ThreatExpert Report: HTML.Psyme.Gen, VBS/Psyme

Submission Summary:

Submission details:

Submission received: 7 January 2010, 10:14:56
Processing time: 9 min 20 sec
Submitted sample:

File MD5: 0xDE1ADB1DF396863E7E3967271E7DB734
File SHA-1: 0x1C77D74B0634DB7B205ABF3EF4487E20D3611781
Filesize: 196,096 bytes

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	%Temp%\ads3.exe %Temp%\FunshionInstall_C43423.exe %Temp%\ie.vbs %Temp%\kaixin.exe %Temp%\[filename of the sample #1]	125 bytes	MD5: 0x7C5F5A68051F6B0C0E9A2AD33C40D415 SHA-1: 0x120865765927A61AF83F02B83DC297EEDE61EC41
2	[file and pathname of the sample #1]	196,096 bytes	MD5: 0xDE1ADB1DF396863E7E3967271E7DB734 SHA-1: 0x1C77D74B0634DB7B205ABF3EF4487E20D3611781
3	%Windir%\Temp\scsA.tmp	2,686 bytes	MD5: 0x4A587187D760161311010B03417B3C3F SHA-1: 0x863BBF5F7F4114A1307C6BAD5DD89224D511FED5
4	%Windir%\Temp\scsB.tmp	1,670 bytes	MD5: 0x71F4B39C5EB73DF738AD3E0DACD89057 SHA-1: 0x8565ED558AD273232104E0B10CD87CFF723A1ECA

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	233,472 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_CURRENT_USER\Software\Microsoft\Windows Script
HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings

The newly created Registry Value is:

[HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings]

JITDebug = 0x00000000

Other details

The following Internet Connections were established:

Server Name	Server Port	Connect as User	Connection Password
www.100ip.info	80	(null)	(null)
neirong.funshion.com	80	(null)	(null)

The following GET requests were made:

down/game.exe
down/ie.vbs
down/ads.exe
software/download.php?id=43423
down/kaixin.exe

The following HTTP URLs were started reading:

http://www.77pic.com/?ie"&Chr(13)&Chr(10)
http://www.700yy.com/?ie"&Chr(13)&Chr(10)
http://pindao.huoban.taobao.com/channel/channelCode.htm?pid=mm_10037779_0_0"&Chr(13)&Chr(10)

Downloaded File Summary:

Download details:

Download retrieved: 7 January 2010 10:24:17
Processing time: 11 min 37 sec
Downloaded sample #1:

File MD5: 0xA8EB826C45842707FD9230E2B809186A
File SHA-1: 0x68104237C3B49514AA8D2BC7CB47A8A5EF062797
Filesize: 195,584 bytes

Downloaded sample #2:

File MD5: 0x78D38DC89F6E9D85D291B033580BF2BB
File SHA-1: 0xCB58CAB6EB1983A1604DDE275C1FE557A6311E89
Filesize: 245,056 bytes

Downloaded sample #3:

File MD5: 0x41BF5D6816D6B401196DF101D5BA1725
File SHA-1: 0x804ABAA60FF11A6BEB7158BD1C45C1634481A851
Filesize: 2,160,851 bytes

Downloaded sample #4:

File MD5: 0x79F5F9C323F46473D88F27976634C70A
File SHA-1: 0x8953E24AD5AA1EE4EA7427C436248C49C64B3A29
Filesize: 4,430,616 bytes

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Modifies some system settings that may have negative impact on overall system security state.
Creates a startup registry entry.

Technical Details:

The new window was created, as shown below:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%CommonDesktopDir%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½.lnk	626 bytes	MD5: 0x4C48D625D300289324E6A2087CC27569 SHA-1: 0x5D41F0A393BAD01A6723D8A39F1C180A9C0D9644	(not available)
2	%CommonPrograms%\Startup\qq.vbs	672 bytes	MD5: 0x53E00D1F075C56F01D5120A0AF86A0F3 SHA-1: 0x10056177161F3B0C7D859AE1B227FB03D8F5961F	HTML.Psyme.Gen [PCTools] VBS/Psyme [McAfee]
3	%CommonPrograms%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½.lnk	638 bytes	MD5: 0x53CDA88A7CA72B9F00DDDEFBE82F777D SHA-1: 0xEE8A4FBAD9B3C1E1C90DE10C8A6F4DA036116B1F	(not available)
4	%AppData%\%ComputerName%.exe [file and pathname of the sample #1]	195,584 bytes	MD5: 0xA8EB826C45842707FD9230E2B809186A SHA-1: 0x68104237C3B49514AA8D2BC7CB47A8A5EF062797	(not available)
5	%Temp%\729397.vbs	1,548 bytes	MD5: 0x6C08233024A586D4647AE243779F4C72 SHA-1: 0xD081278B4BD3155EB6CDEBFA2C87D841790BEBA2	(not available)
6	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\bin\CameraDll.dll	265,728 bytes	MD5: 0xF6164E18BE446ED9DBDDCEF2776923C8 SHA-1: 0x0DE1A8AF9848C8796FA09AE4E9488524800D2B3F	(not available)
7	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\bin\lame_enc.dll	157,184 bytes	MD5: 0x6B49F28705B79E315D90EEB3B4313CE9 SHA-1: 0x46FD5D529A05A88227AC44378AC72FF5A6C40147	(not available)
8	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\bin\shdoclc.dll	498,176 bytes	MD5: 0x8AACF2DAB353F88F56A17E5E471D5BA1 SHA-1: 0xF76C54C38F56213DFA8CB4FDE157B9464C6A20BD	(not available)
9	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\bin\SnapShot.exe	36,352 bytes	MD5: 0xEDFA47918570B66FBFF66890A146898B SHA-1: 0xFD93666EC0DCBDF3E163071156888C3DB7D39F4D	(not available)
10	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\bin\TangoWeb.exe	557,056 bytes	MD5: 0xABA05FD78FB7AED8043B0C4BF30D7D63 SHA-1: 0xCAAC459FA36CEBAE791430258A31D7BFA95C46A9	(not available)
11	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\bin\TGGDI2.dll	212,992 bytes	MD5: 0x31B369E116CBAE100DE1BAB0B41DA577 SHA-1: 0x5BDB37DA72671B75C9815E3F105FD7D1E048E111	(not available)
12	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\bin\TGHistory.dll	368,640 bytes	MD5: 0x1B97A7755FC521A24126E5B362BF7BF5 SHA-1: 0xC5698D12A57B5B0991E7AB99577A4E4123FA7736	(not available)
13	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\bin\wmdll3.dll	90,112 bytes	MD5: 0x18BD752B5F99C9DF38A5898378D5F43E SHA-1: 0xB24B4EE8C539BC826E13D57BD008A72D83019C81	(not available)
14	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\custom.ini	660 bytes	MD5: 0x3ADE181E42013FCC7FFA4B36661C0644 SHA-1: 0x9BC7D04E50892B09A6567D981E24C3D611C30460	(not available)
15	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\404top.htm	658 bytes	MD5: 0x56C930E1EC7D12B7582C101A1EDA894C SHA-1: 0xF6534874478271AF4FCB1ACEDC8ADE802D64EEE8	(not available)
16	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\all.htm	15,392 bytes	MD5: 0xD80D72C7AA269EF6227D96F96C865586 SHA-1: 0x55326291A8FD1ABFEFFCCD7D09E3AECD4DE81B19	(not available)
17	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\help_1.htm	9,239 bytes	MD5: 0x3324656F3D27B095D592C2A18212FC08 SHA-1: 0x7010AFB1F8E60C8767E1B33F18EDCAD5CF451D31	(not available)
18	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\help_10.htm	6,369 bytes	MD5: 0xEDAA8D73DC11A3D7797C873609A09E4F SHA-1: 0x9D443D09301F2FEFC9AEB93D4B7ABBCB4BD064CA	(not available)
19	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\help_11.htm	6,367 bytes	MD5: 0xC3B6C9765AB738880690FBCFD7C6E89B SHA-1: 0xB3C6EBFDF77722B1E2B70C88AF9A8E88B12940EB	(not available)
20	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\help_12.htm	6,267 bytes	MD5: 0xE0135C42B972FED4E6C6528C37B09CF8 SHA-1: 0x1AFA0E9C178C1179F8CEDA477BD6528F2F6CFF79	(not available)
21	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\help_13.htm	6,273 bytes	MD5: 0x9BAED87D904A29D879065E37B10B2BCA SHA-1: 0x2A52ED41ABF14C132F365652344812CF039154F5	(not available)
22	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\help_2.htm	6,390 bytes	MD5: 0x432BE084CC2672F4AF395947693506B2 SHA-1: 0x4F8BAAE0E3668A492AFF195B9EF2872EC36A22E3	(not available)
23	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\help_3.htm	8,250 bytes	MD5: 0xFA7CF95558B3F612BCEE4501F2A7EE37 SHA-1: 0xA403F0F49C3C11958F654B592C48CDD7844B13C8	(not available)
24	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\help_5.htm	6,640 bytes	MD5: 0xCD79C0A36E729EB31ACEC4B0579FD4E7 SHA-1: 0xE50892F12C5D7BEAA7C2EE816B4139AB407564BE	(not available)
25	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\help_7.htm	6,693 bytes	MD5: 0xE31F31BBBC054C8D25049B83DC2C1ACE SHA-1: 0x94E38C601226ADFD5FAFAC1D14540296CF8BDACB	(not available)
26	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\help_9.htm	6,536 bytes	MD5: 0x6F44CEF956AF92BE74C730F4EAADA2EA SHA-1: 0x8209CC633C9511ED8D788F999F6CB567336065AA	(not available)
27	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\help_faq.htm	9,033 bytes	MD5: 0x05AF9605B6B7325CDBEE691082FA6B98 SHA-1: 0xF8BD989165B66A388347E6EC310DF8A98BA7F5E5	(not available)
28	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\jiqiao.htm	8,329 bytes	MD5: 0x04E5F3F5F93201705124C69AA5DC6080 SHA-1: 0x75BB5BEFA91D30B9C2876D979577CB4759379DBC	(not available)
29	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\jiqiao_10.htm	8,207 bytes	MD5: 0x341D09387D3AC08BF721F71A81B24A97 SHA-1: 0xABDB6D2DFA983D456C9A35BE740A7B08D030FB31	(not available)
30	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\jiqiao_11.htm	8,216 bytes	MD5: 0x644FED51A79FDCF931BCF00AD7431538 SHA-1: 0xC87AC9BA0EEC190F24E1E81349AAADE4AA19F0DD	(not available)
31	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\jiqiao_12.htm	8,414 bytes	MD5: 0x1AD5FF67A5E98C06EB246571ED4AE160 SHA-1: 0x69EF20BFBE49061D22F365703324AF2D83E8FF40	(not available)
32	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\jiqiao_13.htm	8,195 bytes	MD5: 0x8198EDF7882297037A13279EEFE4EDC2 SHA-1: 0xC7BFD5BB9F0B877F819632881F5CA71B57865D53	(not available)
33	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\jiqiao_14.htm	8,207 bytes	MD5: 0x1414D7F4620282B4FE86F7318FAF1E91 SHA-1: 0x562600B8AA731E87C7C66EC9735F3F715FB3A4F1	(not available)
34	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\jiqiao_15.htm	8,202 bytes	MD5: 0x2EDB3D70640F71C31655630B3D134BA0 SHA-1: 0x91C15FAE7B97BDF94B0C54B30A1CE74026D3744C	(not available)
35	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\jiqiao_16.htm	8,220 bytes	MD5: 0x87D4D4CB277DE258A5E44693BA4B853D SHA-1: 0x663DDEDEF43B180E70BD3EAA82BD6639F1EF5E27	(not available)
36	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\jiqiao_17.htm	8,190 bytes	MD5: 0xF9A556075034BE1D5DC73F7B7BC0DE15 SHA-1: 0x43B2FEB33A9E9377EE39AF7750B78A66574CC53E	(not available)
37	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\jiqiao_18.htm	8,205 bytes	MD5: 0x43509D67D306C805CECDB9DCD3152F2F SHA-1: 0x4CAA5BE1064EAA8F318DE5382F6749A8D5D2CE62	(not available)
38	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\jiqiao_19.htm	8,203 bytes	MD5: 0xEA8FEFE2B0F5493F21A1EC06C5AF8845 SHA-1: 0xD08620705F181CBD101AE0F6286F987E744355C2	(not available)
39	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\jiqiao_2.htm	8,764 bytes	MD5: 0x53C34EC602EFF251C43CAD3F6C164160 SHA-1: 0xA52B67932AB3A443F891FF31749B44BF71DF49C4	(not available)
40	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\jiqiao_20.htm	8,200 bytes	MD5: 0x6E01156816B636186ADA31AE969BC578 SHA-1: 0x992113B9F81CA48E7CE7FCB6CF67D89C7DD4C2CE	(not available)
41	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\jiqiao_3.htm	9,212 bytes	MD5: 0x57E213360A237373D1225289B9C01E98 SHA-1: 0x7ADF5606DF7B6F5372F43C181125E06BD0ADC2E2	(not available)
42	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\jiqiao_4.htm	10,982 bytes	MD5: 0x3490DF7629DB87D87A18693569B803D3 SHA-1: 0x695610DDDDBD7A481865ADBFD901DB05B7D02983	(not available)
43	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\jiqiao_5.htm	9,173 bytes	MD5: 0x9A09DFB3673FA7091DCF8D09126C05D1 SHA-1: 0xBAE8ADFC7C22C34AC9B494DF31CA8C230F14EEC5	(not available)
44	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\jiqiao_6.htm	8,196 bytes	MD5: 0x02C5A2A472C1EDBAB24C0CFA2FB4BD4C SHA-1: 0x76667D8CB756E6A7DA664762DB30F537629DFD96	(not available)
45	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\jiqiao_7.htm	8,186 bytes	MD5: 0x8BFD3357F2E010556947B8A82F161626 SHA-1: 0x9F2F963EBCAB992FE829DDAECBFA82B4D3F4EB97	(not available)
46	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\jiqiao_8.htm	8,214 bytes	MD5: 0xAE49F501B11E9AE83EF033AF396A55E3 SHA-1: 0x8AB04CE640D3BB073D94197747A1B95D0F0FB3E1	(not available)
47	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\jiqiao_9.htm	8,207 bytes	MD5: 0xBC16F9AC34862443D136911A4FABD11F SHA-1: 0x10B2F91585AB9B15284F02563504439AA9E1585D	(not available)
48	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\quick.htm	5,139 bytes	MD5: 0x1AB880684E7FCE66A8E220CF468F521C SHA-1: 0x1ECFFEDBB9C513BB702CF2ED6DDD98BBE19602C0	(not available)
49	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\quick_2.htm	5,123 bytes	MD5: 0xC73623656FF31BBA6B45C528C4544DC5 SHA-1: 0x00163B2E9B3FF7BDBB25A67197C020D735B83662	(not available)
50	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\quick_3.htm	4,993 bytes	MD5: 0x208A60DDA7DAC873DE64ADE3FBE9B690 SHA-1: 0x33E2D8B4DC6FCE0B349AC3DD5EB33CC7E1081832	(not available)
51	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\quick_4.htm	5,122 bytes	MD5: 0xDFD2BC39133D6DB26EF98DC4FD8B00E2 SHA-1: 0xB8920FCEA81D23E8F57D9BF96643DD4661650FD0	(not available)
52	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\quick_5.htm	5,312 bytes	MD5: 0x499870DAB2F537ED70D6487DFF195692 SHA-1: 0x2A90AB73A67348BC13DEC6BE543EF706C8AE62BD	(not available)
53	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\quick_6.htm	4,947 bytes	MD5: 0x555DD5F5AA317D038594785090DFCDB7 SHA-1: 0x3A1F7395F7B70EB99BEFAD38CE9BBDE7A70C8CE5	(not available)
54	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\quick_7.htm	4,942 bytes	MD5: 0x327874EBAA517B3C4EE25F51B9DAEFC6 SHA-1: 0xA6DBA92C83E068508C21E04A67EC1D06A43EE36C	(not available)
55	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\tango.css	986 bytes	MD5: 0x24EB9BD9216A893D33AF674968C08997 SHA-1: 0xDBF55BC68CDD10A08D2445D6129417F6B2F44CB6	(not available)
56	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\tango2.css	1,819 bytes	MD5: 0x502C68A4310B152524C5BCDFEB451B85 SHA-1: 0xA1D6A73B4B6505C549DECD6C038251BCBAD1A5F1	(not available)
57	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\view.htm	5,884 bytes	MD5: 0xB8EA4080E7C03E939F421C988EB563F1 SHA-1: 0x72F3C9CF90163A73DC727DE95034DB0CEE5AB389	(not available)
58	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\view_10.htm	6,075 bytes	MD5: 0x4B95FB8E40CFD856180ABCF576138A0E SHA-1: 0xD6464E0959EC8A75920E5FE0B0B03F53275C3D80	(not available)
59	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\view_11.htm	6,067 bytes	MD5: 0x4574B0E6D786B4CFCD29F2187EB92658 SHA-1: 0xBE228366F4130C9768817E23FB0A327D5F11EACE	(not available)
60	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\view_12.htm	6,073 bytes	MD5: 0x0FDAF78C723731FDDA9C752FDAAC8800 SHA-1: 0x1CDCF270EFA0BF3DD41307C5B4F0FE12D4EE9FBF	(not available)
61	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\view_2.htm	6,051 bytes	MD5: 0xAC091BFE6138B9208F866CE750B420B5 SHA-1: 0x06C64669D02A483F699D79343E6A51E27E1E9495	(not available)
62	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\view_3.htm	6,061 bytes	MD5: 0x1CA463C8E487BBC8070A83C41E3891C9 SHA-1: 0x9856A525CDB7FF686A04DDB494B7AB9E6C267C50	(not available)
63	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\view_4.htm	6,063 bytes	MD5: 0x9935BD96E6750DBE633623012692E4F3 SHA-1: 0x4D09A4FFC582EFD2387A39EE595FC6112728D2AD	(not available)
64	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\view_5.htm	6,066 bytes	MD5: 0x4049E79B63D2F9E19669656C8F6CA9B9 SHA-1: 0x7038B8CCBA328DBD7FB157B93E323C5BC4CDD2A7	(not available)
65	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\view_6.htm	6,074 bytes	MD5: 0xBC0883EE9A660F62D6783401EAE364FB SHA-1: 0xCFA4056C5D722500F82DBE4814D433F12AA899DD	(not available)
66	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\view_7.htm	6,060 bytes	MD5: 0x56049E7578F1A5955A0174B7734857B2 SHA-1: 0xDBB935E50AC402B3BE2A37C8D7DC46A977D949F7	(not available)
67	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\view_8.htm	6,074 bytes	MD5: 0xE93CADD14DBFB5DF4352C267F1646BBF SHA-1: 0xAD4F1DD01E2A8EA52E62976A18A2BB30C2857D4B	(not available)
68	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc\view_9.htm	6,057 bytes	MD5: 0xE1C48827CB98921B4E44C63BEF3A5101 SHA-1: 0xD1A316651BA3A432DAA20B34CF344D21596104DB	(not available)
69	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\favorites3.txt	1,860 bytes	MD5: 0xF587BFC87C52AF4DFCD63767BFFF58DA SHA-1: 0x9267C2900499DDF4515C5FE349E7554AC3E9CA7F	(not available)
70	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\image\ad_hunter.ico %ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\image\nopop2.ico	1,150 bytes	MD5: 0xC13EC93B33CAE820AB094A1321B916E1 SHA-1: 0xBAA841FC0CF478DB826B5C66631A8503940160BF	(not available)
71	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\image\alexa.ico	2,550 bytes	MD5: 0xC343B3F1D39DCEAB0252D53685CE2C62 SHA-1: 0xB67BEC4EBA17D4AE0BF86A7C2CAFC78566229DC5	(not available)
72	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\image\book.ico	1,150 bytes	MD5: 0x46105EF93A72D46C48E9416A2EA9C285 SHA-1: 0x7ADBBE47C6080FBE9FC7D511D54CF30954934D6C	(not available)
73	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\image\booko.ico	1,150 bytes	MD5: 0xF9661C0CBB7A11D3CD09CAD035B91F0B SHA-1: 0x05C899DAAAC44FF4747F92F1B67C12EF89771D3B	(not available)
74	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\image\catchhtml.ico	2,550 bytes	MD5: 0x89E3DC4065A011AC3F8391A8E7296FFC SHA-1: 0x63703107D58730FE285BE5ABBAF570631DC4B028	(not available)
75	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\image\clean.ico %ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\plugin\ï¿½ï¿½ï¿½ï¿½ï¿½Â¼\tgplug.ico	1,150 bytes	MD5: 0x4B56E65583465F215456F9BED2D193FD SHA-1: 0xBF8990D283B891AE8E656E309E7249D1577958AE	(not available)
76	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\image\close.ico	1,150 bytes	MD5: 0xB63735FE2793818A4C36362BEA5B5970 SHA-1: 0x4D839159F495083C2D42CC305E12F3E3E828D238	(not available)
77	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\image\closed.ico	2,550 bytes	MD5: 0x2D8808F655E4DC887F9694FDE16749A6 SHA-1: 0x23E49CE9C04680F3EAED7DAB2581E816A7B2819E	(not available)
78	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\image\copy.ico	1,150 bytes	MD5: 0xECBA48B2002D5A1B67BFB0514DB854D9 SHA-1: 0x680873ED5FE695DED9802016D5946563E8EE2A5B	(not available)
79	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\image\cut.ico	1,150 bytes	MD5: 0xAC890BCE0863956AE67044037AB55803 SHA-1: 0x0C1BF9873EEDFCBB612F9CDE1110930E87800E16	(not available)
80	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\image\danger.ico	1,150 bytes	MD5: 0x438B5450D47ACEFB9A62AC7DA68CB195 SHA-1: 0x0CF9C3FD4BF0CA5D2498B985CA583BAD11C161BF	(not available)
81	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\image\date.ico	1,406 bytes	MD5: 0xDDD10DABDEC16FE46E32021D390A4CEE SHA-1: 0x02F6FD1E8918CD2145793620F9F19662E6149368	(not available)
82	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\image\default.ico	1,150 bytes	MD5: 0x004A902D74C3E8FEB9A96DA4C9AA1580 SHA-1: 0x0746656CC73B34022E6883A69BAFB9CF1B4C59A7	(not available)
83	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\image\dsearch.ico	2,862 bytes	MD5: 0x4E2BBD947048D7C4C9E6DC622A674EBC SHA-1: 0xFE26D6E4956150ED97BCF36C30E4AB29A818FB17	(not available)
84	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\image\encoding.ico	1,150 bytes	MD5: 0x8751892C7FF01559D04594C5951B6F94 SHA-1: 0xA03EF31C9824DE0E08D4196732381EF1BDB895A8	(not available)
85	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\image\engset.ico	1,150 bytes	MD5: 0x41DF4323CD307844A31D596287CAEA41 SHA-1: 0xB2593B5D7F1FF22FABDBC1E9CA659FD876EB0604	(not available)
86	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\image\exsearch.ico	2,862 bytes	MD5: 0x0AEC1D39D91732CA40141E2441775622 SHA-1: 0xEFC61A5645D3F5CE4FA56BE991BD036CE1AF72DF	(not available)
87	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\image\extendtool.ico	2,550 bytes	MD5: 0x548964573119A0D3EF0928DF5D39E09A SHA-1: 0x9BFD4242FED82C5A5641FB8DEC349E3D20167117	(not available)
88	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\image\favorites.ico	1,150 bytes	MD5: 0x43727596C93CC83ED86B9694DD9A58F8 SHA-1: 0x87C1801F3503B0EE03728A25C459955D6504924D	(not available)
89	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\image\fillform.ico %ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\plugin\ï¿½Ô¶ï¿½ï¿½ï¿½ï¿½\tgplug.ico	1,150 bytes	MD5: 0x593EF44CB4D6CB1A21D18D41699A7786 SHA-1: 0xB704E37E97E316A59C7C23832F7A4FBAD40F807A	(not available)
90	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\image\filter.ico	1,150 bytes	MD5: 0x1F510754298E69DA3B99E4AB644336F3 SHA-1: 0x35869B4F53F674AA63B55D702F00A7BF32A67056	(not available)
91	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\image\filterad.ico	2,550 bytes	MD5: 0x3D623A0C9B49BEB0ADF3577DC82CD4D0 SHA-1: 0x8C47B6893324949D7258F545558067BD2CFE7DAE	(not available)
92	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\image\filterad2.ico	2,550 bytes	MD5: 0xBCFCC9CE9407E6DA97708D24A4C44A5A SHA-1: 0x4FA9DFCB1E1FF79857C21DAAD47DF85C09DE5852	(not available)
93	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\image\find.ico	1,150 bytes	MD5: 0x46C31AD3A6AAEE1B5AF32C3947A93087 SHA-1: 0x7ADFBAA5A3B6FE4959175D54E145B17F083E4A66	(not available)
94	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\image\find_next.ico	2,550 bytes	MD5: 0xA3D5E54F16348873B5F22CAD9938E9E2 SHA-1: 0xA5209321559CAE57F44413A2BF2A059E63E6968E	(not available)
95	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\image\find_prior.ico	2,550 bytes	MD5: 0xDB2CFF1E191FF5C04C888C8A362B53B8 SHA-1: 0x58AB5B3752CC000FFDEDBBB3C2E7C2270CBE036C	(not available)
96	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\image\folder.ico	2,550 bytes	MD5: 0xFFAFA5A72FBACC997429CAF7B81897CF SHA-1: 0x321FD116D6D74F5777995C7BCB37151A27DE60E6	(not available)
97	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\image\font_size.ico	1,150 bytes	MD5: 0x8C35C3007670290784D2672DB098A9AD SHA-1: 0x38DF84FAF00DE103BD9B491396124CD72A29BF8A	(not available)
98	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\image\highlight.ico	2,550 bytes	MD5: 0x79141B9D266D6F3224BCF5C0030A504E SHA-1: 0x86A79E0AC884CC43E9C348848B1B7B1BF987704D	(not available)
99	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\image\history.ico	1,150 bytes	MD5: 0xCAF6774CBB188B9E63A6EAE8EEA03A56 SHA-1: 0xC2BAAB7EE9708E2C56D601612AB225DB38156CD7	(not available)
100	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\image\home.ico	1,150 bytes	MD5: 0x62F325C65A8A9E00DDC17F5E0D367C3F SHA-1: 0x958E42B660EE0FB489CC6C55B66CCA40A2DA0926	(not available)

Notes:

%CommonDesktopDir% is a variable that refers to the file system directory that contains files and folders that appear on the desktop for all users. A typical path is C:\Documents and Settings\All Users\Desktop (Windows NT/2000/XP).
%CommonPrograms% is a variable that refers to the file system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\Documents and Settings\All Users\Start Menu\Programs (Windows NT/2000/XP).
%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directories were created:

%CommonPrograms%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½
%Temp%\EbkReader
%Temp%\EbkReader\{43742D8B-53E1-4037-9B3C-CA9F419F1826}
%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½
%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\bin
%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\data
%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\doc
%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\image
%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\plugin
%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\plugin\ï¿½ï¿½ï¿½ï¿½ï¿½Â¼
%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\plugin\ï¿½â²¿ï¿½ï¿½ï¿½ï¿½
%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\plugin\ï¿½Ô¶ï¿½ï¿½ï¿½ï¿½
%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\skin
%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\tgmusic
%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\tgmusic\lrcs
%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\tgmusic\playlist
%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\tgmusic\tglib
%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\webicon

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	233,472 bytes
[filename of the sample #2]	[file and pathname of the sample #2]	667,648 bytes
%ComputerName%.exe	%AppData%\%ComputerName%.exe	233,472 bytes
snapshot.exe	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\bin\snapshot.exe	86,016 bytes
tangoweb.exe	%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\bin\tangoweb.exe	573,440 bytes
[filename of the sample #3]	[file and pathname of the sample #3]	90,112 bytes
[filename of the sample #4]	[file and pathname of the sample #4]	1,298,432 bytes
[filename of the sample #3 without extension].tmp	%Temp%\is-0RPMH.tmp\[filename of the sample #3 without extension].tmp	749,568 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87682234-6735-6735-6735-293844586610}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87682234-6735-6735-6735-293844586610}\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87682234-6735-6735-6735-293844586610}\Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87682234-6735-6735-6735-293844586610}\Shell\D
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87682234-6735-6735-6735-293844586610}\Shell\D\Command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87682234-6735-6735-6735-293844586610}\Shell\ï¿½ï¿½ï¿½ï¿½(&H)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87682234-6735-6735-6735-293844586610}\Shell\ï¿½ï¿½ï¿½ï¿½(&H)\Command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87682234-6735-6735-6735-293844586610}\Shell\ï¿½ï¿½ï¿½ï¿½(&R)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87682234-6735-6735-6735-293844586610}\Shell\ï¿½ï¿½ï¿½ï¿½(&R)\Command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87682234-6735-6735-6735-293844586610}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\file\shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\file\shell\open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\file\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\TangoBrowser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\TangoBrowser\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HTTP\shell\TangoBrowser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HTTP\shell\TangoBrowser\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https\shell\TangoBrowser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https\shell\TangoBrowser\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1F013122-EA3D-414F-B58F-5A31A64EA5D5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1F013122-EA3D-414F-B58F-5A31A64EA5D5}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1F013122-EA3D-414F-B58F-5A31A64EA5D5}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1F013122-EA3D-414F-B58F-5A31A64EA5D5}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\shell\TangoBrowser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\shell\TangoBrowser\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\shell\TangoBrowser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\shell\TangoBrowser\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{60BCA7D2-14D1-4832-A278-50670CD9975E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{60BCA7D2-14D1-4832-A278-50670CD9975E}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{60BCA7D2-14D1-4832-A278-50670CD9975E}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{60BCA7D2-14D1-4832-A278-50670CD9975E}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{60BCA7D2-14D1-4832-A278-50670CD9975E}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{60BCA7D2-14D1-4832-A278-50670CD9975E}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\kaixin.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\kaixin.exe\shell
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\kaixin.exe\shell\open
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\kaixin.exe\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{87682234-6735-6735-6735-293844586610}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9E0C3CE3-DD6D-448B-8BD8-692FE88A1397}_is1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_CURRENT_USER\Software\Microsoft\Windows Script
HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel
HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC
HKEY_CURRENT_USER\Software\Caislabs Software
HKEY_CURRENT_USER\Software\Caislabs Software\E-Book Reader
HKEY_CURRENT_USER\.htm
HKEY_CURRENT_USER\.html
HKEY_CURRENT_USER\.mht
HKEY_CURRENT_USER\.mhtml
HKEY_CURRENT_USER\.shtm
HKEY_CURRENT_USER\.shtml
HKEY_CURRENT_USER\.url
HKEY_CURRENT_USER\CLSID
HKEY_CURRENT_USER\CLSID\{0002DF01-0000-0000-C000-000000000046}
HKEY_CURRENT_USER\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32
HKEY_CURRENT_USER\file
HKEY_CURRENT_USER\file\shell
HKEY_CURRENT_USER\file\shell\open
HKEY_CURRENT_USER\file\shell\open\command
HKEY_CURRENT_USER\htmlfile
HKEY_CURRENT_USER\htmlfile\shell
HKEY_CURRENT_USER\htmlfile\shell\open
HKEY_CURRENT_USER\htmlfile\shell\open\command
HKEY_CURRENT_USER\http
HKEY_CURRENT_USER\http\shell
HKEY_CURRENT_USER\http\shell\open
HKEY_CURRENT_USER\http\shell\open\command
HKEY_CURRENT_USER\https
HKEY_CURRENT_USER\https\shell
HKEY_CURRENT_USER\https\shell\open
HKEY_CURRENT_USER\https\shell\open\command
HKEY_CURRENT_USER\InternetShortcut
HKEY_CURRENT_USER\InternetShortcut\shell
HKEY_CURRENT_USER\InternetShortcut\shell\open
HKEY_CURRENT_USER\InternetShortcut\shell\open\command
HKEY_CURRENT_USER\mhtmlfile
HKEY_CURRENT_USER\mhtmlfile\shell
HKEY_CURRENT_USER\mhtmlfile\shell\open
HKEY_CURRENT_USER\mhtmlfile\shell\open\command

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.shtml]

(Default) = "htmlfile"
Content Type = "text/html"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32]

(Default) = "ole32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87682234-6735-6735-6735-293844586610}\Shell\D\Command]

(Default) = "Rundll32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87682234-6735-6735-6735-293844586610}\Shell\ï¿½ï¿½ï¿½ï¿½(&H)\Command]

(Default) = "%ProgramFiles%\Internet Explorer\iexplore.exe %1 http://www.%39%39%33%34.cn"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87682234-6735-6735-6735-293844586610}\Shell\ï¿½ï¿½ï¿½ï¿½(&R)\Command]

(Default) = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87682234-6735-6735-6735-293844586610}\Shell\ï¿½ï¿½ï¿½ï¿½(&R)]

(Default) = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87682234-6735-6735-6735-293844586610}\Shell\ï¿½ï¿½ï¿½ï¿½(&H)]

(Default) = "ï¿½ï¿½ï¿½ï¿½Ò³(&H)"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87682234-6735-6735-6735-293844586610}\Shell\D]

(Default) = "É¾ï¿½ï¿½(&D)"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87682234-6735-6735-6735-293844586610}\ShellFolder]

Attributes = 0x00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87682234-6735-6735-6735-293844586610}\Shell]

(Default) = "ï¿½ï¿½ï¿½ï¿½(&H)"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87682234-6735-6735-6735-293844586610}\DefaultIcon]

(Default) = "%ProgramFiles%\Internet Explorer\iexplore.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87682234-6735-6735-6735-293844586610}]

(Default) = "Internet Explorer"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\DefaultIcon]

(Default) = "%SystemRoot%\\system32\\SHELL32.dll,3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\file\shell\open\command]

(Default) = ""%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\kaixin.exe" "%1""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\file\shell]

(Default) = "TangoBrowser"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\TangoBrowser\command]

(Default) = ""%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\kaixin.exe" "%1""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HTTP\shell]

(Default) = "TangoBrowser"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HTTP\shell\TangoBrowser\command]

(Default) = ""%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\kaixin.exe" "%1""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https\shell]

(Default) = "TangoBrowser"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https\shell\TangoBrowser\command]

(Default) = ""%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\kaixin.exe" "%1""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1F013122-EA3D-414F-B58F-5A31A64EA5D5}\TypeLib]

(Default) = "{60BCA7D2-14D1-4832-A278-50670CD9975E}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1F013122-EA3D-414F-B58F-5A31A64EA5D5}\ProxyStubClsid32]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1F013122-EA3D-414F-B58F-5A31A64EA5D5}\ProxyStubClsid]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1F013122-EA3D-414F-B58F-5A31A64EA5D5}]

(Default) = "ITGPlayer"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\shell]

(Default) = "TangoBrowser"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\shell\TangoBrowser\command]

(Default) = ""%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\kaixin.exe" "%1""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\shell\TangoBrowser\command]

(Default) = ""%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\kaixin.exe" "%1""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{60BCA7D2-14D1-4832-A278-50670CD9975E}\1.0\0\win32]

(Default) = "%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\kaixin.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{60BCA7D2-14D1-4832-A278-50670CD9975E}\1.0\HELPDIR]

(Default) = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{60BCA7D2-14D1-4832-A278-50670CD9975E}\1.0\FLAGS]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{60BCA7D2-14D1-4832-A278-50670CD9975E}\1.0]

(Default) = "TGPlayer"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\kaixin.exe\shell\open\command]

(Default) = "%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\kaixin.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\kaixin.exe]

LocalizedString = "?????"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]

Check_Associations = "no"
ShowedCheckBrowser = "yes"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{87682234-6735-6735-6735-293844586610}]

(Default) = "Internet Explorer"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

ÏµÍ³ï¿½ï¿½Â¼ï¿½ï¿½ï¿½ï¿½ï¿½Ä¼ï¿½ = "%AppData%\%ComputerName%.exe"

so that %ComputerName%.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9E0C3CE3-DD6D-448B-8BD8-692FE88A1397}_is1]

Inno Setup: Setup Version = "5.2.3"
Inno Setup: App Path = "%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½"
InstallLocation = "%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\"
Inno Setup: Icon Group = "ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½"
Inno Setup: User = "%UserName%"
Inno Setup: Selected Tasks = "desktopicon,quicklaunchicon"
Inno Setup: Deselected Tasks = ""
DisplayName = "ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½"
UninstallString = ""%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\unins000.exe""
QuietUninstallString = ""%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\unins000.exe" /SILENT"
NoModify = 0x00000001
NoRepair = 0x00000001
InstallDate = "20100107"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

Check_Associations = "no"
ShowedCheckBrowser = "yes"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

NoInternetIcon = 0x00000001
NoDesktopCleanupWizard = 0x00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

DisableRegistryTools = 0x00000001

to disable the Windows registry editors (Regedt32.exe and Regedit.exe)

[HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings]

JITDebug = 0x00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]

Homepage = "1"

[HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC]

RestrictToPermittedSnapins = 0x00000001

[HKEY_CURRENT_USER\.htm]

(Default) = "htmlfile"

[HKEY_CURRENT_USER\.html]

(Default) = "htmlfile"

[HKEY_CURRENT_USER\.mht]

(Default) = "mhtmlfile"

[HKEY_CURRENT_USER\.mhtml]

(Default) = "mhtmlfile"

[HKEY_CURRENT_USER\.shtm]

(Default) = "htmlfile"
Content Type = "text/html"

[HKEY_CURRENT_USER\.shtml]

(Default) = "htmlfile"
Content Type = "text/html"

[HKEY_CURRENT_USER\.url]

(Default) = "InternetShortcut"

[HKEY_CURRENT_USER\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32]

(Default) = "%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\kaixin.exe"

[HKEY_CURRENT_USER\file\shell\open\command]

(Default) = ""%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\kaixin.exe" "%1""

[HKEY_CURRENT_USER\file\shell]

(Default) = "TangoBrowser"

[HKEY_CURRENT_USER\htmlfile\shell\open\command]

(Default) = ""%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\kaixin.exe" "%1""

[HKEY_CURRENT_USER\htmlfile\shell]

(Default) = "TangoBrowser"

[HKEY_CURRENT_USER\http\shell\open\command]

(Default) = ""%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\kaixin.exe" "%1""

[HKEY_CURRENT_USER\http\shell]

(Default) = "TangoBrowser"

[HKEY_CURRENT_USER\https\shell\open\command]

(Default) = ""%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\kaixin.exe" "%1""

[HKEY_CURRENT_USER\https\shell]

(Default) = "TangoBrowser"

[HKEY_CURRENT_USER\InternetShortcut\shell\open\command]

(Default) = ""%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\kaixin.exe" "%1""

[HKEY_CURRENT_USER\InternetShortcut\shell]

(Default) = "TangoBrowser"

[HKEY_CURRENT_USER\mhtmlfile\shell\open\command]

(Default) = ""%ProgramFiles%\ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½\kaixin.exe" "%1""

[HKEY_CURRENT_USER\mhtmlfile\shell]

(Default) = "TangoBrowser"

The following Registry Value was deleted:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\DefaultIcon]

(Default) = "%System%\shell32.dll,2"

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\ProgID]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HTTP\shell\open\command]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https\shell\open\command]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\shell\open\command]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\shell]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\shell\open\command]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet]

(Default) =

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

Start Page =

Other details

Analysis of the file resources indicate the following possible country of origin:

China

To mark the presence in the system, the following Mutex objects were created:

CAPTURING
_!SHMSFTHISTORY!_
1009
AMResourceMutex2
VideoRenderer

The following port was open in the system:

Port	Protocol	Process
1037	UDP	[file and pathname of the sample #2]

The following Host Names were requested from a host database:

data.alexa.com
www.google.com
www.languangav.com
www.tgsoso.com
www.9934.cn
img.tongji.linezing.com

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
img.tongji.linezing.com	1038

The following Internet Connections were established:

Server Name	Server Port	Connect as User	Connection Password
www.9934.cn	80	(null)	(null)
se.34414.com	80	(null)	(null)

The following GET requests were made:

play.html
index.jpg
index.html
?kx

The following HTTP URLs were started reading:

http://www.languangav.com/tango/templ300.zip
http://www.google.com/search?client=navclient-auto&ch=76276110449&features=Rank&q=info:www.9934.cn
http://data.alexa.com/data?cli=10&dat=snba&url=www.9934.cn
http://www.tgsoso.com/ad300.txt
http://www.languangav.com/tango/tangover3.txt
http://www.9934.cn/favicon.ico
http://img.tongji.linezing.com/1189076/tongji.gif
http://www.25994.com/play/?url="+window.location.href;

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.