Submission Summary:

What's been found | Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.

Technical Details:

File System Modifications

# | Filename(s) | File Size | File Hash | Alias

1   %CommonPrograms%\Startup\gorun.jse
    Size: 223 bytes
    MD5: 0x07C2EA7B749392BFD0F21E9782977A44
    SHA-1: 0xAC30DA519B1E1ED755BA24E9E9947846DAAC3F5B
    Alias: (not available)

2   %DesktopDir%\����֮�������.lnk
    Size: 724 bytes
    MD5: 0x34E25C9BDB37D39F4F2D8C317A6FF944
    SHA-1: 0x30C611BED15BC1C0C068783BFB4733344A9CC63D
    Alias: (not available)

3   %AppData%\Microsoft\Windows Media\9.0\WMSDKNSD.XML
    Size: 53 bytes
    MD5: 0xA9B5DA9AEC61657B32393D96217165F0
    SHA-1: 0x80B5C577155ACD269B450D70F6B2CBED693EDF49
    Alias: (not available)

4   %Programs%\My application\Website.lnk
    Size: 741 bytes
    MD5: 0xD0599CF95A68775A3EDE8249C20149C4
    SHA-1: 0x9E7C5FEA02CB0EBBA60F9F55B891A2E27DA9501E
    Alias: (not available)

5   %Programs%\My application\����֮�������.lnk
    Size: 736 bytes
    MD5: 0x7E54915EFDC8409A23455FAE95717AE0
    SHA-1: 0xB71A1D12CB53FD7767A307FD50FE3CFA258FB772
    Alias: (not available)

6   c:\index.jse
    %ProgramFiles%\UltraEdit\ico\tao.ico
    Size: 1,728 bytes
    MD5: 0xC22EA0D5F2A588CF15D6B9B2FC13B04E
    SHA-1: 0x3C7C4E4E239FE93464D3D9B221F68FED89C7D8FD
    Alias: Downloader.Psyme [PCTools]
           Trojan-Clicker.VBS.Agent [Ikarus]

7   %ProgramFiles%\My application\360_setup.url
    Size: 43 bytes
    MD5: 0x9B69370D72CCD9539ABBEE752A8BA0AC
    SHA-1: 0x96804388E0D69DD1C9C80A29578F9182CDD41926
    Alias: (not available)

8   %ProgramFiles%\My application\theworld.ac
    Size: 1,783 bytes
    MD5: 0x716255ACC951A0E97C569DAB0B75D92A
    SHA-1: 0x3E6D0F8465731851A7E664E3275881D029F78921
    Alias: (not available)

9   %ProgramFiles%\My application\TheWorld.exe
    Size: 1,427,152 bytes
    MD5: 0x4CC2EE7059C053763153B5B8B072FC99
    SHA-1: 0xBFA60E80FF08E4A6FA6A7E9BAF6EC0061ADA6AC3
    Alias: Virus.Win32.Trojan [Ikarus]

10  %ProgramFiles%\My application\TheWorld.ico
    Size: 67,646 bytes
    MD5: 0x3B6301F550C3C561FD2CE0AC82E1D3F7
    SHA-1: 0x65E18E1FD175751F356FCFE353DCBEC74EB3E4F5
    Alias: (not available)

11  %ProgramFiles%\My application\theworld.ini
    Size: 11,822 bytes
    MD5: 0x169E97EEA077795393F496CE4AE1CC61
    SHA-1: 0xA7CEE0795DB2E101E17D0C0F2A82BD41AE0CA1BC
    Alias: (not available)

12  %ProgramFiles%\My application\twcache.ini
    Size: 274 bytes
    MD5: 0x2051980C407F3A48FF3E8729B7ACD7EA
    SHA-1: 0xADE79E76BC1B1DAD9B0D0AFC7EFB0ADF56D09A7F
    Alias: (not available)

13  %ProgramFiles%\winsoft9\1.vbs
    Size: 157 bytes
    MD5: 0x4B962B7441146CED39582A349F00F9EB
    SHA-1: 0x4EB9CFB3D79C3938412FC461DDBC3A94B6AFF368
    Alias: Trojan-Clicker.VBS.Agent.bn [Kaspersky Lab]
           Trojan-Clicker.VBS.Agent [Ikarus]

14  %ProgramFiles%\winsoft9\2222.vbs
    Size: 471 bytes
    MD5: 0x2824245171CF637208DCAB397E47EE58
    SHA-1: 0xF8BD96F2DFB4E0241F27C9FE3146F13B6242ECB7
    Alias: Adware.Adpopup!rem [PCTools]
           Vbs.Startpage [Ikarus]

15  %ProgramFiles%\winsoft9\3.bat
    Size: 1,555 bytes
    MD5: 0x7178074FE2E68EF48E28AF24EE7B0C24
    SHA-1: 0xA1C1ABDD79D2CAA133606F0E61F9428370E6E62E
    Alias: Adware.Adpopup!rem [PCTools]
           Trojan.BAT.StartPage.ie [Kaspersky Lab]
           Trojan.BAT.StartPage [Ikarus]

16  %ProgramFiles%\winsoft9\3.vbs
    Size: 1,011 bytes
    MD5: 0xF29F42E57F3079728B69971F0DD43A00
    SHA-1: 0x9E1081E728C8AE61CF712E5BC11B24007B9A7534
    Alias: Adware.StartPage!rem [PCTools]
           Trojan.StartPage [Ikarus]

17  %ProgramFiles%\winsoft9\bho.exe
    Size: 667,212 bytes
    MD5: 0x1A7C1CDB1C42A348B279044A7D8EF116
    SHA-1: 0x9ED584B2B7DE0B6899E2C5323A596AD4160BB249
    Alias: Trojan.ADH [PCTools]
           Generic.dx!uxo [McAfee]
           Virus.Win32.Trojan [Ikarus]

18  %ProgramFiles%\winsoft9\game.ico
    Size: 15,086 bytes
    MD5: 0x173D5C23AF9B3A269EB19B1C7426E7D2
    SHA-1: 0x47BAB303B6880DDBECD3C138FEDF028449150F85
    Alias: (not available)

19  %ProgramFiles%\winsoft9\kusila.ico
    Size: 13,944 bytes
    MD5: 0xD20B373E54407D97A951978932BF24DC
    SHA-1: 0x8CD46E13F2F2F62218C858849A95ECD139DC8ABD
    Alias: (not available)

20  %ProgramFiles%\winsoft9\mm.ico
    Size: 9,662 bytes
    MD5: 0xC6B53DF7E7006FC1CE1BFD8A57CC5DD4
    SHA-1: 0x06EA81EA5758B4D5AE700EDAF6AAACBCD834B86E
    Alias: (not available)

21  %ProgramFiles%\winsoft9\t2.exe
    Size: 0 bytes
    MD5: 0xD41D8CD98F00B204E9800998ECF8427E
    SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
    Alias: (not available)

22  %ProgramFiles%\winsoft9\taobao.ico
    Size: 2,238 bytes
    MD5: 0xD77877537A5527E65AA9C34862C6B1E4
    SHA-1: 0x4811C789B60DC8C25FCEE1FA1E7B8A030C44C4EB
    Alias: (not available)

23  %ProgramFiles%\winsoft9\test.exe
    Size: 41,884 bytes
    MD5: 0x7D4E6588338ED3ED0856B590EE819151
    SHA-1: 0x007ACD3358E4B24EF2DB4A83DE91A899CB0F2F1F
    Alias: Trojan.ADH [PCTools]
           Trojan-Clicker.VBS.Agent.bi [Kaspersky Lab]
           Generic.dx!tfj [McAfee]
           Mal/Generic-L [Sophos]
           TrojanDownloader:Win32/Troxen!rts [Microsoft]
           Trojan-Clicker.VBS.Agent [Ikarus]

24  %Windir%\Survival_0.txt
    Size: 3 bytes
    MD5: 0xA5EA0AD9260B1550A14CC58D2C39B03D
    SHA-1: 0xF0AEDF295071ED34AB8C6A7692223D22B6A19841
    Alias: (not available)

25  %System%\kbd101b.dll
    %Windir%\Temp\OLD12.tmp
    %Windir%\Temp\OLD29.tmp
    %Windir%\Temp\OLD3F.tmp
    %Windir%\Temp\OLD54.tmp
    %Windir%\Temp\OLD64.tmp
    Size: 6,144 bytes
    MD5: 0x15CC5E30A8CFFFAC6056EC7CF2070187
    SHA-1: 0x520BF2D27179B0FCC0CBD6C8A0070569AF8E84CF
    Alias: (not available)

26  %System%\kbd101c.dll
    %Windir%\Temp\OLD16.tmp
    %Windir%\Temp\OLD2C.tmp
    %Windir%\Temp\OLD42.tmp
    %Windir%\Temp\OLD57.tmp
    %Windir%\Temp\OLD6A.tmp
    Size: 6,144 bytes
    MD5: 0xE1CB8EE6C0DC70E0DBCFA8D32C849E91
    SHA-1: 0x85C76426A7D74B6D8216C9372355553AE0B3D41B
    Alias: (not available)

27  %System%\kbd103.dll
    %Windir%\Temp\OLD1A.tmp
    %Windir%\Temp\OLD2F.tmp
    %Windir%\Temp\OLD45.tmp
    %Windir%\Temp\OLD5A.tmp
    %Windir%\Temp\OLD6D.tmp
    Size: 5,632 bytes
    MD5: 0x1AB5B6C627EBC61883EA311367F51130
    SHA-1: 0x9C3B9EA1AA884B36EDDD588D7AE955F22709FB32
    Alias: (not available)

28  %System%\kbd106.dll
    %Windir%\Temp\OLD1E.tmp
    %Windir%\Temp\OLD32.tmp
    %Windir%\Temp\OLD48.tmp
    %Windir%\Temp\OLD5D.tmp
    %Windir%\Temp\OLD70.tmp
    Size: 6,144 bytes
    MD5: 0x5F5124D2FE8AE381E914C9147353D64C
    SHA-1: 0x5631295E512BDE2F18C8E0FD9DF9106F7B0C2E47
    Alias: (not available)

29  %System%\kbdjpn.dll
    %Windir%\Temp\OLD22.tmp
    %Windir%\Temp\OLD35.tmp
    %Windir%\Temp\OLD4B.tmp
    %Windir%\Temp\OLD60.tmp
    %Windir%\Temp\OLD73.tmp
    Size: 8,704 bytes
    MD5: 0x804B09FA1E3A86E729ABCCA7F30AE53C
    SHA-1: 0xFD7F04B8F2DDFF19C703FC852EF7701248C65159
    Alias: (not available)

30  %System%\kbdkor.dll
    %Windir%\Temp\OLD26.tmp
    %Windir%\Temp\OLD38.tmp
    %Windir%\Temp\OLD4E.tmp
    %Windir%\Temp\OLD63.tmp
    %Windir%\Temp\OLD76.tmp
    Size: 8,192 bytes
    MD5: 0x3244B59A0EB07E7B181F52D80D5E7385
    SHA-1: 0x0E4A9EF72972142FA6211242C35CAADD131AF120
    Alias: (not available)

Memory Modifications

Process Name | Process Filename | Main Module Size
[filename of the sample #1] | [file and pathname of the sample #1] | 221,184 bytes


Registry Modifications

Other details

China

Remote Host | Port Number
110.75.187.72 | 80
110.75.187.87 | 80
116.228.55.33 | 80
116.228.55.51 | 80
119.167.201.241 | 80
119.42.227.252 | 80
119.42.239.26 | 80
122.225.254.105 | 80
175.6.0.240 | 80
211.100.61.55 | 80
222.241.150.157 | 82

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2014 ThreatExpert. All rights reserved.