Submission Summary:

What's been found  |  Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Threat Category  |  Description
A malicious trojan horse or bot that may represent a security risk for the compromised system and/or its network environment
A program that downloads files to the local computer that may represent a security risk
Code that uses rootkit-specific techniques designed to hide the software's presence on the system
A hacktool that could be used by attackers to break into a system

File System Modifications

#  Filename(s)  File Size  File Hash  Alias
1 c:\360.exe 85,504 bytes MD5: 0x82D9580BF21C3D086E32BDDBB0445928
SHA-1: 0x574DC6267B7F42C4674138C528A643E99CD9BE7D
Trojan-Dropper.Win32.VB.amma [Kaspersky Lab]
Trojan-Dropper.Win32.BHO [Ikarus]
packed with UPX [Kaspersky Lab]
2 %CommonDesktopDir%\�����Ӱ.lnk 1,639 bytes MD5: 0xC80AA5ACDBE7EE50797BA8127354B7CD
SHA-1: 0xC74081AEA92AC649BE2F21DC48488B83CAD25A08
(not available)
3 %CommonDesktopDir%\�Ա�����.lnk 1,631 bytes MD5: 0x9585665EB83A325A73F33C6FAC1E75E7
SHA-1: 0x79D8676BCD7E2794CDF52BE410180F8EEE195E21
(not available)
4 %CommonPrograms%\Internet Explorer.lnk 1,614 bytes MD5: 0x19B219A7124E1615BC5BFAF78480618A
SHA-1: 0x88DAB8B2C307EAF2622C349813EB3F37B6E4E2C7
(not available)
5 %CommonPrograms%\Startup\host.vbe
%Programs%\Startup\host.vbe
6,668 bytes MD5: 0x36AFC15A819D1F178266988C30814CBF
SHA-1: 0x3307458A83C48EDD70CD84B06DE217C629096314
Trojan.VBS.StartPage.et [Kaspersky Lab]
Trojan.VBS.StartPage [Ikarus]
VBS/Startpage [AhnLab]
6 %AppData%\f.exe 44,497 bytes MD5: 0x51642679AE9CA2CD69C7CAA68C0B5925
SHA-1: 0xC2CB1A7E9B65D02746944D7ADE9DD1F9EA2B81A0
Trojan.Dropper [PCTools]
Trojan.Dropper [Symantec]
Trojan-Downloader.Win32.Geral.ssc [Kaspersky Lab]
Generic Downloader.x!eon [McAfee]
Mal/Generic-L [Sophos]
Generic.Trojan.Generic [Ikarus]
packed with PE_Patch.RLPack [Kaspersky Lab]
7 %Favorites%\�ٶ�����.url 202 bytes MD5: 0x4FD3E002F880030A8599E558B69E4229
SHA-1: 0x1654A3F3442A14E16F3DB09DE238FC1C94BD4AEF
(not available)
8 %Favorites%\��������-�������κ��������,���������ɣ�.url 166 bytes MD5: 0x041969CC0AF39B8C1F6F2FD817E647CD
SHA-1: 0xDFE753FB2E90A3C593AA9CF483B13AA94C2B1CEB
(not available)
9 %Favorites%\�Ա��� - �ԣ���ϲ��.url 202 bytes MD5: 0x61D5DD301019FB706784EDB27D2CCBBC
SHA-1: 0x0D040EB186C61351872ABF250BF64272B10AA0D3
(not available)
10 %Favorites%\��������-���ڵ�����.url 298 bytes MD5: 0x27EBBBDD93F1E73645329EA0321479B6
SHA-1: 0x93559A6532337CBF7D43B1EEC9C36A43B0F9C212
(not available)
11 %Programs%\Startup\dll.vbe 1,502 bytes MD5: 0x54BF69FD09160732885BFE9F2D4D6BD8
SHA-1: 0x7631CE4C249BA3328CE12E6978AFB86E491DED81
Trojan.VBS.Agent.iw [Kaspersky Lab]
Virus.VBS.Agent [Ikarus]
12 %Programs%\Startup\iesearch.vbe
%System%\iesearch.vbe
3,572 bytes MD5: 0xBFDA1BD00F22DCAA3C6F034B37CD34D0
SHA-1: 0x6552B01CAE3B3BEF88B0E4C73B8BC976F8820D6A
Trojan.Gen [PCTools]
Trojan.Gen [Symantec]
Trojan.VBS.Agent.ix [Kaspersky Lab]
VBS/Agent [AhnLab]
13 %Programs%\Startup\index.vbe
%System%\index.vbe
2,996 bytes MD5: 0x0F5ED6C1CF333B330E2F93540A38FB79
SHA-1: 0x0255A0282D985830822B5ADB094D46E6957F00FA
Trojan.Gen [PCTools]
Trojan.Gen [Symantec]
Trojan.Agent [Ikarus]
14 %Programs%\Startup\lnk.vbe
%System%\lnk.vbe
2,160 bytes MD5: 0x68BAA43CDD6164CA362AF81A1DA866DB
SHA-1: 0x0255BC9B263809DC990069CE2FF7DAAF12530CE8
Trojan.Gen [PCTools]
Trojan.Gen [Symantec]
Trojan.VBS.Agent.iz [Kaspersky Lab]
VBS/Agent [AhnLab]
15 %Programs%\Startup\open.vbe 254 bytes MD5: 0x3C22886856AD5BAFA11773561B808998
SHA-1: 0xF64B0BA49A6396DD369A6172D5E0199EDA524283
Trojan.VBS.Starter.bb [Kaspersky Lab]
16 %ProgramFiles%\Internet Explorer\iexlore.exe
%Windir%\baidu.exe
%System%\iebho.exe
57,344 bytes MD5: 0x28EE1CCE8C78AF3CDA481EDE79AB65D6
SHA-1: 0x62B1D517D7F27F7E40AB15906B9796968370410A
Trojan.Gen [PCTools]
Trojan.Gen [Symantec]
Trojan-Clicker.Win32.VB.eek [Kaspersky Lab]
BackDoor-EWB [McAfee]
Mal/Emogen-F [Sophos]
Trojan:Win32/Comisproc [Microsoft]
Trojan-Clicker.Win32.VB [Ikarus]
17 %ProgramFiles%\RAV\CCtest.inf 4,141 bytes MD5: 0x0CE844ACE54876423AB40E88352593C3
SHA-1: 0x4ADF114246F663A88628E6A4FEE3262FC1B398C4
(not available)
18 %ProgramFiles%\RAV\CCtest.sys 7,808 bytes MD5: 0x62A291DDFC8D86B4164D195211CF90D9
SHA-1: 0xBD60C9C7402211FD2CF0AC0E0840F2A688705ACC
Hacktool.Rootkit [PCTools]
Hacktool.Rootkit [Symantec]
Rootkit.Win32.Agent.bgio [Kaspersky Lab]
Generic.dx!tjf [McAfee]
Mal/Rootkit-X [Sophos]
Trojan:Win32/Orsam!rts [Microsoft]
Rootkit.Win32.Agent [Ikarus]
19 %Windir%\back_Qvod.DLL
%Windir%\Qvod.dll
28,672 bytes MD5: 0x9FFB7EDAFDE0D1CEA20C6A879385E071
SHA-1: 0xF60C354312726121C6316A2CB2D2FA16136D1414
Trojan.Gen [PCTools]
Trojan.Gen [Symantec]
Trojan.Win32.BHO.agbp [Kaspersky Lab]
Generic.dx!tav [McAfee]
Mal/Generic-L [Sophos]
Trojan:Win32/BHO.CQ!dll [Microsoft]
Trojan.Win32.BHO [Ikarus]
Win-Trojan/Bho.28672.GQ [AhnLab]
20 %Windir%\bhoreg.reg 173 bytes MD5: 0x33DFD4FE1174CE6AD292F4D85BC5C413
SHA-1: 0xE126109260DA921CC1AFDAC2F9298D034B5426DD
(not available)
21 %Windir%\bing\del.bat 117 bytes MD5: 0xA42D48AA732112827C3EB351DFDE2E89
SHA-1: 0x9249C98B8C45E35285A368D6CB84226046D2D7BD
(not available)
22 %Windir%\bing\lsass.exe 69,632 bytes MD5: 0x6E4373DC24A586231D2EE75CE019198E
SHA-1: 0xD6831739E2AABE065736F8B25585EE1802E42D44
Trojan.Gen [PCTools]
Trojan.Gen [Symantec]
Trojan.Win32.Swisyn.adhl [Kaspersky Lab]
Generic.dx!tav [McAfee]
Mal/Generic-L [Sophos]
Trojan:Win32/Orsam!rts [Microsoft]
Trojan-Dropper.Win32.BHO [Ikarus]
Win-Trojan/Swisyn.69632.L [AhnLab]
23 %Windir%\search.reg 2,277 bytes MD5: 0x3EB707DABE49517038E05DDDB46649CF
SHA-1: 0xFE59EDAB49AA0BF18B6BDED31E2037DE4DB375CF
(not available)
24 %Windir%\StrongIndex.reg 1,421 bytes MD5: 0x958217370AA43A176700027F14D8620D
SHA-1: 0x301EDCE9B46A9B6D67378B83EF4C98C280C32E3E
Trojan.WinREG.StartPage.aq [Kaspersky Lab]
25 %System%\dll.vbe 1,440 bytes MD5: 0x43E9401A266E06F64CC35FA6F3572FDB
SHA-1: 0xB127D046FEA0DB8561F7FBD8A7E1E6CF8D177788
Trojan.Gen [PCTools]
Trojan.Gen [Symantec]
VBS.Agent [Ikarus]
26 %System%\movie.ico 9,664 bytes MD5: 0xD8E0BE34624CB0C76871614DBF0B198C
SHA-1: 0x9209FA489BBEC6C6A7829B09746A714AACE4CC36
(not available)
27 %System%\reg.reg 185 bytes MD5: 0xD97B3524C509D4A3DB97CC9EA1774681
SHA-1: 0x27455FF98564FE4CCFAFB1106AA5194580698FE8
(not available)
28 %System%\tao.ico 9,664 bytes MD5: 0x4A6E0D18BDDCFC0464DD4784B26E4072
SHA-1: 0x6519C101B718C5A610688C39E533F3E7A5F5C39B
(not available)
29 %Windir%\updateLnk.vbe 4,973 bytes MD5: 0xD038577954E119598669925CE6DF97AD
SHA-1: 0x5C00A1C4FAAA35806A4233808D98A1ADB7A87F4E
Trojan.VBS.Agent.iu [Kaspersky Lab]
30 %Windir%\WiWii\smss.exe 90,112 bytes MD5: 0x5079E390EDEA5437DE64ED148F40DD57
SHA-1: 0x76F2DC46333EF4A14D5A7D1943CA2F516BA47BEB
Trojan.Gen [PCTools]
Trojan.Gen [Symantec]
Trojan.Win32.VB.adrd [Kaspersky Lab]
Generic.dx!tav [McAfee]
Mal/Generic-L [Sophos]
Trojan:Win32/Provis!rts [Microsoft]
Trojan.Win32.VB [Ikarus]
Win-Trojan/Xema.variant [AhnLab]

Memory Modifications

Process Name  |  Process Filename  |  Main Module Size
360.exe  |  c:\360.exe  |  364,544 bytes
[filename of the sample #1]  |  [file and pathname of the sample #1]  |  364,544 bytes

Process Name  |  Main Module Size
smss.exee  |  98,304 bytes
lsass.exegao.ex  |  77,824 bytes

Module Name  |  Module Filename  |  Address Space Details
Qvod.dll  |  %Windir%\Qvod.dll  |  Process name: IEXPLORE.EXE; Process filename: %ProgramFiles%\internet explorer\iexplore.exe; Address space: 0x11000000 - 0x11007000
Qvod.dll  |  %Windir%\Qvod.dll  |  Process name: IEXPLORE.EXE; Process filename: %ProgramFiles%\internet explorer\iexplore.exe; Address space: 0x11000000 - 0x11007000

Registry Modifications

Other details

China

Port  |  Protocol  |  Process
1089  |  UDP  |  360.exe (c:\360.exe)
1090  |  TCP  |  360.exe (c:\360.exe)
1093  |  TCP  |  360.exe (c:\360.exe)

Remote Host  |  Port Number

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2014 ThreatExpert. All rights reserved.