Skip to main content

Trojan.Win32.FlyStudio_85bb67b4c7


HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!SB.0 (VIPRE), Trojan.Win32.Hider!IK (Emsisoft), Backdoor.Win32.Farfli.FD, Installer.Win32.InnoSetup.2.FD, Trojan-PSW.Win32.MSNPassword.FD, Trojan.NSIS.StartPage.FD, Trojan.Win32.FlyStudio.FD, Trojan.Win32.Swrort.3.FD, TrojanFlyStudio.YR (Lavasoft MAS)Behaviour: Trojan-PSW, Trojan, Backdoor, Installer

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 85bb67b4c761bd0622df20a6452d9fab

SHA1: f7f28afcf66d3baa11af6f15c9e57849bf840842

SHA256: 4cfa2e5a3eb189a363fd486dfae97780eb864c6392c3d74b3b96ecf13ceb5dd6

SSDeep: 98304:c1BcXBBTyoxepTn5k/9YwIc I38 ojhd7O2QynrJmzwYD7ldSn:xwT5k/9h uY/7WcgddSn

Size: 4694016 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6

Company: no certificate found

Created at: 2013-11-02 13:48:15

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

Ghost3.exe:304
tcp32.exe:588
3.exe:196
statistics.exe:576
zhainan.exe:452
BeeWeather.exe:1284
BeeWeather.exe:1648
BeeWeather.exe:588
BeeWeather.exe:128
BeeWeather.exe:296
BeeWeather.exe:224
BeeWeather.exe:1368
%original file name%.exe:1148
Х¬ДРУ°Тф_91_5869_.exe:512
Х¬ДРУ°Тф_91_5869_.tmp:1516
kbsetup_dubo_65606.exe:1592

File activity

The process Ghost3.exe:304 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\kbsetup_dubo_65606.exe (2719557 bytes)

The process tcp32.exe:588 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\2228500.dll (134656 bytes)
C:\NT_Path.jpg (27 bytes)

The process 3.exe:196 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\weigei.exe (18944 bytes)

The process statistics.exe:576 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files%\TianXingTV\config.dat (1726 bytes)

The process zhainan.exe:452 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Х¬ДРУ°Тф_91_5869_.exe (2265336 bytes)

The process %original file name%.exe:1148 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\3.exe (18944 bytes)
C:\Ghost3.exe (3817472 bytes)
C:\zhainan.exe (3358720 bytes)
%System%\drivers\etc\hosts (311 bytes)
C:\tcp32.exe (141824 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013110920131110\index.dat (32768 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041220130413 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041220130413\index.dat (0 bytes)

The process Х¬ДРУ°Тф_91_5869_.exe:512 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-I6RDE.tmp\Х¬ДРУ°Тф_91_5869_.tmp (1298712 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-I6RDE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-I6RDE.tmp\Х¬ДРУ°Тф_91_5869_.tmp (0 bytes)

The process Х¬ДРУ°Тф_91_5869_.tmp:1516 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files%\BeeWeather13110900\Images\small\is-7U17S.tmp (7262 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\UpdateIcon.dll (33280 bytes)
%Program Files%\BeeWeather13110900\unins000.dat (37183 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\_isetup\_iscrypt.dll (2560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\WaterLib.dll (492032 bytes)
%Documents and Settings%\All Users\Главное меню\Программы\BeeWeather\BeeWeather.lnk (678 bytes)
%Documents and Settings%\All Users\Главное меню\Программы\BeeWeather\4472ѕшЙ«µзУ°Нш.url (45 bytes)
%Documents and Settings%\All Users\Главное меню\Программы\BeeWeather\BeeWeather НшХѕ.url (47 bytes)
%Program Files%\BeeWeather13110900\is-NH8BO.tmp (559896 bytes)
%Documents and Settings%\%current user%\Application Data (8192 bytes)
%Program Files%\BeeWeather13110900\is-BJVLD.tmp (766468 bytes)
%Documents and Settings%\All Users\Главное меню\Программы\BeeWeather\ЕдЦГ\Р¶ФШ BeeWeather.lnk (674 bytes)
%Documents and Settings%\%current user%\Application Data\Sogou.ico (38022 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-I6RDE.tmp\Х¬ДРУ°Тф_91_5869_.tmp (774424 bytes)
%Documents and Settings%\All Users\Рабочий стол\BeeWeather.lnk (666 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\_isetup\_RegDLL.tmp (4096 bytes)
%Documents and Settings%\%current user%\Application Data\ѕшЙ«µзУ°.ico (38022 bytes)
%Documents and Settings%\%current user%\Рабочий стол\ѕшЙ«µзУ°.lnk (1102 bytes)
%Program Files%\BeeWeather13110900 (4096 bytes)
%Program Files%\BeeWeather13110900\Images\future\is-4NALB.tmp (6027 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\License.txt (2543 bytes)
%Program Files%\BeeWeather13110900\Images\large\is-TQFUS.tmp (18745 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\Unis.ico (18718 bytes)
%Program Files%\BeeWeather13110900\is-8M6BF.tmp (559896 bytes)
%Program Files%\BeeWeather13110900\unins000.msg (6975 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-I6RDE.tmp\RCX86.tmp (851039 bytes)
%Program Files%\BeeWeather13110900\is-AIOC8.tmp (492032 bytes)
%Documents and Settings%\%current user%\Рабочий стол\Internet Sogou.lnk (1072 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\_isetup\_shfoldr.dll (23312 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-I6RDE.tmp\Х¬ДРУ°Тф_91_5869_.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\_isetup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\Unis.ico (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\_isetup\_RegDLL.tmp (0 bytes)
%Program Files%\BeeWeather13110900\BeeWeather.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\_isetup\_iscrypt.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\UpdateIcon.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\License.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\WaterLib.dll (0 bytes)

The process kbsetup_dubo_65606.exe:1592 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files%\TianXingTV\Skin\default\normal_btn.PNG (939 bytes)
%Program Files%\TianXingTV\Skin\default\DownLoadWnd.png (4917 bytes)
%Program Files%\TianXingTV\Data\SystemSetting.ini (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\yt.bmp (206680 bytes)
%Program Files%\TianXingTV\Skin\default\BT_CLOSE1 (2).PNG (2825 bytes)
%Program Files%\TianXingTV\Skin\default\150.bmp (8486 bytes)
%Program Files%\TianXingTV\tb.ico (84030 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\NsDialogs.dll (9728 bytes)
%Program Files%\TianXingTV\Skin\default\BT4.png (15646 bytes)
%Program Files%\TianXingTV\TXPlayer.exe (282624 bytes)
%Program Files%\TianXingTV\TXPlayData.dll (135168 bytes)
%Program Files%\TianXingTV\Skin\default\big_tip_logo.png (63869 bytes)
%Program Files%\TianXingTV\Skin\default\page_forward_btn.png (1978 bytes)
%Program Files%\TianXingTV\Skin\default\BT8.png (15475 bytes)
%Program Files%\TianXingTV\Skin\default\progress.png (3332 bytes)
%Program Files%\TianXingTV\krnln.fnr (1138688 bytes)
%Program Files%\TianXingTV\Skin\default\hmin.png (3035 bytes)
%Program Files%\TianXingTV\Skin\default\SettingWnd2.png (3320 bytes)
%Program Files%\TianXingTV\Unins.exe (149840 bytes)
%Program Files%\TianXingTV\Skin\default\subwnd_close_btn.PNG (2255 bytes)
%Program Files%\TianXingTV\Skin\default\BT_MIN1.png (3620 bytes)
%Documents and Settings%\%current user%\Мои документы\dh.ico (82151 bytes)
%Program Files%\TianXingTV\eAPI.fne (344064 bytes)
%Program Files%\TianXingTV\Skin\default\box_logo.png (14365 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\NSISdl.dll (14848 bytes)
%Program Files%\TianXingTV\Skin\default\BT3.png (15428 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc84.tmp (5586052 bytes)
%Program Files%\TianXingTV\Skin\default\down_finish.png (3114 bytes)
%Program Files%\TianXingTV\Skin\default\white_bkg.png (116 bytes)
%Program Files%\TianXingTV\kb.ini (707 bytes)
%Program Files%\TianXingTV\Skin\default\Setup.png (3480 bytes)
%Documents and Settings%\%current user%\Рабочий стол\МФ±¦ИИВф.lnk (1260 bytes)
%Program Files%\TianXingTV\Skin\default\system.button.menu.png (3807 bytes)
%Program Files%\TianXingTV\Skin\default\player_mode_btn.PNG (902 bytes)
%Program Files%\TianXingTV\Skin\default\Exit.png (3382 bytes)
%Program Files%\TianXingTV\Skin\default\down_recycle.png (3170 bytes)
%Program Files%\TianXingTV\config.dat (585 bytes)
%Program Files%\TianXingTV\Skin\default\BT7.png (14173 bytes)
%Program Files%\TianXingTV\Skin\default\BT6.png (14566 bytes)
%Documents and Settings%\%current user%\Главное меню\Программы\МмРРУ°Тф\Р¶ФШМмРРУ°Тф.lnk (515 bytes)
%Program Files%\TianXingTV\Skin\default\SettingWnd.png (1374 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\blk.bmp (570864 bytes)
%Program Files%\TianXingTV\Skin\default\shortcut_btn.PNG (2442 bytes)
%Program Files%\TianXingTV\Skin\default\BT1.png (15041 bytes)
%Program Files%\TianXingTV\Skin\default\mainwndbkg.png (50704 bytes)
%Program Files%\TianXingTV\Skin\default\BT2.png (13456 bytes)
%Program Files%\TianXingTV\TianXingTV.exe (282624 bytes)
%Program Files%\TianXingTV\Skin\default\SettingWnd1.png (4253 bytes)
%Program Files%\TianXingTV\Skin\default\down_manager_btn.png (1471 bytes)
%Documents and Settings%\%current user%\Рабочий стол\Hao123.lnk (1144 bytes)
%Program Files%\TianXingTV\com.run (282624 bytes)
%Program Files%\TianXingTV\Skin\default\download_category1.PNG (2991 bytes)
%Program Files%\TianXingTV\Skin\default\bottom.png (2984 bytes)
%Program Files%\TianXingTV\Skin\default\folder.png (3569 bytes)
%Program Files%\TianXingTV\Skin\default\BT0.png (13527 bytes)
%Program Files%\TianXingTV\Skin\default\download_category.PNG (3082 bytes)
%Program Files%\TianXingTV\Skin\default\MENU.png (3492 bytes)
%Program Files%\TianXingTV\shell.fne (77824 bytes)
%Program Files%\TianXingTV\Skin\default\edit.png (3040 bytes)
%Program Files%\TianXingTV\Skin\default\BT_CLOSE.png (4418 bytes)
%Program Files%\TianXingTV\Skin\default\BT5.png (13619 bytes)
%Program Files%\TianXingTV\Skin\default\topshow_btn.PNG (2603 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\modern-wizard.bmp (206680 bytes)
%Program Files%\TianXingTV\Skin\default\record_btn.PNG (5905 bytes)
%Program Files%\TianXingTV\Skin\default\arrow.png (2954 bytes)
%Program Files%\TianXingTV\dp1.fne (147456 bytes)
%Program Files%\TianXingTV\Skin\default\playClose.png (3160 bytes)
%Program Files%\TianXingTV\Skin\default\Down.png (2952 bytes)
%Program Files%\TianXingTV\Skin\default\Setting_Browse_Btn.png (1032 bytes)
%Program Files%\TianXingTV\Skin\default\toolbar_item.png (7349 bytes)
%Program Files%\TianXingTV\statistics.exe (48128 bytes)
%Program Files%\TianXingTV\Skin\default\BT_MIN.PNG (2128 bytes)
%Documents and Settings%\%current user%\Главное меню\Программы\МмРРУ°Тф\МмРРУ°Тф.lnk (622 bytes)
%Program Files%\TianXingTV\Skin\default\page_back_btn.png (1942 bytes)
%Program Files%\TianXingTV\Skin\default\playmode_html.png (3180 bytes)
%Program Files%\TianXingTV\Skin\default\BT_MAX.PNG (3530 bytes)
%Program Files%\TianXingTV\Skin\default\topshow2_btn.PNG (2587 bytes)
%Documents and Settings%\%current user%\Рабочий стол\МмРРУ°Тф.lnk (610 bytes)
%Program Files%\TianXingTV\Skin\default\BT9.png (13308 bytes)
%Program Files%\TianXingTV\Data\Histroy.xml (114 bytes)
%Program Files%\TianXingTV\Skin\default\CHECK_BOX.png (3860 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\System.dll (11264 bytes)
%Program Files%\TianXingTV\Skin\default\BT_MAX1.png (3929 bytes)
%Program Files%\TianXingTV\Skin\default\playmode_min.png (2964 bytes)
%Program Files%\TianXingTV\Skin\default\about_logo.png (24678 bytes)
%Documents and Settings%\%current user%\Мои документы\tb.ico (67646 bytes)
%Program Files%\TianXingTV\Skin\default\bk.bmp (1136440 bytes)
%Program Files%\TianXingTV\Skin\default\MainWnd.png (78508 bytes)
%Program Files%\TianXingTV\Skin\default\SubWnd.png (3074 bytes)
%Program Files%\TianXingTV\dh.ico (98535 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsx83.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\GuaGua5.1.5Setup_09121643_6068.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\IFoxInstall-y-c204421885-nsi-s-run-x.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\blk.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\yt.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\NsDialogs.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\Setup_37wanWd.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\WanDouJiaSetup_daocaoren2_kb.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\modern-wizard.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\setup_qjr_30923.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\NSISdl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\360Inst_tianxing.exe (0 bytes)

Registry activity

The process Ghost3.exe:304 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 A4 2A D8 3F 2B 9D 06 1B DC 91 E1 38 12 65 8A"

The process tcp32.exe:588 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 28 9A A7 D6 6E A9 EF 98 A3 27 8E 24 7E 89 71"

[HKLM\System\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ip]
"DLLPath" = "C:\2228500.dll"

The process 3.exe:196 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 06 0A 7E EC 31 52 82 1E 87 EB 10 91 C0 70 67"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Рабочий стол"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Рабочий стол"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Мои документы"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process statistics.exe:576 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 32 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 78 12 85 70 C8 A1 90 4E B7 55 40 A8 E7 21 4E"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process zhainan.exe:452 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 70 F2 7F 11 15 9C 2B 48 24 5A 9D 2B 04 6F CF"

The process BeeWeather.exe:1284 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 5F E5 90 02 8D 72 8C 0B 31 1A 6D F2 D1 62 5A"

The process BeeWeather.exe:1648 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E 1D 59 E1 8C 9E A2 66 31 2F 7B 60 20 52 8E 1D"

The process BeeWeather.exe:588 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 91 FC 70 11 28 53 59 D7 06 39 42 25 2E 48 D5"

The process BeeWeather.exe:128 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 CB EF FA BE 6B AE 2E B1 4E 19 E6 D0 70 74 E2"

The process BeeWeather.exe:296 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 B3 96 8D B6 A1 A3 2F 27 FE C8 4A 34 B9 8A 05"

The process BeeWeather.exe:224 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 03 A7 4A 7B BD F3 A3 96 C8 F7 0D 62 49 7F 2C"

The process BeeWeather.exe:1368 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 7D 3B 4C BA 5C FA 01 FF 2B 78 83 66 75 07 26"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 33 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1148 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewContextMenu" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013110920131110]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012013110920131110\"
"CacheOptions" = "11"

"CachePrefix" = ":2013110920131110:"
"CacheRepair" = "0"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoControlPanel" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 31 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF A5 34 B2 62 82 9E 5B B9 36 A4 D7 96 9E AA 42"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.duba.com/?un_4_374118"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013110920131110]
"CacheLimit" = "8192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZDYY" = "C:\Ghost3.exe"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013041220130413]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process Х¬ДРУ°Тф_91_5869_.exe:512 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 90 E0 16 4C 92 60 0B 61 11 8A 92 E4 EC 4F 29"

The process Х¬ДРУ°Тф_91_5869_.tmp:1516 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BeeWeather_is1]
"Inno Setup: User" = "%CurrentUserName%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Главное меню\Программы"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BeeWeather_is1]
"HelpLink" = "http://ppw.43994.com/"
"UninstallString" = "%Program Files%\BeeWeather13110900\unins000.exe"
"NoModify" = "1"
"QuietUninstallString" = "%Program Files%\BeeWeather13110900\unins000.exe /SILENT"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BeeWeather_is1]
"NoRepair" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Главное меню"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Мои документы"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BeeWeather_is1]
"InstallLocation" = "%Program Files%\BeeWeather13110900\"
"Publisher" = "ЙПИДКР»ЄУОїЖјјУРПЮ№«Лѕ"
"Inno Setup: Selected Tasks" = "appdesktopicon"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"CommonMusic" = "%Documents and Settings%\All Users\Документы\Моя музыка"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Рабочий стол"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BeeWeather_is1]
"Inno Setup: Icon Group" = "BeeWeather"
"Inno Setup: App Path" = "%Program Files%\BeeWeather13110900"
"DisplayVersion" = "1.5.0.183"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\Мои документы\Мои рисунки"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BeeWeather_is1]
"MajorVersion" = "1"
"Inno Setup: Setup Version" = "5.5.1.e2 (a)"

"URLUpdateInfo" = "http://ppw.43994.com/"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Главное меню"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BeeWeather_is1]
"MinorVersion" = "5"
"DisplayIcon" = "%Program Files%\BeeWeather13110900\unins000.exe"
"DisplayName" = "BeeWeather"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Документы\Мои видеозаписи"
"CommonPictures" = "%Documents and Settings%\All Users\Документы\Мои рисунки"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 35 24 CF A6 36 B0 04 9D AE 73 75 EF 95 A5 E6"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Главное меню\Программы"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://hao.budexing.com/"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Рабочий стол"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BeeWeather_is1]
"Inno Setup: Language" = "chinesesimp"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\is-I6RDE.tmp\Х¬ДРУ°Тф_91_5869_.tmp.tmp,"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BeeWeather_is1]
"Inno Setup: Deselected Tasks" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BeeWeather_is1]
"InstallDate" = "20131109"
"UninstallDataFile" = "%Program Files%\BeeWeather13110900\unins000.dat"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BeeWeather_is1]
"URLInfoAbout" = "http://ppw.43994.com/"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BeeWeather" = "%Program Files%\BeeWeather13110900\BeeWeather.exe -system"

The process kbsetup_dubo_65606.exe:1592 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\TianXingTV]
"Service_Releation" = "1"
"InstallName" = "kbsetup_dubo_65606.exe"
"InstallPath" = "%Program Files%\TianXingTV"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Главное меню"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Мои документы"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\МмРРУ°Тф]
"DisplayName" = "МмРРУ°Тф V3.10.11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\TianXingTV]
"Service_Update" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Документы\Моя музыка"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Рабочий стол"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\МмРРУ°Тф]
"URLInfoAbout" = "http://www.tianxingkj.com"
"Publisher" = "ФжЧЇКРМмРРРЕПўјјКхУРПЮ№«Лѕ"
"UninstallString" = "%Program Files%\TianXingTV\Unins.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\Мои документы\Мои рисунки"
"Start Menu" = "%Documents and Settings%\%current user%\Главное меню"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Документы\Мои видеозаписи"
"CommonPictures" = "%Documents and Settings%\All Users\Документы\Мои рисунки"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 22 93 9A E4 32 7F B0 BB F9 AE 46 5B DC 21 98"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Рабочий стол"
"Programs" = "%Documents and Settings%\%current user%\Главное меню\Программы"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\МмРРУ°Тф]
"DisplayVersion" = "V3.10.11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"

Network activity (URLs)

URL IP
spx.tianqi.com
www.halou114.com
ppw.43994.com
img.users.51.la
cdn.866dy.com
xy.mgzm520.com
union.267dh.com
www.vip5866.net
beikecount.43994.com


HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 311 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1www.kelepan.com
127.0.0.1www.789pan.com
127.0.0.1www.supan.la
127.0.0.1www.cfwudao.cc
127.0.0.1www.75ts.com
127.0.0.1www.cfmimang.com
127.0.0.1www.cfbingpo.com
127.0.0.1www.cfyuandun.com
127.0.0.1www.lepan.cn
127.0.0.1www.9ap.cc
127.0.0.1www.qidianwp.com


Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    Ghost3.exe:304
    tcp32.exe:588
    3.exe:196
    statistics.exe:576
    zhainan.exe:452
    BeeWeather.exe:1284
    BeeWeather.exe:1648
    BeeWeather.exe:588
    BeeWeather.exe:128
    BeeWeather.exe:296
    BeeWeather.exe:224
    BeeWeather.exe:1368
    %original file name%.exe:1148
    Х¬ДРУ°Тф_91_5869_.exe:512
    Х¬ДРУ°Тф_91_5869_.tmp:1516
    kbsetup_dubo_65606.exe:1592

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\kbsetup_dubo_65606.exe (2719557 bytes)
    C:\2228500.dll (134656 bytes)
    C:\NT_Path.jpg (27 bytes)
    %WinDir%\weigei.exe (18944 bytes)
    %Program Files%\TianXingTV\config.dat (1726 bytes)
    C:\Х¬ДРУ°Тф_91_5869_.exe (2265336 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    C:\3.exe (18944 bytes)
    C:\Ghost3.exe (3817472 bytes)
    C:\zhainan.exe (3358720 bytes)
    %System%\drivers\etc\hosts (311 bytes)
    C:\tcp32.exe (141824 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013110920131110\index.dat (32768 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-I6RDE.tmp\Х¬ДРУ°Тф_91_5869_.tmp (1298712 bytes)
    %Program Files%\BeeWeather13110900\Images\small\is-7U17S.tmp (7262 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\UpdateIcon.dll (33280 bytes)
    %Program Files%\BeeWeather13110900\unins000.dat (37183 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\_isetup\_iscrypt.dll (2560 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\WaterLib.dll (492032 bytes)
    %Documents and Settings%\All Users\Главное меню\Программы\BeeWeather\BeeWeather.lnk (678 bytes)
    %Documents and Settings%\All Users\Главное меню\Программы\BeeWeather\4472ѕшЙ«µзУ°Нш.url (45 bytes)
    %Documents and Settings%\All Users\Главное меню\Программы\BeeWeather\BeeWeather НшХѕ.url (47 bytes)
    %Program Files%\BeeWeather13110900\is-NH8BO.tmp (559896 bytes)
    %Documents and Settings%\%current user%\Application Data (8192 bytes)
    %Program Files%\BeeWeather13110900\is-BJVLD.tmp (766468 bytes)
    %Documents and Settings%\All Users\Главное меню\Программы\BeeWeather\ЕдЦГ\Р¶ФШ BeeWeather.lnk (674 bytes)
    %Documents and Settings%\%current user%\Application Data\Sogou.ico (38022 bytes)
    %Documents and Settings%\All Users\Рабочий стол\BeeWeather.lnk (666 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\_isetup\_RegDLL.tmp (4096 bytes)
    %Documents and Settings%\%current user%\Application Data\ѕшЙ«µзУ°.ico (38022 bytes)
    %Documents and Settings%\%current user%\Рабочий стол\ѕшЙ«µзУ°.lnk (1102 bytes)
    %Program Files%\BeeWeather13110900\Images\future\is-4NALB.tmp (6027 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\License.txt (2543 bytes)
    %Program Files%\BeeWeather13110900\Images\large\is-TQFUS.tmp (18745 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\Unis.ico (18718 bytes)
    %Program Files%\BeeWeather13110900\is-8M6BF.tmp (559896 bytes)
    %Program Files%\BeeWeather13110900\unins000.msg (6975 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-I6RDE.tmp\RCX86.tmp (851039 bytes)
    %Program Files%\BeeWeather13110900\is-AIOC8.tmp (492032 bytes)
    %Documents and Settings%\%current user%\Рабочий стол\Internet Sogou.lnk (1072 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\_isetup\_shfoldr.dll (23312 bytes)
    %Program Files%\TianXingTV\Skin\default\normal_btn.PNG (939 bytes)
    %Program Files%\TianXingTV\Skin\default\DownLoadWnd.png (4917 bytes)
    %Program Files%\TianXingTV\Data\SystemSetting.ini (72 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\yt.bmp (206680 bytes)
    %Program Files%\TianXingTV\Skin\default\BT_CLOSE1 (2).PNG (2825 bytes)
    %Program Files%\TianXingTV\Skin\default\150.bmp (8486 bytes)
    %Program Files%\TianXingTV\tb.ico (84030 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\NsDialogs.dll (9728 bytes)
    %Program Files%\TianXingTV\Skin\default\BT4.png (15646 bytes)
    %Program Files%\TianXingTV\TXPlayer.exe (282624 bytes)
    %Program Files%\TianXingTV\TXPlayData.dll (135168 bytes)
    %Program Files%\TianXingTV\Skin\default\big_tip_logo.png (63869 bytes)
    %Program Files%\TianXingTV\Skin\default\page_forward_btn.png (1978 bytes)
    %Program Files%\TianXingTV\Skin\default\BT8.png (15475 bytes)
    %Program Files%\TianXingTV\Skin\default\progress.png (3332 bytes)
    %Program Files%\TianXingTV\krnln.fnr (1138688 bytes)
    %Program Files%\TianXingTV\Skin\default\hmin.png (3035 bytes)
    %Program Files%\TianXingTV\Skin\default\SettingWnd2.png (3320 bytes)
    %Program Files%\TianXingTV\Unins.exe (149840 bytes)
    %Program Files%\TianXingTV\Skin\default\subwnd_close_btn.PNG (2255 bytes)
    %Program Files%\TianXingTV\Skin\default\BT_MIN1.png (3620 bytes)
    %Documents and Settings%\%current user%\Мои документы\dh.ico (82151 bytes)
    %Program Files%\TianXingTV\eAPI.fne (344064 bytes)
    %Program Files%\TianXingTV\Skin\default\box_logo.png (14365 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\NSISdl.dll (14848 bytes)
    %Program Files%\TianXingTV\Skin\default\BT3.png (15428 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsc84.tmp (5586052 bytes)
    %Program Files%\TianXingTV\Skin\default\down_finish.png (3114 bytes)
    %Program Files%\TianXingTV\Skin\default\white_bkg.png (116 bytes)
    %Program Files%\TianXingTV\kb.ini (707 bytes)
    %Program Files%\TianXingTV\Skin\default\Setup.png (3480 bytes)
    %Documents and Settings%\%current user%\Рабочий стол\МФ±¦ИИВф.lnk (1260 bytes)
    %Program Files%\TianXingTV\Skin\default\system.button.menu.png (3807 bytes)
    %Program Files%\TianXingTV\Skin\default\player_mode_btn.PNG (902 bytes)
    %Program Files%\TianXingTV\Skin\default\Exit.png (3382 bytes)
    %Program Files%\TianXingTV\Skin\default\down_recycle.png (3170 bytes)
    %Program Files%\TianXingTV\Skin\default\BT7.png (14173 bytes)
    %Program Files%\TianXingTV\Skin\default\BT6.png (14566 bytes)
    %Documents and Settings%\%current user%\Главное меню\Программы\МмРРУ°Тф\Р¶ФШМмРРУ°Тф.lnk (515 bytes)
    %Program Files%\TianXingTV\Skin\default\SettingWnd.png (1374 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\blk.bmp (570864 bytes)
    %Program Files%\TianXingTV\Skin\default\shortcut_btn.PNG (2442 bytes)
    %Program Files%\TianXingTV\Skin\default\BT1.png (15041 bytes)
    %Program Files%\TianXingTV\Skin\default\mainwndbkg.png (50704 bytes)
    %Program Files%\TianXingTV\Skin\default\BT2.png (13456 bytes)
    %Program Files%\TianXingTV\TianXingTV.exe (282624 bytes)
    %Program Files%\TianXingTV\Skin\default\SettingWnd1.png (4253 bytes)
    %Program Files%\TianXingTV\Skin\default\down_manager_btn.png (1471 bytes)
    %Documents and Settings%\%current user%\Рабочий стол\Hao123.lnk (1144 bytes)
    %Program Files%\TianXingTV\com.run (282624 bytes)
    %Program Files%\TianXingTV\Skin\default\download_category1.PNG (2991 bytes)
    %Program Files%\TianXingTV\Skin\default\bottom.png (2984 bytes)
    %Program Files%\TianXingTV\Skin\default\folder.png (3569 bytes)
    %Program Files%\TianXingTV\Skin\default\BT0.png (13527 bytes)
    %Program Files%\TianXingTV\Skin\default\download_category.PNG (3082 bytes)
    %Program Files%\TianXingTV\Skin\default\MENU.png (3492 bytes)
    %Program Files%\TianXingTV\shell.fne (77824 bytes)
    %Program Files%\TianXingTV\Skin\default\edit.png (3040 bytes)
    %Program Files%\TianXingTV\Skin\default\BT_CLOSE.png (4418 bytes)
    %Program Files%\TianXingTV\Skin\default\BT5.png (13619 bytes)
    %Program Files%\TianXingTV\Skin\default\topshow_btn.PNG (2603 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\modern-wizard.bmp (206680 bytes)
    %Program Files%\TianXingTV\Skin\default\record_btn.PNG (5905 bytes)
    %Program Files%\TianXingTV\Skin\default\arrow.png (2954 bytes)
    %Program Files%\TianXingTV\dp1.fne (147456 bytes)
    %Program Files%\TianXingTV\Skin\default\playClose.png (3160 bytes)
    %Program Files%\TianXingTV\Skin\default\Down.png (2952 bytes)
    %Program Files%\TianXingTV\Skin\default\Setting_Browse_Btn.png (1032 bytes)
    %Program Files%\TianXingTV\Skin\default\toolbar_item.png (7349 bytes)
    %Program Files%\TianXingTV\statistics.exe (48128 bytes)
    %Program Files%\TianXingTV\Skin\default\BT_MIN.PNG (2128 bytes)
    %Documents and Settings%\%current user%\Главное меню\Программы\МмРРУ°Тф\МмРРУ°Тф.lnk (622 bytes)
    %Program Files%\TianXingTV\Skin\default\page_back_btn.png (1942 bytes)
    %Program Files%\TianXingTV\Skin\default\playmode_html.png (3180 bytes)
    %Program Files%\TianXingTV\Skin\default\BT_MAX.PNG (3530 bytes)
    %Program Files%\TianXingTV\Skin\default\topshow2_btn.PNG (2587 bytes)
    %Documents and Settings%\%current user%\Рабочий стол\МмРРУ°Тф.lnk (610 bytes)
    %Program Files%\TianXingTV\Skin\default\BT9.png (13308 bytes)
    %Program Files%\TianXingTV\Data\Histroy.xml (114 bytes)
    %Program Files%\TianXingTV\Skin\default\CHECK_BOX.png (3860 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\System.dll (11264 bytes)
    %Program Files%\TianXingTV\Skin\default\BT_MAX1.png (3929 bytes)
    %Program Files%\TianXingTV\Skin\default\playmode_min.png (2964 bytes)
    %Program Files%\TianXingTV\Skin\default\about_logo.png (24678 bytes)
    %Documents and Settings%\%current user%\Мои документы\tb.ico (67646 bytes)
    %Program Files%\TianXingTV\Skin\default\bk.bmp (1136440 bytes)
    %Program Files%\TianXingTV\Skin\default\MainWnd.png (78508 bytes)
    %Program Files%\TianXingTV\Skin\default\SubWnd.png (3074 bytes)
    %Program Files%\TianXingTV\dh.ico (98535 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ZDYY" = "C:\Ghost3.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BeeWeather" = "%Program Files%\BeeWeather13110900\BeeWeather.exe -system"

  5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

Network Activity

Map

Strings from Dumps