Skip to main content

Trojan.Win32.Delphi_1031f90b56


Gen:Variant.Graftor.121661 (BitDefender), Trojan-Downloader.Win32.Genome.fmxz (Kaspersky), Gen:Variant.Graftor.121661 (B) (Emsisoft), Win32/DH{QSAjJVdO} (AVG), Trojan.Win32.Delphi.FD, Trojan.Win32.Iconomon.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)Behaviour: Trojan-Downloader, Trojan, Worm, EmailWorm, VirTool

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 1031f90b5664fcc57190458a8a418120

SHA1: e9fbf7c5a99fadcd2c68f4397eb8b3536fd3cae0

SHA256: 84d52b3d321e1e9d9d1310165665be666fcb5c3d39a75648e2a5918be4ec3d92

SSDeep: 192:qE0isr1BEd7ADos0VChdgApI6jW bpYHhUlPKgP1oyLwBDt1yIrAQHsoNR:qE03BBEuDos0VwZjq bpT1lwP1xHs

Size: 24576 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: MicrosoftWindowsShortcutfile, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, UPolyXv05_v6, Armadillov171

Company: WinterSoft

Created at: 2013-11-16 11:45:51

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

Behaviour Description
EmailWormWorm can send e-mails.


Process activity

The Trojan creates the following process(es):

643b.exe:2884
wan.exe:1580
kaka13_kaka13.exe:1516
%original file name%.exe:1268
02ef.exe:1972
wangame.exe:1280

The Trojan injects its code into the following process(es):

4da3.exe:2720

File activity

The process 4da3.exe:2720 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\tj2[2].htm (630 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\15972107[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\tj2[3].htm (315 bytes)
%Documents and Settings%\%current user%\Cookies\5V3VK2OH.txt (241 bytes)
%Documents and Settings%\%current user%\Cookies\AFY1AXXA.txt (243 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\tj2[1].htm (315 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\tj2[2].htm (945 bytes)
%WinDir%\Update.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\tj2[1].htm (945 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\tj2[1].htm (1575 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\tj2[2].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\tj2[3].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\AFY1AXXA.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\tj2[2].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\OBT4T7O6.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\tj2[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\15972107[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\tj2[1].htm (0 bytes)

The process wan.exe:1580 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%System%\drivers\operyuae.sys (102 bytes)

The process kaka13_kaka13.exe:1516 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files%\wangame\skin\toolbar_hover.png (2 bytes)
%Program Files%\wangame\skin\ÃÀÅ®Ö÷²¥.png (9 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ÍæÍ汦ºÐ\ÍæÍ汦ºÐ.lnk (1181 bytes)
%Program Files%\wangame\skin\SubWnd.png (703 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp\inetc.dll (20 bytes)
%Program Files%\wangame\webzm.exe (7750 bytes)
%Program Files%\wangame\skin\y.bmp (486 bytes)
%Program Files%\wangame\wan.exe (6700 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ÍæÍ汦ºÐ\жÔØ ÍæÍ汦ºÐ.lnk (499 bytes)
%Program Files%\wangame\ubo.ub (278 bytes)
%Program Files%\wangame\ico.ico (1568 bytes)
%Program Files%\wangame\skin\left.jpg (11 bytes)
%Program Files%\wangame\skin\ÍøÒ³ÓÎÏ·.png (5 bytes)
%Program Files%\wangame\skin\bj.jpg (1 bytes)
%Program Files%\wangame\skin\±³¾°.png (3 bytes)
%Program Files%\wangame\skin\center.jpg (10 bytes)
%Program Files%\wangame\update.exe (6405 bytes)
%Program Files%\wangame\uninst.exe (2718 bytes)
%Documents and Settings%\%current user%\Desktop\ÍæÍ汦ºÐ.lnk (666 bytes)
%Program Files%\wangame\skin\ÐÝÏÐÓÎÏ·.png (6 bytes)
%Program Files%\wangame\wangame.exe (7662 bytes)
%Program Files%\wangame\skin\line.bmp (1 bytes)
%Program Files%\wangame\Config.ini (24 bytes)
%Program Files%\wangame\skin\line1.bmp (1 bytes)
%Program Files%\wangame\skin\z.bmp (1 bytes)
%Program Files%\wangame\skin\line2.bmp (3 bytes)
%Program Files%\wangame\skin\ÓéÀÖ°ËØÔ.png (7 bytes)
%Program Files%\wangame\skin\right.jpg (7 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp\reply.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn1.tmp (0 bytes)
%Program Files%\wangame\VMware Accelerated AMD PCNet Adapter - Packet Scheduler Miniport (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp\System.dll (0 bytes)

The process %original file name%.exe:1268 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4da3.exe (1668 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\02ef.exe (66 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\41ac.exe (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\643b.exe (66 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\tj2[1].htm (400 bytes)
%Documents and Settings%\%current user%\Cookies\2UHU3K0P.txt (81 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\40f8.exe (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\OBT4T7O6.txt (243 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013112420131125\index.dat (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\15972107[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\icon_9[1].gif (893 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\80326_al.exe (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kaka13_kaka13.exe (3691 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013040820130415 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041520130416\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013040820130415\index.dat (0 bytes)
%Documents and Settings%\%current user%\Cookies\2UHU3K0P.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041520130416 (0 bytes)

The process wangame.exe:1280 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\54510[1].jpg (5713 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\54531[1].jpg (4136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\userLevel_v30[1].png (2509 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\mmListIco_v3[1].png (407 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\87102[1].jpg (7721 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\104036[1].jpg (16749 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\83937[1].jpg (15349 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\88243[1].jpg (15033 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\hz_haomm_com[1].htm (16147 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\54627[1].jpg (9641 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\imageshow[1].swf (2900 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\bg[1].jpg (19009 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\51142[1].jpg (24989 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\55017[1].jpg (4688 bytes)
%Program Files%\wangame\ubo.ub (275 bytes)
%Documents and Settings%\%current user%\Cookies\OUZRPSEW.txt (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\83003[1].jpg (23761 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\87927[1].jpg (11264 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\jquery.tmpl.min[1].js (635 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\83994[1].jpg (25329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\images[1].xml (642 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\jquery.tmplPlus.min[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\82995[1].jpg (2876 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\90356[1].jpg (16864 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\setting2[1].txt (275 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\tongji[1].js (7345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\103140[1].jpg (22789 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\88650[1].jpg (27637 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\86490[1].jpg (9181 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\jquery[1].js (51097 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\87604[1].jpg (22249 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\86220[1].jpg (24989 bytes)
%Documents and Settings%\%current user%\Cookies\2ZKSJG3I.txt (95 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\54911[1].jpg (6735 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\55037[1].jpg (8442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\rev_sprite[1].gif (693 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\94877[1].jpg (17149 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\54546[1].jpg (10061 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\hmmBox[1].css (2941 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\pixel[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\107038[1].jpg (28141 bytes)

Registry activity

The process 643b.exe:2884 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 45 2A EE 97 30 63 CA 15 C4 47 94 52 E2 99 2B"

The process 4da3.exe:2720 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 2A 0A 28 94 CF 5B 61 64 6C CC B3 DE 24 2F 15"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"shell" = "Explorer.exe %WinDir%\\Update.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Internet Explorer\Main\WindowsSearch]
"Version" = "WS not installed"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 45 00 00 00 01 00 00 00 00 00 00 00"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iedop.exe" = "%WinDir%\\Update.exe"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process wan.exe:1580 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 E1 67 72 F4 D6 38 88 C4 A4 45 E3 E8 01 18 97"

The process kaka13_kaka13.exe:1516 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÍæÍ汦ºÐ]
"Publisher" = "ÍæÍ汦ºÐ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÍæÍ汦ºÐ]
"DisplayIcon" = "%Program Files%\wangame\wangame.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\wangame.exe]
"(Default)" = "%Program Files%\wangame\wangame.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÍæÍ汦ºÐ]
"DisplayName" = "ÍæÍ汦ºÐ"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÍæÍ汦ºÐ]
"UninstallString" = "%Program Files%\wangame\ÍæÍ汦ºÐ\uninst.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÍæÍ汦ºÐ]
"DisplayVersion" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 30 DA 4E 9A 27 04 3D 77 1F 5E 33 E5 2B B5 05"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wangame" = "%Program Files%\wangame\webzm.exe"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1268 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Internet Explorer\Main\WindowsSearch]
"Version" = "WS not installed"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013112420131125]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012013112420131125"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013112420131125]
"CachePrefix" = ":2013112420131125:"
"CacheRepair" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013112420131125]
"CacheLimit" = "8192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 D1 78 A6 7F CE 4C 0C 86 AE B2 32 EF BD CA A8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013112420131125]
"CacheOptions" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013041520130416]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013040820130415]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process 02ef.exe:1972 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 C5 37 F0 B3 6E 3B 76 E1 50 A8 B1 9D F5 93 B5"

The process wangame.exe:1280 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 A1 DE B2 6A DA 3A 82 B9 7B 4E 85 DC A2 CC 2E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
"VerCache" = "00 0D CA DA A6 B1 C6 01 00 0D CA DA A6 B1 C6 01"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 43 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1380985189"
"Name" = "wangame.exe"

[HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication]
"Name" = "wangame.exe"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Network activity (URLs)

URL IP
hxxp://js.users.51.la/15972107.js117.21.191.223
hxxp://icon.ajiang.net/icon_9.gif125.46.49.200
hxxp://count.9511.com/tongjiGateway.php?id=B0-67-1D-D6-8F-6E&tgid=kaka13&khd=kaka13&ver=4.0122.226.223.36
hxxp://count.9511.com/tongjiGateway.php?id=00-0C-29-3B-DF-2F&tgid=kaka13&khd=kaka13&ver=4.0
hxxp://ncloud.sfppp.com/down/setup.xml121.12.123.75
hxxp://count.9511.com/setting2.txt
hxxp://hz.haomm.com/61.130.146.103
hxxp://www.rybao.com/myfile/2227921967/Pack/taobaoshua1.jpg117.21.160.10
hxxp://hz.haomm.com/js/jquery.js
hxxp://www.rybao.com/myfile/2227921967/Pack/779.jpg
hxxp://www.rybao.com/myfile/2227921967/Pack/qqq.jpg
hxxp://163.xdwscache.glb0.lxdns.com/ziMyJqmPVbX4Wce6znYgzw==/6597712980960620449.jpg
hxxp://hz.haomm.com/js/jquery.tmpl.min.js
hxxp://hz.haomm.com/js/jquery.tmplPlus.min.js
hxxp://hz.haomm.com/hmmBox/hmmBox.css
hxxp://hz.haomm.com/images/bg.jpg
hxxp://hz.haomm.com/imageshow.swf
hxxp://count37.51yes.com/sa.htm?id=372356607&refe=&location=test&color=32x&resolution=1024*768&returning=0&language=zh-cn&ua=drivers61.147.67.212
hxxp://ncloud.sfppp.com/rujia520/setup1.xml
hxxp://taurus.danuoyi.tbcache.com/3296853/tongji.js
hxxp://www.rybao.com/myfile/2227921967/Pack/c03-1.jpg
hxxp://hz.haomm.com/images/rev_sprite.gif
hxxp://hz.haomm.com/xml/images.xml
hxxp://hz.haomm.com/images/mmListIco_v3.png
hxxp://dt.tongji.linezing.com/tongji.do?unit_id=3296853&uv_id=2339120901613402543&uv_new=1&cna=&cg=&mid=&mmland=&ade=&adtm=&sttm=&cpa=&ss_id=1388213249&ss_no=0&ec=1&ref=&url=http://hz.haomm.com/&title=%u597D%u7F8E%u7709%u76D2%u5B50&charset=utf-8&domain=haomm.com&hashval=895&filtered=0&app=Microsoft Internet Explorer&agent=Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)&color=32-bit&screen=1176x885&lg=en-us&je=1&fv=6.0&st=1385328088&vc=dda3f635&ut=0&url_id=0&cnu=0.5129425905390432110.75.80.118
hxxp://hz.haomm.com/images/userLevel_v30.png
hxxp://cc00087.f.cncssr.chinacache.net/imges/pixel.gif
hxxp://haomm.com/img/room/avatar/87604.jpg121.12.175.254
hxxp://haomm.com/img/room/avatar/104036.jpg
hxxp://23.106.214.24/tj2/
hxxp://haomm.com/img/room/avatar/88243.jpg
hxxp://haomm.com/img/room/avatar/88650.jpg
hxxp://haomm.com/img/room/avatar/54531.jpg
hxxp://haomm.com/img/room/avatar/87927.jpg
hxxp://haomm.com/img/room/avatar/83003.jpg
hxxp://haomm.com/img/room/avatar/94877.jpg
hxxp://haomm.com/img/room/avatar/82995.jpg
hxxp://haomm.com/img/room/avatar/83994.jpg
hxxp://haomm.com/img/room/avatar/55017.jpg
hxxp://haomm.com/img/room/avatar/90356.jpg
hxxp://haomm.com/img/room/avatar/86490.jpg
hxxp://haomm.com/img/room/avatar/54546.jpg
hxxp://a.16cy.cn/a.php183.61.138.64
hxxp://haomm.com/img/room/avatar/51142.jpg
hxxp://haomm.com/img/room/avatar/55037.jpg
hxxp://haomm.com/img/room/avatar/86220.jpg
hxxp://haomm.com/img/room/avatar/107038.jpg
hxxp://a.16cy.cn/c.php?b=Opera.exe
hxxp://haomm.com/img/room/avatar/103140.jpg
hxxp://haomm.com/img/room/avatar/87102.jpg
hxxp://haomm.com/img/room/avatar/54627.jpg
hxxp://haomm.com/img/room/avatar/83937.jpg
hxxp://haomm.com/img/room/avatar/54510.jpg
hxxp://haomm.com/img/room/avatar/54911.jpg
hxxp://a.16cy.cn/count.php?u=c03_643b&n=CSEKFZGWCFDNGUGHBUEJGEFYCGEMFZGJCS&r=Opera.exe&m=CSEKFZGWCFDNGUGHBUEJGEFYCGEMFZGJCS&a=c03&t=3&v=1
hxxp://www.rybao.com/myfile/2227921967/Pack/80326_al.jpg
hxxp://a.16cy.cn/count.php?u=c03_02ef&n=CDDUFZGECODNGCGEBUDTGXFYCAEHFZGFCT&r=Opera.exe&m=CDDUFZGECODNGCGEBUDTGXFYCAEHFZGFCT&a=c03&t=3&v=1
hxxp://ncloud.sfppp.com/rujia520/cloud1.jpg
hxxp://count37.51yes.com/sa.htm?id=372808883&refe=&location=test&color=32x&resolution=1024*768&returning=0&language=zh-cn&ua=drivers
vr0.6.cn218.59.215.194
www.haomm.com121.12.175.254
cloud.rujia520.com121.12.123.75
www.baidu.com180.76.3.151
web1.51.la222.187.223.75
js.tongji.linezing.com195.27.31.250
img1.ph.126.net113.107.76.19


HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    643b.exe:2884
    wan.exe:1580
    kaka13_kaka13.exe:1516
    %original file name%.exe:1268
    02ef.exe:1972
    wangame.exe:1280

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\tj2[2].htm (630 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\15972107[1].js (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\tj2[3].htm (315 bytes)
    %Documents and Settings%\%current user%\Cookies\5V3VK2OH.txt (241 bytes)
    %Documents and Settings%\%current user%\Cookies\AFY1AXXA.txt (243 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\tj2[1].htm (315 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\tj2[2].htm (945 bytes)
    %WinDir%\Update.exe (2105 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\tj2[1].htm (945 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\tj2[1].htm (1575 bytes)
    %System%\drivers\operyuae.sys (102 bytes)
    %Program Files%\wangame\skin\toolbar_hover.png (2 bytes)
    %Program Files%\wangame\skin\ÃÀÅ®Ö÷²¥.png (9 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\ÍæÍ汦ºÐ\ÍæÍ汦ºÐ.lnk (1181 bytes)
    %Program Files%\wangame\skin\SubWnd.png (703 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp\inetc.dll (20 bytes)
    %Program Files%\wangame\webzm.exe (7750 bytes)
    %Program Files%\wangame\skin\y.bmp (486 bytes)
    %Program Files%\wangame\wan.exe (6700 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\ÍæÍ汦ºÐ\жÔØ ÍæÍ汦ºÐ.lnk (499 bytes)
    %Program Files%\wangame\ubo.ub (278 bytes)
    %Program Files%\wangame\ico.ico (1568 bytes)
    %Program Files%\wangame\skin\left.jpg (11 bytes)
    %Program Files%\wangame\skin\ÍøÒ³ÓÎÏ·.png (5 bytes)
    %Program Files%\wangame\skin\bj.jpg (1 bytes)
    %Program Files%\wangame\skin\±³¾°.png (3 bytes)
    %Program Files%\wangame\skin\center.jpg (10 bytes)
    %Program Files%\wangame\update.exe (6405 bytes)
    %Program Files%\wangame\uninst.exe (2718 bytes)
    %Documents and Settings%\%current user%\Desktop\ÍæÍ汦ºÐ.lnk (666 bytes)
    %Program Files%\wangame\skin\ÐÝÏÐÓÎÏ·.png (6 bytes)
    %Program Files%\wangame\wangame.exe (7662 bytes)
    %Program Files%\wangame\skin\line.bmp (1 bytes)
    %Program Files%\wangame\Config.ini (24 bytes)
    %Program Files%\wangame\skin\line1.bmp (1 bytes)
    %Program Files%\wangame\skin\z.bmp (1 bytes)
    %Program Files%\wangame\skin\line2.bmp (3 bytes)
    %Program Files%\wangame\skin\ÓéÀÖ°ËØÔ.png (7 bytes)
    %Program Files%\wangame\skin\right.jpg (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\4da3.exe (1668 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\02ef.exe (66 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\41ac.exe (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\643b.exe (66 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\tj2[1].htm (400 bytes)
    %Documents and Settings%\%current user%\Cookies\2UHU3K0P.txt (81 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\40f8.exe (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\OBT4T7O6.txt (243 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013112420131125\index.dat (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\15972107[1].js (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\icon_9[1].gif (893 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\80326_al.exe (5442 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\kaka13_kaka13.exe (3691 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\54510[1].jpg (5713 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\54531[1].jpg (4136 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\userLevel_v30[1].png (2509 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\mmListIco_v3[1].png (407 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\87102[1].jpg (7721 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\104036[1].jpg (16749 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\83937[1].jpg (15349 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\88243[1].jpg (15033 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\hz_haomm_com[1].htm (16147 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\54627[1].jpg (9641 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\imageshow[1].swf (2900 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\bg[1].jpg (19009 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\51142[1].jpg (24989 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\55017[1].jpg (4688 bytes)
    %Documents and Settings%\%current user%\Cookies\OUZRPSEW.txt (94 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\83003[1].jpg (23761 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\87927[1].jpg (11264 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\jquery.tmpl.min[1].js (635 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\83994[1].jpg (25329 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\images[1].xml (642 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\jquery.tmplPlus.min[1].js (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\82995[1].jpg (2876 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\90356[1].jpg (16864 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\setting2[1].txt (275 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\tongji[1].js (7345 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\103140[1].jpg (22789 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\88650[1].jpg (27637 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\86490[1].jpg (9181 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\jquery[1].js (51097 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\87604[1].jpg (22249 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\86220[1].jpg (24989 bytes)
    %Documents and Settings%\%current user%\Cookies\2ZKSJG3I.txt (95 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\54911[1].jpg (6735 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\55037[1].jpg (8442 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\rev_sprite[1].gif (693 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\94877[1].jpg (17149 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\54546[1].jpg (10061 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\hmmBox[1].css (2941 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\pixel[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\107038[1].jpg (28141 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "iedop.exe" = "%WinDir%\\Update.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "wangame" = "%Program Files%\wangame\webzm.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

Network Activity

Map

Strings from Dumps