WS.Reputation.1 (Symantec), Win32/Heur (AVG), Packed.Win32.Themida.FD, Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, Trojan.Win32.IEDummy.FD, GenericEmailWorm.YR, GenericInjector.YR, TrojanFlyStudio.YR (Lavasoft MAS)Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm, Packed
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: ff48e41b608717a609682f2d4ec4a9bd
SHA1: 53be04f1d4f112647e3fdf89248dfe0398d2f929
SHA256: 1c01950f5be4aa0a2ed81b92715218dfa434d8d56f4e6993f1b1987641882d3b
SSDeep: 49152:VrUrP7wH6CtjpjDW5cOuoZdj6iMPnocUFGn1LHROEwTDK45UnBIJH:VQT7bCtZDWqOSFPEFGn1R3cUnud
Size: 2543616 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, ACProtect141
Company: no certificate found
Created at: 2014-01-27 16:09:56
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):No processes have been created.The Trojan injects its code into the following process(es):
%original file name%.exe:1612
Mutexes
The following mutexes were created/opened:
CTF.TMD.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.Layouts.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.Asm.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.Compart.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.LBES.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003ZonesLockedCacheCounterMutexZonesCacheCounterMutexZonesCounterMutexWininetProxyRegistryMutexWininetConnectionMutexWininetStartupMutexc:!documents and settings!adm!local settings!history!history.ie5!c:!documents and settings!adm!cookies!c:!documents and settings!adm!local settings!temporary internet files!content.ie5!_!MSFTHISTORY!_RasPbFileShimCacheMutex
File activity
The process %original file name%.exe:1612 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\loadConfig_v4298[1].xml (28032 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\service[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\mg1[1].htm (556 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\Strategy[1].xml (150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\get_code[1].htm (9 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@xcdf[1].txt (298 bytes)
C:\config.ini (57 bytes)
Registry activity
The process %original file name%.exe:1612 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A F1 41 18 3A 37 61 C0 04 7A 20 64 8D 0D 22 3F"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\loadConfig_v4298[1].xml (28032 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\service[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\mg1[1].htm (556 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\Strategy[1].xml (150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\get_code[1].htm (9 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@xcdf[1].txt (298 bytes)
C:\config.ini (57 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name: qq??????
Product Version: 17.5.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 17.5.0.0
File Description: qq??????
Comments: qq??????
Language: English (United States)
Company Name: Product Name: qq??????Product Version: 17.5.0.0Legal Copyright: ?????? ????????Legal Trademarks: Original Filename: Internal Name: File Version: 17.5.0.0File Description: qq??????Comments: qq??????Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 2387968 | 942080 | 5.545 | af75ace5f188ec7e6f0ef19d1401775c |
.ups | 2392064 | 1581056 | 1581056 | 5.44903 | 43975525246f622e63ce8caf938c0e11 |
.idata | 3973120 | 4096 | 4096 | 1.2769 | 7f9079c686d0b857a8521daa41177a22 |
.rsrc | 3977216 | 8192 | 8192 | 2.59873 | 4f34aa458bb6badfedc6a187fa49078b |
.ups | 3985408 | 4096 | 4096 | 5.53374 | 6e4d988dd85f05551014cb186903c3c5 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://ad.51pc114.cn/setup/a.html | 122.228.204.12 |
hxxp://ad.51pc114.cn/ad/mg1.htm | 122.228.204.12 |
hxxp://www.7532.com/hao123.htm | 122.224.9.42 |
hxxp://www.7532.com/2345.htm | 122.224.9.42 |
hxxp://meigui.qq.com/Strategy.xml?0.9743528054095805 | 112.90.78.171 |
hxxp://meigui.qq.com/loadConfig_v4298.xml | 112.90.78.171 |
hxxp://u.3393.com/t/?pid=155715&show_t=3 | 121.10.173.29 |
hxxp://u.3393.com/kernel/get_code.php?pid=155715&show_t=3&ti=0&p=u.3393.com/t/&time=0.04522900 1431999583 | 121.10.173.29 |
hxxp://x2.tcdn.qq.com/cdn/swf_0908/ | |
hxxp://u.3393.com/kernel/service.php?token=VWYANVFyBW0JJAIiBmJSdAYLAi4GNAEoBiMHMQIgA3M=&title=QQ猫戮 |