Submission Summary:

What's been found  Severity Level
- Packed with a packer that is known to be used by malware (e.g. to complicate threat analysis or detection).
- Contains characteristics of an identified security risk.


Technical Details:


Possible Security Risk

Security Risk  Description
Rootkit.Order  Rootkit.Order hides files whose filenames contain the word "order". It also tries to contact a remote server. The threat is known to target financial institutions by stealing sensitive information.

Threat Category  Description
- Code that uses rootkit-specific techniques designed to hide the software's presence on the system
- A malicious trojan horse or bot that may represent a security risk for the compromised system and/or its network environment
- A keylogger program that can capture all user keystrokes (including confidential details such as username, password, credit card number, etc.)
- A hacktool that could be used by attackers to break into a system


File System Modifications

#  Filename(s)  File Size  File Hash  Alias
1 %Temp%\1.food00.net\a.exe 4,096 bytes MD5: 0x83710847063C62BBD39AB0353E4EBEFA
SHA-1: 0xCAA273BA5CEAEDEF39CA9BE9C29116A735652B09
(not available)
2 %Temp%\1.food00.net\a0.exe 16,384 bytes MD5: 0x428F547E608DD0B59DFF544C2FAD95D7
SHA-1: 0x9F05605DACE97FE9FC45FDE36D3083F5560B1653
Trojan Horse [Symantec]
TSPY_LEGMIR.SG [Trend Micro]
3 %Temp%\3.food00.net\a17.exe 25,600 bytes MD5: 0x9E141138F373C98109F300A1DF2132F2
SHA-1: 0x4588B18F55595C3F675099E51BDFCA6B34659309
Trojan.Drondog [Symantec]
4 %Temp%\4.food00.net\a28.exe 24,028 bytes MD5: 0x526E0694C6D59E30867D2E29A4743CE7
SHA-1: 0xAA0F659C58B4D35FCC5907F0B3E28A1B1D0D9D8E
Trojan.Dropper [Symantec]
Trojan-PSW.Win32.OnLineGames.adup [Kaspersky Lab]
PWS-OnlineGames.a [McAfee]
TROJ_MALQAZ.A [Trend Micro]
5 %Temp%\4.food00.net\a32.exe 30,835 bytes MD5: 0x1EF9B40A15E1C58E6FDFA81A3B188D3C
SHA-1: 0x3A4875BDBAAA9B2A597FD4994C7B2B38F376658A
Trojan.OnlineGames.Gen.65 [PCTools]
Infostealer.Gampass [Symantec]
Trojan-PSW.Win32.QQPass.bzg [Kaspersky Lab]
TSPY_QQGAME.AE [Trend Micro]
6 %Temp%\4.food00.net\a34.exe 0 bytes MD5: 0xD41D8CD98F00B204E9800998ECF8427E
SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
(not available)
7 %Temp%\4.food00.net\a36.exe 16,384 bytes MD5: 0x088C74A2E1587BBB36F1C80C8496A4BC
SHA-1: 0xABA642EE5F8C0B2F895AFD2B330D886707C79454
(not available)
8 %Temp%\a.111991.netiii\a0.exe 16,384 bytes MD5: 0x356E8FEE2AB00ECE101CD9B5F90803FC
SHA-1: 0x97A9F538B39DCBED5EBA2E1005FF991001FEAE6E
(not available)
9 %Temp%\a.111991.netiii\a10.exe 23,884 bytes MD5: 0x28D2D2F82DFF16B5F9EF1D9BA5A218C0
SHA-1: 0xFF9BD449882AF798A1B75440967B9AEC29F30D59
Trojan-PSW.Win32.OnLineGames.afql [Kaspersky Lab]
PWS-OnlineGames.a [McAfee]
TROJ_MALQAZ.A [Trend Micro]
10 %Temp%\Desktop.ini 78 bytes MD5: 0x2F3983FB88427005AAF9F93CE1B8AF9C
SHA-1: 0x4DC5DA0BD62052CC6B0260F81118FD0712DFE44D
(not available)
11 %Temp%\tmp16.tmp
%System%\msosptfs00.dll
11,904 bytes MD5: 0x2B99B38195553C7488B70D2CD9FC892E
SHA-1: 0x3B6CD8185C312F728933F0B1FA3E8285035D6BD5
Infostealer [Symantec]
PWS-OnlineGames.s [McAfee]
12 %Temp%\tmp18.tmp
%System%\msosping00.dll
12,440 bytes MD5: 0xBB5CAB9CDCBB2BB87AA5DA4D9FB278DA
SHA-1: 0x62376C192967797540008857DEC3CDE26137603A
Infostealer.Gampass [Symantec]
Trojan-Proxy.Win32.Xorpix.eq [Kaspersky Lab]
PWS-OnlineGames.s [McAfee]
TROJ_PROXY.ZK [Trend Micro]
13 %Temp%\tmp1C.tmp
%System%\msosfmsq00.dll
10,433 bytes MD5: 0xDFAEC9E312A4BEF791405D2D1E5E5076
SHA-1: 0xBFCC4E567DF9EA1CFBBC82B5AF971182DC079646
Infostealer.Gampass [Symantec]
Trojan-PSW.Win32.OnLineGames.aenz [Kaspersky Lab]
PWS-OnlineGames.s [McAfee]
TSPY_ONLINEG.GHY [Trend Micro]
14 %Temp%\tmp1D.tmp
%System%\msosdrop00.dll
11,718 bytes MD5: 0x03C12504133CF477BFD120849B85DEA8
SHA-1: 0xBC80F5CA7C0B727EE14F727090AD9F77F7F399F3
Infostealer [Symantec]
PWS-OnlineGames.a [McAfee]
15 %Temp%\tmp27.tmp
%System%\msosjtio00.dll
10,852 bytes MD5: 0xBA5354B84D445DE3668FDFD387AACA7E
SHA-1: 0x703BC7AAB6286DE3D165CD9291A7D56A886CAA43
Infostealer.Gampass [Symantec]
PWS-OnlineGames.s [McAfee]
16 %Temp%\tmp2C.tmp
%System%\msosdrop01.dll
10,746 bytes MD5: 0x7BCBC2202CD0CDA3797E94AF78730C37
SHA-1: 0x5C2CD0CF8596A8E4EC273AF2152D85731C74F695
Infostealer.Gampass [Symantec]
PWS-OnlineGames.s [McAfee]
17 %Temp%\tmp32.tmp
%System%\nicozftp01.dll
12,437 bytes MD5: 0x6D8E4774B4A4D221A0D6A2E5EB0B4AB3
SHA-1: 0xEC779FAB9C2D38B2CB9DF4A07C57B3F537973FCF
Infostealer.Gampass [Symantec]
Trojan-PSW.Win32.OnLineGames.aicy [Kaspersky Lab]
PWS-OnlineGames.s [McAfee]
TSPY_ONLINEG.PRO [Trend Micro]
18 %Temp%\tmp33.tmp 0 bytes MD5: 0xD41D8CD98F00B204E9800998ECF8427E
SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
(not available)
19 %Temp%\tmp5.tmp
%System%\msosmhfp00.dll
12,526 bytes MD5: 0x8ABF4D5BEAAF5ABEB6CBECEAC02A0F6B
SHA-1: 0xCCB6E8157FBFE7F7B439A87C57C763801DAEFFD7
PWS-OnlineGames.s [McAfee]
20 %Temp%\tmp9.tmp
%System%\nicozftp00.dll
12,433 bytes MD5: 0xFEAB8588B71BC094C65AE30C0E4F8130
SHA-1: 0x9F7F77DAB3D24AF4EEF5BCA59A5366B69D6B40EA
Infostealer [Symantec]
Trojan-PSW.Win32.OnLineGames.aicy [Kaspersky Lab]
PWS-OnlineGames.s [McAfee]
21 %Temp%\tmpB.tmp
%System%\msosdohs00.dll
12,954 bytes MD5: 0xBA4E0A77E959B299C2D0A138B4C3C65B
SHA-1: 0x64024F017D156681E79AC511B24E64C39B42556C
PWS-OnlineGames.s [McAfee]
22 %Temp%\tmpF.tmp
%System%\msosmnsf00.dll
12,067 bytes MD5: 0x1E77B169DE73207C1801551E22BA8FA0
SHA-1: 0x5C5E3CB4536DF3CC36CCE258FB5EB07949F7E873
PWS-OnlineGames.s [McAfee]
23 %Temp%\WER67c0.dir00\manifest.txt 1,320 bytes MD5: 0x068A8D72AA1214D8CCC187C84287AA1B
SHA-1: 0x511E203AB4C1D498395CAFE772BD1E155A4301F4
(not available)
24 %Temp%\WER67c0.dir00\sysdata.xml 113,886 bytes MD5: 0xBCE1B57215175773E7F9559BC979292D
SHA-1: 0x2042A5076F248EC5A3B4EEE998420DD95C6727FA
(not available)
25 c:\SFC_OS.DLL 0 bytes MD5: 0xD41D8CD98F00B204E9800998ECF8427E
SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
(not available)
26 %Windir%\anistio.exE 16,201 bytes MD5: 0xE32230ED6197E2E21796EB66E6B013F5
SHA-1: 0xB59E4B2C1AAA38A7299333340983E4C3B6276788
Trojan.OnlineGames.Gen.77 [PCTools]
Infostealer.Gampass [Symantec]
Trojan-PSW.Win32.OnLineGames.adqo [Kaspersky Lab]
Generic PWS.y [McAfee]
TSPY_GAMEOL.AQ [Trend Micro]
27 %Windir%\bincdwsa.exe 17,168 bytes MD5: 0x53F482CB014234AECCD60F20FC075B30
SHA-1: 0x36A7121AC7EBD737BB84014FB00CF49A1203EAD3
Infostealer [Symantec]
Trojan-PSW.Win32.OnLineGames.aigr [Kaspersky Lab]
Generic.dx [McAfee]
TSPY_ONLINEG.BQO [Trend Micro]
28 %Windir%\cinfonmc.exe 18,717 bytes MD5: 0x370B0AC95B8249C33AF36B9354DDC2D4
SHA-1: 0x00909176063C9C5C103CC7978B3523938A0BA0C6
Trojan.OnlineGames.Gen.77 [PCTools]
Infostealer [Symantec]
Trojan-PSW.Win32.OnLineGames.ygb [Kaspersky Lab]
Generic PWS.y [McAfee]
TSPY_ONLINEG.SKJ [Trend Micro]
29 %Windir%\dionpis.exe 20,764 bytes MD5: 0xF2C0943F1A39ADA04927587D52165071
SHA-1: 0xC677FF767A7E1A893E7D9F956845F6479F7F87A3
Trojan.OnlineGames.Gen.77 [PCTools]
30 %Windir%\dndsioc.exe 18,777 bytes MD5: 0xC9A327C525AD7BD2392758F20ADDB4A8
SHA-1: 0x5AE816D11CD359518445549985548F20EF3BDF3A
Trojan.OnlineGames.Gen.77 [PCTools]
Infostealer [Symantec]
Trojan-PSW.Win32.OnLineGames.acnp [Kaspersky Lab]
PWS-OnlineGames.a [McAfee]
TROJ_SYSTEMHI.BU [Trend Micro]
31 %Windir%\fmbiost.exe 19,736 bytes MD5: 0xD3FA7B3D721D52E0DE9A36E1969FEEE5
SHA-1: 0x5AD52690E2D91B6074EDC54A967D30371C420441
Trojan.OnlineGames.Gen.77 [PCTools]
32 %Windir%\fmsbbqi.exe 19,216 bytes MD5: 0x527A05ACCF77BBB4BD9D00A85F97B71C
SHA-1: 0x29ABF886BDDEC1A410DFDB6553118F3837F98064
Trojan.OnlineGames.Gen.77 [PCTools]
Infostealer [Symantec]
Trojan-PSW.Win32.OnLineGames.aibk [Kaspersky Lab]
TSPY_ONLINEG.BMC [Trend Micro]
33 %Windir%\fmsiocps.exe 20,252 bytes MD5: 0xA9D9753E18B16AED107661CDDC51E8F4
SHA-1: 0xE753DB69BF8B4ECFB14FB4B1B02659A81DFB7F51
(not available)
34 %Windir%\fmsjhif.exe 19,905 bytes MD5: 0xA78B6DB12E30387AD3339BE3AEC7A0D8
SHA-1: 0xFB75E5E6DC3C61707C715CDDA03628DB3DEBB82C
Trojan.OnlineGames.Gen.77 [PCTools]
Infostealer [Symantec]
Trojan-PSW.Win32.OnLineGames.aiaq [Kaspersky Lab]
PWS-Mmorpg.gen [McAfee]
TSPY_ONLINEG.OZN [Trend Micro]
35 %Windir%\hefcndy.exe 18,200 bytes MD5: 0xD3F9D9760DD182335F510B584363E1BD
SHA-1: 0x8B6C960B956EAE3C0A2E19B4579E205FE93A9C64
Trojan.OnlineGames.Gen.77 [PCTools]
Infostealer [Symantec]
Trojan-PSW.Win32.OnLineGames.aiij [Kaspersky Lab]
TROJ_SYSTEMHI.DE [Trend Micro]
36 %Windir%\huifitc.exe 17,176 bytes MD5: 0x9AB93B22663B918AE800B94597BE9544
SHA-1: 0x3FAF06DA852583257876099925D8F5DA17000918
Trojan.OnlineGames.Gen.77 [PCTools]
Infostealer [Symantec]
Trojan-PSW.Win32.OnLineGames.aidd [Kaspersky Lab]
37 %Windir%\isndntio.exe 16,656 bytes MD5: 0xB315CB9AF95BFC867725CB7136145A96
SHA-1: 0x0A86E5E8015FE37BFFEB714A4B0DCAAF16F0E969
Trojan.OnlineGames.Gen.77 [PCTools]
38 %Windir%\issms32.exe 19,740 bytes MD5: 0x2D566428F7F8C4E15D11084E6DC5DB9E
SHA-1: 0x85CCC6E642FF357360D08EEFEBFEC295EAE57C56
(not available)
39 %Windir%\mfchlp64.exe 17,672 bytes MD5: 0x4439D7366D2FF7CC2423F6D02057293F
SHA-1: 0xD53C75BA689A34A72DF01AD562DD24D5236C5BC9
(not available)
40 %Windir%\Nt_File_Temp\__temp.bat 53 bytes MD5: 0x695DCFB4098A37B565FCE20A4A0ACA0D
SHA-1: 0xC4B5F2D93DA02B756086B38604548CA8F39ED455
(not available)
41 %Windir%\Nt_File_Temp\__write_ok__ 0 bytes MD5: 0xD41D8CD98F00B204E9800998ECF8427E
SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
(not available)
42 %Windir%\ptshell.exe 19,937 bytes MD5: 0x1166B0BCED531382BBF99E180844699E
SHA-1: 0x16EDE460655322DCB22290FAB2AE01A7292CE3CC
Trojan.OnlineGames.Gen.77 [PCTools]
Infostealer [Symantec]
Trojan-PSW.Win32.OnLineGames.aeka [Kaspersky Lab]
PWS-Mmorpg.gen [McAfee]
TSPY_ONLINEG.PLU [Trend Micro]
43 %System%\anistio.dll 24,860 bytes MD5: 0x3111173BEADD4765FD23ED59F0122090
SHA-1: 0x66B86970B5E49CB0AFF7A22C7EBC44F73FACB060
Trojan.OnlineGames.Gen.77 [PCTools]
TSPY_ONLINEG.RKQ [Trend Micro]
44 %System%\bincdwsa.dll 24,336 bytes MD5: 0x02A5415B69104637CE8996C4B2DF3FA8
SHA-1: 0xF71EDBAC358355065DC19EF33545C64582C97A0D
Infostealer.Gampass [Symantec]
Trojan-PSW.Win32.OnLineGames.aigr [Kaspersky Lab]
TSPY_ONLINEG.ETQ [Trend Micro]
45 %System%\bpakwh.dll 37,144 bytes MD5: 0x446891BFE9654A6FAECE6AA1BB90EA71
SHA-1: 0x838E2D7F2936718525119B87A7333368721E4BA5
Trojan.OnlineGames.Gen.77 [PCTools]
Trojan-PSW.Win32.OnLineGames.aidd [Kaspersky Lab]
PWS-QQPass.dll [McAfee]
TSPY_ONLINEG.RKQ [Trend Micro]
46 %System%\cinfonmc.dll 28,444 bytes MD5: 0x63279B002D78FB32FDE0ECDB24DCBF89
SHA-1: 0xFE3D174ACB7BDDC22AFF1176EB1F188ACE3F44D3
Trojan.OnlineGames.Gen.77 [PCTools]
Infostealer.Gampass [Symantec]
Trojan-PSW.Win32.OnLineGames.ygh [Kaspersky Lab]
PWS-Mmorpg.gen [McAfee]
TSPY_ONLINEG.ASB [Trend Micro]
47 %System%\dionpis.dll 28,956 bytes MD5: 0xB46964F290213DE531C4514EDE8678A7
SHA-1: 0x1FC5E143946CCD278ED08016AC3260BD4D5D725C
Trojan.OnlineGames.Gen.77 [PCTools]
48 %System%\dndsioc.dll 27,928 bytes MD5: 0x70B17639033EE1B81D8F4331386B9D93
SHA-1: 0x521D6A47C3D266652C7A6A8468342BCA41648EE0
Trojan.OnlineGames.Gen.77 [PCTools]
Infostealer.Gampass [Symantec]
Trojan-PSW.Win32.OnLineGames.afeg [Kaspersky Lab]
PWS-OnlineGames.a [McAfee]
TSPY_ONLINEG.GHW [Trend Micro]
49 %System%\drivers\msosmsfpfis64.sys 2,560 bytes MD5: 0x9A7D5F7F8D17E414A0E5AA241E583937
SHA-1: 0x6306244D08D73A3EE39605C0EEFA3EA582C1739C
Trojan-Proxy.Win32.Xorpix.ey [Kaspersky Lab]
TROJ_PROXY.ABQ [Trend Micro]
50 %System%\drivers\msosmsp2p32.sys 3,840 bytes MD5: 0x9C82AB9C1D15C90DBBB198C9FB8E6B6F
SHA-1: 0x95C95C71A5BC9978A1E83C8CACF065170AB2A656
(not available)
51 %System%\drivers\nicomsp2p32.sys 3,072 bytes MD5: 0xCA34F230F0B2F6FB0D81A7A0B659B446
SHA-1: 0x0954B4A3B99C9BA796BCC3D160A8671C35DAEE58
Rootkit.Order [PCTools]
Hacktool.Rootkit [Symantec]
Trojan-PSW.Win32.OnLineGames.aicq [Kaspersky Lab]
52 %System%\fmbiost.dll 27,416 bytes MD5: 0x4FB362CCA7C12ADA7857887C0A5D0E5D
SHA-1: 0x3F377096D11110F75435810FA441DBCA4FD9FD3B
Trojan.OnlineGames.Gen.77 [PCTools]
53 %System%\fmsbbqi.dll 28,432 bytes MD5: 0x8BFE586FB107E4FA1C1E1A247AA66110
SHA-1: 0xE402433BAD13A7CE4B2ADAE84FEEFD1CAA1086FA
Trojan.OnlineGames.Gen.77 [PCTools]
Infostealer.Gampass [Symantec]
PWS-Mmorpg.gen [McAfee]
54 %System%\fmsiocps.dll 30,492 bytes MD5: 0xE4B7260E0C6ECFD9E88A6F8D678EE98E
SHA-1: 0x71D6AD0E4D5D7C94A285FC503ED3994F0F15647E
PWS-QQPass.dll [McAfee]
55 %System%\fmsjhif.dll 29,976 bytes MD5: 0xD2940F3BB48ACCCCD5E4489224481DCE
SHA-1: 0x18EF2D14490E4F2DD69A5538AF1CBC91C08E4113
Trojan.OnlineGames.Gen.77 [PCTools]
Infostealer.Gampass [Symantec]
PWS-QQPass.dll [McAfee]
TSPY_ONLINEG.CDB [Trend Micro]
56 %System%\hefcndy.dll 24,856 bytes MD5: 0x82A6F6F9C5B3D20557FE65AE6721D4D1
SHA-1: 0x5FE91DC10E302CBF904C99D58690287751939278
Trojan.OnlineGames.Gen.77 [PCTools]
Infostealer.Gampass [Symantec]
57 %System%\huifitc.dll 37,144 bytes MD5: 0x19EEB41834EB2B3057AE3E23EBF57A41
SHA-1: 0x51963D775C2798A5E75A804A3A3438113B527E2D
Trojan.OnlineGames.Gen.77 [PCTools]
TSPY_ONLINEG.RKQ [Trend Micro]
58 %System%\isndntio.dll 22,800 bytes MD5: 0x3F58FBA091CE5DD7E66E0D3F680EACE7
SHA-1: 0x19ABFA92161F093CD23F776B3081349370CF3CE8
Trojan.OnlineGames.Gen.77 [PCTools]
59 %System%\issms32.dll 26,396 bytes MD5: 0x4AAD63668ACBAF45961AEA817CCB919C
SHA-1: 0xD811AFDE57848E5B40113DDB7A09687C444D321F
(not available)
60 %System%\mfchlp64.dll 25,352 bytes MD5: 0x0B52272D00B6A38928641EC037EFC998
SHA-1: 0x3F3C4618BD113884A6FDDE77E7DCC8EEB42B2CD0
PWS-QQPass.dll [McAfee]
61 %System%\msoscqit.dat 256 bytes MD5: 0x2FD26817DCCF37B6DA68A008009A7BD5
SHA-1: 0xE7D6F59B3FFB02FC6A2B396F9567EBCD377B38AB
(not available)
62 %System%\msoscqit00.dll 11,294 bytes MD5: 0xC8577A5E8429F8730D636E439BC82F71
SHA-1: 0xF9A6D90CF74A393FAE6B0CACAFF98EB1C28BF2C9
Infostealer [Symantec]
Trojan-PSW.Win32.OnLineGames.aers [Kaspersky Lab]
PWS-OnlineGames.s [McAfee]
TSPY_ONLINEG.LHY [Trend Micro]
63 %System%\msosdohs.dat 256 bytes MD5: 0x9200288650E8E5927CD54BCF53AC1661
SHA-1: 0x8FBC3F1B13E9F75819DDAF43EF184F5197328759
(not available)
64 %System%\msosdrop.dat 512 bytes MD5: 0xA02B88C7650DB702C2CBCDCC30FF8942
SHA-1: 0xCCDD83314A223C78E672BC2AB34133D14A5B4F1A
(not available)
65 %System%\msosfmsq.dat 256 bytes MD5: 0x4EB412A10A5EAB86AB164D954DA01D21
SHA-1: 0x53AE9925BBB2694106589329F935E1DEDAD189DF
(not available)
66 %System%\msosjtio.dat 256 bytes MD5: 0xCA7ED1789ECF48D0777A152B9D7432D1
SHA-1: 0xD221854D23A011100AA7A79C09B6D8D7F1132729
(not available)
67 %System%\msosmhfp.dat 256 bytes MD5: 0xD90BAB31FCC17827DB79344DF48F12E2
SHA-1: 0xAAFE76E97D050A5C6AF9A4F759E8A85E090F6129
(not available)
68 %System%\msosmnsf.dat 256 bytes MD5: 0xCED03B5906E0237594BC4AEE8ECD3270
SHA-1: 0x657790C09B5F4DD96A1BAC6C0C41C16FD7455D9F
(not available)
69 %System%\msosping.dat 256 bytes MD5: 0x901C0EC7C5E7BEE96FE4800CFD6C44D5
SHA-1: 0x5F9ABA440AA127CF23CF176EB2C897B41263E87B
(not available)
70 %System%\msosptfs.dat 256 bytes MD5: 0x557141765D7C50BFACFDFD72959B39DA
SHA-1: 0x7ABF19506B3B88CB4F43696F22370AB3514EFA8F
(not available)
71 %System%\nicozftp.dat 256 bytes MD5: 0x28C9BDDE24AD014E62C97D2F101D74BA
SHA-1: 0xD5C7B79E709F31825E362525B2BA892286BC79C8
(not available)
72 %System%\odhtgg.dll
%System%\twzlvtfp.dll
31,512 bytes MD5: 0xA3B6F3CA0DE7B86383FE155A957235B0
SHA-1: 0xE92A19ECDDA6E9EB8652A063CB743AEE48CC07AF
Trojan.OnlineGames.Gen.77 [PCTools]
Infostealer.Gampass [Symantec]
Trojan-PSW.Win32.OnLineGames.aiej [Kaspersky Lab]
PWS-QQPass.dll [McAfee]
TSPY_ONLINEG.KRD [Trend Micro]
73 %System%\oduxpx.dll 31,004 bytes MD5: 0x8DF503C8007BA4EF0FE4757E4AF872B9
SHA-1: 0x85F4CEF6248E973089E2F2B7C1FF8996F6DD64EC
Trojan.OnlineGames.Gen.77 [PCTools]
Infostealer.Gampass [Symantec]
Trojan-PSW.Win32.OnLineGames.aila [Kaspersky Lab]
PWS-QQPass.dll [McAfee]
74 %System%\ptshell.dll 28,952 bytes MD5: 0x57C3B373AA6A3833DE63D014BED93D1F
SHA-1: 0x5BF7057982E56C25530335518964FCB605D18624
Trojan.OnlineGames.Gen.77 [PCTools]
Infostealer.Gampass [Symantec]
75 [file and pathname of the sample #1] 892,809 bytes MD5: 0x6E8F83D547BF6B08930840A1808AB0EB
SHA-1: 0x967311D69277AF13A8F756DEBB041318A74900BD
Trojan-PSW.Win32.OnLineGames.aihg, Trojan-PSW.Win32.OnLineGames.ahvj, Trojan-PSW.Win32.OnLineGames.acnp, Trojan-PSW.Win32.OnLineGames.aiko, Trojan-PSW.Win32.OnLineGames.aehr, Trojan-PSW.Win32.OnLineGames.afel, Trojan-PSW.Win32.OnLineGames.adup [Kaspersky Lab]
76 %System%\SysDaJHv.dll 19,482 bytes MD5: 0x0EB1D97133D142BEE92BEF4C9C164AFE
SHA-1: 0x0B7CFFB736D4CBD9F1CD65DF54EC4A69FB116A3B
Packed.Generic.93 [Symantec]
Generic PWS.y [McAfee]
Cryp_Pai-3 [Trend Micro]
77 %System%\SysZxaC.dll 19,284 bytes MD5: 0x85A2B1D93451D37F815E656499AFBA3E
SHA-1: 0x266AF98EDBD588F5BB7B2C9791C100979BDC7FB1
Packed.Generic.93 [Symantec]
New Malware.ey [McAfee]
Cryp_Pai-3 [Trend Micro]
78 %System%\ticisms.dll 29,464 bytes MD5: 0x2C5C9A06BD15EF58204FB4AF1135EF2E
SHA-1: 0x1095E29002D42A9EF930B1967BA9D75CF107E3FB
Trojan.OnlineGames.Gen.77 [PCTools]
Infostealer.Gampass [Symantec]
PWS-Mmorpg.gen [McAfee]
79 %System%\timfpo.dll 27,420 bytes MD5: 0x37F36F1AC0FF2A38EFB33E6BE21244E1
SHA-1: 0x4E0AA25370F1B9597FB772CF95C3CF1BDE2B2DC6
Infostealer.Gampass [Symantec]
PWS-QQPass.dll [McAfee]
80 %System%\WINSvr64.dll 27,420 bytes MD5: 0x9D15B68F1717C4CFC494B4D345E3C5E4
SHA-1: 0xA54B3D3C73C3A3295A598357214D6909C5AC4304
(not available)
81 %System%\yghgsd.dll 30,488 bytes MD5: 0x01D8DAF8998B37AAF9C3BC2954E06591
SHA-1: 0x7D0C48AECA44F5C705BD495400B2114EE7AD192F
Trojan.OnlineGames.Gen.77 [PCTools]
PWS-OnlineGames.a [McAfee]
TSPY_ONLINEG.TIP [Trend Micro]
82 %System%\yuiabct.dll 29,468 bytes MD5: 0xCA65ECC969841E660A8A1BF7915894AF
SHA-1: 0x7A97CD03056C1F4357AB0D071E39D2B597869EBB
(not available)
83 %System%\zxsyhv.dll 24,860 bytes MD5: 0x14BBD2649DD9098EB1115CB577C6CB55
SHA-1: 0xCFD226164F31C37AB268C0C8E4DBE04B64266619
Trojan.OnlineGames.Gen.77 [PCTools]
Infostealer.Gampass [Symantec]
PWS-QQPass.dll [McAfee]
TSPY_ONLINEG.RKQ [Trend Micro]
84 %Windir%\ticisms.exe 20,760 bytes MD5: 0x7BA9010A9D1FC81F83ABB9255B5FF43A
SHA-1: 0x5E840BE7C1DB6BACBA7F8937CD4F20D6DC0D93AC
Trojan.OnlineGames.Gen.77 [PCTools]
Infostealer.Gampass [Symantec]
PWS-Mmorpg.gen [McAfee]
TSPY_ONLINEG.PIA [Trend Micro]
85 %Windir%\udlikpqf.exe 20,705 bytes MD5: 0x9D13A032DDBFFAF32F51CCBC2C9B34D1
SHA-1: 0x30F15902C1AEB5310301D4904CBB047A079F49C3
Trojan.OnlineGames.Gen.77 [PCTools]
Infostealer [Symantec]
TSPY_ONLINEG.KQL [Trend Micro]
86 %Windir%\WINSvr64.exe 19,228 bytes MD5: 0x8F206FC7911654C972195236FE3855CF
SHA-1: 0x4A45CBC223C987129909A5B8BBED0D033D6A2297
Infostealer.Gampass [Symantec]
TSPY_ONLINEG.SBU [Trend Micro]
87 %Windir%\yuiabct.exe 20,373 bytes MD5: 0x79B2981DF64B1C3901911F21CD14E7D5
SHA-1: 0x5C40EA752287119CFDD06D6FED9643DFB605F582
Trojan.OnlineGames.Gen.77 [PCTools]
Infostealer [Symantec]
Generic.dx [McAfee]


Memory Modifications

Process Name  Process Filename  Main Module Size
a.exe  %Temp%\1.food00.net\a.exe  16,384 bytes
a1.exe  %Temp%\1.food00.net\a1.exe  57,344 bytes
a2.exe  %Temp%\1.food00.net\a2.exe  57,344 bytes
a3.exe  %Temp%\1.food00.net\a3.exe  53,248 bytes
a4.exe  %Temp%\1.food00.net\a4.exe  53,248 bytes
a5.exe  %Temp%\1.food00.net\a5.exe  57,344 bytes
a6.exe  %Temp%\1.food00.net\a6.exe  53,248 bytes
a7.exe  %Temp%\1.food00.net\a7.exe  57,344 bytes
a15.exe  %Temp%\3.food00.net\a15.exe  69,632 bytes
a16.exe  %Temp%\3.food00.net\a16.exe  57,344 bytes
a32.exe  %Temp%\4.food00.net\a32.exe  106,496 bytes
a18.exe  %Temp%\3.food00.net\a18.exe  53,248 bytes
a19.exe  %Temp%\3.food00.net\a19.exe  65,536 bytes
a20.exe  %Temp%\3.food00.net\a20.exe  57,344 bytes
a33.exe  %Temp%\4.food00.net\a33.exe  49,152 bytes
a21.exe  %Temp%\3.food00.net\a21.exe  53,248 bytes
a22.exe  %Temp%\3.food00.net\a22.exe  65,536 bytes
a35.exe  %Temp%\4.food00.net\a35.exe  57,344 bytes
a23.exe  %Temp%\3.food00.net\a23.exe  53,248 bytes
a24.exe  %Temp%\3.food00.net\a24.exe  53,248 bytes
a25.exe  %Temp%\4.food00.net\a25.exe  53,248 bytes
a26.exe  %Temp%\4.food00.net\a26.exe  53,248 bytes
a19.exe  %Temp%\b.111991.netiii\a19.exe  65,536 bytes
a27.exe  %Temp%\4.food00.net\a27.exe  49,152 bytes
a10.exe  %Temp%\a.111991.netiii\a10.exe  106,496 bytes
a3.exe  %Temp%\a.111991.netiii\a3.exe  61,440 bytes
a28.exe  %Temp%\4.food00.net\a28.exe  106,496 bytes
a6.exe  %Temp%\a.111991.netiii\a6.exe  53,248 bytes
a8.exe  %Temp%\a.111991.netiii\a8.exe  49,152 bytes
a29.exe  %Temp%\4.food00.net\a29.exe  53,248 bytes
a30.exe  %Temp%\4.food00.net\a30.exe  65,536 bytes
a20.exe  %Temp%\b.111991.netiii\a20.exe  69,632 bytes
a31.exe  %Temp%\4.food00.net\a31.exe  49,152 bytes
a9.exe  %Temp%\a.111991.netiii\a9.exe  53,248 bytes
a11.exe  %Temp%\b.111991.netiii\a11.exe  53,248 bytes
a23.exe  %Temp%\b.111991.netiii\a23.exe  53,248 bytes
a12.exe  %Temp%\b.111991.netiii\a12.exe  49,152 bytes
a15.exe  %Temp%\b.111991.netiii\a15.exe  69,632 bytes
a16.exe  %Temp%\b.111991.netiii\a16.exe  69,632 bytes
a14.exe  %Temp%\b.111991.netiii\a14.exe  69,632 bytes
a34.exe  %Temp%\4.food00.net\a34.exe  49,152 bytes
[filename of the sample #1]  [file and pathname of the sample #1]  45,056 bytes

Driver Name  Driver Filename
msfpfis64  %System%\drivers\msosmsfpfis64.sys
msp2p32  %System%\drivers\nicomsp2p32.sys


Registry Modifications


Other details

China


All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2009 ThreatExpert. All rights reserved.