Detections: not-a-virus:AdWare.NSIS.ExecCmd.d (Kaspersky), Trojan.NSIS.StartPage.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.IEDummy.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, VirTool, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 16f6a1ab6c79f66f9fa26b2f18474e98
SHA1: 48b8fb36a91c9846c3da0b52018ba9ec7ed67b78
SHA256: d21ed7cc23e6dd56bb36752fa546f0c023f970749827cd1338701f6a3bcd3d6f
SSDeep: 6144:bQq7KILUux9Co5C/lydR7YcHcLiEssc8ZQ:pbUgdylyaLi9F8ZQ
Size: 211312 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-06-07 00:41:48
Analyzed on: WindowsXPESX SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
FMOlsvr.exe:1564
fmol.exe:1824
%original file name%.exe:1360
FHSev.exe:2476
FHSev.exe:1540
FHSev.exe:360
setup_3386.exe:540
The Trojan injects its code into the following process(es):
FMOlsvr.exe:1644
ntvdm.exe:1248
ntvdm.exe:1520
%original file name%.exe:468
FHSev.exe:2548
BaiduPlayerNetSetup_368.exe:2024
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process FMOlsvr.exe:1644 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\qqtj1[1].htm (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\qqtj2[1].htm (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\a35a3ed7\DMSet.Xml (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\qqtj1[1].htm (3 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\qqtj1[1].htm (0 bytes)
The process fmol.exe:1824 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\fmol_201501212023\201501212023\Data\server.ini (1 bytes)
%Program Files%\fmol_201501212023\201501212023\Data\user2.ini (402 bytes)
%Program Files%\fmol_201501212023\201501212023\SysConfig.ini (606 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ver[1].txt (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\a[1].htm (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1113[1].htm (3 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\a[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1113[1].htm (0 bytes)
The process ntvdm.exe:1248 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ (4 bytes)
%WinDir%\Temp\scsBA.tmp (33880 bytes)
%Documents and Settings%\%current user%\FAVORITES (4 bytes)
%Documents and Settings%\%current user%\Desktop\Intrenet Explorer.lnk (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\_30863[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\setup_3386[1].exe (3840 bytes)
%Program Files%\Internet Explorer (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (576 bytes)
%Documents and Settings%\%current user%\Local Settings (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wireshark.txt (12317 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp (4 bytes)
%WinDir% (672 bytes)
C:\$Directory (508 bytes)
%System% (8808 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5 (4 bytes)
%Program Files% (4 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773 (4 bytes)
%System%\config (8 bytes)
%WinDir%\Temp\Perflib_Perfdata_7ac.dat (4 bytes)
%System%\wbem (480 bytes)
%System%\drivers (480 bytes)
%WinDir%\Temp\scsBB.tmp (10145 bytes)
%Documents and Settings%\%current user% (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (672 bytes)
%Program Files%\Common Files\Adobe\Acrobat\ActiveX (4 bytes)
C:\baidu download\BaiduPlayerNetSetup_368.exe (17787 bytes)
%Documents and Settings%\%current user%\Cookies (96 bytes)
The Trojan deletes the following file(s):
%WinDir%\Temp\scsBA.tmp (0 bytes)
%WinDir%\Temp\scsBB.tmp (0 bytes)
The process ntvdm.exe:1520 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings% (4 bytes)
C:\ (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (388 bytes)
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Perflib_Perfdata_2a4.dat (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqB3.tmp (4 bytes)
%Documents and Settings%\All Users (4 bytes)
%WinDir%\REGISTRATION (4 bytes)
%WinDir%\Temp\Perflib_Perfdata_124.dat (100 bytes)
%WinDir% (680 bytes)
%Program Files%\COMMON FILES (4 bytes)
C:\$Directory (1344 bytes)
%Documents and Settings%\%current user%\Local Settings (4 bytes)
%System% (10920 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5 (4 bytes)
%WinDir%\Temp\scsB8.tmp (33872 bytes)
%Program Files% (4 bytes)
%Documents and Settings%\All Users\Documents (4 bytes)
%WinDir%\Temp\scsB9.tmp (10145 bytes)
%Documents and Settings%\%current user%\My Documents (4 bytes)
%System%\config (8 bytes)
%WinDir%\Temp\Perflib_Perfdata_7ac.dat (4 bytes)
%System%\wbem (1064 bytes)
%System%\drivers (32 bytes)
%Documents and Settings%\All Users\Start Menu (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (4 bytes)
%Program Files%\Common Files\VMware\Drivers (4 bytes)
%Documents and Settings%\All Users\Application Data (4 bytes)
D: (148 bytes)
%Documents and Settings%\%current user%\Cookies (96 bytes)
The Trojan deletes the following file(s):
%WinDir%\Temp\scsB9.tmp (0 bytes)
%WinDir%\Temp\scsB8.tmp (0 bytes)
The process %original file name%.exe:468 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\iplookup[1].htm (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\Inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\BaiduPlayerNetSetup_368[1].exe (68691 bytes)
%Documents and Settings%\%current user%\Desktop\Intrenet Explorer.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\setup_3386[1].exe (249349 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\i.rar (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\setup_3386.exe (249349 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\G0630_s_70886.exe (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\1.jpg (5804 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\[1].htm (6 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sina.com[1].txt (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\_30863[1].htm (6 bytes)
%Program Files%\FunshionInstall\uninst.exe (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\yicir_30863.exe (6 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\BaiduPlayerNetSetup_368.exe (68691 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\FunshionInstall\uninst.lnk (745 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\nsProcess.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\SoHuVA_4.3.0.1-c204900003-ng-nti-s-x.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbB5.tmp (0 bytes)
The process %original file name%.exe:1360 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsqB3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqB3.tmp\i.rar (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqB3.tmp\nsProcess.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqB3.tmp\%original file name%.exe (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqB3.tmp\Inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqB3.tmp\1.jpg (5804 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\FunshionInstall\uninst.lnk (745 bytes)
%Program Files%\FunshionInstall\uninst.exe (1281 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsqB3.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqB3.tmp\nszB4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqB3.tmp\1.jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqB3.tmp\%original file name%.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqB3.tmp\Inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqB3.tmp\nsProcess.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nslB2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqB3.tmp (0 bytes)
The process FHSev.exe:2548 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\Update2[1].rar (1497 bytes)
%Program Files%\fmol_201501212023\201501212023\Data\2024.Tmp (1 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\fwtj[1].htm (3 bytes)
The Trojan deletes the following file(s):
%Program Files%\fmol_201501212023\201501212023\Data\2024.Tmp (0 bytes)
The process setup_3386.exe:540 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\fmol_201501212023\201501212023\FHSev.exe (11048 bytes)
%Program Files%\fmol_201501212023\201501212023\SysConfig.ini (763 bytes)
%Program Files%\fmol_201501212023\201501212023\fmol.exe (65976 bytes)
%Program Files%\fmol_201501212023\201501212023\favorfm.xml (440 bytes)
%Program Files%\fmol_201501212023\201501212023\source.dll (6584 bytes)
%Program Files%\fmol_201501212023\201501212023\avutil-52.dll (5520 bytes)
%Program Files%\fmol_201501212023\201501212023\avcore.dll (2392 bytes)
%Program Files%\fmol_201501212023\201501212023\Data\setup.ini (110 bytes)
%Program Files%\fmol_201501212023\201501212023\Data\client.ini (36 bytes)
%Program Files%\fmol_201501212023\201501212023\Unins.exe (9608 bytes)
%Program Files%\fmol_201501212023\201501212023\avformat-54.dll (12088 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\fmol\fmol.lnk (880 bytes)
%Program Files%\fmol_201501212023\201501212023\DuiLib.dll (16288 bytes)