Trojan.Dropper.Agent.UGJ (BitDefender), Worm:Win32/Regul.B (Microsoft), Trojan.Win32.Agent.bkks (Kaspersky), Trojan.Win32.Autorun.dm (v) (VIPRE), Trojan.Click2.51706 (DrWeb), Trojan.Dropper.Agent.UGJ (B) (Emsisoft), W32/Autorun.worm.dq.gen (McAfee), W32.SillyFDC (Symantec), Worm.Win32.FlyStudio (Ikarus), Trojan-Dropper:W32/Peed.gen!A (FSecure), PSW.Lineage.BWF (AVG), Win32:EvilEPL [Cryp] (Avast), WORM_FLYSTUDI.B (TrendMicro), Trojan.Dropper.Agent.UGJ (AdAware), GenericAutorunWorm.YR (Lavasoft MAS)Behaviour: Trojan-Dropper, Trojan, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 16712f67f3e02fb1dfae70d1bdebac4b
SHA1: 798835dba26fa136c58fc5dbedd47dae9323ea32
SHA256: 3335f0eda7150a95709bc836f20ce4eaedcd021533a4995eafebb8e6a50810c9
SSDeep: 24576:5itK0LJ2Jiw EAGXeniVKsg9khYCSeJdxR3RqwnjRNPCDXusLBiYXQgQ:5itKwJ2JiwBAGXhVbOQjJd7hxLC7tViX
Size: 1509591 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1972-12-25 08:33:23
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1772
XP-29C3EA36.EXE:1472
The Trojan injects its code into the following process(es):
XP-542ADE6B.EXE:1316
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process XP-542ADE6B.EXE:1316 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\¡¡¡¡¡¡.lnk (1250 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\spec.fne (73 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (196 bytes)
%System%\ul.dll (3856 bytes)
%System%\internet.fne (673 bytes)
%System%\com.run (1425 bytes)
%System%\og.EDT (2008 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (74 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\internet.fne (184 bytes)
%System%\og.dll (2728 bytes)
%System%\eAPI.fne (1425 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (788 bytes)
%System%\spec.fne (601 bytes)
%System%\krnln.fnr (7433 bytes)
%System%\dp1.fne (601 bytes)
%System%\XP-29C3EA36.EXE (7972 bytes)
%System%\shell.fne (40 bytes)
%System%\RegEx.fnr (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\RegEx.fnr (217 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[2].txt (391 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\eAPI.fne (323 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\JT3DD67Y\desktop.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1SIUOE5J\desktop.ini (0 bytes)
%System%\XP-29C3EA36.EXE (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QV8PGRID\desktop.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UL3U2C8V\desktop.ini (0 bytes)
The process %original file name%.exe:1772 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\dp1.fne (114 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\krnln.fnr (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\spec.fne (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\shell.fne (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\internet.fne (184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\com.run (270 bytes)
%System%\XP-542ADE6B.EXE (7972 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\JT3DD67Y\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1SIUOE5J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QV8PGRID\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UL3U2C8V\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\RegEx.fnr (217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\eAPI.fne (323 bytes)
The process XP-29C3EA36.EXE:1472 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\spec.fne (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes)
Registry activity
The process XP-542ADE6B.EXE:1316 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 C7 62 CC B4 2C 40 36 51 D7 74 42 2D 2B 93 4B"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Internet Explorer\TypedURLs]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:1772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 9B 5A 4B 37 DF A4 97 0A CB DC 0A F9 70 0A 57"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
The process XP-29C3EA36.EXE:1472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D E4 27 43 3C D4 E4 35 06 17 22 8E 6D 2E 8E 75"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"XP-542ADE6B" = "%System%\XP-542ADE6B.EXE"
Dropped PE files
| MD5 | File path |
|---|---|
| 895dd12a54a923789f8f1d8b66bd88e9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\RegEx.fnr |
| 95ebaae66a69f881f2fa08c71952ce72 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\com.run |
| c57939798d01772689b016fcf3eae47e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\dp1.fne |
| c23c63a788d8ca38d955f5baebef719f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\eAPI.fne |
| b0c160001c8e88f403bf03af1059bd38 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\internet.fne |
| 38dccb9d4114a3c2dd0003f6233bac77 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\krnln.fnr |
| c8208124af35856e0eba72d33620799b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\shell.fne |
| 600e6bb9bdbd8f2f19e123d8e5300718 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\spec.fne |
| 895dd12a54a923789f8f1d8b66bd88e9 | c:\WINDOWS\system32\RegEx.fnr |
| 95ebaae66a69f881f2fa08c71952ce72 | c:\WINDOWS\system32\com.run |
| c57939798d01772689b016fcf3eae47e | c:\WINDOWS\system32\dp1.fne |
| c23c63a788d8ca38d955f5baebef719f | c:\WINDOWS\system32\eAPI.fne |
| b0c160001c8e88f403bf03af1059bd38 | c:\WINDOWS\system32\internet.fne |
| 38dccb9d4114a3c2dd0003f6233bac77 | c:\WINDOWS\system32\krnln.fnr |
| c8208124af35856e0eba72d33620799b | c:\WINDOWS\system32\shell.fne |
| 600e6bb9bdbd8f2f19e123d8e5300718 | c:\WINDOWS\system32\spec.fne |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1772
XP-29C3EA36.EXE:1472 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\¡¡¡¡¡¡.lnk (1250 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\spec.fne (73 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (196 bytes)
%System%\ul.dll (3856 bytes)
%System%\internet.fne (673 bytes)
%System%\com.run (1425 bytes)
%System%\og.EDT (2008 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (74 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\internet.fne (184 bytes)
%System%\og.dll (2728 bytes)
%System%\eAPI.fne (1425 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (788 bytes)
%System%\spec.fne (601 bytes)
%System%\krnln.fnr (7433 bytes)
%System%\dp1.fne (601 bytes)
%System%\XP-29C3EA36.EXE (7972 bytes)
%System%\shell.fne (40 bytes)
%System%\RegEx.fnr (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\RegEx.fnr (217 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[2].txt (391 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\eAPI.fne (323 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\dp1.fne (114 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\krnln.fnr (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\shell.fne (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\com.run (270 bytes)
%System%\XP-542ADE6B.EXE (7972 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\JT3DD67Y\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1SIUOE5J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QV8PGRID\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UL3U2C8V\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"XP-542ADE6B" = "%System%\XP-542ADE6B.EXE" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 20924 | 24576 | 4.83196 | bbe150a2d78b00db8e24969967cc5334 |
| .rdata | 28672 | 2634 | 4096 | 2.48317 | 777ac25ec7bba2eed5c97e65e8a812c4 |
| .data | 32768 | 8024 | 8192 | 3.1859 | a435036dc64f4384cba8403e29007608 |
| .data | 40960 | 118784 | 118784 | 4.7618 | 567912e2d1b3c953806e669b1bdd6000 |
| .rsrc | 159744 | 1359872 | 1349847 | 5.53545 | c6f0e357fb886cca85f58b38c5ce7602 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
| URL | IP |
|---|---|
| hxxp://www.a.shifen.com/ | |
| hxxp://www.baidu.com/ | 115.239.211.114 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET / HTTP/1.1
User-Agent: test
Host: VVV.baidu.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Wed, 20 May 2015 21:27:08 GMT
Content-Type: text/html
Content-Length: 14613
Last-Modified: Wed, 03 Sep 2014 02:48:32 GMT
Connection: Keep-Alive
Vary: Accept-Encoding
Set-Cookie: BAIDUID=FFEBD06F0E1D361BDE36DE8596EF52C4:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BIDUPSID=FFEBD06F0E1D361BDE36DE8596EF52C4; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BDSVRTM=0; path=/
P3P: CP=" OTI DSP COR IVA OUR IND COM "
Server: BWS/1.1
X-UA-Compatible: IE=Edge,chrome=1
Pragma: no-cache
Cache-control: no-cache
BDPAGETYPE: 1
BDQID: 0xbe8f0d250013d09d
BDUSERID: 0
Accept-Ranges: bytes
<!DOCTYPE html><!--STATUS OK-->..<html>..<head>...<meta http-equiv="content-type" content="text/html;charset=utf-8">...<meta http-equiv="X-UA-Compatible" content="IE=Edge">...<link rel="dns-prefetch" href="//s1.bdstatic.com"/>...<link rel="dns-prefetch" href="//t1.baidu.com"/>...<link rel="dns-prefetch" href="//t2.baidu.com"/>...<link rel="dns-prefetch" href="//t3.baidu.com"/>...<link rel="dns-prefetch" href="//t10.baidu.com"/>...<link rel="dns-prefetch" href="//t11.baidu.com"/>...<link rel="dns-prefetch" href="//t12.baidu.com"/>...<link rel="dns-prefetch" href="//b1.bdstatic.com"/>...<title>...........................</title>...<link href="hXXp://s1.bdstatic.com/r/www/cache/static/home/css/index.css" rel="stylesheet" type="text/css" />...<!--[if lte IE 8]><style index="index" >#content{height:480px\9}#m{top:260px\9}</style><![endif]-->...<!--[if IE 8]><style index="index" >#u1 a.mnav,#u1 a.mnav:visited{font-family:simsun}</style><![endif]-->...<script>var hashMatch = document.location.href.match(/# (.*wd=[^&]. )/);if (hashMatch && hashMatch[0] && hashMatch[1]) {document.location.replace("hXXp://" location.host "/s?" hashMatch[1]);}var ns_c = function(){};</script>...<script>function h(obj){obj.style.behavior='url(#default#homepage)';var a = obj.setHomePage('//VVV.baidu.com/');}</script>...<noscript><meta http-equiv="refresh" conte
<<< skipped >>>
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
XP-542ADE6B.EXE_1316:
.text
.text
.rdata
.rdata
@.data
@.data
.data
.data
.rsrc
.rsrc
user32.dll
user32.dll
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
GetCPInfo
GetCPInfo
krnln.fne
krnln.fne
krnln.fnr
krnln.fnr
1.1.3
1.1.3
%System%\XP-542ADE6B.EXE
%System%\XP-542ADE6B.EXE
@@shdocvw.dll
@@shdocvw.dll
{8856F961-340A-11D0-A96B-00C04FD705A2}##0
{8856F961-340A-11D0-A96B-00C04FD705A2}##0
2,{34A226E0-DF30-11CF-89A9-00A0C9054129},CommandStateChangeConstants,{},{1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},OLECMDID,{},{1073741880,1073741879,1073741878,1073741877,1073741876,1073741875,1073741874,1073741873,1073741872,1073741871,1073741870,1073741869,1073741868,1073741867,1073741866,1073741865,1073741864,1073741863,1073741862,1073741861,1073741860,1073741859,1073741858,1073741857,1073741856,1073741855,1073741854,1073741853,1073741852,1073741851,1073741850,1073741849,1073741848,1073741847,1073741846,1073741845,1073741844,1073741843,1073741842,1073741841,1073741840,1073741839,1073741838,1073741837,1073741836,1073741835,1073741834,1073741833,1073741832,1073741831,1073741830,1073741829,1073741828,1073741827,1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},OLECMDF,{},{1073741829,1073741828,1073741827,1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},OLECMDEXECOPT,{},{1073741827,1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},tagREADYSTATE,{},{1073741828,1073741827,1073741826,1073741825,1073741824,},{}2,{65507BE0-91A8-11D3-A845-009027220E6D},SecureLockIconConstants,{},{1073741830,1073741829,1073741828,1073741827,1073741826,1073741825,1073741824,},{}0,{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B},WebBrowser_V1,{100,101,102,103,104,-550,105,106,200,201,202,203,},{212,211,210,209,208,207,206,205,204,},{100,101,102,108,104,105,106,107,113,200,201,204,103,109,110,111,112,}1,{8856F961-340A-11D0-A96B-00C04FD705A2},WebBrowser,{100,101,102,103,104,-550,105,106,200,201,202,203,300,301,302,303,500,501,502,503,},{556,555,554,553,552,551,550,-525,407,406,405,404,403,402,401,400,-515,0,212,211,210,209,208,207,206,205,204,},{102,108,105,106,104,113,112,250,251,252,259,253,254,255,256,257,258,260,262,264,265,266,267,263,268,269,270,271,225,226,227,272,273,}0,{0002DF01-0000-0000-C000-000000000046},InternetExplorer,{100,101,102,103,104,-550,105,106,200,201,202,203,300,301,302,303,500,501,502,503,},{556,555,554,553,552,551,550,-525,407,406,405,404,403,402,401,400,-515,0,212,211,210,209,208,207,206,205,204,},{102,108,105,106,104,113,112,250,251,252,259,253,254,255,256,257,258,260,262,264,265,266,267,263,268,269,270,271,225,226,227,272,273,}2,{F41E6981-28E5-11D0-82B4-00A0C90C29C5},ShellWindowTypeConstants,{},{1073741827,1073741826,1073741825,1073741824,},{}0,{9BA05972-F6A8-11CF-A442-00A0C90A8F39},ShellWindows,{0,-4,},{1610743808,},{200,201,}0,{64AB4BB7-111E-11D1-8F79-00C04FC2FBE1},ShellUIHelper,{4,5,6,7,8,9,10,11,13,},{},{}0,{55136805-B2DE-11D1-B9F2-00A0C98BC547},ShellNameSpace,{1,2,3,4,5,6,7,8,9,11,12,13,15,16,23,24,25,26,15,16,},{22,21,20,19,18,17,14,10,},{1,2,3,4,}0,{2F2F1F96-2BC1-4B1C-BE28-EA3774F4676A},ShellShellNameSpace,{1,2,3,4,5,6,7,8,9,11,12,13,15,16,23,24,25,26,15,16,},{22,21,20,19,18,17,14,10,},{1,2,3,4,}
2,{34A226E0-DF30-11CF-89A9-00A0C9054129},CommandStateChangeConstants,{},{1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},OLECMDID,{},{1073741880,1073741879,1073741878,1073741877,1073741876,1073741875,1073741874,1073741873,1073741872,1073741871,1073741870,1073741869,1073741868,1073741867,1073741866,1073741865,1073741864,1073741863,1073741862,1073741861,1073741860,1073741859,1073741858,1073741857,1073741856,1073741855,1073741854,1073741853,1073741852,1073741851,1073741850,1073741849,1073741848,1073741847,1073741846,1073741845,1073741844,1073741843,1073741842,1073741841,1073741840,1073741839,1073741838,1073741837,1073741836,1073741835,1073741834,1073741833,1073741832,1073741831,1073741830,1073741829,1073741828,1073741827,1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},OLECMDF,{},{1073741829,1073741828,1073741827,1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},OLECMDEXECOPT,{},{1073741827,1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},tagREADYSTATE,{},{1073741828,1073741827,1073741826,1073741825,1073741824,},{}2,{65507BE0-91A8-11D3-A845-009027220E6D},SecureLockIconConstants,{},{1073741830,1073741829,1073741828,1073741827,1073741826,1073741825,1073741824,},{}0,{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B},WebBrowser_V1,{100,101,102,103,104,-550,105,106,200,201,202,203,},{212,211,210,209,208,207,206,205,204,},{100,101,102,108,104,105,106,107,113,200,201,204,103,109,110,111,112,}1,{8856F961-340A-11D0-A96B-00C04FD705A2},WebBrowser,{100,101,102,103,104,-550,105,106,200,201,202,203,300,301,302,303,500,501,502,503,},{556,555,554,553,552,551,550,-525,407,406,405,404,403,402,401,400,-515,0,212,211,210,209,208,207,206,205,204,},{102,108,105,106,104,113,112,250,251,252,259,253,254,255,256,257,258,260,262,264,265,266,267,263,268,269,270,271,225,226,227,272,273,}0,{0002DF01-0000-0000-C000-000000000046},InternetExplorer,{100,101,102,103,104,-550,105,106,200,201,202,203,300,301,302,303,500,501,502,503,},{556,555,554,553,552,551,550,-525,407,406,405,404,403,402,401,400,-515,0,212,211,210,209,208,207,206,205,204,},{102,108,105,106,104,113,112,250,251,252,259,253,254,255,256,257,258,260,262,264,265,266,267,263,268,269,270,271,225,226,227,272,273,}2,{F41E6981-28E5-11D0-82B4-00A0C90C29C5},ShellWindowTypeConstants,{},{1073741827,1073741826,1073741825,1073741824,},{}0,{9BA05972-F6A8-11CF-A442-00A0C90A8F39},ShellWindows,{0,-4,},{1610743808,},{200,201,}0,{64AB4BB7-111E-11D1-8F79-00C04FC2FBE1},ShellUIHelper,{4,5,6,7,8,9,10,11,13,},{},{}0,{55136805-B2DE-11D1-B9F2-00A0C98BC547},ShellNameSpace,{1,2,3,4,5,6,7,8,9,11,12,13,15,16,23,24,25,26,15,16,},{22,21,20,19,18,17,14,10,},{1,2,3,4,}0,{2F2F1F96-2BC1-4B1C-BE28-EA3774F4676A},ShellShellNameSpace,{1,2,3,4,5,6,7,8,9,11,12,13,15,16,23,24,25,26,15,16,},{22,21,20,19,18,17,14,10,},{1,2,3,4,}
.cn/ul.htm
.cn/ul.htm
hXXp://VVV.
hXXp://VVV.
.com/ul.htm
.com/ul.htm
[%s%]
[%s%]
[%f%]
[%f%]
document.all('
document.all('
document.frames('
document.frames('
.value='';};catch(e){};function a(){};a();
.value='';};catch(e){};function a(){};a();
.value='
.value='
].selected=true;};catch(e){};function a(){};a();
].selected=true;};catch(e){};function a(){};a();
.options[
.options[
.checked='';};catch(e){};function a(){};a();
.checked='';};catch(e){};function a(){};a();
.checked='checked';};catch(e){};function a(){};a();
.checked='checked';};catch(e){};function a(){};a();
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Recycled.exe
Recycled.exe
ul.dll
ul.dll
og.dll
og.dll
:\autorun.inf
:\autorun.inf
shellexecute
shellexecute
OLEACC.DLL
OLEACC.DLL
keybd_event
keybd_event
WebBrowser
WebBrowser
D.mVXxZPZ
D.mVXxZPZ
V3?=%fm
V3?=%fm
%u|QR#F/j)L@
%u|QR#F/j)L@
mi
mi
KM %s
KM %s
kEY&H
kEY&H
h~L%7x
h~L%7x
5%D=D1
5%D=D1
T\P0.EF>
T\P0.EF>
.ojW.,
.ojW.,
c7j.oH
c7j.oH
{o$y %d
{o$y %d
Wo.CF
Wo.CF
{r%u]
{r%u]
u.il>
u.il>
;.dR5
;.dR5
\W.SO
\W.SO
vJ.hG
vJ.hG
H.Kf=Fd
H.Kf=Fd
zC.Aug
zC.Aug
J%fkfbG)%
J%fkfbG)%
C.sH\
C.sH\
.uJ,;
.uJ,;
-L9n.BU
-L9n.BU
?qHv`%6s
?qHv`%6s
-kKqdQ}'Z
-kKqdQ}'Z
E,LP!bp%f
E,LP!bp%f
QX%8U
QX%8U
%s]Jv
%s]Jv
;52%\#>_!
;52%\#>_!
U^.VC
U^.VC
|.MdZp
|.MdZp
| .kn)
| .kn)
^>.KQ
^>.KQ
.JCH5
.JCH5
-t.rN
-t.rN
".UEiG
".UEiG
q.SZ:
q.SZ:
O^.lz
O^.lz
.sg9^w9
.sg9^w9
p.MB
p.MB
%S3s6
%S3s6
~t.oR
~t.oR
z;.%u
z;.%u
%uI&0
%uI&0
!A}Q
!A}Q
%f.Fh
%f.Fh
@G%sBg:A
@G%sBg:A
V%dgd:W
V%dgd:W
l%.yi
l%.yi
.KM&
.KM&
$>.Vv
$>.Vv
w7%Ds
w7%Ds
-1}
-1}
.GkFG
.GkFG
|r%X^
|r%X^
%Cs4r
%Cs4r
~%fLt
~%fLt
V4.wN:
V4.wN:
ü&~E
ü&~E
E'.Jc5
E'.Jc5
Kh.NK
Kh.NK
.QvaM
.QvaM
t.kP.
t.kP.
rEr.GN
rEr.GN
-,,%fq&0>
-,,%fq&0>
.qnGg
.qnGg
tnL.Pros
tnL.Pros
%xFH[K
%xFH[K
`y.eR
`y.eR
d*.MgCJ
d*.MgCJ
aLA7.kb%
aLA7.kb%
&C-.qe
&C-.qe
4.Zj!
4.Zj!
wTô
wTô
Q.vEq
Q.vEq
&.io"
&.io"
8t.Tk
8t.Tk
.Dn?"
.Dn?"
.NN.X
.NN.X
[4!&0\.&
[4!&0\.&
T%DNy
T%DNy
:.YLec
:.YLec
OM.tV
OM.tV
.shMP
.shMP
f,.MG
f,.MG
C.ZG3
C.ZG3
qp.ew
qp.ew
"n_$.bFXnG
"n_$.bFXnG
BW.ja
BW.ja
X.RV[
X.RV[
%SWH8
%SWH8
r9|.uo
r9|.uo
B{.tQ
B{.tQ
1iS%Ft
1iS%Ft
'.Zz'
'.Zz'
.Lyp,
.Lyp,
fTp\A
fTp\A
.aMD*8
.aMD*8
UÛd
UÛd
9-%XO
9-%XO
rD-j}
rD-j}
q:.iI
q:.iI
H8%dmb^K
H8%dmb^K
LF%s#^NW
LF%s#^NW
.xFd=~P
.xFd=~P
z.dV%H
z.dV%H
kn.Mk#
kn.Mk#
22:-d7.Ih
22:-d7.Ih
.-H
.-H
#j.YY
#j.YY
|U%CI
|U%CI
%.LN
%.LN
5.hx0p#
5.hx0p#
Q%U{B
Q%U{B
D.ijv
D.ijv
bc.vE
bc.vE
bj>.*\%C
bj>.*\%C
q.gi
q.gi
]Ql.MQ
]Ql.MQ
..bI-
..bI-
.sy>I
.sy>I
\/N.Ev]S
\/N.Ev]S
\.sN0
\.sN0
.RksS
.RksS
.su}F
.su}F
.SSL.
.SSL.
f.Rf6
f.Rf6
.hatT
.hatT
XP-542ADE6B.EXE_1316_rwx_0040A000_0001D000:
@@shdocvw.dll
@@shdocvw.dll
{8856F961-340A-11D0-A96B-00C04FD705A2}##0
{8856F961-340A-11D0-A96B-00C04FD705A2}##0
2,{34A226E0-DF30-11CF-89A9-00A0C9054129},CommandStateChangeConstants,{},{1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},OLECMDID,{},{1073741880,1073741879,1073741878,1073741877,1073741876,1073741875,1073741874,1073741873,1073741872,1073741871,1073741870,1073741869,1073741868,1073741867,1073741866,1073741865,1073741864,1073741863,1073741862,1073741861,1073741860,1073741859,1073741858,1073741857,1073741856,1073741855,1073741854,1073741853,1073741852,1073741851,1073741850,1073741849,1073741848,1073741847,1073741846,1073741845,1073741844,1073741843,1073741842,1073741841,1073741840,1073741839,1073741838,1073741837,1073741836,1073741835,1073741834,1073741833,1073741832,1073741831,1073741830,1073741829,1073741828,1073741827,1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},OLECMDF,{},{1073741829,1073741828,1073741827,1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},OLECMDEXECOPT,{},{1073741827,1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},tagREADYSTATE,{},{1073741828,1073741827,1073741826,1073741825,1073741824,},{}2,{65507BE0-91A8-11D3-A845-009027220E6D},SecureLockIconConstants,{},{1073741830,1073741829,1073741828,1073741827,1073741826,1073741825,1073741824,},{}0,{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B},WebBrowser_V1,{100,101,102,103,104,-550,105,106,200,201,202,203,},{212,211,210,209,208,207,206,205,204,},{100,101,102,108,104,105,106,107,113,200,201,204,103,109,110,111,112,}1,{8856F961-340A-11D0-A96B-00C04FD705A2},WebBrowser,{100,101,102,103,104,-550,105,106,200,201,202,203,300,301,302,303,500,501,502,503,},{556,555,554,553,552,551,550,-525,407,406,405,404,403,402,401,400,-515,0,212,211,210,209,208,207,206,205,204,},{102,108,105,106,104,113,112,250,251,252,259,253,254,255,256,257,258,260,262,264,265,266,267,263,268,269,270,271,225,226,227,272,273,}0,{0002DF01-0000-0000-C000-000000000046},InternetExplorer,{100,101,102,103,104,-550,105,106,200,201,202,203,300,301,302,303,500,501,502,503,},{556,555,554,553,552,551,550,-525,407,406,405,404,403,402,401,400,-515,0,212,211,210,209,208,207,206,205,204,},{102,108,105,106,104,113,112,250,251,252,259,253,254,255,256,257,258,260,262,264,265,266,267,263,268,269,270,271,225,226,227,272,273,}2,{F41E6981-28E5-11D0-82B4-00A0C90C29C5},ShellWindowTypeConstants,{},{1073741827,1073741826,1073741825,1073741824,},{}0,{9BA05972-F6A8-11CF-A442-00A0C90A8F39},ShellWindows,{0,-4,},{1610743808,},{200,201,}0,{64AB4BB7-111E-11D1-8F79-00C04FC2FBE1},ShellUIHelper,{4,5,6,7,8,9,10,11,13,},{},{}0,{55136805-B2DE-11D1-B9F2-00A0C98BC547},ShellNameSpace,{1,2,3,4,5,6,7,8,9,11,12,13,15,16,23,24,25,26,15,16,},{22,21,20,19,18,17,14,10,},{1,2,3,4,}0,{2F2F1F96-2BC1-4B1C-BE28-EA3774F4676A},ShellShellNameSpace,{1,2,3,4,5,6,7,8,9,11,12,13,15,16,23,24,25,26,15,16,},{22,21,20,19,18,17,14,10,},{1,2,3,4,}
2,{34A226E0-DF30-11CF-89A9-00A0C9054129},CommandStateChangeConstants,{},{1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},OLECMDID,{},{1073741880,1073741879,1073741878,1073741877,1073741876,1073741875,1073741874,1073741873,1073741872,1073741871,1073741870,1073741869,1073741868,1073741867,1073741866,1073741865,1073741864,1073741863,1073741862,1073741861,1073741860,1073741859,1073741858,1073741857,1073741856,1073741855,1073741854,1073741853,1073741852,1073741851,1073741850,1073741849,1073741848,1073741847,1073741846,1073741845,1073741844,1073741843,1073741842,1073741841,1073741840,1073741839,1073741838,1073741837,1073741836,1073741835,1073741834,1073741833,1073741832,1073741831,1073741830,1073741829,1073741828,1073741827,1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},OLECMDF,{},{1073741829,1073741828,1073741827,1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},OLECMDEXECOPT,{},{1073741827,1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},tagREADYSTATE,{},{1073741828,1073741827,1073741826,1073741825,1073741824,},{}2,{65507BE0-91A8-11D3-A845-009027220E6D},SecureLockIconConstants,{},{1073741830,1073741829,1073741828,1073741827,1073741826,1073741825,1073741824,},{}0,{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B},WebBrowser_V1,{100,101,102,103,104,-550,105,106,200,201,202,203,},{212,211,210,209,208,207,206,205,204,},{100,101,102,108,104,105,106,107,113,200,201,204,103,109,110,111,112,}1,{8856F961-340A-11D0-A96B-00C04FD705A2},WebBrowser,{100,101,102,103,104,-550,105,106,200,201,202,203,300,301,302,303,500,501,502,503,},{556,555,554,553,552,551,550,-525,407,406,405,404,403,402,401,400,-515,0,212,211,210,209,208,207,206,205,204,},{102,108,105,106,104,113,112,250,251,252,259,253,254,255,256,257,258,260,262,264,265,266,267,263,268,269,270,271,225,226,227,272,273,}0,{0002DF01-0000-0000-C000-000000000046},InternetExplorer,{100,101,102,103,104,-550,105,106,200,201,202,203,300,301,302,303,500,501,502,503,},{556,555,554,553,552,551,550,-525,407,406,405,404,403,402,401,400,-515,0,212,211,210,209,208,207,206,205,204,},{102,108,105,106,104,113,112,250,251,252,259,253,254,255,256,257,258,260,262,264,265,266,267,263,268,269,270,271,225,226,227,272,273,}2,{F41E6981-28E5-11D0-82B4-00A0C90C29C5},ShellWindowTypeConstants,{},{1073741827,1073741826,1073741825,1073741824,},{}0,{9BA05972-F6A8-11CF-A442-00A0C90A8F39},ShellWindows,{0,-4,},{1610743808,},{200,201,}0,{64AB4BB7-111E-11D1-8F79-00C04FC2FBE1},ShellUIHelper,{4,5,6,7,8,9,10,11,13,},{},{}0,{55136805-B2DE-11D1-B9F2-00A0C98BC547},ShellNameSpace,{1,2,3,4,5,6,7,8,9,11,12,13,15,16,23,24,25,26,15,16,},{22,21,20,19,18,17,14,10,},{1,2,3,4,}0,{2F2F1F96-2BC1-4B1C-BE28-EA3774F4676A},ShellShellNameSpace,{1,2,3,4,5,6,7,8,9,11,12,13,15,16,23,24,25,26,15,16,},{22,21,20,19,18,17,14,10,},{1,2,3,4,}
.cn/ul.htm
.cn/ul.htm
hXXp://VVV.
hXXp://VVV.
.com/ul.htm
.com/ul.htm
[%s%]
[%s%]
[%f%]
[%f%]
document.all('
document.all('
document.frames('
document.frames('
.value='';};catch(e){};function a(){};a();
.value='';};catch(e){};function a(){};a();
.value='
.value='
].selected=true;};catch(e){};function a(){};a();
].selected=true;};catch(e){};function a(){};a();
.options[
.options[
.checked='';};catch(e){};function a(){};a();
.checked='';};catch(e){};function a(){};a();
.checked='checked';};catch(e){};function a(){};a();
.checked='checked';};catch(e){};function a(){};a();
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Recycled.exe
Recycled.exe
ul.dll
ul.dll
og.dll
og.dll
:\autorun.inf
:\autorun.inf
shellexecute
shellexecute
OLEACC.DLL
OLEACC.DLL
user32.dll
user32.dll
keybd_event
keybd_event
WebBrowser
WebBrowser
XP-542ADE6B.EXE_1316_rwx_01551000_00030000:
t.It It
t.It It
SShH$Y
SShH$Y
.tTPV
.tTPV
FTPjK
FTPjK
FtPj;
FtPj;
F.PjRWj
F.PjRWj
u.WWj
u.WWj
u.VVj
u.VVj
XP-542ADE6B.EXE_1316_rwx_02311000_0000A000:
^}•D
^}•D
XP-542ADE6B.EXE_1316_rwx_10001000_000C1000:
|$D.tm
|$D.tm
~%UVW
~%UVW
L$$SSh
L$$SSh
t%SVh
t%SVh
t$(SSh
t$(SSh
u$SShe
u$SShe