Skip to main content

Trojan.Win32.FlyStudio_c243834396


Gen:Variant.Strictor.56002 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, Trojan.Win32.IEDummy.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: c2438343963277712a9450eb3d69f267

SHA1: 95de1f6e2280bbf398a0de0e09a07203be0b5d30

SHA256: 5b83d288759b90b4937ff29f7426907def9430aeab0cc76842f1a33a314eac66

SSDeep: 12288:h1PDz t9w4SPnufjaSFQsi2s78aApwfuGsNGOimJbEldxIlsoTrrH2MyrhNBSscU:LAi4SPnufjayimaswj5ODJEtQssWvhWk

Size: 783847 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: MEW11SEv12, MEW11SEv11, UPolyXv05_v6, Mew11SEv12Eng

Company: no certificate found

Created at: 1970-01-01 03:00:00

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

Behaviour Description
EmailWormWorm can send e-mails.


Process activity

The Trojan creates the following process(es):No processes have been created.The Trojan injects its code into the following process(es):

%original file name%.exe:392

File activity

The process %original file name%.exe:392 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\promimg[1].htm (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\index[1].html (502 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\level_MIN_12.04[1].css (1443 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\AClick[1].aspx (372 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[2].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\pixel[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\b744ef7cf7616402b9cd75cd3b296755[1].jpg (3536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\idx_share_mood_v1[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1013v1400493293416348850[2].jpg (916 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1013v1401084571894271838[1].jpg (916 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\dd4a181d99e9ef08ab7d0a6475f7d97f[2].jpg (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1013v1401446314925913930[1].jpg (916 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.myzwqwe12[1].txt (491 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CA01Q30P.htm (976 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\promimg[1] (621 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\6[2] (7838 bytes)
%System%\drivers\etc\hosts (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\level_MIN_12.04[1].css (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\stat[3].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1013v1401447060362197786[1].jpg (2068 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\bd5463690a93c57a1039c47e11ab0f97[1].jpg (2876 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\a7e7de85243a438ba91ea4d3d8a017b2[1].jpg (4108 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\firstpay[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\base_MIN_11.05[2].css (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CA6R4L2I.htm (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\index[1].htm (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\135960371121375988[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.cfmogu[1].txt (642 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[2].txt (205 bytes)
%Documents and Settings%\%current user%\Application Data\E_UIEngine\90afea1eeb37be7a93471c36152ab43a\90afea1eeb37be7a93471c36152ab43a.jpg.data (28 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.myzwqwe12[2].txt (644 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (205 bytes)
%Documents and Settings%\%current user%\Application Data\E_UIEngine\90afea1eeb37be7a93471c36152ab43a\90afea1eeb37be7a93471c36152ab43a.jpg (676 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CA63OHCV.htm (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\index_MIN_11.99[1].css (2613 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1013v1401369311257246325[2].jpg (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ab7b8d4601229526cb46e315af28c9db[2].jpg (5596 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\AClick[2].aspx (372 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@z.myzwqwe12[1].txt (346 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\975b51f2ce89d444e33414de976c88a0[1].jpg (916 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\AClick[1].aspx (744 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\LAB_0.1[1].js (2 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (165 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\LAB_0.1[1].js (6 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.cfmogu[2].txt (642 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (16868 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1013v1395126094590286213[1].jpg (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\index_MIN_11.99[1].css (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\base_MIN_11.05[2].css (1698 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@z.myzwqwe12[2].txt (165 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\logo[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\6[1].htm (7444 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\eca1e2f901a17103ab05f7b46c358f6e[1].jpg (3988 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\eca1e2f901a17103ab05f7b46c358f6e[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\index[1].html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\AClick[1].aspx (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1013v1401447060362197786[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\base_MIN_11.05[1].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\6[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\LAB_0.1[2].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\level_MIN_12.04[2].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\index_MIN_11.99[2].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\LAB_0.1[1].js (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.myzwqwe12[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1013v1395126094590286213[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\level_MIN_12.04[1].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\dd4a181d99e9ef08ab7d0a6475f7d97f[2].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1013v1401446314925913930[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CA6R4L2I.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\base_MIN_11.05[2].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\LAB_0.1[1].js (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.cfmogu[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.myzwqwe12[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ab7b8d4601229526cb46e315af28c9db[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\firstpay[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\logo[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\promimg[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\AClick[2].aspx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bd5463690a93c57a1039c47e11ab0f97[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@z.myzwqwe12[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\AClick[1].aspx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\LAB_0.1[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\6[2] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\idx_share_mood_v1[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\a7e7de85243a438ba91ea4d3d8a017b2[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.cfmogu[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\index_MIN_11.99[1].css (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@z.myzwqwe12[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ab7b8d4601229526cb46e315af28c9db[2].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\975b51f2ce89d444e33414de976c88a0[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\b744ef7cf7616402b9cd75cd3b296755[1].jpg (0 bytes)

Registry activity

The process %original file name%.exe:392 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D E6 0E 6D 87 F5 46 25 F1 5F D1 9C 14 41 A5 2A"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\MediaPlayer\Health\{12C8B8B5-8085-4512-AAE9-007203359F62}]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 1248 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1www.cfyuanji.com
127.0.0.1www.cfyuanji.net
127.0.0.1www.cfyuanji.cc
127.0.0.1cfyuanji.com
127.0.0.1cfyuanji.net
127.0.0.1cfyuanji.cc
127.0.0.1www.cfyalan.com
127.0.0.1www.cfyalan.net
127.0.0.1www.cfyalan.cc
127.0.0.1yy.cfyalan.com
127.0.0.1cc.cfyalan.com
127.0.0.1cfyalan.com
127.0.0.1cfyalan.net
127.0.0.1cfyalan.cc
127.0.0.1www.cftianyue.com
127.0.0.1www.cftianyue.net
127.0.0.1www.cftianyue.cc
127.0.0.1cftianyue.com
127.0.0.1cftianyue.net


Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\promimg[1].htm (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\stat[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\index[1].html (502 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\level_MIN_12.04[1].css (1443 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\AClick[1].aspx (372 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[2].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\pixel[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\b744ef7cf7616402b9cd75cd3b296755[1].jpg (3536 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\idx_share_mood_v1[1].jpg (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1013v1400493293416348850[2].jpg (916 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1013v1401084571894271838[1].jpg (916 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\dd4a181d99e9ef08ab7d0a6475f7d97f[2].jpg (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1013v1401446314925913930[1].jpg (916 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@c.myzwqwe12[1].txt (491 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CA01Q30P.htm (976 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\promimg[1] (621 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\6[2] (7838 bytes)
    %System%\drivers\etc\hosts (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\level_MIN_12.04[1].css (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\stat[3].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1013v1401447060362197786[1].jpg (2068 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\bd5463690a93c57a1039c47e11ab0f97[1].jpg (2876 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\a7e7de85243a438ba91ea4d3d8a017b2[1].jpg (4108 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\firstpay[1].jpg (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\base_MIN_11.05[2].css (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CA6R4L2I.htm (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\index[1].htm (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\135960371121375988[1].jpg (392 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@www.cfmogu[1].txt (642 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[2].txt (205 bytes)
    %Documents and Settings%\%current user%\Application Data\E_UIEngine\90afea1eeb37be7a93471c36152ab43a\90afea1eeb37be7a93471c36152ab43a.jpg.data (28 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@c.myzwqwe12[2].txt (644 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (205 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CA63OHCV.htm (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\index_MIN_11.99[1].css (2613 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1013v1401369311257246325[2].jpg (532 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ab7b8d4601229526cb46e315af28c9db[2].jpg (5596 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\AClick[2].aspx (372 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@z.myzwqwe12[1].txt (346 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\975b51f2ce89d444e33414de976c88a0[1].jpg (916 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\AClick[1].aspx (744 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\LAB_0.1[1].js (2 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (165 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\LAB_0.1[1].js (6 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@www.cfmogu[2].txt (642 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (16868 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1013v1395126094590286213[1].jpg (532 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\index_MIN_11.99[1].css (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\base_MIN_11.05[2].css (1698 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@z.myzwqwe12[2].txt (165 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\logo[1].jpg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\6[1].htm (7444 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\eca1e2f901a17103ab05f7b46c358f6e[1].jpg (3988 bytes)

  4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
MEW4096314982400d41d8cd98f00b204e9800998ecf8427e
31539208437767833355.43238f6e72da3b8bcbed48e6d65f201bb3fd7

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hxxp://foshan.zcxsf.com/
hxxp://foshan.zcxsf.com/index.html
hxxp://c.myzwqwe12.com/AShow.aspx?AID=9842115.236.16.240
hxxp://c.myzwqwe12.com/AShow.aspx?AID=9756115.236.16.240
&uid
&height&SCUrl&gourl&PID&Auth&Url
&cna
&height&SCUrl&gourl&PID&Auth&Url
&r&lg&ntime&repeatip&rtime&cnzz_eid&showp&st&sin&t&rnd
&rnd
&WebID&DomainID&APID&Auth&Url&referer
&Auth&referer&utz
&Auth&referer&utz
&oid&dirtype&sid&site_id&p
&Auth&referer&utz
&show&t
&rnd
&idu
&game&dirtype
&r&lg&ntime&repeatip&rtime&cnzz_eid&showp&st&sin&t&rnd
&r&lg&ntime&repeatip&rtime&cnzz_eid&showp&st&sin&t&rnd
&Auth&referer&utz
&WebID&DomainID&APID&Auth&Url&referer
&game&dirtype
&Auth&referer&utz
&r&lg&ntime&repeatip&rtime&cnzz_eid&showp&st&sin&t&rnd
&rnd
&referer&browser&flash&msr&uid&pro&stamp
&KEY
&show&t
&oid&game
&rnd
&rnd
&rnd
&r&lg&ntime&repeatip&rtime&cnzz_eid&showp&st&sin&t&rnd
&show
&WebID&DomainID&APID&Auth&Url&referer

&uid

>><<&&<<

<<

<<<>>>

&uid

<&&gsKM&&y>

<<

<<<>>>

>&><><><&vC.o<&>&><><

<<

<<<>>>

<<<<>>><<&>&a.V..><&K....n.........D.2<<

<<

<<<>>>

<<&>>>>&i.nk><<><><<

<<

<<<>>>

&r..i...NU9.v:.cB..........yPt..X<&E..&><>&D....l.C.D..>

&KEY

<><><><><><><><><><><><>

>>>>&y....<>>>>>><

<<

<<<>>>

>&>&g...3.:O...i.u....7.<<

&<&>>>&x.&N.<

<<

<<<>>>

<<><><><><><><><><>&

<<

<<<>>>

<<><><><><><><><><>>><

<<

<<<>>>

<<<<><

<<

<<<>>>

&cna

&cna

&ntime&cnzz_a&sin&ltime

&<&Uq.37.....mH...H.H_9&&>>>&&>>&w...><&<<

<<

<<<>>>

&ntime&cnzz_a&sin&ltime

>&&&>&&f............0......C..>&>&

<<

<<<>>>

&ntime&cnzz_a&sin&ltime

><><<&<&&<<>&P...<&&>>&O...7.....7.T.<<<<

<<

<<<>>>

<><><><><><><><><><<

<<

<<<>>>

<><<<&&&>><>>

<<

<<<>>>

<<><><><><><><><><>&

&r&lg&ntime&repeatip&rtime&cnzz_eid&showp&st&sin&t&rnd

&WebID&DomainID&APID&Auth&Url&referer

&>>

&Auth&referer&utz

&KEY

<><><><><><><><&><><><><>

&Auth&referer&utz

<><><><><><><><><><><><>

&Auth&referer&utz

<><><><><><><><><><><><>

&Auth&referer&utz

<><><><><><><><><><><><>

&Auth&referer&utz

&uid

<><><><><><><><&><><><><>

&Auth&referer&utz

<><><><><><><><><><><><>

&referer&browser&flash&msr&uid&pro&stamp

>&<&<&>&<>&<&j..l.VV.T6....j6I..lB....7.....<><<>&<<<

<<

<<<>>>

&r&lg&ntime&repeatip&rtime&cnzz_eid&showp&st&sin&t&rnd

<<<&&&>&&

<<

<<<>>>

&uid

&&&&lq_aid&lq_placeid&lq_placeid<><><><>

&lq_aid&lq_placeid

&uid

&oid&dirtype&sid&site_id&p

&>>&<&<<>&<<>&kg..b.d.....&G.q..>&&&>&

<<

<<<>>>

&>>>>&Dot...>>>>>>>&><&x......<><

<<

<<<>>>

&>>>>&Dot...>>>>>>>&><&x......<><

<<

<<<>>>

&><>&><<<>>>>&m..Z0....GO..<>>&Ve...G..........Bp.H&

<<

<<<>>>

&><><<>&&m..l.S.Q..>><>&>><>>

<<

<<<>>>

<&&<><<<<>>&&

<<

<<<>>>

<><<>>><&>>>&q<><&

<<

<<<>>>

>&>&<&<>&><<&&<

<<

<<<>>>

<&>><>><>&&<&<<>&&&<>>&&>>

<<

<<<>>>

&P......wF.....m.....r..._..U.>&&<&<<>&<>>&&>&<<

<<

<<<>>>

&height&SCUrl&gourl&PID&Auth&Url

&<<>&<&&<<>>&><>

<<

<<<>>>

&cna

&cna

<&<>>>>>&<&<&&>&m.&&<

<<

<<<>>>

&show

&<&&

<<

<<<>>>

<><><><><><><><><>&&><

<<

<<<>>>

&>&<<<><<<<<><><<<<<>&&>

<<

<<<>>>

&r&lg&ntime&repeatip&rtime&cnzz_eid&showp&st&sin&t&rnd

&rnd

&cna

<><<<&&&>><>>

<<

<<<>>>

&sid&ref

<><><><><><><><><><<&C.6.Q.u.....J

<<

<<<>>>

<><><><><><><><><>&&<&<

<<

<<<>>>

&show&t

站长统计&&&n.callRequest&&<><><><><>

&show&t

站长统计&&&n.callRequest&&<><><><><>站长统计&&&n.callRequest

<<

<<<>>>

<&&&><>&<&<<&xK...O.

<<

<<<>>>

<><><><><><><><><><<&C.6.Q.u.....J

<<

<<<>>>

&>>>>&Dot...>>>>>>>&><&x......<><

<<

<<<>>>

&>>>>&Dot...>>>>>>>&><&x......<><

<<

<<<>>>

&><><<>&&m..l.S.Q..>><>&>><>>

<<

<<<>>>

&><<<>><<>>>>&m..Z0....GO..<>>&Ve...G..........Bp.H&

<<

<<<>>>

<&e.fv.......................><&><<><&a.&

<<

<<<>>>

<<<&&<<><<><&&O

<<

<<<>>>

<&e.fv.......................><&><<><&&&

<<

<<<>>>

&idu

>>&z....3.....>>>><><<<&<<<<

<<

<<<>>>

&r&lg&ntime&repeatip&rtime&cnzz_eid&showp&st&sin&t&rnd

>&<&c....B......<<<<

<><<>><<&><<&>&<&>&>&><><&&<<<<

<<

<<<>>>

&<&&><&y.:<<&<<<<&&<&&E.2.U.n.4....<&&><

<<

<<<>>>

<<<>>&<>><<&&<

<<

<<<>>>

&r&lg&ntime&repeatip&rtime&cnzz_eid&showp&st&sin&t&rnd

&oid&dirtype&sid&site_id&p

&

&&

&>>>>&Dot...>>>>>>>&><&x......<><

<<

<<<>>>

&><>&><<<>>>>&m..Z0....GO..<>>&Ve...G..........Bp.H&

<<

<<<>>>

<><><><><><><><><>&&<&<

<<

<<<>>>

<&&>>><<>>><<&<<><<><<>

<<

<<<>>>

<&&>&<<&D....&E...-.z..<

<<

<<<>>>

&cna

&cna

&cna

&<<<

<<

<<<>>>

&rnd

&cna

&rnd

&cna

<&&&><>&<&<<&xK...O.

<<

<<<>>>

&height&SCUrl&gourl&PID&Auth&Url

&<<>&<&&<<>>&><>

<<

<<<>>>

&height&SCUrl&gourl&PID&Auth&Url

&<<>&<&&<<>>&><>

<<

<<<>>>

<>><

>&<&W.>><><&&>&>&><>

<<

<<<>>>

<><><><><><><><><>&&EF.<>

<<

<<<>>>

><<<<>>><<<&<>><&>>

<<

<<<>>>

<><><><><><><><><>&&><

<<

<<<>>>

>>&<><<><&

<<><><><><><><><><>&Adobe.d...............V....P......Z.............................................................................................................................................&>

<<

<<<>>>

<<><><><><><><><><>&Adobe.d...................>

<<

<<<>>>

&&&J.&&R.....<<

<<><><><><><><><><>>><&<&><

<<

<<<>>>

<><><><><><><><><>&&>

<<

<<<>>>

<>&>>>>&&<&>>>&<<<<&g

<<

<<<>>>

<<<>&Q....><<><><>&&>&f..y.

<<

<<<>>>

<><><><><><><><><>&<&

<<

<<<>>>

&oid&game

&oid&dirtype&sid&p

&game&dirtype

&oid&dirtype&sid&site_id&p

&game&dirtype

&oid&dirtype&sid&site_id&p

<&&&&<<&<<&><>&>

<<

<<<>>>

<><><><><><><><><>&&EF.<>

<<

<<<>>>

<><><><><><><><><><><><><><

<<

<<<>>>

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>“”“”<><>“”“”“”“”<><><>&lt

<<

<<<>>>

&r&lg&ntime&repeatip&rtime&cnzz_eid&showp&st&sin&t&rnd

&r&lg&ntime&repeatip&rtime&cnzz_eid&showp&st&sin&t&rnd

&height&SCUrl&gourl&PID&Auth&Url

&<<>&<&&<<>>&><>

<<

<<<>>>

>&>&><>><<<

<<

<<<>>>

&WebID&DomainID&APID&Auth&Url&referer

&>>

&WebID&DomainID&APID&Auth&Url&referer

&>>

&rnd

&cna

&rnd

&cna

<>&>><<><<&>&&n...V..5....A.Wu...W.V...g........a...o...5v.z..:.......8l.k.Z2<

<<

<<<>>>

<><><><><><><><><><<

<<

<<<>>>

<><><><><><><><><><><><><><

<<

<<<>>>

&ntime&cnzz_a&ltime

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>“”“”<><>“”“”“”“”<><><>&lt

<<

<<<>>>

&ntime&cnzz_a&ltime

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>“”“”<><>“”“”“”“”<><><>&lt

<<

<<<>>>

&ntime&cnzz_a&ltime

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>“”“”<><>“”“”“”“”<><><>&lt

<<

<<<>>>

&WebID&DomainID&APID&Auth&Url&referer

&>>

&WebID&DomainID&APID&Auth&Url&referer

&>>

<><><><><><><><><>&&>

<<

<<<>>>

>&>&><>><<<

<<

<<<>>>

<><><><><><><><><>&<&

<<

<<<>>>

&&><<<>>>>>

<<

<<<>>>

<&&>&<<&D....&E...-.z..<

<<

<<<>>>

&<<<

<<

<<<>>>

&&

&show

&<&&

<<

<<<>>>

<&<>>>>>&<&<&&>&m.&&<

<<

<<<>>>

<&<>>>>>&<&<&&>

<<

<<<>>>

<&&&&<<&<<&><>&>

<<

<<<>>>

&r&lg&ntime&repeatip&rtime&cnzz_eid&showp&st&sin&t&rnd

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>

<<

<<<>>>

<<

<<<>>>

<

<<&ZdDd.>&

<&><><&<&>

<<

<<<>>>

&height&SCUrl&gourl

&&<<<><><><><

<<

<<<>>>

<&e..i.v.b.C>&>><><>&&>>><&>

<<

<<<>>>

><<<<>>><<<&<>><&>>

<<

<<<>>>

<><>><&&<&Q..W..........q...P....NU.>>>>&>><>&

<<

<<<>>>

&height&SCUrl&gourl&PID&Auth&Url

&ntime&cnzz_a&ltime

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>“”“”<><>“”“”“”“”<><><>&lt

<<

<<<>>>

&ntime&cnzz_a&ltime

&rnd

&cna

&rnd

&cna

&oid&dirtype&sid&site_id&p

>&T...a&<&<&<&&qpj..9...L.&uU..I.....JH.1......<><<

<<

<<<>>>

&oid&dirtype&sid&p

>&T...a&<&<&<&&qpj..9...L.&uU..I.....JH.1......<><<

<<

<<<>>>

&ntime&cnzz_a&sin&ltime

><&><&<<&>><<<

<<

<<<>>>

&ntime&cnzz_a&sin&ltime

<<>&gv&&&LF6V......L<&&&&&>&za.<<&D..&W......bc..Vobs..S.....2t.....P.............

<<

<<<>>>

&ntime&cnzz_a&sin&ltime

<<<>>>

<<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>"<><><><>><><><><><><><><><><><><><><><><><><><><><><><<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>&<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>Á<><>""<><>>>>><><><><><><><><><><><><><><><><><><><><><<><>"<><><><><<<<><<><><><><><>&<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>""<><><><><><><><><><><><><><>""""<><>""<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>>&<><>Ü<><><><><""""><><><><><><><><<><><<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>&<><>><><><><><><><><><><><><><><><><>"<><><><><><><><><><>&<><><><><><><><>&<><><><><><>&<><><><><><><><><><><><><><><><>&<><><><><><><><>"<><><><><><><><><><><><>>&<><><><><><><><><><><><><><>><><><><><><>&"<><><><><><>><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>"<><>"<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>