DeepScan.Generic.Malware.SBVQg.A3B7958E_dfde49d04a – Adaware

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The DeepScan creates the following process(es):

comine.exe:1948
ping.exe:968
%original file name%.exe:1812
seo5266.exe:1108
awx5266.exe:1188
dh5266.exe:524
cccccc.exe:844
ll5266.exe:840

The DeepScan injects its code into the following process(es):

conime5266.exe:260
spolsv.exe:196

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process spolsv.exe:196 makes changes in the file system.

The DeepScan creates and/or writes to the following file(s):

%WinDir%\Help\dh5266.exe (3013 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\seo5266[1].exe (9917 bytes)
%WinDir%\Help\conime5266.exe (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\dh5266[1].exe (16893 bytes)
%WinDir%\Help\ll5266.exe (24 bytes)
%System%\drivers\etc\hosts (402 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ll5266[1].exe (2907 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\conime5266[1].exe (7551 bytes)
%WinDir%\Help\awx5266.exe (9995 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\awx5266[1].exe (15682 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%WinDir%\Help\seo5266.exe (2692 bytes)

The DeepScan deletes the following file(s):

%System%\drivers\etc\hosts (0 bytes)

The process %original file name%.exe:1812 makes changes in the file system.

The DeepScan creates and/or writes to the following file(s):

%WinDir%\spolsv.exe (601 bytes)

The process awx5266.exe:1188 makes changes in the file system.

The DeepScan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\iplookup[1].htm (175 bytes)

The process dh5266.exe:524 makes changes in the file system.

The DeepScan creates and/or writes to the following file(s):

The process cccccc.exe:844 makes changes in the file system.

The DeepScan creates and/or writes to the following file(s):

%Program Files%\Windows Media Player\comine.exe (61 bytes)

The DeepScan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~DF266.tmp (0 bytes)

Registry activity

The process conime5266.exe:260 makes changes in the system registry.

The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC 39 E7 45 E0 C3 26 18 9F 98 97 E4 4D C9 F9 6F"

The process comine.exe:1948 makes changes in the system registry.

The DeepScan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
"NetHood" = "%Documents and Settings%\%current user%\NetHood"
"Fonts" = "%WinDir%\Fonts"
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCR\yali]
"ID" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCR\yali]
"mac" = "fd:a4:da:fb:d2:94"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"PrintHood" = "%Documents and Settings%\%current user%\PrintHood"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"

[HKCR\yali]
"(Default)" = "daohang"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"SendTo" = "%Documents and Settings%\%current user%\SendTo"
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 21 AC 59 E0 6D 3C 00 60 50 A4 6F AD 76 E1 16"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Recent" = "%Documents and Settings%\%current user%\Recent"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"

The process ping.exe:968 makes changes in the system registry.

The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C A1 2F 16 BD DD 32 8C 06 DD 41 49 48 AB B3 F9"

The process spolsv.exe:196 makes changes in the system registry.

The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B FF D0 C5 79 9C E0 FD 22 A5 94 C6 84 24 EF B6"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The DeepScan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The DeepScan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the DeepScan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"conime" = "%WinDir%\spolsv.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The DeepScan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The DeepScan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1812 makes changes in the system registry.

The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B 39 69 E8 96 F5 8D C6 C7 C2 2C 42 CA 30 50 F4"

The process seo5266.exe:1108 makes changes in the system registry.

The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A 98 80 AE F8 97 E8 92 B1 9E 3E EA D6 AC 36 48"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

The DeepScan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The DeepScan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The DeepScan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process awx5266.exe:1188 makes changes in the system registry.

The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 7F 00 5A CA EE F5 74 62 84 A0 36 0F 44 D4 9B"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The DeepScan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The DeepScan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The DeepScan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The DeepScan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process dh5266.exe:524 makes changes in the system registry.

The DeepScan deletes the following value(s) in system registry:

The DeepScan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows"

The process cccccc.exe:844 makes changes in the system registry.

The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B A3 8B 6D 06 D8 2A 13 EC D9 83 E9 35 5E 9E DC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Windows Media Player]
"comine.exe" = "comine"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The DeepScan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The DeepScan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The DeepScan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the DeepScan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows" = "%Program Files%\Windows Media Player\comine.exe"

The process ll5266.exe:840 makes changes in the system registry.

The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 DC 6F 89 2A EC E1 6A 0A 06 9E 3D 36 80 A8 D8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

Dropped PE files

MD5	File path
57a20c291ac47a75e0274d52a2aab36b	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\conime5266[1].exe
433a350a9c531e431fe5ffa91e3c0d3c	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ll5266[1].exe
e415565ea9d7f3936c07aee187396f26	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\awx5266[1].exe
391545ec6af518ed54a155b5e544c8c8	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\dh5266[1].exe
e6fdd746e4d611e4d41f8a1504577768	c:\Program Files\Windows Media Player\comine.exe
e415565ea9d7f3936c07aee187396f26	c:\WINDOWS\Help\awx5266.exe
57a20c291ac47a75e0274d52a2aab36b	c:\WINDOWS\Help\conime5266.exe
391545ec6af518ed54a155b5e544c8c8	c:\WINDOWS\Help\dh5266.exe
433a350a9c531e431fe5ffa91e3c0d3c	c:\WINDOWS\Help\ll5266.exe

HOSTS file anomalies

The DeepScan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 402 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1	www.360.cn
127.0.0.1	www.kaspersky.com.cn
127.0.0.1	www.ijinshan.com
127.0.0.1	www.rising.com.cn
127.0.0.1	cn.trendmicro.com
127.0.0.1	www.symantec.com
127.0.0.1	sd.360.cn
127.0.0.1	www.eset.com.cn
127.0.0.1	www.avast.com
127.0.0.1	www.micropoint.com.cn
127.0.0.1	www.avira.com
127.0.0.1	www.avg.com
127.0.0.1	www.jiangmin.com
127.0.0.1	www.ggsafe.com
127.0.0.1	guanjia.qq.com

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
comine.exe:1948
ping.exe:968
%original file name%.exe:1812
seo5266.exe:1108
awx5266.exe:1188
dh5266.exe:524
cccccc.exe:844
ll5266.exe:840
Delete the original DeepScan file.
Delete or disinfect the following files created/modified by the DeepScan:
%WinDir%\Help\dh5266.exe (3013 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\seo5266[1].exe (9917 bytes)
%WinDir%\Help\conime5266.exe (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\dh5266[1].exe (16893 bytes)
%WinDir%\Help\ll5266.exe (24 bytes)
%System%\drivers\etc\hosts (402 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ll5266[1].exe (2907 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\conime5266[1].exe (7551 bytes)
%WinDir%\Help\awx5266.exe (9995 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\awx5266[1].exe (15682 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%WinDir%\Help\seo5266.exe (2692 bytes)
%WinDir%\spolsv.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\iplookup[1].htm (175 bytes)
%Program Files%\Windows Media Player\comine.exe (61 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"conime" = "%WinDir%\spolsv.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows" = "%Program Files%\Windows Media Player\comine.exe"
Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	40960	40960	4.50415	a193aee8354e1c1131872d2d0db70b6c
.rdata	45056	5028	8192	2.43557	ae167dac5cd7096a69a89a3fb1a988ed
.data	53248	49152	43906	4.19458	baac239c9d0728c6e100aa8942910c82

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://int.dpool.sina.com.cn/iplookup/iplookup.php?format=js&t=17431.14	180.149.136.250
hxxp://www.it885.com.cn/num3.html	124.248.254.82
hxxp://www.it885.com.cn/num3_51la.asp	124.248.254.82
hxxp://www.it885.com.cn/web/get_ad3.asp?type=loadall&machinename=XP1-A8A67A25&cr=yes	124.248.254.82
dk.23145.com	124.232.141.61

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /web/get_ad3.asp?type=loadall&machinename=XP1-A8A67A25&cr=yes HTTP/1.1

Accept: */*

Referer:

Accept-Language: zh-cn

UA-CPU: x86

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50215)

Host: VVV.it885.com.cn

Connection: Keep-Alive

Cookie:

HTTP/1.1 200 OK

Cache-Control: no-cache

Pragma: no-cache

Content-Length: 8

Content-Type: text/html

Expires: Sat, 07 Feb 2015 02:50:31 GMT

Server: Microsoft-IIS/7.5

Set-Cookie: ASPSESSIONIDSCTDQARB=OIBAIJGCEEOCJADDGLHPPMOG; path=/

X-Powered-By: ASP.NET

Date: Sat, 07 Feb 2015 02:51:30 GMT

No China..

GET /iplookup/iplookup.php?format=js&t=17431.14 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: int.dpool.sina.com.cn

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 07 Feb 2015 02:51:18 GMT

Content-Type: text/html; charset=UTF-8

Transfer-Encoding: chunked

Connection: close

Vary: Accept-Encoding

DPOOL_HEADER: skuld38

Content-Encoding: gzip

SINA-LB:aGEuMjE3LmczLnlmLmxiLnNpbmFub2RlLmNvbQ==

SINA-TS:ZDc5MjljY2UgMCAwIDAgMTEgMAo=

9a............5....0...W)..2..D....|.....a..4-.....^.....Z6..(8Q.(<....0..].Y,..J.~..%..0.Xz..XN]?o.|....J.......jn.k...fi.....2V.<ear..t..v..p...6}/?..........0..

GET /num3.html HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.it885.com.cn

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/html

Last-Modified: Mon, 15 Dec 2014 07:59:55 GMT

Accept-Ranges: bytes

ETag: "90466b1d3d18d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Sat, 07 Feb 2015 02:51:10 GMT

Content-Length: 37

GET /num3_51la.asp HTTP/1.1

Accept: */*

Referer: hXXp://VVV.it885.com.cn/num3.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.it885.com.cn

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: private

Content-Length: 0

Content-Type: text/html

Server: Microsoft-IIS/7.5

Set-Cookie: ASPSESSIONIDSCTDQARB=KFOPHJGCJFPNOOHOKLGFBOCN; path=/

X-Powered-By: ASP.NET

Date: Sat, 07 Feb 2015 02:51:10 GMT

GET /num3.html HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Mon, 15 Dec 2014 07:59:55 GMT

If-None-Match: "90466b1d3d18d01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.it885.com.cn

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Date: Sat, 07 Feb 2015 02:51:31 GMT

Etag: "90466b1d3d18d01:0"

....

GET /num3_51la.asp HTTP/1.1

Accept: */*

Referer: hXXp://VVV.it885.com.cn/num3.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.it885.com.cn

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: private

Content-Length: 0

Content-Type: text/html

Server: Microsoft-IIS/7.5

Set-Cookie: ASPSESSIONIDSCTDQARB=PMBAIJGCNEPJOMINHBIDLEKF; path=/

X-Powered-By: ASP.NET

Date: Sat, 07 Feb 2015 02:51:32 GMT

Map

The DeepScan connects to the servers at the folowing location(s):

Strings from Dumps

spolsv.exe_196:

.text

.rdata

@.data

__MSVCRT_HEAP_SELECT

user32.dll

WinExec

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegOpenKeyA

ADVAPI32.dll

ShellExecuteA

SHELL32.dll

InternetOpenUrlA

FindCloseUrlCache

FindNextUrlCacheEntryA

DeleteUrlCacheEntry

FindFirstUrlCacheEntryA

WININET.dll

URLDownloadToFileA

urlmon.dll

GetCPInfo

Software\Microsoft\Windows\CurrentVersion\Run

127.0.0.1 VVV.360.cn

127.0.0.1 VVV.kaspersky.com.cn

127.0.0.1 VVV.ijinshan.com

127.0.0.1 VVV.rising.com.cn

127.0.0.1 cn.trendmicro.com

127.0.0.1 VVV.symantec.com

127.0.0.1 sd.360.cn

127.0.0.1 VVV.eset.com.cn

127.0.0.1 VVV.avast.com

127.0.0.1 VVV.micropoint.com.cn

127.0.0.1 VVV.avira.com

127.0.0.1 VVV.avg.com

127.0.0.1 VVV.jiangmin.com

127.0.0.1 VVV.ggsafe.com

127.0.0.1 guanjia.qq.com

hXXp://192.253.233.21:8914/test/shua.txt

hXXp://192.253.233.21:8914/test/down.txt

%Program Files%\Internet Explorer\iexplore.exe

del "%s"

if exist "%s" goto nimei

del_.bat

hXXp://

spolsv.exe

\spolsv.exe

conime.exe

%WinDir%\spolsv.exe

spolsv.exe_196_rwx_0040D000_00001000:

Software\Microsoft\Windows\CurrentVersion\Run

127.0.0.1 VVV.360.cn

127.0.0.1 VVV.kaspersky.com.cn

127.0.0.1 VVV.ijinshan.com

127.0.0.1 VVV.rising.com.cn

127.0.0.1 cn.trendmicro.com

127.0.0.1 VVV.symantec.com

127.0.0.1 sd.360.cn

127.0.0.1 VVV.eset.com.cn

127.0.0.1 VVV.avast.com

127.0.0.1 VVV.micropoint.com.cn

127.0.0.1 VVV.avira.com

127.0.0.1 VVV.avg.com

127.0.0.1 VVV.jiangmin.com

127.0.0.1 VVV.ggsafe.com

127.0.0.1 guanjia.qq.com

hXXp://192.253.233.21:8914/test/shua.txt

hXXp://192.253.233.21:8914/test/down.txt

%Program Files%\Internet Explorer\iexplore.exe

del "%s"

if exist "%s" goto nimei

del_.bat

hXXp://

spolsv.exe

\spolsv.exe

conime.exe

spolsv.exe_196_rwx_0040F000_00003000:

%WinDir%\spolsv.exe

conime5266.exe_260:

.text

`.rdata

@.data

__MSVCRT_HEAP_SELECT

user32.dll

KERNEL32.dll

USER32.dll

RegCloseKey

RegOpenKeyExA

ADVAPI32.dll

WS2_32.dll

GetCPInfo

.rsrc

GET %s HTTP/1.1

Referer: %s

Accept-Language: %s

User-Agent: %s

Host: %s

Cookie: %s

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50215)

hXXp://192.253.234.50/toopu.png

Applications\iexplore.exe\shell\open\command

%s "%s"

hXXp://VVV.it885.com.cn/num3.html

%WinDir%\Help\conime5266.exe

comine.exe_1948:

.text

`.data

.rsrc

MSVBVM60.DLL

vb6chs.dll

d:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB

psapi.dll

kernel32.dll

NTDLL.DLL

shell32.dll

SHFileOperationA

ShellExecuteA

VBA6.DLL

1.vbp

hXXp://VVV.hao12338.com/?index

%Program Files%\Windows Media Player

%Program Files%

explorer.exe

WScript.Shell

Iexplore.exe

wscript.shell

cmd /c ping 127.0.0.1 -n 2&del

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows

%Program Files%\Windows Media Player\comine.exe

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page

%Program Files%\Internet Explorer\iexplore.exe

WindowStyle

Hotkey

serv.dat

ll5266.exe_840:

.text

`.rdata

@.data

KERNEL32.dll

EnumWindows

USER32.dll

RegCloseKey

RegOpenKeyExA

ADVAPI32.dll

WS2_32.dll

MSVCP60.dll

MSVCRT.dll

DeleteUrlCacheEntry

WININET.dll

URLDownloadToFileA

urlmon.dll

hXXp://623968.6600.org:99/3.htm

201411261939

124.232.158.160

dk.23145.com

Applications\iexplore.exe\SHELL\OPEN\COMMAND

%s?%c%c%c%c%c

%s%c%c%c%c%c.htm

124.232.141.61

seo5266.exe_1108:

.text

.data

.rsrc

.aspack

.adata

2014919

ieframe.dll

SHDocVwCtl.WebBrowser

WebBrowser

shell32.dll

ShellExecuteA

wininet.dll

RegisterHotKey

UnregisterHotKey

VBA6.DLL

%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB

!Web1

%System%\ieframe.oca

cmdStop

Webdata

cmdMana

lblURL

urlmon.dll

UrlMkSetSessionOption

user32.dll

GetWindowsDirectoryA

winmm.dll

keybd_event

MapVirtualKeyA

EnumWindows

FindFirstUrlCacheEntryA

FindNextUrlCacheEntryA

FindCloseUrlCache

DeleteUrlCacheEntryA

advapi32.dll

RegCloseKey

RegCreateKeyExA

RegOpenKeyExA

advapi32.dll

RegDeleteKeyA

vurl

MSVBVM60.DLL

kernel32.dll

The procedure entry point %s could not be located in the dynamic link library %s

The ordinal %u could not be located in the dynamic link library %s

msvbvm60.dll

@isual Studio\VB98\C2.EXE

@isual Studio\VB98\C2.EXE.Manif

@ual Studio\VB98\C2.EXE.Manifes

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

wscript.shell

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\

hXXp://60.173.26.44:6666/Getnews.asp?t=

hXXp://

window.alert=null;

window.confirm=null;

window.showModalDialog=null;

window.open=null;

hXXp://VVV.baidu.com/

hXXp://VVV.so.com/

http=

Software\Microsoft\Windows\CurrentVersion\Internet Settings\

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\

hXXp://VVV.51proxied.com/http_non_anonymous.html

8.00.0002

2014919.exe

iexplore.exe_1628:

%?9-*09,*19}*09

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

USER32.dll

SHLWAPI.dll

SHDOCVW.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess

IE-X-X

rsabase.dll

System\CurrentControlSet\Control\Windows

dw15 -x -s %u

watson.microsoft.com

IEWatsonURL

%s -h %u

iedw.exe

Iexplore.XPExceptionFilter

jscript.DLL

mshtml.dll

mlang.dll

urlmon.dll

wininet.dll

shdocvw.DLL

browseui.DLL

comctl32.DLL

IEXPLORE.EXE

iexplore.pdb

ADVAPI32.dll

MsgWaitForMultipleObjects

IExplorer.EXE

IIIIIB(II<.fg>

7?_____ZZSSH%

)z.UUUUUUUU

,....Qym

````2```

{.QLQIIIKGKGKGKGKGKG

;33;33;0

8888880

8887080

browseui.dll

shdocvw.dll

6.00.2900.5512 (xpsp.080413-2105)

Windows

Operating System

6.00.2900.5512

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps