Submission Summary:

• Submission details:
• Submission received: 15 October 2011, 19:01:32
• Processing time: 7 min 53 sec
• Submitted sample:
• File MD5: 0xEE2DD66CEB1A74355290D5D539B6D199
• File SHA-1: 0x2BB092C712E6889C219D572CF322F7B7C06D7F1E
• Filesize: 1,417,069 bytes
• Alias:
• Trojan.Win32.Agent.hieq [Kaspersky Lab]
• Trojan.Win32.Agent [Ikarus]

• Summary of the findings:

What's been found	Severity Level
Contains characteristics of an identified security risk.

Technical Details:

• The new window was created, as shown below:

Possible Security Risk

• Attention! The following threat categories were identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A program that downloads files to the local computer that may represent security risk
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%DesktopDir%\��Ϸ��--qq������.lnk	567 bytes	MD5: 0xDFE0D0524F165F65173E7C718C122AEC SHA-1: 0x7FF0757F46F96C39A8CC19EDE3B26A8EC1DF2F93	(not available)
2	%Programs%\��Ϸ��--qq������\Uninstall.lnk	579 bytes	MD5: 0x872981A9BAD9948E8412FEE8288CE5B1 SHA-1: 0x212B0EACBA7A5A48A2364A150CD49B67EB6454B2	(not available)
3	%Programs%\��Ϸ��--qq������\website.lnk	786 bytes	MD5: 0xD37875EEFC9474D3536E68466AC48283 SHA-1: 0x94EBB0E5538F9D86C6D616A0A162EB80428A7A46	(not available)
4	%Programs%\��Ϸ��--qq������\��Ϸ��--qq������.lnk	579 bytes	MD5: 0x38182AB7C477E71612A828DEED7AA951 SHA-1: 0x36D473BE09FA9550DE820FD1E043B6F7DC4692C0	(not available)
5	%ProgramFiles%\��Ϸ��--QQ������\crazyddz.dll	28,672 bytes	MD5: 0x92AD69E108998533A5E382C8C0C1A051 SHA-1: 0x794960F30DDFA7476EC6C22E2213764DA68526B2	Trojan.Win32.Agent.fuee [Kaspersky Lab] Trojan.Win32.Agent [Ikarus]
6	%ProgramFiles%\��Ϸ��--QQ������\crazysk.dll	32,768 bytes	MD5: 0xF852113293A356ABE60D51402689B65C SHA-1: 0xC0B4A6C4CF9B83DD782B4BFC49ADFDDB2BD0BE77	(not available)
7	%ProgramFiles%\��Ϸ��--QQ������\gamehorse.swf	15,168 bytes	MD5: 0x24E288307431D477F6B93F5964A724D6 SHA-1: 0x5B73E42129FB42E3576DC87A66E194357456971F	packed with Swf2Swc [Kaspersky Lab]
8	%ProgramFiles%\��Ϸ��--QQ������\gamehorse.xml	1,810 bytes	MD5: 0x1B6D5E3D2D4A2D635C024E0408A4B02C SHA-1: 0x961C5FFBF61E7925D7D8E47FD77BD940DF1A517F	(not available)
9	%ProgramFiles%\��Ϸ��--QQ������\hlddz.dll	32,768 bytes	MD5: 0x0D98F8B6EB7A06F4A8919F934D176B21 SHA-1: 0xAF92D4C8C171CE1C0F2D376C21AA41A611F4FCCB	(not available)
10	%ProgramFiles%\��Ϸ��--QQ������\jpqxy.dat	64 bytes	MD5: 0x77A954CEB6672504BF8689D0A531E67F SHA-1: 0xEFA0B10D2C9AC6AF7E16C58748A8405CB64E9FF8	(not available)
11	%ProgramFiles%\��Ϸ��--QQ������\Main_dtdj.ini	72 bytes	MD5: 0xEE8D1989443FAB18C97C1B129BDB77B8 SHA-1: 0xE4DA524F0497B8B2AD24C05256C07D57AA9C8C99	(not available)
12	%ProgramFiles%\��Ϸ��--QQ������\qq510k.dll	90,112 bytes	MD5: 0x0C9CD55752A768A47680E88BC986A8BE SHA-1: 0x4347BE2F02CEB27FC11A9944A1BFE33C42D68020	(not available)
13	%ProgramFiles%\��Ϸ��--QQ������\qqbh.dll	32,768 bytes	MD5: 0x9296F9F95BFCBD5894FF161983DC9C9B SHA-1: 0xE1C1C0578510F52A1458F0F3EEA6D2D9E228226B	Trojan.Win32.Agent.hiem [Kaspersky Lab]
14	%ProgramFiles%\��Ϸ��--QQ������\qqcdd.dll	28,672 bytes	MD5: 0x8563C904D9B9B4218BE81ADA5A90B21E SHA-1: 0xD3330B114E3EA9CD284449350FF186DA55D0D0DB	Trojan.Win32.Agent.ndxz [Kaspersky Lab]
15	%ProgramFiles%\��Ϸ��--QQ������\qqddz.dll	32,768 bytes	MD5: 0x1CEECE33A982108132E61BE95C75A7C7 SHA-1: 0x6D98CD563F5B984037BCA263B3C84E3A77044357	(not available)
16	%ProgramFiles%\��Ϸ��--QQ������\qqddzrpg.dll	32,768 bytes	MD5: 0x36D2ABE5D88797DB9C1F500AEF88FCB4 SHA-1: 0xCB119FF5A0C2D7E0BE2F294C0B432A72ACCEAE59	(not available)
17	%ProgramFiles%\��Ϸ��--QQ������\qqgj.dll	94,208 bytes	MD5: 0x48EEF9CA0DE42C60DDF60F6F80718C52 SHA-1: 0x33059A64640DE63597E0A7354798E5DC3F092652	(not available)
18	%ProgramFiles%\��Ϸ��--QQ������\qqgzh.dll	98,304 bytes	MD5: 0xDF18CBB441E1A84C1395A174C8FAE132 SHA-1: 0x7F3D4760B1123691D6692980A440601237163021	(not available)
19	%ProgramFiles%\��Ϸ��--QQ������\qqHookSock.dll	32,768 bytes	MD5: 0xB44E08A9BBA2BE31AAC218BA4780B6B9 SHA-1: 0x94E58349085494A830F14ED2B0BAC9931C2D7D62	Trojan-Downloader.Win32.Agent.fpyi [Kaspersky Lab]
20	%ProgramFiles%\��Ϸ��--QQ������\qqhs.dll	32,768 bytes	MD5: 0x072FC27527A610DF3FEACE147DDEC6BD SHA-1: 0x7E1E2D0BC19C19499A2F345D8529B155A35D029B	(not available)
21	%ProgramFiles%\��Ϸ��--QQ������\qqhsy.dll	32,768 bytes	MD5: 0x3937AC4A9E35B946DF82D4621439B9F8 SHA-1: 0x5FC911A7BFF2EDCB95A7409D84017DB3F26AF327	Backdoor.Win32.Bredavi.egs [Kaspersky Lab]
22	%ProgramFiles%\��Ϸ��--QQ������\qqjpq.exe	1,740,800 bytes	MD5: 0xE6E6B3E6C11AEC3C325B4481AFB0D6A1 SHA-1: 0xCA0C3B45CC8BA352EEBFE5461B44E73A218C6A27	(not available)
23	%ProgramFiles%\��Ϸ��--QQ������\qqjpqa.exe	2,493,440 bytes	MD5: 0x2BD80789CA2225E9809C19A8B6EE2CE2 SHA-1: 0x84C3D5DEC00CF5C7288FFCE191A53074DC7FB91C	(not available)
24	%ProgramFiles%\��Ϸ��--QQ������\qqnewddz.dll	28,672 bytes	MD5: 0xF3E0081454AA61A811B0A23209AD923E SHA-1: 0x2738D11FE318B8C2D877333C5D85630EE7FB8B15	Trojan.Win32.Agent.higi [Kaspersky Lab] Trojan.Win32.Agent [Ikarus]
25	%ProgramFiles%\��Ϸ��--QQ������\qqnewsj.dll	32,768 bytes	MD5: 0x8CC83A2DC4CB306087A1D27A2C503891 SHA-1: 0x89BDFBCFF393CA8E0393CA709872AA9F45583CA6	Backdoor.Win32.Bredavi.egt [Kaspersky Lab]
26	%ProgramFiles%\��Ϸ��--QQ������\qqpdk.dll	32,768 bytes	MD5: 0xBEA8D41F64584CEE0AAF816B355C4617 SHA-1: 0x8F3AB0F41BF2A841A6EAF4E1D04F72DC6CCBED81	Trojan.Win32.Agent.hieq [Kaspersky Lab]
27	%ProgramFiles%\��Ϸ��--QQ������\qqsdy.dll	32,768 bytes	MD5: 0x4CA8360D12DBE933FFAA18703D5F895B SHA-1: 0xB9BEBF2E8B8C2A16DFC883E79D1CE93977411829	Trojan.Win32.Agent.hier [Kaspersky Lab]
28	%ProgramFiles%\��Ϸ��--QQ������\qqshk.dll	32,768 bytes	MD5: 0x0B31EF63E0E6DA28027DE023B2B04FC6 SHA-1: 0xC2437AA9205E33DCB37817E81409197BFA5EDEF5	Trojan.Win32.Agent.hsqi [Kaspersky Lab]
29	%ProgramFiles%\��Ϸ��--QQ������\qqsjrpq.dll	32,768 bytes	MD5: 0x68FD4A82F1292D0B68207A853E0ADEA7 SHA-1: 0x628C842C880AB77F86DF07EF3A2BAFB46FE6CA7B	(not available)
30	%ProgramFiles%\��Ϸ��--QQ������\qqspddz.dll	28,672 bytes	MD5: 0x8B6707EA008C76260B9AED65F363285E SHA-1: 0x66F68176815423B9A9DDD9B9E7952BC8B9EA2176	Trojan.Win32.Agent.ndxx [Kaspersky Lab]
31	%ProgramFiles%\��Ϸ��--QQ������\qqwk.dll	28,672 bytes	MD5: 0x8ED8B83E4CA5943B08416F69AC068A58 SHA-1: 0x4FB9E0CCA889881FDEE7CDCEC833A1E8BD9B7CB1	Trojan.Win32.Agent.hgbz [Kaspersky Lab]
32	%ProgramFiles%\��Ϸ��--QQ������\uninst.exe	78,214 bytes	MD5: 0xB8C0BE157A1933298A28C28A9719489D SHA-1: 0x3137EF5473E300173231F6F5BF17F905ADE3B312	(not available)
33	%ProgramFiles%\��Ϸ��--QQ������\��Ϸ��--QQ������.url	48 bytes	MD5: 0xC33DA3639D2DCFA19D44B35091BDA618 SHA-1: 0x707D9D1A48469A33BFAC80A1640E582CA486CD7C	(not available)
34	[file and pathname of the sample #1]	1,417,069 bytes	MD5: 0xEE2DD66CEB1A74355290D5D539B6D199 SHA-1: 0x2BB092C712E6889C219D572CF322F7B7C06D7F1E	Trojan-Downloader.Win32.Agent.fpyi, Trojan.Win32.Agent.haql, Trojan.Win32.Agent.haqm, Trojan.Win32.Agent.haqn, Trojan.Win32.Agent.haqo, Trojan.Win32.Agent.haqp, Backdoor.Win32.Bredavi.ebi, Trojan.Win32.Agent.fuee, Trojan.Win32.Agent.hiel, Trojan.Win32.Agent.hiet, Trojan.Win32.Agent.hieo, Trojan.Win32.Agent.hiem, Backdoor.Win32.Bredavi.egt, Trojan.Win32.Agent.hier, Trojan.Win32.Agent.ndxx, Trojan.Win32.Agent.ndxz, Backdoor.Win32.Bredavi.egs, Trojan.Win32.Agent.hieq [Kaspersky Lab] Trojan.Win32.Agent [Ikarus]

• Notes:
• %DesktopDir% is a variable that refers to the file system directory used to physically store file objects on the desktop. A typical path is C:\Documents and Settings\[UserName]\Desktop.
• %Programs% is a variable that refers to the file system directory that contains the user's program groups. A typical path is C:\Documents and Settings\[UserName]\Start Menu\Programs.
• %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

• The following directories were created:
• %Programs%\��Ϸ��--qq������
• %ProgramFiles%\��Ϸ��--QQ������

Memory Modifications

• There was a new process created in the system:

Registry Modifications

• The following Registry Keys were created:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\��Ϸ��--QQ������
• HKEY_CURRENT_USER\Software\Youxi

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\��Ϸ��--QQ������]
• DisplayName = "��Ϸ��--QQ������ V2.15"
• UninstallString = "%ProgramFiles%\��Ϸ��--QQ������\uninst.exe"
• DisplayIcon = "%ProgramFiles%\��Ϸ��--QQ������\qqjpq.exe"
• DisplayVersion = "V2.15"
• URLInfoAbout = "http://www.552200.com/"
• Publisher = "������Ϸ����"
• [HKEY_CURRENT_USER\Software\Youxi]
• count = 0x00000001

• The following Registry Values were modified:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
• Start Page =
• [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
• Start Page =

Other details

• Analysis of the file resources indicate the following possible country of origin:

	China