ThreatExpert Report: Mal/Behav-160, Mal/Emogen-E

Submission Summary:

Submission details:

Submission received: 6 November 2009, 13:21:09
Processing time: 8 min 54 sec
Submitted sample:

File MD5: 0x0CB3C7BC8539F8117E82F02CB00C72E1
File SHA-1: 0xF409CF68E2FEE4F47D0C6F184C3476505337DD07
Filesize: 73,728 bytes

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	%System%\netsver.exe	125 bytes	MD5: 0x7C5F5A68051F6B0C0E9A2AD33C40D415 SHA-1: 0x120865765927A61AF83F02B83DC297EEDE61EC41
2	[file and pathname of the sample #1]	73,728 bytes	MD5: 0x0CB3C7BC8539F8117E82F02CB00C72E1 SHA-1: 0xF409CF68E2FEE4F47D0C6F184C3476505337DD07

Note:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[generic host process]	[generic host process filename]	20,480 bytes

Notes:

[generic host process filename] is a full path filename of [generic host process].

The following modules were loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
[filename of the sample #1]	[file and pathname of the sample #1]	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0xAA0000 - 0xAC5000
[filename of the sample #1]	[file and pathname of the sample #1]	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0xB10000 - 0xB35000
[filename of the sample #1]	[file and pathname of the sample #1]	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0xF80000 - 0xFA5000

Notes:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{244AE512-A46A-4BEF-AAB7-1D9FFD3AB1E4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{244AE512-A46A-4BEF-AAB7-1D9FFD3AB1E4}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{244AE512-A46A-4BEF-AAB7-1D9FFD3AB1E4}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{244AE512-A46A-4BEF-AAB7-1D9FFD3AB1E4}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{244AE512-A46A-4BEF-AAB7-1D9FFD3AB1E4}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{244AE512-A46A-4BEF-AAB7-1D9FFD3AB1E4}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FE966A4A-CA47-4BEB-B4F2-A1181237D512}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FE966A4A-CA47-4BEB-B4F2-A1181237D512}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FE966A4A-CA47-4BEB-B4F2-A1181237D512}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FE966A4A-CA47-4BEB-B4F2-A1181237D512}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D30380A7-B720-4DCF-ACE4-2B99B3CB4D34}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D30380A7-B720-4DCF-ACE4-2B99B3CB4D34}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D30380A7-B720-4DCF-ACE4-2B99B3CB4D34}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D30380A7-B720-4DCF-ACE4-2B99B3CB4D34}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D30380A7-B720-4DCF-ACE4-2B99B3CB4D34}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D30380A7-B720-4DCF-ACE4-2B99B3CB4D34}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BHOLOCKER.BhoLock
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BHOLOCKER.BhoLock\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BHOLOCKER.BhoLock\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BHOLOCKER.BhoLock.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BHOLOCKER.BhoLock.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{244AE512-A46A-4BEF-AAB7-1D9FFD3AB1E4}

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{244AE512-A46A-4BEF-AAB7-1D9FFD3AB1E4}\VersionIndependentProgID]

(Default) = "Internet Explorer"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{244AE512-A46A-4BEF-AAB7-1D9FFD3AB1E4}\TypeLib]

(Default) = "{D30380A7-B720-4DCF-ACE4-2B99B3CB4D34}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{244AE512-A46A-4BEF-AAB7-1D9FFD3AB1E4}\ProgID]

(Default) = "Internet Explorer"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{244AE512-A46A-4BEF-AAB7-1D9FFD3AB1E4}\InprocServer32]

(Default) = "[file and pathname of the sample #1]"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{244AE512-A46A-4BEF-AAB7-1D9FFD3AB1E4}]

(Default) = "IEï¿½ï¿½Ç¿ï¿½Ä°ï¿½È«ï¿½ï¿½ï¿½ï¿½"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FE966A4A-CA47-4BEB-B4F2-A1181237D512}\TypeLib]

(Default) = "{D30380A7-B720-4DCF-ACE4-2B99B3CB4D34}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FE966A4A-CA47-4BEB-B4F2-A1181237D512}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FE966A4A-CA47-4BEB-B4F2-A1181237D512}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FE966A4A-CA47-4BEB-B4F2-A1181237D512}]

(Default) = "IBhoLock"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D30380A7-B720-4DCF-ACE4-2B99B3CB4D34}\1.0\0\win32]

(Default) = "[file and pathname of the sample #1]"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D30380A7-B720-4DCF-ACE4-2B99B3CB4D34}\1.0\HELPDIR]

(Default) = "%System%\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D30380A7-B720-4DCF-ACE4-2B99B3CB4D34}\1.0\FLAGS]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D30380A7-B720-4DCF-ACE4-2B99B3CB4D34}\1.0]

(Default) = "BHOLOCKER 1.0 Type Library"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BHOLOCKER.BhoLock\CurVer]

(Default) = "Internet Explorer"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BHOLOCKER.BhoLock\CLSID]

(Default) = "{244AE512-A46A-4BEF-AAB7-1D9FFD3AB1E4}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BHOLOCKER.BhoLock]

(Default) = "IEï¿½ï¿½Ç¿ï¿½Ä°ï¿½È«ï¿½ï¿½ï¿½ï¿½"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BHOLOCKER.BhoLock.1\CLSID]

(Default) = "{244AE512-A46A-4BEF-AAB7-1D9FFD3AB1E4}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BHOLOCKER.BhoLock.1]

(Default) = "IEï¿½ï¿½Ç¿ï¿½Ä°ï¿½È«ï¿½ï¿½ï¿½ï¿½"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{244AE512-A46A-4BEF-AAB7-1D9FFD3AB1E4}]

NoExplorer = 0x00000001

Other details

Analysis of the file resources indicate the following possible country of origin:

China

To mark the presence in the system, the following Mutex objects were created:

_SHuassist.mtx
_!SHMSFTHISTORY!_

The following Internet Connections were established:

Server Name	Server Port	Connect as User	Connection Password
ad.68077.com	80	(null)	(null)
www.97398.com	80	(null)	(null)

The following GET requests were made:

ie/ie2.ini
?ssss
ie/netsver.exe
index.jpg

Downloaded File Summary:

Download details:

Download retrieved: 6 November 2009 13:30:03
Processing time: 10 min 43 sec
Downloaded sample:

File MD5: 0xB5108E2073CE0F4B353607644B1F7871
File SHA-1: 0x9E8AA7BBB3DE9A2C3C4ABEBDA8FF9D9FDBEE2B1B
Filesize: 46,080 bytes
Alias: Mal/Behav-160, Mal/Emogen-E [Sophos]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%System%\Corpor.dll %System%\csrmss.exe %System%\dllcache\clipsrv.exe %System%\tcpip.ini	125 bytes	MD5: 0x7C5F5A68051F6B0C0E9A2AD33C40D415 SHA-1: 0x120865765927A61AF83F02B83DC297EEDE61EC41	(not available)
2	%System%\netsver.exe [file and pathname of the sample #1]	46,080 bytes	MD5: 0xB5108E2073CE0F4B353607644B1F7871 SHA-1: 0x9E8AA7BBB3DE9A2C3C4ABEBDA8FF9D9FDBEE2B1B	Mal/Behav-160, Mal/Emogen-E [Sophos]
3	%Windir%\Temp\scs1F.tmp %Windir%\Temp\scs21.tmp %Windir%\Temp\scs22.tmp	2,686 bytes	MD5: 0x4A587187D760161311010B03417B3C3F SHA-1: 0x863BBF5F7F4114A1307C6BAD5DD89224D511FED5	(not available)
4	%Windir%\Temp\scs20.tmp	1,670 bytes	MD5: 0x71F4B39C5EB73DF738AD3E0DACD89057 SHA-1: 0x8565ED558AD273232104E0B10CD87CFF723A1ECA	(not available)
5	%Windir%\Temp\scs23.tmp %Windir%\Temp\scs24.tmp	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)

Notes:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	86,016 bytes

There was a new memory page created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
ntvdm.exe	%System%\ntvdm.exe	577,536 bytes

Other details

Analysis of the file resources indicate the following possible country of origin:

China

The following Internet Connection was established:

Server Name	Server Port	Connect as User	Connection Password
ad.68077.com	80	(null)	(null)

The following GET requests were made:

ie/ie2.ini
ie/Corpor.dll
ie/csrmss.exe
ie/ie.ini

Downloaded File Summary (Generation #2):

Download details:

Download retrieved: 6 November 2009 13:40:47
Processing time: 12 min 0 sec
Downloaded sample #1:

File MD5: 0x7D93600FF05B2509554D323A2AF06CF6
File SHA-1: 0x4E41332027A6E1E9D105C2E36E43B98E73FD6210
Filesize: 72,192 bytes

Downloaded sample #2:

File MD5: 0xBD470EDD6DBFF6B9F0002D22D83F0A1D
File SHA-1: 0x4F655413AABD94FDC989311412AEB05B5309B221
Filesize: 114,688 bytes

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	c:\csrmss.exe %System%\csrmss.exe %System%\dllcache\clipsrv.exe [file and pathname of the sample #2]	114,688 bytes	MD5: 0xBD470EDD6DBFF6B9F0002D22D83F0A1D SHA-1: 0x4F655413AABD94FDC989311412AEB05B5309B221
2	%System%\Corpor.dll %System%\netsver.exe %System%\tcpip.ini	125 bytes	MD5: 0x7C5F5A68051F6B0C0E9A2AD33C40D415 SHA-1: 0x120865765927A61AF83F02B83DC297EEDE61EC41
3	[file and pathname of the sample #1]	72,192 bytes	MD5: 0x7D93600FF05B2509554D323A2AF06CF6 SHA-1: 0x4E41332027A6E1E9D105C2E36E43B98E73FD6210
4	%Windir%\Temp\scs23.tmp %Windir%\Temp\scs24.tmp	2,686 bytes	MD5: 0x4A587187D760161311010B03417B3C3F SHA-1: 0x863BBF5F7F4114A1307C6BAD5DD89224D511FED5
5	%Windir%\Temp\scs29.tmp %Windir%\Temp\scs2A.tmp	1,670 bytes	MD5: 0x71F4B39C5EB73DF738AD3E0DACD89057 SHA-1: 0x8565ED558AD273232104E0B10CD87CFF723A1ECA

Notes:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

The following file was modified:

%System%\clipsrv.exe

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[generic host process]	[generic host process filename]	20,480 bytes
[filename of the sample #2]	[file and pathname of the sample #2]	221,184 bytes
csrmss.exe	c:\csrmss.exe	221,184 bytes
csrmss.exe	%System%\csrmss.exe	221,184 bytes
clipsrv.exe	%System%\dllcache\clipsrv.exe	221,184 bytes

Notes:

[generic host process filename] is a full path filename of [generic host process].

There were new memory pages created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
ntvdm.exe	%System%\ntvdm.exe	987,136 bytes
ntvdm.exe	%System%\ntvdm.exe	987,136 bytes

The following modules were loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
[filename of the sample #1]	[file and pathname of the sample #1]	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0xAA0000 - 0xAC5000
[filename of the sample #1]	[file and pathname of the sample #1]	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0xB10000 - 0xB35000
[filename of the sample #1]	[file and pathname of the sample #1]	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0xF80000 - 0xFA5000

Notes:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{244AE512-A46A-4BEF-AAB7-1D9FFD3AB1E4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{244AE512-A46A-4BEF-AAB7-1D9FFD3AB1E4}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{244AE512-A46A-4BEF-AAB7-1D9FFD3AB1E4}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{244AE512-A46A-4BEF-AAB7-1D9FFD3AB1E4}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{244AE512-A46A-4BEF-AAB7-1D9FFD3AB1E4}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{244AE512-A46A-4BEF-AAB7-1D9FFD3AB1E4}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FE966A4A-CA47-4BEB-B4F2-A1181237D512}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FE966A4A-CA47-4BEB-B4F2-A1181237D512}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FE966A4A-CA47-4BEB-B4F2-A1181237D512}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FE966A4A-CA47-4BEB-B4F2-A1181237D512}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D30380A7-B720-4DCF-ACE4-2B99B3CB4D34}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D30380A7-B720-4DCF-ACE4-2B99B3CB4D34}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D30380A7-B720-4DCF-ACE4-2B99B3CB4D34}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D30380A7-B720-4DCF-ACE4-2B99B3CB4D34}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D30380A7-B720-4DCF-ACE4-2B99B3CB4D34}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D30380A7-B720-4DCF-ACE4-2B99B3CB4D34}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BHOLOCKER.BhoLock
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BHOLOCKER.BhoLock\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BHOLOCKER.BhoLock\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BHOLOCKER.BhoLock.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BHOLOCKER.BhoLock.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{244AE512-A46A-4BEF-AAB7-1D9FFD3AB1E4}

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{244AE512-A46A-4BEF-AAB7-1D9FFD3AB1E4}\VersionIndependentProgID]

(Default) = "Internet Explorer"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{244AE512-A46A-4BEF-AAB7-1D9FFD3AB1E4}\TypeLib]

(Default) = "{D30380A7-B720-4DCF-ACE4-2B99B3CB4D34}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{244AE512-A46A-4BEF-AAB7-1D9FFD3AB1E4}\ProgID]

(Default) = "Internet Explorer"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{244AE512-A46A-4BEF-AAB7-1D9FFD3AB1E4}\InprocServer32]

(Default) = "[file and pathname of the sample #1]"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{244AE512-A46A-4BEF-AAB7-1D9FFD3AB1E4}]

(Default) = "IEï¿½ï¿½Ç¿ï¿½Ä°ï¿½È«ï¿½ï¿½ï¿½ï¿½"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FE966A4A-CA47-4BEB-B4F2-A1181237D512}\TypeLib]

(Default) = "{D30380A7-B720-4DCF-ACE4-2B99B3CB4D34}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FE966A4A-CA47-4BEB-B4F2-A1181237D512}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FE966A4A-CA47-4BEB-B4F2-A1181237D512}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FE966A4A-CA47-4BEB-B4F2-A1181237D512}]

(Default) = "IBhoLock"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D30380A7-B720-4DCF-ACE4-2B99B3CB4D34}\1.0\0\win32]

(Default) = "[file and pathname of the sample #1]"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D30380A7-B720-4DCF-ACE4-2B99B3CB4D34}\1.0\HELPDIR]

(Default) = "%System%\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D30380A7-B720-4DCF-ACE4-2B99B3CB4D34}\1.0\FLAGS]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D30380A7-B720-4DCF-ACE4-2B99B3CB4D34}\1.0]

(Default) = "BHOLOCKER 1.0 Type Library"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BHOLOCKER.BhoLock\CurVer]

(Default) = "Internet Explorer"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BHOLOCKER.BhoLock\CLSID]

(Default) = "{244AE512-A46A-4BEF-AAB7-1D9FFD3AB1E4}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BHOLOCKER.BhoLock]

(Default) = "IEï¿½ï¿½Ç¿ï¿½Ä°ï¿½È«ï¿½ï¿½ï¿½ï¿½"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BHOLOCKER.BhoLock.1\CLSID]

(Default) = "{244AE512-A46A-4BEF-AAB7-1D9FFD3AB1E4}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BHOLOCKER.BhoLock.1]

(Default) = "IEï¿½ï¿½Ç¿ï¿½Ä°ï¿½È«ï¿½ï¿½ï¿½ï¿½"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{244AE512-A46A-4BEF-AAB7-1D9FFD3AB1E4}]

NoExplorer = 0x00000001

Other details

Analysis of the file resources indicate the following possible country of origin:

China

To mark the presence in the system, the following Mutex objects were created:

_SHuassist.mtx
_!SHMSFTHISTORY!_

The following Internet Connections were established:

Server Name	Server Port	Connect as User	Connection Password
ad.68077.com	80	(null)	(null)
www.97398.com	80	(null)	(null)

The following GET requests were made:

ie/Corpor.dll
ie/ie2.ini
ie/netsver.exe
ie/ie.ini
?ssss
index.jpg

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.