Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericPhysicalDrive0.YR, TrojanFlyStudio.YR (Lavasoft MAS)Behaviour: Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: cf12b579c2dd9b0c9bd13fc9ca45af9f
SHA1: f32e843a2b3ceb149aadc4346f73a58d26bba814
SHA256: 8a04bc6d783ceca525e6471ab09d7cb44e4d220818f8c17375a65401c47e595a
SSDeep: 24576:RD8heXvRuP3XAoiQTS4qJBJ86lJM 6gf04:Ye/RmgjQTwv/
Size: 1421312 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-08-19 08:37:18
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):No processes have been created.The Trojan injects its code into the following process(es):
%original file name%.exe:1872
Mutexes
The following mutexes were created/opened:
ZonesLockedCacheCounterMutexZonesCounterMutexZonesCacheCounterMutexWininetProxyRegistryMutexWininetConnectionMutexWininetStartupMutexc:!documents and settings!adm!local settings!history!history.ie5!c:!documents and settings!adm!cookies!c:!documents and settings!adm!local settings!temporary internet files!content.ie5!_!MSFTHISTORY!_RasPbFileShimCacheMutex
File activity
The process %original file name%.exe:1872 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\login[1].htm (14392 bytes)
C:\ÅäÖÃ.ini (46 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\74_qtw[1].txt (3552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\logout[1].htm (2144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\hosts[1].txt (272 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\gg[1].txt (596 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\captcha.png[1].png (2096 bytes)
Registry activity
The process %original file name%.exe:1872 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1020x590x32(BGR 0)" = "31,31,31,31"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "89 73 D9 90 18 B8 90 64 E7 E2 23 41 5D E6 D5 25"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\login[1].htm (14392 bytes)
C:\ÅäÖÃ.ini (46 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\74_qtw[1].txt (3552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\logout[1].htm (2144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\hosts[1].txt (272 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\gg[1].txt (596 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\captcha.png[1].png (2096 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name: ??b2b?????
Product Version: 3.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3.0.0.0
File Description: ??b2b?????
Comments: ??????????(http://www.eyuyan.com)
Language: Language Neutral
Company Name: Product Name: ??b2b?????Product Version: 3.0.0.0Legal Copyright: ?????? ????????Legal Trademarks: Original Filename: Internal Name: File Version: 3.0.0.0File Description: ??b2b?????Comments: ??????????(http://www.eyuyan.com)Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 913196 | 913408 | 5.12108 | cefda8c8ae4822150e9a044d1f22f7eb |
| .rdata | 917504 | 293794 | 294912 | 4.34431 | 2a06c1085aebeabdf61b7495b1675430 |
| .data | 1212416 | 466570 | 114688 | 4.30715 | 937595b006a7837e827bc67d31ac2c40 |
| .rsrc | 1679360 | 90620 | 94208 | 4.54415 | 5c4b9e5ac4447ad3ce0917754df09a85 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
| URL | IP |
|---|---|
| hxxp://www.linanxi.com/soft/hosts.txt | 112.124.59.64 |
| hxxp://www.linanxi.com/soft/74_qtw.txt | 112.124.59.64 |
| hxxp://www.qieta.com/member/logout.php | 203.171.233.91 |
| hxxp://www.qieta.com/member/login.php | 203.171.233.91 |
| hxxp://www.qieta.com/api/captcha.png.php?action=e9f3ba48539aa7ccde90331492422fdc&refresh=0.62083233583538592 | 203.171.233.91 |
| hxxp://www.linanxi.com/soft/gg.txt | 112.124.59.64 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /member/logout.php HTTP/1.1
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: hXXp://VVV.qieta.com/member/logout.php
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: VVV.qieta.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Connection: close
Date: Sat, 06 Sep 2014 15:45:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: PHP/5.2.17
Content-Type:text/html;charset=utf-8
Set-Cookie: qieta010_auth=deleted; expires=Fri, 06-Sep-2013 15:45:25 GMT; path=/; domain=.qieta.com
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />..<title>............ - ............QieTa.com...</title>..<style type="text/css">..*{font-size:12px;color:#2B61BA;}..body{font-family: Verdana, Arial, Helvetica, sans-serif;background:#F0F2F7;margin:0;}..input{color:#333333;}..a:link,a:visited,a:active {color:#ABBBD6;text-decoration:none;}...msg{width:400px;background:#FFFFFF url('hXXp://VVV.qieta.com/skin/default/image/messagebg.gif') repeat-x;margin:auto;}...head{letter-spacing:2px;line-height:29px;height:26px;overflow:hidden;font-weight:bold;}...content{padding:10px 20px 5px 20px;line-height:200%;word-break:break-all;border:#7998B7 1px solid;border-top:none;}...ml{color:#FFFFFF;background:url('hXXp://VVV.qieta.com/skin/default/image/message.gif') no-repeat 0 0;padding-left:10px;}...mr{float:right;background:url('hXXp://VVV.qieta.com/skin/default/image/message.gif') no-repeat 0 -34px;width:4px;font-size:1px;}..</style>..<script type="text/javascript">try {document.execCommand("BackgroundImageCache", false, true);} catch(e) {}</script>..</head>..<body onkeydown="if(event.keyCode==13) window.history.back();">..<table cellpadding="0" cellspacing="0" width="400" align="center">..<tr>..<td height="150"></td>..</tr>..<tr&
<<< skipped >>>
GET /soft/hosts.txt HTTP/1.1
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: hXXp://VVV.linanxi.com/soft/hosts.txt
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: VVV.linanxi.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Length: 272
Content-Type: text/plain
Last-Modified: Sun, 10 Aug 2014 12:18:53 GMT
Accept-Ranges: bytes
ETag: "ec8b1a4095b4cf1:12b8"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 06 Sep 2014 15:46:09 GMT
gvTRNWzwNwpWxQkwW3wB5K639BxKt3zB4KU31BNKl3rvNw1QmvxKxQqvawW3wB5K639BxKt3U3XBxKu3jBNKNQ1v9wxQzBqwqQXvqwmQ9vmwxQzBywxQRBvK429L6Cy2uLSC52VLXCO2mLbWxP9RSCrWlPyRrWpP4RNWSPVLUWSPvLPC429L6Cy2uLSC52VLXCO2mLUWSPmRXWqPpRmWaPVLlWzPURQCW2tL9L6Cy2uLSC52VLXCO2mLlWlPzRTWaPTR5COPVLlWzPUR....
GET /soft/74_qtw.txt HTTP/1.1
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: hXXp://VVV.linanxi.com/soft/74_qtw.txt
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: VVV.linanxi.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Length: 4578
Content-Type: text/plain
Last-Modified: Sat, 30 Aug 2014 04:28:05 GMT
Accept-Ranges: bytes
ETag: "728247cbac4cf1:12b8"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 06 Sep 2014 15:46:09 GMT
kQTRmwXvmWqvSPivu3zBXKkQSBNwqQXvNwOQXvkwW3wBJw4QnvawJQKvKHMQgvyKawB76vkwW3wBJwrQxvpwC7ivXKt31B9KT3XBnKT34BuKnQuf9HB8yfcH48af5FI8HDHFo8bfoFn7SDgvyKrQxvpwC7iveKA3gvUwB7tvUwc3aBnKJQ9L1C42XLxC52dLxC12XLCGJJigKEmJQgcEz2egiEeJygJg0E0JtY8Wx21RoW5P1RbCo2dLhWA2eL8WOP1RoW4P1RhW12uLXC62rL1Co2rL5C62oRtG6ICgxG7J9JuYbGKJWg2ELJrLHEcJjRzCOP1RoW4P1RhWA2eL8WqPpRTWlPc3aBnKJQ4B4Ku3uBSKt3aBSK63uBBf7F97WDoFT3afBNa74DDFs8EDsFC8xfJwV3rvmwlQOvnKc3aBkwW3wBJwuQOvzwmQuvxwOQXvqwC75QOvzwJQ4B4Ku3uBSKt3aBSK63uBKHe8oDoHQ82DzHkQSB9wqQXvqwbQUvTwxQTvnWaPpR1WjPvLPC8WyPxR1WpPBYpWTPpR1WOPpRXWjP9L1C42XLxC52dLxC42cLCGEJ7geEbJcY9EGJmgHEbIDgGEnIUYtGpGFPULVWzPyRrWcPNRqWlPyRmWlPxRhWA2eL8WOP1RTWcPaRaWTPrRhW12uLXC62rL1Co2rLXCn2nQL8QD0FU7yB7FN8fDpFF8ZDZFu7gvyKrQxvpwC7uv9wNQmvkwW3wBJwUQVvaw5Q1v9K13uBkw63XB5K9KT3XBuKT34BoKnQeDIF38qfZFl8cDHF28bDLFn8fDcFkQSBXwSQ6vbwyQuB9K13iveKA3gvuwSQOvXvpw5QivXKt31BtCz2uL6Cz29LtC2IHg7EdIUYdEIJggaGQJWg2ELJjRzCtPzRNWSPmR6WjPvLPCFPNPbRpWTPzR9WjP9L1C42XLxC524LxC12XLCG6IaYLEzIbY9GAJnYaGnJoYzEz2wgnEoJGg8Wx2rRuWrPTPzR9WjPvLPCFPSRqW5P1RaCn2JQ4B4Ku3uBSKt39BSK634BKHb7ufKF17nfyHF8PDoHb86f1FkQSBUvrwaQxvoKd3iveKA3gvNwXQuvOwJQ4B4Ku3uBSKt39BSK631BKHb7ufKF17ID6Ft7af2Fv8KD3FT3e8oDJwV3lvUwbQmvkwW3wBJwrQxvxwK7ivXKt31BtCz2uL6Cz29L1C2IaYtG2JXYHE9JuYbGKJWg2E2Ez2AgnEFPULmWVPSRdWjPvLPCFPTRyWyPaRbCo2dLhW12uLXC62rL1Ct2rLXCo2oREEFJuYtEKJWgdY2Ez2BgHEaI2m8Wx2TRyWyPaRbCo2dLhWA2eL8WUPURuWo2dLbCjP9LXB5K13yB4K53yB5K43Bf9Hb7B8yf2Fu7vDdF672joHb86f1FkQSBVwVQtvnKc3aBkwW3wBJwXQUvOwxQnv5K43aBkw63XB5K13yB4KuKT31B9KnQuf9HB8yf6Hn7GDuHu7dDtH58gvyKXQUvOwxQnv5K43aBkwW3wB
<<< skipped >>>
GET /soft/gg.txt HTTP/1.1
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: hXXp://VVV.linanxi.com/soft/gg.txt
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: VVV.linanxi.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Length: 554
Content-Type: text/plain
Last-Modified: Mon, 26 May 2014 07:39:37 GMT
Accept-Ranges: bytes
ETag: "544e1aa5b578cf1:12b8"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 06 Sep 2014 15:46:16 GMT
8WNwlPxQTRrPyRFRQCW28gwEcIhgBE5J9Y4G0J3gpGdIPggEeJZgHEPJKgrEEJMg7EmI6YqGuIdYeEtJdYskNKa7iDaHfFR81DAF08Bfxw4Q6vtwBQSByKuQbv9wU3zvywxQOvzwB7VvxKTQ1v1wV3XvTwuQuvyKzQOvzwmQovqvSK63uB5KU3UvawVQzveKA3EDRFL8ODdHX8nf1H67MjmH38uB5KY80DWFY8IDKNL8qD8Fb7KD0FH8S8KD3N883gREbJuYhEHJsmp..
GET /api/captcha.png.php?action=e9f3ba48539aa7ccde90331492422fdc&refresh=0.62083233583538592 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: hXXp://VVV.qieta.com/api/captcha.png.php?action=e9f3ba48539aa7ccde90331492422fdc&refresh=0.62083233583538592
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: VVV.qieta.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Connection: close
Date: Sat, 06 Sep 2014 15:45:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: PHP/5.2.17
Set-Cookie: PHPSESSID=5eti50i3703qquijh4jbdvjgt2; path=/; domain=.qieta.com
Cache-Control: must-revalidate, post-check=0, pre-check=0
Pragma: public
Expires: Sat, 06 Sep 2014 15:45:29 GMT
Content-type: image/png
.PNG........IHDR.......(......E=B....IDATx....L.w...O .Z.@...@...a.=..#F;..6...n.m....Knqs:.ln..].l&..1....n.wa.48N.mK..0...............y.?.K[ .p>...}.........&...>....B...... ......r.|..AC2...3G>=...o|u. ..........3..z@Xx6..6.....`..._..r...pk8....-x..w.......0..@..J....q....N......w...m`Yv...iiiOmzj.e..7X....(.......m..}tt.n....... ......&.. .Je2..a.y..........w.....1..x....X.........1S..:..D".9}.;.......$.|>_,....K.....Q...*.*G..R...~.q?l.Q....N%...0%..-J.....=}.4...Hzz..V..L4M..z.;...^SW..w[..|Jq?lP...8~vtwu'^..I.;.|.`4$......(/?O..j.ZZCgeg%&......{{z...".....n....M~R....\....V.Y .CQ..h4..I.Rm.T[.r......"[..1.(0..>..Ex..9....'b..E)...*...............}.....;{K.x'.n.{.1..lu.c..~..... ......bmE~A.F...u.......{OVVVm}m,M.T..u.....S..Ojg.>.r..F.....,.`..H.X^.h.....z.....R.T.Q.&..`^c6.1'Fd2......`ff&......i...z.-c.11.d....>.....t.e...ZZCg.d...r.......s....\W).(R.QV.#......C....o[9Vd*..,.q...GZ.$...u.......?<.r`.i9.K.eC..Rs.......{...c'8..c.).(6..m.........a4..3'S.........2...t..mKLx....G..,].....<7<....au.j.......c.).(6t........i......E....L1..R.U.....T...W... o..7.....J$./..e.rd....k...&............-.|..o. ....7L..l....j..h....E..w....w0..........-...&........_..|h.<.......GL..V.V.......tnb._Sx.^.R....M*..ik...B....z.{..e..]..?;.4ni,ZYte.J.G..P..8^...D.........._...X...mv.I%C...@yEyiY.l[.........srbR..=....(.H$...............pY!.......(aN.oC~A>....R>2qsb.>@QT.o..3..3f...U`<L...z.. .....-U..'.1....o.8.|..K?:...._....J....dUI....2...c.....*Q.o.]....(.. .<W.\....;...d
<<< skipped >>>
GET /member/login.php HTTP/1.1
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: hXXp://VVV.qieta.com/member/login.php
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: VVV.qieta.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Connection: close
Date: Sat, 06 Sep 2014 15:45:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: PHP/5.2.17
Content-Type:text/html;charset=utf-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>..<title>............ - ............QieTa.com...</title>..<meta name="keywords" content="QieTa,.........,B2B,............,......,......B2B"/>..<meta name="description" content="............QieTa.com...B2B.................................B2B..........................................................................................................................................................................................................................................................................."/>..<meta http-equiv="x-ua-compatible" content="ie=7"/>..<meta name="generator" content="QieTa B2B"/>..<meta name="author" content="VVV.QieTa.com"/>..<meta property="qc:admins" content="10523630176115416375" />..<link rel="shortcut icon" href="hXXp://VVV.qieta.com/favicon.ico"/>..<link rel="bookmark" href="hXXp://VVV.qieta.com/favicon.ico"/>..<link rel="stylesheet" type="text/css" href="hXXp://VVV.qieta.com/skin/default/style.css"/>..<script type="text/javascript" src="hXXp://VVV.qieta.com/lang/zh-cn/lang.js"></script>..<script type="text/javascript" src="hXXp://VVV.qieta.com/file/script/config.js"></script>..<script type="text/javascript" src="hXXp://VVV.qiet
<<< skipped >>>
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
%original file name%.exe_1872:
.text
.text
.rdata
.rdata
@.data
@.data
.rsrc
.rsrc
t%SVh
t%SVh
t$(SSh
t$(SSh
~%UVW
~%UVW
u$SShe
u$SShe
wininet.dll
wininet.dll
kernel32.dll
kernel32.dll
user32.dll
user32.dll
Kernel32.dll
Kernel32.dll
advapi32.dll
advapi32.dll
HttpOpenRequestA
HttpOpenRequestA
HttpSendRequestA
HttpSendRequestA
HttpQueryInfoA
HttpQueryInfoA
EnumWindows
EnumWindows
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
ExitWindowsEx
ExitWindowsEx
ShellExecuteA
ShellExecuteA
{E60056EA-07A8-4bf5-B6F0-DF05DE6FAE1F}
{E60056EA-07A8-4bf5-B6F0-DF05DE6FAE1F}
C$%cmb
C$%cmb
.ppM|
.ppM|
aZ.mO
aZ.mO
%-^
%-^
.hk;~
.hk;~
KERNEL32.DLL
KERNEL32.DLL
COMCTL32.dll
COMCTL32.dll
GDI32.dll
GDI32.dll
MSIMG32.dll
MSIMG32.dll
MSVCRT.dll
MSVCRT.dll
MSVFW32.dll
MSVFW32.dll
USER32.dll
USER32.dll
SkinH_EL.dll
SkinH_EL.dll
hXXp://VVV.linanxi.com/soft/
hXXp://VVV.linanxi.com/soft/
hXXp://VVV.linanxi.com.cn/soft/
hXXp://VVV.linanxi.com.cn/soft/
hXXp://VVV.linanxi.cn/soft/
hXXp://VVV.linanxi.cn/soft/
hXXp://VVV.linanxi.net/soft/
hXXp://VVV.linanxi.net/soft/
hXXp://VVV.huguorong.com/soft/
hXXp://VVV.huguorong.com/soft/
hXXp://VVV.360kv.com/soft/
hXXp://VVV.360kv.com/soft/
hXXp://
hXXp://
hXXps://
hXXps://
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
http=
http=
HTTP/1.1
HTTP/1.1
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
z>\TEMP.TMP
z>\TEMP.TMP
\*.jpg
\*.jpg
\*.gif
\*.gif
hXXp://VVV.qieta.com/member/
hXXp://VVV.qieta.com/member/
hXXp://VVV.qieta.com/ajax.php
hXXp://ping.baidu.com/ping/RPC2
hXXp://ping.baidu.com/ping/RPC2
weblogUpdates.ping
weblogUpdates.ping
hXXp://VVV.qieta.com/member/logout.php
hXXp://VVV.qieta.com/member/logout.php
hXXp://VVV.qieta.com/member/login.php
hXXp://VVV.qieta.com/member/login.php
hXXp://VVV.qieta.com/api/captcha.png.php?action=
hXXp://VVV.qieta.com/api/captcha.png.php?action=
.iqW>
.iqW>
"3/%F
"3/%F
%du2$"
%du2$"
.unOZ
.unOZ
config.ini
config.ini
\\.\PHYSICALDRIVE
\\.\PHYSICALDRIVE
\\.\SCSI
\\.\SCSI
\\.\SMARTVSD
\\.\SMARTVSD
\\.\PhysicalDrive0
\\.\PhysicalDrive0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
hXXp://VVV.qieta.com/member/my.php
hXXp://VVV.qieta.com/member/my.php
&submit= æ 交
&submit= æ 交
&post[elite]=
&post[elite]=
&post[mycatid]=
&post[mycatid]=
&post[days]=
&post[days]=
&post[amount]=
&post[amount]=
&post[minamount]=
&post[minamount]=
&post[price]=
&post[price]=
&post[totime]=&post[unit]=
&post[totime]=&post[unit]=
&post[thumb2]=
&post[thumb2]=
&post[thumb1]=
&post[thumb1]=
&post[content-bak]={$content-bak}&post[thumb]=
&post[content-bak]={$content-bak}&post[thumb]=
&post[content]=
&post[content]=
&post[brand]=
&post[brand]=
&post[standard]=
&post[standard]=
&post[pid]=0&post[model]=
&post[pid]=0&post[model]=
&style=&post[catid]=
&style=&post[catid]=
&post[title]=
&post[title]=
&post[typeid]=
&post[typeid]=
action=add&mid=5&itemid=0&forward=&post[tag]=
action=add&mid=5&itemid=0&forward=&post[tag]=
hXXp://open.baidu.com/special/time/
hXXp://open.baidu.com/special/time/
window.baidu_time(
window.baidu_time(
`~!@#$%^&*()-_= [{]};:'\|,<.>/?"
`~!@#$%^&*()-_= [{]};:'\|,<.>/?"
hXXp://VVV.qieta.com/member/news.php
hXXp://VVV.qieta.com/member/news.php
&post[addtime]=
&post[addtime]=
&post[style]=&post[content]=
&post[style]=&post[content]=
action=add&post[title]=
action=add&post[title]=
hXXp://VVV.vooec.com/Member/loginout.asp
hXXp://VVV.vooec.com/Member/loginout.asp
hXXp://VVV.qieta.com/member/news.php?action=add
hXXp://VVV.qieta.com/member/news.php?action=add
&q3=&q4=&rn=10&lm=0&ct=0&ft=&q5=&q6=qieta.com&tn=baiduadv
&q3=&q4=&rn=10&lm=0&ct=0&ft=&q5=&q6=qieta.com&tn=baiduadv
hXXp://VVV.baidu.com/s?q1=&q2=
hXXp://VVV.baidu.com/s?q1=&q2=
&q3=&q4=&rn=10&lm=360&ct=0&ft=&q5=&q6=qieta.com&tn=baiduadv
&q3=&q4=&rn=10&lm=360&ct=0&ft=&q5=&q6=qieta.com&tn=baiduadv
&q3=&q4=&rn=10&lm=30&ct=0&ft=&q5=&q6=qieta.com&tn=baiduadv
&q3=&q4=&rn=10&lm=30&ct=0&ft=&q5=&q6=qieta.com&tn=baiduadv
&q3=&q4=&rn=10&lm=7&ct=0&ft=&q5=&q6=qieta.com&tn=baiduadv
&q3=&q4=&rn=10&lm=7&ct=0&ft=&q5=&q6=qieta.com&tn=baiduadv
&q3=&q4=&rn=10&lm=1&ct=0&ft=&q5=&q6=qieta.com&tn=baiduadv
&q3=&q4=&rn=10&lm=1&ct=0&ft=&q5=&q6=qieta.com&tn=baiduadv
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 2Pac; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 2Pac; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
https
https
hXXp://VVV.b2b110.com/member/myb2b110.php?mid=
hXXp://VVV.b2b110.com/member/myb2b110.php?mid=
itemid[]=
itemid[]=
&password=
&password=
forward=http://VVV.qieta.com/member/my.php&option=username&username=
forward=http://VVV.qieta.com/member/my.php&option=username&username=
P@Excel.exe
P@Excel.exe
hXXp://VVV.qieta.com/member/my.php?mid=5&action=add
hXXp://VVV.qieta.com/member/my.php?mid=5&action=add
&ct=0&ft=&q5=&q6=qieta.com&tn=baiduadv
&ct=0&ft=&q5=&q6=qieta.com&tn=baiduadv
hXXp://VVV.qy6.com/myqy6/addimage.php
hXXp://VVV.qy6.com/myqy6/addimage.php
$@wininet.dll
$@wininet.dll
hXXp://VVV.linanxi.com
hXXp://VVV.linanxi.com
my.php?mid=5&page=
my.php?mid=5&page=
news.php?page=
news.php?page=
*.xls|*.xls
*.xls|*.xls
*.jpg|*.jpg|*.gif|*.gif
*.jpg|*.jpg|*.gif|*.gif
*.txt
*.txt
|*.txt
|*.txt
>1.2.18
>1.2.18
A inflate 1.1.3 Copyright 1995-1998 Mark Adler
A inflate 1.1.3 Copyright 1995-1998 Mark Adler
%*.*f
%*.*f
CNotSupportedException
CNotSupportedException
commctrl_DragListMsg
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
Afx:%x:%x
COMCTL32.DLL
COMCTL32.DLL
CCmdTarget
CCmdTarget
MSWHEEL_ROLLMSG
MSWHEEL_ROLLMSG
__MSVCRT_HEAP_SELECT
__MSVCRT_HEAP_SELECT
AVIFIL32.dll
AVIFIL32.dll
iphlpapi.dll
iphlpapi.dll
SHLWAPI.dll
SHLWAPI.dll
MPR.dll
MPR.dll
WINMM.dll
WINMM.dll
WS2_32.dll
WS2_32.dll
VERSION.dll
VERSION.dll
RASAPI32.dll
RASAPI32.dll
GetProcessHeap
GetProcessHeap
WinExec
WinExec
GetWindowsDirectoryA
GetWindowsDirectoryA
GetCPInfo
GetCPInfo
KERNEL32.dll
KERNEL32.dll
GetKeyState
GetKeyState
CreateDialogIndirectParamA
CreateDialogIndirectParamA
UnhookWindowsHookEx
UnhookWindowsHookEx
SetWindowsHookExA
SetWindowsHookExA
GetViewportOrgEx
GetViewportOrgEx
SetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
SetViewportExtEx
ScaleViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GetViewportExtEx
WINSPOOL.DRV
WINSPOOL.DRV
comdlg32.dll
comdlg32.dll
RegCloseKey
RegCloseKey
RegOpenKeyExA
RegOpenKeyExA
RegCreateKeyExA
RegCreateKeyExA
ADVAPI32.dll
ADVAPI32.dll
SHELL32.dll
SHELL32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
InternetCrackUrlA
InternetCrackUrlA
InternetCanonicalizeUrlA
InternetCanonicalizeUrlA
WININET.dll
WININET.dll
.PAVCException@@
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.prn)|*.prn|
(*.*)|*.*||
(*.*)|*.*||
Shell32.dll
Shell32.dll
Mpr.dll
Mpr.dll
Advapi32.dll
Advapi32.dll
User32.dll
User32.dll
Gdi32.dll
Gdi32.dll
(&07-034/)7 '
(&07-034/)7 '
?? / %d]
?? / %d]
%d / %d]
%d / %d]
: %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
(*.CUR)|*.CUR|
\\.\Scsi0:
\\.\Scsi0:
%s:%d
%s:%d
windows
windows
out.prn
out.prn
%d.%d
%d.%d
%d / %d
%d / %d
%d/%d
%d/%d
Bogus message code %d
Bogus message code %d
(%d-%d):
(%d-%d):
%ld%c
%ld%c
1.1.3
1.1.3
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
(*.avi)|*.avi
(*.avi)|*.avi
1.2.18
1.2.18
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.PNG)|*.PNG|BMP
WPFT532.CNV
WPFT532.CNV
WPFT632.CNV
WPFT632.CNV
EXCEL32.CNV
EXCEL32.CNV
write32.wpc
write32.wpc
Windows Write
Windows Write
mswrd632.wpc
mswrd632.wpc
Word for Windows 6.0
Word for Windows 6.0
wword5.cnv
wword5.cnv
Word for Windows 5.0
Word for Windows 5.0
mswrd832.cnv
mswrd832.cnv
mswrd632.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
Word 6.0/95 for Windows & Macintosh
html32.cnv
html32.cnv
NULL row buffer for row %ld, pass %d
NULL row buffer for row %ld, pass %d
libpng error: %s
libpng error: %s
libpng error: %s, offset=%d
libpng error: %s, offset=%d
libpng error no. %s: %s
libpng error no. %s: %s
libpng warning: %s
libpng warning: %s
libpng warning no. %s: %s
libpng warning no. %s: %s
operator
operator
keywords
keywords
Unknown zTXt compression type %d
Unknown zTXt compression type %d
Incomplete compressed datastream in %s chunk
Incomplete compressed datastream in %s chunk
Data error in compressed datastream in %s chunk
Data error in compressed datastream in %s chunk
Buffer error in compressed datastream in %s chunk
Buffer error in compressed datastream in %s chunk
gamma = (%d/100000)
gamma = (%d/100000)
gx=%f, gy=%f, bx=%f, by=%f
gx=%f, gy=%f, bx=%f, by=%f
wx=%f, wy=%f, rx=%f, ry=%f
wx=%f, wy=%f, rx=%f, ry=%f
incorrect gamma=(%d/100000)
incorrect gamma=(%d/100000)
iTXt chunk not supported.
iTXt chunk not supported.
VVV.dywt.com.cn
VVV.dywt.com.cn
Excel.Application
Excel.Application
HTTP/1.0
HTTP/1.0
%s
%s
Reply-To: %s
Reply-To: %s
From: %s
From: %s
To: %s
To: %s
Subject: %s
Subject: %s
Date: %s
Date: %s
Cc: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
%a, %d %b %Y %H:%M:%S
SMTP
SMTP
.PAVCOleException@@
.PAVCOleException@@
.PAVCObject@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCResourceException@@
.PAVCUserException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
.PAVCArchiveException@@
.PAVCOleDispatchException@@
.PAVCOleDispatchException@@
zcÁ
zcÁ
soft/gg.txt
soft/gg.txt
gg.txt
gg.txt
et-Cookie: qieta010_auth=deleted; expires=Fri, 06-Sep-2013 15:45:25 GMT; path=/; domain=.qieta.com
et-Cookie: qieta010_auth=deleted; expires=Fri, 06-Sep-2013 15:45:25 GMT; path=/; domain=.qieta.com
c:\%original file name%.exe
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
#include "l.chs\afxres.rc" // Standard components
1, 0, 6, 6
1, 0, 6, 6
(*.*)
(*.*)
3.0.0.0
3.0.0.0
(hXXp://VVV.eyuyan.com)
(hXXp://VVV.eyuyan.com)
%original file name%.exe_1872_rwx_00401000_000DF000:
t%SVh
t%SVh
t$(SSh
t$(SSh
~%UVW
~%UVW
u$SShe
u$SShe
%original file name%.exe_1872_rwx_10027000_00015000:
msctls_hotkey32
msctls_hotkey32
TVCLHotKey
TVCLHotKey
THotKey
THotKey
\skinh.she
\skinh.she
}uo,x6l5k%x-l h
}uo,x6l5k%x-l h
9p%s m)t4`#b
9p%s m)t4`#b
e"m?c&y1`Ð
e"m?c&y1`Ð
SetViewportOrgEx
SetViewportOrgEx
SetViewportExtEx
SetViewportExtEx
SetWindowsHookExA
SetWindowsHookExA
UnhookWindowsHookEx
UnhookWindowsHookEx
EnumThreadWindows
EnumThreadWindows
EnumChildWindows
EnumChildWindows
`c%US.4/
`c%US.4/
!#$
!#$
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.UPX0
@.UPX0
`.UPX1
`.UPX1
`.reloc
`.reloc
%-^
%-^
.hk;~
.hk;~