Trojan-Downloader.Win32.Genome.haaz (Kaspersky), Dropped:Trojan.Generic.11313659 (AdAware), Trojan.NSIS.StartPage.FD, Trojan.Win32.Alureon.FD, Trojan.Win32.IEDummy.FD, TrojanDropperVtimrun.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan-Downloader, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 4733c34a7ccff4c1b5e3f161e777fcd5
SHA1: 2465d4c9649b20875ecf161e7d78432b0b86e750
SHA256: 0787960a4da1ec23ee8f4cc0340d83493a1a3971f6d7007e6815c789cb4511dd
SSDeep: 24576:62RGmay4PA5NLqDYXyvDB2NeJfGaJYk1UsRNhwcBc4:7GfQNuN7seJ 2Yk/twIr
Size: 1082826 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: r-installer
Created at: 2009-06-07 00:41:59
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-Dropper. A Trojan program intended for the stealth installation of other malware onto the user's system.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan-Dropper creates the following process(es):
BaiduSd.exe:3596
shandian.exe:1588
shandian.exe:476
F30241_s_0523.exe:1072
BaiduSdTray.exe:2920
bddownloader.exe:3304
regsvr32.exe:3556
BaiduSdSvc.exe:2716
BaiduSdSvc.exe:2612
netsh.exe:3540
BDKVWsc.exe:2976
RegSvr32.exe:3024
RegSvr32.exe:3316
BDDownloader.exe:2896
BDDownloader.exe:2700
The Trojan-Dropper injects its code into the following process(es):
emaaif_70690.exe:2652
sdad.exe:1628
%original file name%.exe:464
iexplore.exe:1664
services.exe:764
svchost.exe:1088
File activity
The process shandian.exe:1588 makes changes in the file system.
The Trojan-Dropper deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\~DF6409.tmp (0 bytes)
The process shandian.exe:476 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\20140527160745_754[1].jpg (1826 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\hotdata[1].js (992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\subnav_v41[1].png (634 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@123.sogou[2].txt (1879 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\favicon[1].ico (681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\icon4[1].gif (1 bytes)
%Program Files%\shandian\bin\twcache.ini (696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\20130830161205_609[1].gif (2789 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\v53_2icos[1].gif (2 bytes)
%Program Files%\shandian\bin\ImgCache\123.sogou.com_favicon.ico (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\20130820165531_481[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\v53_123n[2].js (2192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\20140508103513_537[1].gif (4179 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\guide_tip[1].png (1012 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\newioage[1].css (715 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\20140526163043_207[1].jpg (186 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\i8g7XZO1lz1162[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\foot_slider[1].jpg (322 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[2].txt (320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VGX3.tmp (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\ufo2[2].js (11043 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\citydata[1].js (2933 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\ufo2[1].js (12131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\123.sogou[1].htm (19620 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\skin_tips_n1[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\logo_1112293[1].gif (1266 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\fbg_about[1].png (634 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@123.sogou[1].txt (1398 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\welcome_cn[1].htm (1469 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\v53_123n[1].js (3215 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[1].txt (454 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\get_123_v53[1].php (7789 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\cloudy[1].gif (1 bytes)
%Program Files%\shandian\bin\shandian.ini.tmp (244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\start_button[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\_ads_2[1].js (3 bytes)
%Program Files%\shandian\bin\theworld.ac (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\get_tj[1].php (1020 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\v53_bicos[1].gif (826 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\selogo_111207[1].png (1960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\20140528121909_796[1].jpg (186 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\v53_arrow_h[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\new-erweima2[1].png (5570 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\20130531144119_126[1].png (3340 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\20140526170756_638[1].jpg (186 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\skin2_0[1].gif (592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\citydata[2].js (2772 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\cloudy[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\i-ico-2b[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\search_arrow[1].gif (447 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\main[2].js (2328 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\skin3[1].gif (1266 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@wan.sogou[1].txt (193 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\rec[1].do (374 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\selogo_111207[2].png (1858 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\20140526163446_912[1].jpg (1264 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\mE8bXnNioe2802[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\setting_icon[1].gif (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\setskinbg[1].gif (397 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\texture[1].gif (1148 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\new-ico[1].png (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\skin_[1].css (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\guide_tip[1].png (2099 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\titlebg[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\main[1].js (3049 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\DD_belatedPNG_0.0.8a-min[2].js (254 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\_ads_2[2].js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\img-news[1].gif (225 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\guide_top[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\v33_sugg_ajaj_v40_3[2].js (1187 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (9640 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\v33_sugg_ajaj_v40_3[1].js (1352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\selogo_111207[1].png (2331 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\hotdata[1].js (478 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\DD_belatedPNG_0.0.8a-min[1].js (678 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\20140526163242_997[1].jpg (186 bytes)
The Trojan-Dropper deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@123.sogou[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\guide_tip[1].png (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[2].txt (0 bytes)
%Program Files%\shandian\bin\shandian.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130212 (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@123.sogou[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\v53_123n[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\cloudy[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021320130214 (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\_ads_2[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\citydata[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\ufo2[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021520130216\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021520130216 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\guide_tip[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\main[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\hotdata[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021320130214\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\v33_sugg_ajaj_v40_3[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130212\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\DD_belatedPNG_0.0.8a-min[1].js (0 bytes)
The process emaaif_70690.exe:2652 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsl9.tmp\hu.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl9.tmp\BDMReport.dll.bdl (37083 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl9.tmp\g.exe.bdl (658579 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl9.tmp\BDLogicUtils.dll (31856 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (1121 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl9.tmp\System.dll (784 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (200 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl9.tmp\g.exe (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl9.tmp\BDMNet.dll.bdl (39524 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl9.tmp\BDMSkin.dll (36698 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl9.tmp\BDMNetGetInfo.dll (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl9.tmp\BDMDownload.dll (5520 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\Desktop\Global.db (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb8.tmp (128685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl9.tmp\tmppm4bkx.dll (24832 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\Common\Global.db (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl9.tmp\dl.dll (65930 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl9.tmp\res\onlineWnd.zip (14184 bytes)
The Trojan-Dropper deletes the following file(s):
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl9.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (0 bytes)
The process sdad.exe:1628 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\b17[1].jpg (8043 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\Untitled-1[1].gif (4902 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\stat[2].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\style[1].css (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\ico_new2[1].png (11140 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\aaa7[1].jpg (1254 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\aaa9[1].jpg (1798 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\aaa1[1].jpg (6743 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\tj[1].js (279 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[2].txt (166 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\b14[1].jpg (5425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\xinwen[1].htm (881 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\aaa1[1].jpg (7701 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\nvxing_509_366[1].htm (2047 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\b19[1].jpg (1055 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (22456 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\core[1].php (798 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\b18[2].jpg (2436 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\aaa6[1].jpg (6809 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\lieqi_509_366[1].htm (2049 bytes)
%Program Files%\shandian\bin\update\PopWinParam.xml (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\close[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\cpc_ztyw[1].css (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\b19[1].jpg (2237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (324 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\cpc_swf[1].asp (1286 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@70e[1].txt (514 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\xinwen[2].htm (881 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\Untitled-3[1].jpg (2926 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (166 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@70e[2].txt (664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\b14[1].jpg (6863 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\aaa2[2].jpg (7789 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\aaa2[1].jpg (3173 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\b15[1].jpg (4419 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\meinv[1].htm (882 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\nvxing_509_366[1].htm (1591 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\normal_bg[1].png (9772 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\core[1].php (798 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\b17[1].jpg (8728 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\Close[1].gif (348 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\jiankang_509_366[1].htm (2049 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\aaa6[1].jpg (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\jquery-1.7.2.min[1].js (45051 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\stat[2].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\aaa4[1].jpg (14268 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\cpc_img[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\shehui_509_366[1].htm (2049 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@565882[1].txt (139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\aaa10[1].jpg (1518 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\b13[1].jpg (7942 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[2].txt (404 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\stat[1].php (1177 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (607 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.mdtxw[2].txt (696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\aaa7[1].jpg (3892 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\aaa10[1].jpg (1878 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\aaa8[1].jpg (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\b15[1].jpg (7788 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\b16[1].jpg (8744 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\meinv[1].htm (882 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\aaa4[1].jpg (9878 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[2].txt (326 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\Untitled-2[1].gif (1416 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\b18[1].jpg (2118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\cpc_swf[1].asp (1807 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\cpc_img[1].htm (884 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\d[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\jiankang_509_366[1].htm (2049 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\aaa5[1].jpg (14586 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\aaa3[1].jpg (5531 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\aaa8[1].jpg (1878 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\stylemini[1].css (4664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\0[1].gif (17661 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\miniindex[1].htm (4605 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\min[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\shehui_509_366[1].htm (2049 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\aaa3[2].jpg (14482 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\2012_swf[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\aaa9[1].jpg (975 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@zhouliboguju[1].txt (150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\b13[1].jpg (7144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\lieqi_509_366[1].htm (2049 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\jquery-1.7.2.min[1].js (7973 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\aaa5[1].jpg (15401 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\cpv1[1].htm (1117 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\b16[1].jpg (8350 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.mdtxw[1].txt (1017 bytes)
The Trojan-Dropper deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@70e[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\aaa6[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\style[1].css (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\b18[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\cpc_swf[1].asp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\cpc_img[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\b19[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\jiankang_509_366[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\style[1].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\aaa3[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\cpc_swf[1].asp (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@70e[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\b17[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\shehui_509_366[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\aaa9[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\aaa8[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\style[2].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\b13[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\b14[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2TEZGT87\xinwen[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\aaa1[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.mdtxw[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\aaa7[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\aaa4[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\aaa10[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\nvxing_509_366[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\meinv[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\core[1].php (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\aaa2[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\lieqi_509_366[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\aaa5[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.mdtxw[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LMNOLE7\b16[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\b15[1].jpg (0 bytes)
The process %original file name%.exe:464 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):
%Program Files%\shandian\ico\360.ico (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\desktop.ini (67 bytes)
%Program Files%\shandian\bin\shandian.ini (74 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JER6H25\stat[1].htm (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\config0.ini (3 bytes)
%Documents and Settings%\%current user%\Desktop\Internet Explorer.lnk (1 bytes)
%Program Files%\shandian\home.bat (691 bytes)
%Program Files%\shandian\bin\shandian.exe (28332 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\F30241_s_0523.exe (91814 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\Md5dll.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O61T592M\emaaif_70690[1].rar (12288 bytes)
%Program Files%\shandian\ico\ie.ico (700 bytes)
%Documents and Settings%\%current user%\Desktop\脙茠芒鈧