Detections: HEUR:Trojan.Win32.StartPage (Kaspersky), Gen:Variant.Graftor.116828 (B) (Emsisoft), Gen:Variant.Strictor.67842 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: fb2b563a4437270fbd75575dd95e8d6f
SHA1: 2591b4543fffb6cd68c249dc578cb3e509f98b18
SHA256: 7713f4c574a5ee20592ae039e5cfc03027c37ebd7525d6ea03d4d92a7e31b67e
SSDeep: 24576:c7qGJdxghoZImXm3qNSQKR5 T4lXP43q63 zUcL47ilj1:cwhRlXPKHUl
Size: 1384448 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6
Company: no certificate found
Created at: 2014-11-09 15:54:26
Analyzed on: WindowsXPESX SP3 32-bit
Summary: Trojan-PSW. A Trojan program intended for stealing users' passwords.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:3756
Mutexes
The following mutexes were created/opened:
!PrivacIE!SharedMemory!Mutex
ZonesLockedCacheCounterMutex
ZoneAttributeCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
WininetConnectionMutex
WininetProxyRegistryMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
!IETld!Mutex
CTF.TimListCache.FMPDefaultS-1-5-21-796845957-1563985344-1801674531-1003MUTEX.DefaultS-1-5-21-796845957-1563985344-1801674531-1003
CTF.TMD.MutexDefaultS-1-5-21-796845957-1563985344-1801674531-1003
CTF.Layouts.MutexDefaultS-1-5-21-796845957-1563985344-1801674531-1003
CTF.Asm.MutexDefaultS-1-5-21-796845957-1563985344-1801674531-1003
CTF.Compart.MutexDefaultS-1-5-21-796845957-1563985344-1801674531-1003
CTF.LBES.MutexDefaultS-1-5-21-796845957-1563985344-1801674531-1003
RasPbFile
ShimCacheMutex
Note: all of these are standard mutexes belonging to WinINet, the Internet Explorer cache/history, the Text Services Framework (CTF.*), RAS and the application-compatibility shim cache. None of them is specific to this sample, so they are not usable as indicators.
File activity
The process %original file name%.exe:3756 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\2345_com[1].txt (13463 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\PastqvLMY.sys (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
The Trojan deletes the following file(s):
%System%\PastqvLMY.sys (0 bytes)
Registry activity
The process %original file name%.exe:3756 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Size" = "10"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\fb2b563a4437270fbd75575dd95e8d6f\DEBUG]
"Trace Level" = ""
[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"InitHits" = "100"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"
[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Enable" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Internet Explorer\International]
"W2KLpk" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED AC 14 CC 75 EB 24 19 1E 1F C5 88 51 1B 5A 87"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.lolwaigua.com/"
[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Factor" = "20"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
The Trojan modifies IE security-zone settings so that all network paths (UNCs) are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all sites that bypass the proxy server are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that all local (intranet) sites not listed in other zones are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Note: UNCAsIntranet, ProxyBypass, IntranetName and the AutoDetect value listed above are the defaults that Internet Explorer/WinINet writes the first time a process uses them, and ProxyEnable is rewritten whenever WinINet refreshes connection settings; on their own they are not evidence of tampering. The Start Page change to http://www.lolwaigua.com/ (listed above) is the one write in this section that those defaults do not explain.
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\fb2b563a4437270fbd75575dd95e8d6f\DEBUG]
"Trace Level"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\2345_com[1].txt (13463 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\PastqvLMY.sys (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: kongdao
Product Name: c
Product Version: 2.0.0.0
Legal Copyright: Microsoft???????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2.0.0.0
File Description: Microsoft Visual C
Comments: ??????????(http://www.eyuyan.com)
Language: Swedish (Sweden)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 940859 | 942080 | 4.50159 | e442ca90198c5ca1b07ec8722bb0d6a9 |
.rdata | 946176 | 313792 | 315392 | 4.48965 | 4ee4126888201141733d7cb97d31446e |
.data | 1261568 | 324586 | 90112 | 3.79659 | ee4c7dbf1403f159627138b11efff7a9 |
.rsrc | 1589248 | 29704 | 32768 | 4.06171 | 27a1d287179213980b92ff2356ce24dd |
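Added example (Python, not from the report): a check of the section table above. It recomputes what the table lets you verify by hand: that the virtual addresses are contiguous at 0x1000 alignment, that .data carries roughly 229 KB of zero-initialised data (virtual size far above raw size), that headers plus raw sizes account for the whole 1384448-byte file so there is no appended overlay, and that section entropies around 4.5 are what plain MSVC code looks like, which is why "Entropy: Not Packed" should outweigh the PEiD Armadillo/UPolyX hits, both common false positives on MSVC binaries. Header size 0x1000 and 0x1000 section alignment are assumptions inferred from the 4096-aligned raw sizes and VAs; the Shannon entropy function runs on constructed bytes, since the report gives only per-section values.

```python
"""PE section-table sanity checks (added example, not from the report)."""
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniform random bytes.
    Packed/encrypted sections typically sit above ~7.0; plain x86 code 4.5-6.5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def packing_verdict(entropy: float) -> str:
    if entropy >= 7.0:
        return 'likely packed/encrypted'
    if entropy >= 6.5:
        return 'borderline'
    return 'not packed'


# (name, virtual address, virtual size, raw size, entropy), from the table above.
SECTIONS = [
    ('.text',  4096,    940859, 942080, 4.50159),
    ('.rdata', 946176,  313792, 315392, 4.48965),
    ('.data',  1261568, 324586, 90112,  3.79659),
    ('.rsrc',  1589248, 29704,  32768,  4.06171),
]
FILE_SIZE = 1384448         # "Size" from the report summary
SECTION_ALIGNMENT = 4096    # assumed: standard 0x1000 alignment, consistent with the VAs
HEADERS_SIZE = 4096         # assumed: raw data starts at 0x1000 (raw sizes are 4096-aligned)


def align_up(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def check_layout(sections=SECTIONS, file_size=FILE_SIZE) -> dict:
    """Report VA gaps, zero-filled (bss-style) bytes per section, overlay size and verdicts."""
    findings = {'gaps': [], 'bss_bytes': {}, 'overlay': None, 'verdicts': {}}
    for i, (name, va, vsize, rsize, ent) in enumerate(sections):
        findings['verdicts'][name] = packing_verdict(ent)
        if vsize > rsize:   # more memory than file bytes: zero-filled at load time
            findings['bss_bytes'][name] = vsize - rsize
        if i + 1 < len(sections):
            expected_next = va + align_up(vsize, SECTION_ALIGNMENT)
            nxt = sections[i + 1]
            if nxt[1] != expected_next:
                findings['gaps'].append((name, nxt[0], nxt[1] - expected_next))
    # Bytes after the last section's raw data form an overlay (appended config,
    # a second stage, an Authenticode blob). Here headers + raw sizes fill the file.
    findings['overlay'] = file_size - (HEADERS_SIZE + sum(s[3] for s in sections))
    return findings


if __name__ == '__main__':
    for k, v in check_layout().items():
        print(k, v)
```

A non-zero overlay or a VA gap would be the cue to carve the file further; here both are zero, which agrees with the report's "Not Packed" and "no dropped PE files".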
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://www.2345.com/?k787008202 | 42.62.30.180 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /?k787008202 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)
Host: VVV.2345.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 16 Dec 2014 11:26:18 GMT
Server: Apache
Last-Modified: Tue, 16 Dec 2014 10:30:27 GMT
ETag: "1cc70-50a52d8f3b6c0"
Accept-Ranges: bytes
Cache-Control: max-age=21600
Expires: Tue, 16 Dec 2014 17:26:18 GMT
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 32151
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=gb2312
(gzip-compressed HTML response body, 32151 bytes, binary, not shown)
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_3756:
.text
`.rdata
@.data
.rsrc
t$(SSh
~%UVW
u$SShe
gdiplus.dll
kernel32.dll
GdiPlus.dll
user32.dll
Kernel32.dll
Ole32.dll
User32.dll
atl.dll
wininet.dll
gdi32.dll
Gdi32.dll
dwmapi.dll
Gdiplus.dll
ole32.dll
shell32.dll
ntdll.dll
advapi32.dll
GetProcessHeap
ShellExecuteA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
MsgWaitForMultipleObjects
EnumWindows
GetAsyncKeyState
GdipGetStringFormatHotkeyPrefix
GdipSetStringFormatHotkeyPrefix
10/05/12
\.YVV
Ã[H
L
@.tmp
hXXp://VVV.lolwaigua.com/
iTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?> j
.ve*s
5\]HKEY
ey.vjX
>.So~
VJÞ
Ãj[*
" id="W5M0MpCehiHzreSzNTczkc9d"?> 4
" id="W5M0MpCehiHzreSzNTczkc9d"?> }
.IDATx
R.iGo
\espi.tmp
\ESPI11.dll
ESPI11.dll
rez\rf068.rez
rez\rf002.rez
rez\rf004.rez.b
rez\rf004.rez
rez\rf916.rez
rez\rf016.rez
BugTrap2.dll
BugTrap.dll
CShell.dll.yx
CShell.dll
\cfyuexia.ms.patch
\cfyuexia.ms.patch.1
\cfyuexia.ms.patch.2
\cfyuexia.ms.patch.3
\cfyuexia.ms.patch.4
\cfyuexia.ms.patch.5
\cfyuexia.ms.patch.6
\cfyuexia.ms.patch.7
hXXp://cfdl.qq.com/crossfire/version_chn_
hXXp://cfdl.qq.com/crossfire/verifier_chn_
.\cfyuexia\crossfire\cfxml2.htm
hXXp://cfdl.qq.com/crossfire/cfxml2.htm
.\cfyuexia\crossfire\version_chn_99.ini
hXXp://cfdl.qq.com/crossfire/version_chn_99.ini
.\cfyuexia\crossfire\cfxml3.htm
hXXp://cfdl.qq.com/crossfire/verifier_chn_99.ini
.\cfyuexia\crossfire\verifier_chn_99.ini
\xl.tmp
hXXps://
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
hXXp://
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
127.0.0.1 cfdl.qq.com
The requested URL [
HTTP/1.1 404 Not Found
HTTP/1.1 200 OK
TCLS\Client.exe
crossfire.exe
WScript.Shell
HotKey
WindowStyle
.reloc
hXXp://VVV.kongdaots.com\\
hXXp://VVV.kongdaots.com
C:\Windows\services.exe
MFC42.DLL
MSVCRT.dll
_acmdln
WinExec
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
WS2_32.dll
iphlpapi.dll
%%%c%c%%%c%c
self.location=
%s %s%s %s
User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)
Host: %s
jdfwkey
%s %s %s
%s %s:%d
%s %s
User-Agent:Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.0; MyIE 3.01)
HTTP/1.1
GET %s HTTP/1.1
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
%d.%d.%d.%d
%d Mbps
%d Gbps
%u MB
%d*%u%s
SOFTWARE\Microsoft\Windows NT\CurrentVersion
118.123.19.76:8080
urlmon.dll
RegCreateKeyExA
C:\Users\Administrator\Desktop\
MFC Test\Test Mfc\Release\Cache.pdb
hXXp://VVV.lolwaigua.com/images/xg.png
hXXp://VVV.lolwaigua.com/
hXXp://VVV.lolwaigua.com/images/toushi.png S4
hXXp://VVV.kongdaots.com/
hXXp://VVV.kongdaots.com/ver.js
Ex_DirectUI_MsgBox
07/08/13
09/27/12
iexplore.exe
C:\Windows\KINSTALLERS_66_45113.exe
hXXp://VVV.123woz.com/KINSTALLERS_66_45113.exe
:125564297@qq.com
&keyindex=9&pt_aid=549000912&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone
&clientkey=
hXXp://ptlogin2.qq.com/jump?clientuin=
hXXp://qzs.qq.com/qzone/v5/loginsucc.html?para=izone
skey
&secverifykey=28Q12062209183668_2209183668
">
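The strings dump is where this sample's real indicators live: defanged URLs on lolwaigua.com, kongdaots.com, 123woz.com and qq.com, a hardcoded 118.123.19.76:8080, a hosts-file-style line "127.0.0.1 cfdl.qq.com" that would null-route the CrossFire update server (a capability not exercised in this run, since the HOSTS section above reports no change), an executable named services.exe directly under C:\Windows rather than System32, and printf-style User-Agent templates that are not literal indicators. The following Python is an added example, not part of the Lavasoft report: it refangs the report's hXXp:// and VVV. conventions and sorts a constructed subset of the dump into those buckets. The regular expressions and the "exe directly under the Windows directory" heuristic are the author's assumptions, not rules from the report.

```python
"""IOC extraction from a defanged strings dump (added example, not from the report)."""
import re

# Constructed sample input: a subset of the strings dump above, verbatim.
DUMP = r'''
hXXp://VVV.lolwaigua.com/
hXXps://
hXXp://
127.0.0.1 cfdl.qq.com
hXXp://cfdl.qq.com/crossfire/version_chn_
hXXp://VVV.kongdaots.com/ver.js
C:\Windows\services.exe
118.123.19.76:8080
hXXp://VVV.123woz.com/KINSTALLERS_66_45113.exe
C:\Windows\KINSTALLERS_66_45113.exe
User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)
hXXp://ptlogin2.qq.com/jump?clientuin=
GET %s HTTP/1.1
'''


def refang(s: str) -> str:
    """Undo the report's defanging (hXXp -> http, VVV. -> www.) so indicators match logs."""
    s = re.sub(r'\bhXXp(s?)://', r'http\1://', s)
    return re.sub(r'(?<=://)VVV\.', 'www.', s)


URL_RE = re.compile(r'https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})(/[^\s"]*)?')
HOSTS_RE = re.compile(r'^(127\.0\.0\.1|0\.0\.0\.0)\s+([A-Za-z0-9.-]+\.[A-Za-z]{2,})$')
IPPORT_RE = re.compile(r'^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$')
# Heuristic: an .exe directly under C:\Windows (not System32) is worth a look;
# a services.exe there masquerades as the genuine System32\services.exe.
WINDIR_EXE_RE = re.compile(r'^C:\\Windows\\[^\\]+\.exe$', re.IGNORECASE)
FORMAT_SPECIFIER_RE = re.compile(r'%[sdu]')


def extract_iocs(dump: str) -> dict:
    iocs = {'domains': set(), 'urls': set(), 'hosts_redirects': [],
            'ip_ports': set(), 'suspicious_paths': set(), 'templates': []}
    for raw in dump.splitlines():
        line = refang(raw.strip())
        if not line:
            continue
        if FORMAT_SPECIFIER_RE.search(line):
            iocs['templates'].append(line)   # printf templates, filled in at runtime
            continue
        m = HOSTS_RE.match(line)
        if m:                                # hosts-file entry: (domain, sinkhole address)
            iocs['hosts_redirects'].append((m.group(2), m.group(1)))
            iocs['domains'].add(m.group(2))
            continue
        m = IPPORT_RE.match(line)
        if m:
            iocs['ip_ports'].add((m.group(1), int(m.group(2))))
            continue
        if WINDIR_EXE_RE.match(line):
            iocs['suspicious_paths'].add(line)
        for m in URL_RE.finditer(line):
            iocs['domains'].add(m.group(1).lower())
            if m.group(2):
                iocs['urls'].add(m.group(0))
    return iocs


if __name__ == '__main__':
    for bucket, items in extract_iocs(DUMP).items():
        print(bucket, sorted(items))
```

The templates bucket matters as much as the others: matching "Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)" literally against proxy logs would never fire, whereas the observed request above used the sandbox's own IE 7 User-Agent.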