ThreatExpert Report: Trojan:Win32/Meredrop, Virus.Win32.Agent.COH, Win-Trojan/Xema.variant..

Submission Summary:

Submission details:

Submission received: 7 April 2009, 23:47:33
Processing time: 13 min 3 sec
Submitted sample:

File MD5: 0xD6008272D00C7A1D004A79F8C5C3A264
File SHA-1: 0x8C031818D6E07B46AC331557F3409273E4C77C7C
Filesize: 1,131,128 bytes
Alias:

Summary of the findings:

What's been found	Severity Level
Sets the drive to autoplay by creating autorun.inf file in its root directory. If the drive is shared across the network then other remote computers can be infected any time they try to access this share.
Downloads/requests other files from Internet.
Creates a startup registry entry.
Installs a default debugger that is injected into the execution sequence of a target application. If a threat is installed as a default debugger, it will be run every time a target application is attempted to be launched - either to mimic it and hide its own presence (e.g. an open port or a running process), or simply to be activated as often as possible.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat categories were identified:

Threat Category	Description
	A network-aware worm that attempts to replicate across the existing network(s)
	A code with the rootkit-specific techniques designed to hide the software presence in the system
	A hacktool that could be used by attackers to break into a system

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	c:\AutoRun.inf	169 bytes	MD5: 0xD47A84B3B3AF846F0B8861786B1C24E3 SHA-1: 0x7E86A62BA4894F32466E740FAA42F17ACAFC5DEF	INF.Autorun.Gen [PCTools]
2	%Temp%\E_N4\HtmlView.fne	217,088 bytes	MD5: 0x4C9E8F81BF741A61915D0D4FC49D595E SHA-1: 0xD033008B3A0E5D3FC8876E0423EE5509ECB3897C	(not available)
3	%Temp%\E_N4\iext.fnr	204,800 bytes	MD5: 0x1B74DF2213B76CCC335291B56C43B28D SHA-1: 0x4FB84748E4666DB7D14115478CE3B5B09E899352	Trojan-GameThief.Win32.Magania [Ikarus]
4	%Temp%\E_N4\iext2.fne	471,040 bytes	MD5: 0x6EB20BB6CAFD6D31E871ED3ABD65A59C SHA-1: 0xAE6495EA4241BCDE20E415F2940313785A4A10D2	(not available)
5	%Temp%\E_N4\krnln.fne %Temp%\E_N4\krnln.fnr	1,101,824 bytes	MD5: 0x3FE72F93AB5F24A0EA2D753013A41C4B SHA-1: 0x9206CD206C0B2782A2B1AD1D19ACE97BAE6E491E	Mal/Generic-A [Sophos]
6	%Temp%\E_N4\shell.fne	40,960 bytes	MD5: 0xD54753E7FC3EA03AEC0181447969C0E8 SHA-1: 0x824E7007B6569AE36F174C146AE1B7242F98F734	W32/AutoRun-MO [Sophos]
7	%Temp%\E_N4\spec.fne	69,632 bytes	MD5: 0x8985D73F08638B4B48ECD30759C9E53F SHA-1: 0x400A90C9EABEB94AE05E5036E21DC922B0C1FFAD	(not available)
8	c:\SysSafe.exe	56,260 bytes	MD5: 0xD91B82AB35FAAAAB9F27C77843014144 SHA-1: 0x7D9674C3D85713F95850AE15C70A181706ABFA27	W32.SillyFDC [Symantec] Worm.Win32.AutoRun.acua [Kaspersky Lab] W32/Autorun.worm.gen [McAfee] Mal/Generic-A [Sophos] Trojan:Win32/Qhost.V [Microsoft] Virus.Win32.Agent.GZY [Ikarus]
9	[file and pathname of the sample #1]	1,131,128 bytes	MD5: 0xD6008272D00C7A1D004A79F8C5C3A264 SHA-1: 0x8C031818D6E07B46AC331557F3409273E4C77C7C	Trojan:Win32/Meredrop [Microsoft] Virus.Win32.Agent.COH [Ikarus] Win-Trojan/Xema.variant [AhnLab]
10	%System%\TIANLAI.dll	14,004 bytes	MD5: 0x26E5CDA8308B6D433679E7E0F67B0C86 SHA-1: 0x7EC1CB6F420859D7B3D4C3378E946DB84F2E5A59	not-a-virus:RiskTool.Win32.HideProc.c [Ikarus]
11	%System%\tianlai.tmp %System%\zhuruqi.tmp	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
12	%System%\tl.sys	2,560 bytes	MD5: 0xE512D6B049DE8F79104E8C8D7D371FC7 SHA-1: 0x10D308F56675D6984D33B1CC4EDC39AB310C36D2	Hacktool.Rootkit [Symantec] Rootkit.Win32.Agent.giz [Kaspersky Lab] Generic.dx [McAfee] Mal/Generic-A [Sophos] Rootkit.Win32.Agent [Ikarus] Win-Trojan/Agent.2560.AS [AhnLab]
13	%System%\zhuruqi.exe	30,569 bytes	MD5: 0xA328ADA616EC6EA3A6F94AF739429CA2 SHA-1: 0xAA2868D198651B67FA77B32F336B5985F79DEC72	Suspicious.MH690 [Symantec] New Malware.bx [McAfee] Trojan:Win32/Qhost.V [Microsoft] Trojan-Spy.Win32.Agent.ccb [Ikarus]

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following directory was created:

%Temp%\E_N4

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
zhuruqi.exe	%System%\zhuruqi.exe	95,593 bytes
svchosi.exe	%System%\svchosi.exe	174,532 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Tray.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSrv.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Frogagent.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvdetect.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvHistory.kxp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvsrvxp.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcshield.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMon.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPStart.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC1.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC2.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ras.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwstub.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSTray.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shstat.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srck.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srgui.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sriecli.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srieh.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UlibCfg.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VsTskMgr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiUtilities.exe
HKEY_CURRENT_USER\Software\FlySky
HKEY_CURRENT_USER\Software\FlySky\E
HKEY_CURRENT_USER\Software\FlySky\E\Install

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

ÏµÍ³×¢ï¿½ï¿½ï¿½ï¿½ = "%System%\zhuruqi.exe"
svchosi = "%System%\svchosi.exe"

so that zhuruqi.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of 360Safe.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of 360safebox.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Tray.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of 360Tray.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSrv.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of AgentSrv.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of ArSwp.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of avp.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of CCenter.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of ccSvcHst.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of egui.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of ekrn.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Frogagent.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of Frogagent.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvdetect.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of kvdetect.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvHistory.kxp]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of KvHistory.kxp by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of KVMonXP.kxp by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvsrvxp.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of kvsrvxp.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of KvXP.kxp by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcshield.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of Mcshield.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMon.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of MPMon.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPStart.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of MPStart.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of MPSVC.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC1.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of MPSVC1.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC2.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of MPSVC2.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ras.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of ras.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of Rav.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of RavMon.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of RavMonD.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of RfwMain.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of rfwProxy.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of rfwsrv.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwstub.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of rfwstub.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSTray.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of RSTray.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of runiep.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of safeboxTray.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shstat.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of shstat.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srck.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of srck.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srgui.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of srgui.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sriecli.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of sriecli.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srieh.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of srieh.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UlibCfg.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of UlibCfg.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VsTskMgr.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of VsTskMgr.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiUtilities.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of WoptiUtilities.exe by being installed as its default debugger

[HKEY_CURRENT_USER\Software\FlySky\E\Install]

Path = "%Temp%\E_N4\"

Other details

Analysis of the file resources indicate the following possible country of origin:

China

To mark the presence in the system, the following Mutex object was created:

_!SHMSFTHISTORY!_

The following Internet Connection was established:

Server Name	Server Port	Connect as User	Connection Password
www.zzyun.com	80	(null)	(null)

The following GET requests were made:

index.html
index.jpg

The data identified by the following URLs was then requested from the remote web server:

http://www.dedeke.cn/1.exe
http://www.dedeke.cn/2.exe
http://www.dedeke.cn/3.exe
http://www.dedeke.cn/4.exe
http://www.dedeke.cn/5.exe
http://www.dedeke.cn/6.exe
http://www.dedeke.cn/7.exe
http://www.dedeke.cn/8.exe
http://www.dedeke.cn/9.exe

The following Internet downloads were started (the retrieved bits are saved into the local file):

URL to be downloaded	Filename for the downloaded bits
http://www.dedeke.cn/zhuruqi.exe	%System%\zhuruqi.exe
http://www.dedeke.cn/svchosi.exe	%System%\svchosi.exe
http://www.dedeke.cn/1.exe	%System%\svchos1.exe
http://www.dedeke.cn/2.exe	%System%\svchos2.exe
http://www.dedeke.cn/3.exe	%System%\svchos3.exe
http://www.dedeke.cn/4.exe	%System%\svchos4.exe
http://www.dedeke.cn/5.exe	%System%\svchos5.exe
http://www.dedeke.cn/6.exe	%System%\svchos6.exe
http://www.dedeke.cn/7.exe	%System%\svchos7.exe
http://www.dedeke.cn/8.exe	%System%\svchos8.exe
http://www.dedeke.cn/9.exe	%System%\svchos9.exe

Downloaded File Summary:

Download details:

Download retrieved: 8 April 2009 00:01:10
Processing time: 10 min 15 sec
Downloaded sample #1:

File MD5: 0xA328ADA616EC6EA3A6F94AF739429CA2
File SHA-1: 0xAA2868D198651B67FA77B32F336B5985F79DEC72
Filesize: 30,569 bytes

Downloaded sample #2:

File MD5: 0xD91B82AB35FAAAAB9F27C77843014144
File SHA-1: 0x7D9674C3D85713F95850AE15C70A181706ABFA27
Filesize: 56,260 bytes

Downloaded sample #3:

File MD5: 0x94D931BD25A56B14F0FE19D1F3A0B40E
File SHA-1: 0x2A6FE260352D1A2669F89E682A77C23526C33706
Filesize: 27,974 bytes

Downloaded sample #4:

File MD5: 0xF3C8AC0F52974DEF143AF0A37585C45E
File SHA-1: 0x06921A9A72B9878660180C5C114B0D9864E42B08
Filesize: 22,499 bytes

Downloaded sample #5:

File MD5: 0x47AE2F5F02E242989FE9107E5D0730E1
File SHA-1: 0xAC26D37B22755AC33AF372780529D43D15338314
Filesize: 22,037 bytes

Downloaded sample #6:

File MD5: 0xF4FF6EACB0DF8EA5B88BA9DB66610F37
File SHA-1: 0x93CA5C6B020A78E848393CD45DA4633BA4171E28
Filesize: 16,160 bytes

Downloaded sample #7:

File MD5: 0x9D923A1ED671ADF3208D83BB2797E2B1
File SHA-1: 0xE1EF04F183BA80930BCC0795446A92205A7FBCED
Filesize: 22,344 bytes

Summary of the findings:

What's been found	Severity Level
Sets the drive to autoplay by creating autorun.inf file in its root directory. If the drive is shared across the network then other remote computers can be infected any time they try to access this share.
Downloads/requests other files from Internet.
Creates a startup registry entry.
Installs a default debugger that is injected into the execution sequence of a target application. If a threat is installed as a default debugger, it will be run every time a target application is attempted to be launched - either to mimic it and hide its own presence (e.g. an open port or a running process), or simply to be activated as often as possible.
Registers a 32-bit in-process server DLL.

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	c:\AutoRun.inf	169 bytes	MD5: 0xD47A84B3B3AF846F0B8861786B1C24E3 SHA-1: 0x7E86A62BA4894F32466E740FAA42F17ACAFC5DEF
2	c:\del.bat	106 bytes	MD5: 0xDAF8D3435254D60C939972A1A5CD24F9 SHA-1: 0xBFDCDC26EB764422B629CC81A40702A98667BA75
3	c:\del2.bat	76 bytes	MD5: 0x23FEB024390ACC051641277201A69AD8 SHA-1: 0xAD12D918B1605F1993E391FAAA0C010CCBCE2A19
4	%Temp%\SelfDel.bat	190 bytes	MD5: 0xE327BE7348BD851F1E655F451E2F5D5E SHA-1: 0x257315928E8B82590D1635243773E7084D51DD81
5	%Temp%\WERcdcc.dir00\appcompat.txt	16,296 bytes	MD5: 0xF560A82E9385739415E085B4553CBA8F SHA-1: 0x958B55E9517896C07D689F6BDDED4EF10D0718A9
6	%Temp%\WERcdcc.dir00\explorer.exe.hdmp	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
7	%Temp%\WERcdcc.dir00\explorer.exe.mdmp	137,828 bytes	MD5: 0x07847751599B24C8048097AACC0F81EC SHA-1: 0x9B38DF347AF11E6A485DDE5B5995C9A662870E72
8	%Temp%\WERcdcc.dir00\manifest.txt	1,998 bytes	MD5: 0xFF71EDAE1891B5D044B656EF9DB0E15F SHA-1: 0x98D1AD236D18AB27A09643A14798CF1ECB4B27DB
9	c:\jizhan.tmp c:\shumen.tmp %System%\tianlai.tmp %System%\zhuruqi.tmp c:\yuyan.tmp	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
10	c:\SysSafe.exe [file and pathname of the sample #2] %System%\svchosi.exe	56,260 bytes	MD5: 0xD91B82AB35FAAAAB9F27C77843014144 SHA-1: 0x7D9674C3D85713F95850AE15C70A181706ABFA27
11	%FontsDir%\ComRes.dll	161,776 bytes	MD5: 0x2473F0341759B68DCA80286A03D32F0F SHA-1: 0xB482421C7D42732BF359FAE74C085937A92A8013
12	%FontsDir%\gth69331.fon	1,312 bytes	MD5: 0xF236EC4D8869B206175616366FF11A25 SHA-1: 0xAF96A4175136112FB47BEA0447084A03E3479979
13	%FontsDir%\gth69331.ttf	28,160 bytes	MD5: 0x2445D1DACF17A80215B84E1D9A54C62E SHA-1: 0x9643F6C23D51B39951FD19389ED022AF9435CAD3
14	%System%\edjmkkhm.dll	40,960 bytes	MD5: 0xC0507F89455B89194ABFF6C38C01B0A7 SHA-1: 0xF4DFA6D0811F00A04479DCEAA0CA98884A2BF194
15	%System%\gth69331.exe	33,280 bytes	MD5: 0x8358193945474F68A2D498CBED8EB97E SHA-1: 0xA905C9849147628387F6B1D5A7BF88FD5A64F15F
16	%System%\mmsfc1.dll	133,120 bytes	MD5: 0xE8F132E41430A1EFD24282BE4DFF0723 SHA-1: 0x96FF851E5CC953D99950110F64D0DA8E67D9B215
17	[file and pathname of the sample #1] %System%\zhuruqi.exe	30,569 bytes	MD5: 0xA328ADA616EC6EA3A6F94AF739429CA2 SHA-1: 0xAA2868D198651B67FA77B32F336B5985F79DEC72
18	[file and pathname of the sample #3]	27,974 bytes	MD5: 0x94D931BD25A56B14F0FE19D1F3A0B40E SHA-1: 0x2A6FE260352D1A2669F89E682A77C23526C33706
19	[file and pathname of the sample #4]	22,499 bytes	MD5: 0xF3C8AC0F52974DEF143AF0A37585C45E SHA-1: 0x06921A9A72B9878660180C5C114B0D9864E42B08
20	[file and pathname of the sample #5]	22,037 bytes	MD5: 0x47AE2F5F02E242989FE9107E5D0730E1 SHA-1: 0xAC26D37B22755AC33AF372780529D43D15338314
21	[file and pathname of the sample #6]	16,160 bytes	MD5: 0xF4FF6EACB0DF8EA5B88BA9DB66610F37 SHA-1: 0x93CA5C6B020A78E848393CD45DA4633BA4171E28
22	[file and pathname of the sample #7]	22,344 bytes	MD5: 0x9D923A1ED671ADF3208D83BB2797E2B1 SHA-1: 0xE1EF04F183BA80930BCC0795446A92205A7FBCED
23	%System%\sysgth.dll	792,064 bytes	MD5: 0x6728270CB7DBB776ED086F5AC4C82310 SHA-1: 0xE913CC86F68627541DAE2A92509AB230F427E980
24	%System%\TIANLAI.dll	14,004 bytes	MD5: 0x26E5CDA8308B6D433679E7E0F67B0C86 SHA-1: 0x7EC1CB6F420859D7B3D4C3378E946DB84F2E5A59
25	%System%\tl.sys	2,560 bytes	MD5: 0xE512D6B049DE8F79104E8C8D7D371FC7 SHA-1: 0x10D308F56675D6984D33B1CC4EDC39AB310C36D2

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%FontsDir% is a variable that refers to a virtual folder containing fonts. A typical path is C:\Windows\Fonts.

The following directory was created:

%Temp%\WERcdcc.dir00

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
svchosi.exe	%System%\svchosi.exe	174,532 bytes
[filename of the sample #6]	[file and pathname of the sample #6]	225,280 bytes
zhuruqi.exe	%System%\zhuruqi.exe	95,593 bytes
[filename of the sample #2]	[file and pathname of the sample #2]	174,532 bytes
[filename of the sample #7]	[file and pathname of the sample #7]	90,112 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	95,593 bytes
gth69331.exe	%System%\gth69331.exe	45,056 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ED364416-3459-43A2-AA15-0C44F2185683}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ED364416-3459-43A2-AA15-0C44F2185683}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Tray.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSrv.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Frogagent.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvdetect.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvHistory.kxp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvsrvxp.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcshield.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMon.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPStart.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC1.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC2.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ras.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwstub.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSTray.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shstat.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srck.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srgui.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sriecli.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srieh.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UlibCfg.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VsTskMgr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiUtilities.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ED364416-3459-43A2-AA15-0C44F2185683}\InProcServer32]

(Default) = "%System%\edjmkkhm.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

{ED364416-3459-43A2-AA15-0C44F2185683} = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

ÏµÍ³×¢ï¿½ï¿½ï¿½ï¿½ = "%System%\zhuruqi.exe"
svchosi = "%System%\svchosi.exe"

so that zhuruqi.exe runs every time Windows starts

so that svchosi.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

ED364416 = "{ED364416-3459-43A2-AA15-0C44F2185683}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of 360Safe.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of 360safebox.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Tray.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of 360Tray.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSrv.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of AgentSrv.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of ArSwp.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of avp.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of CCenter.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of ccSvcHst.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of egui.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of ekrn.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Frogagent.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of Frogagent.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvdetect.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of kvdetect.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvHistory.kxp]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of KvHistory.kxp by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of KVMonXP.kxp by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvsrvxp.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of kvsrvxp.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of KvXP.kxp by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcshield.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of Mcshield.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMon.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of MPMon.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPStart.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of MPStart.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of MPSVC.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC1.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of MPSVC1.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC2.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of MPSVC2.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ras.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of ras.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of Rav.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of RavMon.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of RavMonD.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of RfwMain.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of rfwProxy.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of rfwsrv.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwstub.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of rfwstub.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSTray.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of RSTray.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of runiep.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of safeboxTray.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shstat.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of shstat.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srck.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of srck.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srgui.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of srgui.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sriecli.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of sriecli.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srieh.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of srieh.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UlibCfg.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of UlibCfg.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VsTskMgr.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of VsTskMgr.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiUtilities.exe]

Debugger = "%System%\zhuruqi.exe"

so that zhuruqi.exe is injected into the execution sequence of WoptiUtilities.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]

%Windir%\explorer.exe = "EnableNXShowUI"

Other details

Analysis of the file resources indicate the following possible country of origin:

China

To mark the presence in the system, the following Mutex objects were created:

gth1016
gth1760
gth1068
gth1072
gth1140
gth116
gth1172
gth1200
gth1280
gth1304
gth1504
gth1528
gth1536
gth156
gth1756
gth1836
gth1884
gth2076
gth2200
gth2288
gth2376
gth2404
gth2476
gth2632
gth2636
gth2724
gth2788
gth2852
gth2912
gth2920
gth2976
gth3000
gth3032
gth3064
gth3104
gth3176
gth3224
gth3240
gth3272
gth3288
gth3372
gth3476
gth3484
gth3528
gth3540
gth3684
gth3704
gth3772
gth3788
gth3856
gth3888
gth3960
gth3996
gth4036
gth4064
gth4128
gth4172
gth4192
gth4244
gth4280
gth4388
gth4436
gth4456
gth4532
gth4588
gth4612
gth4616
gth4680
gth4756
gth4832
gth4856
gth4908
gth4920
gth4936
gth4956
gth5020
gth5096
gth5208
gth5252
gth5276
gth5336
gth5360
gth5400
gth5404
gth5460
gth5484
gth5584
gth5608
gth5632
gth5688
gth5700
gth5736
gth5740
gth5760
gth5788
gth5876
gth5912
gth5960
gth5988
gth6040
gth6160

The data identified by the following URLs was then requested from the remote web server:

http://www.dedeke.cn/1.exe
http://www.dedeke.cn/2.exe
http://www.dedeke.cn/3.exe
http://www.dedeke.cn/4.exe
http://www.dedeke.cn/5.exe
http://www.dedeke.cn/6.exe
http://www.dedeke.cn/7.exe
http://www.dedeke.cn/8.exe
http://www.dedeke.cn/9.exe

The following Internet downloads were started (the retrieved bits are saved into the local file):

URL to be downloaded	Filename for the downloaded bits
http://www.dedeke.cn/1.exe	%System%\svchos1.exe
http://www.dedeke.cn/2.exe	%System%\svchos2.exe
http://www.dedeke.cn/3.exe	%System%\svchos3.exe
http://www.dedeke.cn/4.exe	%System%\svchos4.exe
http://www.dedeke.cn/5.exe	%System%\svchos5.exe
http://www.dedeke.cn/6.exe	%System%\svchos6.exe
http://www.dedeke.cn/7.exe	%System%\svchos7.exe
http://www.dedeke.cn/8.exe	%System%\svchos8.exe
http://www.dedeke.cn/9.exe	%System%\svchos9.exe
http://www.dedeke.cn/svchosi.exe	%System%\svchosi.exe
http://www.dedeke.cn/zhuruqi.exe	%System%\zhuruqi.exe

There were application-defined hook procedures installed into the hook chain (e.g. to monitor keystrokes). The installed hooks are handled by the following modules:

%System%\COMRes.dll
%FontsDir%\ComRes.dll
%System%\edjmkkhm.dll

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.