.....zr~u.K.8}wv.K....H5........LWj...X.\..=5.>:...:9$....S......?V.*v.....vG...`.{..t...v.....<.".N.:.(.b.G....:....:..g.............1...r.......9H..cT.._.....Z.n.p.....&...8t.0P......C....LN........._..;G.j.@s...15q.K...9......._...^....Fdbq.LI..na...p......X...F.r.....2...6.q..8..H.B....;j .......-.....fs.j.Q .......?..Kb&H........>h.|.......e>...*...H..J<.E?..Uv.,.@77W.O...C.]O...,.....Co.,.z.1*..W....j..J.\..s=...`.....*.../Dma.....t.p.0...~......1$m3...;F~>n&_f?_\}<..]^..._.&>..T.<..".S....b.......;...f...IL..E.Q...U>..P..iZ..B*V....V..../....|....&......|.....)........[l..!..N..........R=. dZ.X...x........_,...!."t.~_...-.....g!....1..S.#..J.~...p .q..q...

GET /ptlogin/v4/style/0/images/icons.gif HTTP/1.1

Accept: */*

Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=0&jumpname=&ptcss=&param=u1%3Dhttp%253A%252F%252FVVV.qq.com%252Fqq2012%252FloginSuccess.htm&css=&mibao_css=&low_login=0

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: imgcache.qq.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 31 May 2016 21:02:06 GMT

Server: PWS/8.1.36.0005

X-Px: ms h0-s1210.p11-fra ( h0-s1214.p11-fra), ht h0-s1214.p11-fra.cdngp.net

ETag: "5506987c-1ede"

Cache-Control: max-age=7200

Expires: Tue, 31 May 2016 22:03:54 GMT

Age: 3492

Content-Length: 7902

Content-Type: image/gif

Last-Modified: Mon, 16 Mar 2015 08:46:52 GMT

Connection: keep-alive

GIF89as.r.................................................^....A...................! ............B.....}....................1)-t....................j...........................................................c..>..p[E............z...........q.....u.....j.........................................Z.................b..................................................^................................!.......,....s.r.....'..........X......'...............................X.............................X......................................)....Fz%.K.1.......*\......#J.H.....3".........I.....'K.S..e..0..\).&..-m...RgO.3w..94(..F..T.t...P.J.J.*..X...*....%Fr.K....h..].....p....KWn..x....p...'..\....... ^......#K.L.....3C..w..................@...c.....k..g....v.......|....q ..{.....K...te...k..0...'....F......_.........O..............z....B.Y_:.....6.........ZP...b(a..n.!......!.8..".h..(..b.0....2.x..8....;>...@.._.D.i...&i`..q.1..PF)..P>Y..Db...\....^....Y.Y&.[..&._....o....r....l.y..|......J....j(.5$...p\..gIzV..p.....f....v.....*....j.............".....j..<........... ....k...&....6...MD m...X...8....L.....;m.........n....n........ko...................0..$....7....G,....`...< ........C ...$.l.....2.*[.2./.... ..2.7..3.;.,..<....=.-t.H..t.L....PG-..TS...Xg...(t.5...$.....I......_....p{..._....(..w.|....}..w...>.............G....W....d....w.y......].`..80 6.............n............../....o|..$..........Q..U...GF0....w...../.....o.............3 ....a..X.!A!K.....0...@......L......:......'H..Z.......

<<< skipped >>>

GET /cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=0&jumpname=&ptcss=&param=u1%3Dhttp%253A%252F%252FVVV.qq.com%252Fqq2012%252FloginSuccess.htm&css=&mibao_css=&low_login=0 HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: xui.ptlogin2.qq.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 31 May 2016 21:01:59 GMT

Content-Type: text/html

Content-Length: 5460

Connection: keep-alive

Server: QZHTTP-2.38.20

P3P: CP="CAO PSA OUR"

Cache-Control: max-age=604800

Set-Cookie: pt_local_token=708669680; PATH=/; DOMAIN=ptlogin2.qq.com;

Last-Modified: Thu, 08 Mar 2012 02:04:00 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="hXXp://VVV.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><style type="text/css">u{text-decoration:none}body{font-family:Tahoma,Verdana,Arial,......;font-size:12px;margin:0}.clear{clear:both;font-size:0;line-height:0;height:0}#login{margin:0 auto;float:none;width:320px;padding:0 0 10px 50px}.linemid{padding:10px 8px 0 30px;color:gray}.btn_select,.btn_gray{border:0;color:#2473a2;width:103px;height:28px;padding-left:2px;cursor:pointer;font-weight:bold;font-size:14px}.btn_select{background:url(hXXp://imgcache.qq.com/ptlogin/v4/style/0/images/icons.gif) no-repeat -102px -130px}.btn_gray{background:url(hXXp://imgcache.qq.com/ptlogin/v4/style/0/images/icons.gif) no-repeat -102px -225px}#login #list_uin img{padding:7px;background:url(hXXp://imgcache.qq.com/ptlogin/v4/style/0/images/icons.gif) no-repeat 0 -329px}#list_uin li{list-style:none;padding:0 0 0 28px; padding-left:12px;width:270px;word-wrap:break-word;min-height:20px;clear:both}#list_uin li input{float:left;margin-bottom:5px;width:20px}#list_uin label{margin:2px 0 0 4px;float:left;width:220px}#login p{padding:8px 15px 12px 32px;margin:0;font-size:12px;color:#535353}.x_lowLogin{padding:10px 0 0 28px;display:none}</style><script>var g_begTime=new Date();..(function(){...window.onerror = function(msg,url,line){....var reportUrl = location.protoco

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_1332:

.data

.rdata

@.data

.rsrc

t$(SSh

~%UVW

u$SShe

.gy;}

atl.dll

13348808547@163.com

smtp.163.com

2060576533@qq.com

284874056@qq.com

hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=0&jumpname=&ptcss=&param=u1%3Dhttp%253A%252F%252FVVV.qq.com%252Fqq2012%252FloginSuccess.htm&css=&mibao_css=&low_login=0

javascript:for(var C=0;C

F%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

__MSVCRT_HEAP_SELECT

user32.dll

RASAPI32.dll

GetProcessHeap

WinExec

KERNEL32.dll

GetKeyState

USER32.dll

GetViewportOrgEx

GDI32.dll

WINMM.dll

WINSPOOL.DRV

RegCloseKey

RegOpenKeyExA

ADVAPI32.dll

ShellExecuteA

SHELL32.dll

ole32.dll

OLEAUT32.dll

COMCTL32.dll

WS2_32.dll

WININET.dll

GetCPInfo

CreateDialogIndirectParamA

UnhookWindowsHookEx

SetWindowsHookExA

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

comdlg32.dll

RegCreateKeyExA

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.*)|*.*||

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

Kernel32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

out.prn

%d.%d

%d / %d

%d/%d

Bogus message code %d

(%d-%d):

%ld%c

%s

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

HELO %s

SMTP

AUTH LOGIN

LOGIN

AUTH=LOGIN

EHLO %s

Content-Type: application/octet-stream; name=%s

Content-Disposition: attachment; filename=%s

MAIL FROM:

RCPT TO:

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

zcÃ

c:\%original file name%.exe

#include "l.chs\afxres.rc" // Standard components

(*.*)

1.0.0.0

(hXXp://VVV.eyuyan.com)

%original file name%.exe_1332_rwx_00401000_0006B000:

t$(SSh

~%UVW

u$SShe

.gy;}

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps