ThreatExpert Report: not-a-virus:AdWare.Win32.IEHlpr.aa, not-a-virus:Downloader.Win32.Agent.g..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 11 September 2007, 13:42:16
Processing time: 3 min 49 sec
Submitted sample:

File MD5: 0xB1009C175ED7ECDB132318840FD4EF3C
Filesize: 1,038,360 bytes
Alias:

not-a-virus:AdWare.Win32.IEHlpr.aa, not-a-virus:Downloader.Win32.Agent.g, Trojan-Downloader.Win32.QQHelper.va, Trojan-Downloader.Win32.Delf.beq, not-a-virus:AdWare.Win32.Agent.ap, Trojan-Downloader.Win32.Agent.bcd, Trojan-Downloader.Win32.Agent.bcd, not-a-virus:AdWare.Win32.Cinmus.j, not-a-virus:AdWare.Win32.Boran.z, not-a-virus:AdWare.Win32.Agent.ap, not-a-virus:AdWare.Win32.WSearch.j, Trojan.Win32.VB.sj, Trojan-Downloader.Win32.Agent.aww [Kaspersky Lab]
TROJ_MULDROP.LX [Trend Micro]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat categories were identified:

Threat Category	Description
	A potentially unwanted adware program designed to deliver various advertisements to the users' systems
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A program that downloads files to the local computer that may represent security risk

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%CommonAppData%\Microsoft\Office\NAVDATA\webnav_2001.dll	118,784 bytes	MD5: 0x6DED6FD75A696C26A1F0DEAEF485461B	Adware.IEhlpr [Symantec] not-a-virus:AdWare.Win32.IEHlpr.aa [Kaspersky Lab]
2	%Temp%\nso2.tmp	1,332,091 bytes	MD5: 0x1EA0EAAF2C169569C3D637431CA251EE	(not available)
3	%Temp%\nstC.tmp\NSISdlSmooth.dll	13,312 bytes	MD5: 0x67BB7985C77F5D4A803E3AB392A1A55A	(not available)
4	%Temp%\_checktemptest	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E	(not available)
5	%System%\alipy_.log %System%\soudmax.dll	49,152 bytes	MD5: 0x130F22AE1B8BA3C3F532F8B134DD3480	not-a-virus:Downloader.Win32.Agent.g [Kaspersky Lab] TROJ_Generic [Trend Micro]
6	%System%\Baidu.exe	125 bytes	MD5: 0x7C5F5A68051F6B0C0E9A2AD33C40D415	(not available)
7	%System%\c350.exe	207,307 bytes	MD5: 0x0CC54196941258F2D25E4971440C1E5F	Trojan-Downloader.Win32.Delf.beq, not-a-virus:AdWare.Win32.Agent.ap [Kaspersky Lab]
8	%System%\caifu02.exe	60,906 bytes	MD5: 0x353032D8D596DE0C06AEA022D769D852	Trojan-Downloader.Win32.Agent.bcd, Trojan-Downloader.Win32.Agent.bcd [Kaspersky Lab]
9	%System%\dodolook043.exe	179,205 bytes	MD5: 0xB460CB6CE9343E319B606E727A6744A5	Trojan.Dropper [Symantec] not-a-virus:AdWare.Win32.Cinmus.j [Kaspersky Lab]
10	%System%\genedoe.dll	102,400 bytes	MD5: 0x02BF4812753F4C8F2DB7FA6344A8A93B	Downloader [Symantec]
11	%System%\gpssafe.dll	242 bytes	MD5: 0xBF63AAD0FD20C701569C100836C0C102	(not available)
12	%System%\lnkenb.dll	81,920 bytes	MD5: 0x8E6B368CCF7793E7E0A64C627675FB04	Downloader [Symantec]
13	%System%\mms928.exe	234,768 bytes	MD5: 0x8FED07EDD061846A6CFC17F9E35C87AD	not-a-virus:AdWare.Win32.Boran.z, not-a-virus:AdWare.Win32.Agent.ap [Kaspersky Lab]
14	%System%\msvd2.exe	147,456 bytes	MD5: 0x88DDCAF3C82A74B48743AFAE19845797	Trojan.Dropper [Symantec]
15	%System%\relres.dll	77,824 bytes	MD5: 0x24B6D9F42A0C350D7D5F0B5746BF1A6E	Downloader [Symantec] TROJ_AGENT.RAE [Trend Micro]
16	[file and pathname of the sample #1]	1,038,360 bytes	MD5: 0xB1009C175ED7ECDB132318840FD4EF3C	not-a-virus:AdWare.Win32.IEHlpr.aa, not-a-virus:Downloader.Win32.Agent.g, Trojan-Downloader.Win32.QQHelper.va, Trojan-Downloader.Win32.Delf.beq, not-a-virus:AdWare.Win32.Agent.ap, Trojan-Downloader.Win32.Agent.bcd, Trojan-Downloader.Win32.Agent.bcd, not-a-virus:AdWare.Win32.Cinmus.j, not-a-virus:AdWare.Win32.Boran.z, not-a-virus:AdWare.Win32.Agent.ap, not-a-virus:AdWare.Win32.WSearch.j, Trojan.Win32.VB.sj, Trojan-Downloader.Win32.Agent.aww [Kaspersky Lab] TROJ_MULDROP.LX [Trend Micro]
17	%System%\setup.exe	67,128 bytes	MD5: 0xB60786A03DF387C47B6080D7340495D4	Adware.PigSearch [Symantec] not-a-virus:AdWare.Win32.WSearch.j [Kaspersky Lab]
18	%System%\setup0001.exe	55,572 bytes	MD5: 0x50614731D7132C6D059D53F42D01F223	Downloader [Symantec] Trojan.Win32.VB.sj [Kaspersky Lab] New Malware.aj [McAfee] TROJ_VB.BOE [Trend Micro]
19	%System%\sna.exe	55,296 bytes	MD5: 0x96CB5B18DD552C61B8F3074D756DEBE1	Downloader [Symantec] Trojan-Downloader.Win32.Agent.aww [Kaspersky Lab] TROJ_AGENT.LML [Trend Micro]

Notes:

%CommonAppData% is a variable that refers to the file system directory containing application data for all users. A typical path is C:\Documents and Settings\All Users\Application Data.
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following directories were created:

%CommonAppData%\Microsoft\Office
%Temp%\nstC.tmp
%CommonAppData%\Microsoft\Office\NAVDATA

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	188,416 bytes
bind_50006.exe	%System%\bind_50006.exe	20,480 bytes
AllInOne00000040.exe	%System%\AllInOne00000040.exe	188,416 bytes
Gapr11.exe	%Temp%\Gapr11.exe	28,672 bytes
msvd2.exe	%Temp%\msvd2.exe	147,456 bytes
msvd2.exe	%System%\msvd2.exe	147,456 bytes
2001.exe	%System%\2001.exe	196,608 bytes

The following module was loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
soudmax.dll	%System%\soudmax.dll	Process name: explorer.exe Process filename: %Windir%\explorer.exe Address space: 0x1930000 - 0x1940000

Notes:

%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{96FC3938-C6CA-475D-8D3B-45F323A6B62B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{96FC3938-C6CA-475D-8D3B-45F323A6B62B}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{96FC3938-C6CA-475D-8D3B-45F323A6B62B}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{96FC3938-C6CA-475D-8D3B-45F323A6B62B}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{96FC3938-C6CA-475D-8D3B-45F323A6B62B}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{96FC3938-C6CA-475D-8D3B-45F323A6B62B}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C86161B2-A673-46FA-9BA3-7A4C4A3F8EC1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C86161B2-A673-46FA-9BA3-7A4C4A3F8EC1}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C86161B2-A673-46FA-9BA3-7A4C4A3F8EC1}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C86161B2-A673-46FA-9BA3-7A4C4A3F8EC1}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{441E1C99-AF97-48A1-835D-581699D072C3}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{441E1C99-AF97-48A1-835D-581699D072C3}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{441E1C99-AF97-48A1-835D-581699D072C3}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{441E1C99-AF97-48A1-835D-581699D072C3}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{441E1C99-AF97-48A1-835D-581699D072C3}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{441E1C99-AF97-48A1-835D-581699D072C3}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Webnav.Navigator
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Webnav.Navigator\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Webnav.Navigator\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Webnav.Navigator.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Webnav.Navigator.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\dinput
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\dinput\update
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\dinput\update\Score
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\dinput\update\StartTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\dinput\update\Version
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{96FC3938-C6CA-475D-8D3B-45F323A6B62B}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Video2
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Video2\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Video2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Video2\Security

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{96FC3938-C6CA-475D-8D3B-45F323A6B62B}\VersionIndependentProgID]

(Default) = "Webnav.Navigator"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{96FC3938-C6CA-475D-8D3B-45F323A6B62B}\TypeLib]

(Default) = "{441E1C99-AF97-48A1-835D-581699D072C3}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{96FC3938-C6CA-475D-8D3B-45F323A6B62B}\ProgID]

(Default) = "Webnav.Navigator.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{96FC3938-C6CA-475D-8D3B-45F323A6B62B}\InprocServer32]

(Default) = "%CommonAppData%\Microsoft\Office\NAVDATA\webnav_2001.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{96FC3938-C6CA-475D-8D3B-45F323A6B62B}]

(Default) = "Navigator Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C86161B2-A673-46FA-9BA3-7A4C4A3F8EC1}\TypeLib]

(Default) = "{441E1C99-AF97-48A1-835D-581699D072C3}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C86161B2-A673-46FA-9BA3-7A4C4A3F8EC1}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C86161B2-A673-46FA-9BA3-7A4C4A3F8EC1}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C86161B2-A673-46FA-9BA3-7A4C4A3F8EC1}]

(Default) = "INavigator"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{441E1C99-AF97-48A1-835D-581699D072C3}\1.0\0\win32]

(Default) = "%CommonAppData%\Microsoft\Office\NAVDATA\webnav_2001.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{441E1C99-AF97-48A1-835D-581699D072C3}\1.0\HELPDIR]

(Default) = "%CommonAppData%\Microsoft\Office\NAVDATA\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{441E1C99-AF97-48A1-835D-581699D072C3}\1.0\FLAGS]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{441E1C99-AF97-48A1-835D-581699D072C3}\1.0]

(Default) = "webnav 1.0 Type Library"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Webnav.Navigator\CurVer]

(Default) = "Webnav.Navigator.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Webnav.Navigator\CLSID]

(Default) = "{96FC3938-C6CA-475D-8D3B-45F323A6B62B}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Webnav.Navigator]

(Default) = "Navigator Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Webnav.Navigator.1\CLSID]

(Default) = "{96FC3938-C6CA-475D-8D3B-45F323A6B62B}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Webnav.Navigator.1]

(Default) = "Navigator Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\dinput\update]

SetupId = "50006"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]

SoundMix = "%System%\rundll32.exe %System%\soudmax.dll,St"

so that soudmax.dll runs every time Windows starts

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Video2\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Video2]

Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%System%\msvd2.exe"
DisplayName = "Windows Video2"
ObjectName = "LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Video2\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Video2]

Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%System%\msvd2.exe"
DisplayName = "Windows Video2"
ObjectName = "LocalSystem"

Other details

Analysis of the file resources indicate the following possible countries of origin:

	China
	Ireland

The data identified by the following URLs was then requested from the remote web server:

http://setup1.tqzn.com/barbindsoft/barsetup.exe?queryid=50006
http://setup2.tqzn.com/barbindsoft/barsetup.exe?queryid=50006
http://setup3.tqzn.com/barbindsoft/barsetup.exe?queryid=50006
http://setup4.tqzn.com/barbindsoft/barsetup.exe?queryid=50006

The following Internet download was started (the retrieved bits are saved into the local file):

URL to be downloaded	Filename for the downloaded bits
http://www.ccwinfo.net/download/sns.txt	%Temp%\sns.txt

There was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:

%System%\soudmax.dll

Downloaded File Summary:

Download details:

Download retrieved: 11 September 2007 13:52:59
Processing time: 3 min 40 sec
Downloaded sample #1:

File MD5: 0x541862927BEE0ACAFE779A2548E430F2
Filesize: 356,352 bytes
Alias:

Trojan-Dropper.Win32.Agent.btz [Kaspersky Lab]
TROJ_AGENT.XWS [Trend Micro]

Downloaded sample #2:

File MD5: 0x424D81B43160CDFD5D3C86F546C94DD9
Filesize: 368,640 bytes
Alias:

Trojan-Dropper.Win32.Agent.ayy [Kaspersky Lab]
Generic.dx [McAfee]
TROJ_AGENT.XBH [Trend Micro]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat categories were identified:

Threat Category	Description
	A program that downloads files to the local computer that may represent security risk
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Favorites%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½Õ¾-ï¿½î°²È«ï¿½ï¿½ï¿½Äµï¿½ï¿½ï¿½ï¿½Õ¾.url	50 bytes	MD5: 0x1088F7C02524BDF801F1D6121972EDD6	(not available)
2	%ProgramFiles%\Common Files\System\Updaterun.exe	7,168 bytes	MD5: 0xBB4687DA703607A4E214CF1A4937DE5F	Trojan-Downloader.Win32.Agent.bdn [Kaspersky Lab]
3	%Windir%\f2.exe	32,768 bytes	MD5: 0x45BBB6A126F9596870F8596BE557C027	Trojan-Downloader.Win32.Agent.bbb [Kaspersky Lab] BackDoor-CVM [McAfee] TROJ_AGENT.UXF [Trend Micro]
4	%Windir%\g3.exe	90,112 bytes	MD5: 0x8FFDE530AA2E0BDCA8CCEFA198B53465	Trojan.Win32.StartPage.apb [Kaspersky Lab] Generic StartPage.w [McAfee] TROJ_STARTPA.APB [Trend Micro]
5	%System%\advport.dll	5,952 bytes	MD5: 0xD7D59D6A81CD1E830A8D15FD0F014751	(not available)
6	%System%\drivers\msqmx.sys	7,808 bytes	MD5: 0x6D84827B36873F6A6902A05A55FB1836	Trojan.Win32.StartPage.apb [Kaspersky Lab] Generic Rootkit.d [McAfee] TROJ_STARTPA.EGH [Trend Micro]
7	%System%\drivers\zhpof.sys	10,240 bytes	MD5: 0x0B85823D3C0A3C226A8AC9EAF9C0B765	Trojan-Downloader.Win32.Agent.bbb [Kaspersky Lab] BackDoor-CVM!sys [McAfee]
8	%System%\ekvjf.dll	214,016 bytes	MD5: 0x16F5049B341D06C65DD3B0A50EB27576	Trojan-Downloader.Win32.QQHelper.ep [Kaspersky Lab] PWS-QQPass.dll [McAfee] TROJ_QQHELPER.NY [Trend Micro]
9	%System%\rundllforour.exe	10,240 bytes	MD5: 0x4936A6954ED59700A3C706F9094685EE	BackDoor-CVM [McAfee]
10	[file and pathname of the sample #1]	356,352 bytes	MD5: 0x541862927BEE0ACAFE779A2548E430F2	Trojan-Dropper.Win32.Agent.btz [Kaspersky Lab] TROJ_AGENT.XWS [Trend Micro]
11	[file and pathname of the sample #2]	368,640 bytes	MD5: 0x424D81B43160CDFD5D3C86F546C94DD9	Trojan-Dropper.Win32.Agent.ayy [Kaspersky Lab] Generic.dx [McAfee] TROJ_AGENT.XBH [Trend Micro]
12	%System%\stlgu.dll	9,216 bytes	MD5: 0x68C8D0F01AD3BB0BC0E90BD4985909ED	Trojan-Downloader.Win32.Agent.bbb [Kaspersky Lab] BackDoor-CVM.dll [McAfee] TROJ_AGENT.UYY [Trend Micro]
13	%System%\vlrwk.dll	233,664 bytes	MD5: 0x1D86BABA874A77831D70CDF6B78A186F	Trojan-Downloader.Win32.QQHelper.adm [Kaspersky Lab] PWS-QQPass.dll [McAfee] TROJ_QQHELPER.NY [Trend Micro]
14	%System%\wbem\gnoxf.dll	212,992 bytes	MD5: 0xD86B109014FEABD517E0653A948905F9	Trojan-Downloader.Win32.QQHelper.adl [Kaspersky Lab] PWS-QQPass.dll [McAfee] TROJ_QQHELPER.QD [Trend Micro]
15	%System%\wbem\ocmor.dll	6,304 bytes	MD5: 0x2C9C3948EDBBDB7015054EDA23D1CCA0	(not available)
16	%System%\wbem\yluya.dll	241,664 bytes	MD5: 0xCECB758A5F6A8599AD0FDA83A9434886	Trojan-Downloader.Win32.QQHelper.gg [Kaspersky Lab] PWS-QQPass.dll [McAfee] TROJ_QQHELPER.QT [Trend Micro]

Notes:

%Favorites% is a variable that refers to the file system directory that serves as a common repository for the user's favorite items. A typical path is C:\Documents and Settings\[UserName]\Favorites.
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
rundllforour.exe	%System%\rundllforour.exe	16,384 bytes
Updaterun.exe	%ProgramFiles%\common files\system\updaterun.exe	16,384 bytes
g3.exe	%Windir%\g3.exe	94,208 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	356,352 bytes
f2.exe	%Windir%\f2.exe	32,768 bytes
[filename of the sample #2]	[file and pathname of the sample #2]	368,640 bytes

The following modules were loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
stlgu.dll	%System%\stlgu.dll	Process name: explorer.exe Process filename: %Windir%\explorer.exe Address space: 0x1950000 - 0x1956000
GNOXF.DLL	%System%\WBEM\GNOXF.DLL	Process name: rundllforour.exe Process filename: %System%\rundllforour.exe Address space: 0x840000 - 0x874000

There were new kernel-mode drivers installed in the system:

Driver Name	Driver Filename
zhpof.sys	%System%\drivers\zhpof.sys
msqmx.sys	%System%\drivers\msqmx.sys

Attention! The following kernel-mode system service function was hooked:

System Call	Driver name	Driver Filename
NtSetValueKey	msqmx.sys	%System%\drivers\msqmx.sys

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Adobe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BRGNS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BRGNS\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BRGNS\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSQMX
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSQMX\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSQMX\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ZHPOF
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ZHPOF\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ZHPOF\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BRGNS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BRGNS\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BRGNS\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ClipArt
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ClipArt\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ClipArt\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msqmx
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msqmx\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msqmx\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\zhpof
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\zhpof\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\zhpof\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BRGNS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BRGNS\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BRGNS\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSQMX
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSQMX\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSQMX\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ZHPOF
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ZHPOF\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ZHPOF\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BRGNS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BRGNS\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BRGNS\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipArt
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipArt\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipArt\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msqmx
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msqmx\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msqmx\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zhpof
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zhpof\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zhpof\Enum

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

System = "%ProgramFiles%\Common Files\system\Updaterun.exe"

so that Updaterun.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Adobe]

Adobe = 0x0001ADBF

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BRGNS\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "BRGNS"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BRGNS\0000]

Service = "BRGNS"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "ClipManage"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BRGNS]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSQMX\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "msqmx"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSQMX\0000]

Service = "msqmx"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "msqmx"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSQMX]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ZHPOF\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "zhpof"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ZHPOF\0000]

Service = "zhpof"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "zhpof"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ZHPOF]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BRGNS\Enum]

0 = "Root\LEGACY_BRGNS\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BRGNS\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BRGNS]

Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%System%\RUNDLLFOROUR.EXE %System%\WBEM\GNOXF.DLL,DllRegisterServer 1087"
DisplayName = "ClipManage"
ObjectName = "LocalSystem"
Description = "ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½é¿´ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½Ô±ï¿½ï¿½ï¿½Ï¸ï¿½ï¿½ï¿½ï¿½Ô¶ï¿½Ì¼ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½Ä¼ï¿½Â¼ï¿½ï¿½Ï¢ï¿½ï¿½"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ClipArt\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ClipArt\Parameters]

ServiceDll = "%System%\vlrwk.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ClipArt]

Type = 0x00000020
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%SystemRoot%\System32\svchost.exe -k netsvcs"
DisplayName = "HTTP Secure Manager"
ObjectName = "LocalSystem"
Description = "ï¿½ï¿½ï¿½ï¿½ HTTP ï¿½ï¿½È«Í¨Ñ¶ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ñ£¬±ï¿½ï¿½ï¿½ Windows ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½È«ï¿½ï¿½ï¿½Ð¡ï¿½ï¿½Þ·ï¿½ï¿½ï¿½Ö¹ï¿½Ë·ï¿½ï¿½ï¿½"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msqmx\Enum]

0 = "Root\LEGACY_MSQMX\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msqmx\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msqmx]

Type = 0x00000001
Start = 0x00000000
ErrorControl = 0x00000001
ImagePath = "system32\drivers\msqmx.sys"
DisplayName = "msqmx"
Group = "System Bus Extender"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\zhpof\Enum]

0 = "Root\LEGACY_ZHPOF\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\zhpof\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\zhpof]

Type = 0x00000001
Start = 0x00000000
ErrorControl = 0x00000001
ImagePath = "System32\DRIVERS\zhpof.sys"
DisplayName = 7A 68 70 6F 66
Group = 53 79 73 74 65 6D 20 42 75 73 20 45 78 74 65 6E 64 65 72

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BRGNS\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "BRGNS"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BRGNS\0000]

Service = "BRGNS"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "ClipManage"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BRGNS]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSQMX\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "msqmx"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSQMX\0000]

Service = "msqmx"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "msqmx"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSQMX]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ZHPOF\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "zhpof"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ZHPOF\0000]

Service = "zhpof"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "zhpof"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ZHPOF]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BRGNS\Enum]

0 = "Root\LEGACY_BRGNS\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BRGNS\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]

Directory = "%Profiles%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]

CachePath = "%Profiles%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]

CachePath = "%Profiles%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]

CachePath = "%Profiles%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]

CachePath = "%Profiles%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]

netsvcs = "6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent Rasauto Rasman Remoteaccess Schedule

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]

(Default) = 0x0000000B

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]

(Default) = 0x0000000B

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]

Cookies = "%Profiles%\LocalService\Cookies"
Cache = "%Profiles%\LocalService\Local Settings\Temporary Internet Files"
History = "%Profiles%\LocalService\Local Settings\History"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

Start Page = "about.blank.la"

Other details

Analysis of the file resources indicate the following possible country of origin:

China

To mark the presence in the system, the following Mutex object was created:

The data identified by the following URLs was then requested from the remote web server:

http://rising.rising666.com/hb/treucnhnonoly.msn
http://rising.rising666.net/hb/treucnhnology.msn

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.