Download Link: hxxp://218.75.91.254/kooloon/shenji.exe
File Name: shenji.exe

VirusTotal Result: 22/32 (68.75%)
AntiVir 7.6.0.85 2008.04.14 TR/Dldr.Delphi.Gen
Authentium 4.93.8 2008.04.13 Possibly a new variant of W32/PWStealer1!Generic
CAT-QuickHeal 9.50 2008.04.14 TrojanPSW.OnLineGames.aafs
DrWeb 4.44.0.09170 2008.04.14 BACKDOOR.Trojan
eSafe 7.0.15.0 2008.04.09 suspicious Trojan/Worm
F-Prot 4.4.2.54 2008.04.14 W32/Injector.A.gen!Eldorado
F-Secure 6.70.13260.0 2008.04.14 W32/Hupigon.gen67
Fortinet 3.14.0.0 2008.04.14 W32/DelpDldr.AAFS!tr.pws
Ikarus T3.1.1.26.0 2008.04.14 Backdoor.Win32.Agent.ahj
Kaspersky 7.0.0.125 2008.04.14 Trojan-PSW.Win32.OnLineGames.aafs
McAfee 5272 2008.04.11 New Malware.u
NOD32v2 3025 2008.04.14 a variant of Win32/TrojanDropper.Agent.NIY
Norman 5.80.02 2008.04.14 W32/Hupigon.gen67
Panda 9.0.0.4 2008.04.14 Suspicious file
Prevx1 V2 2008.04.14 BACKDOOR.PIGEON.KG
Rising 20.40.02.00 2008.04.14 Trojan.Win32.Undef.ezj
Sophos 4.28.0 2008.04.14 Mal/DelpDldr-F
Sunbelt 3.0.1041.0 2008.04.12 VIPRE.Suspicious
TheHacker 6.2.92.277 2008.04.14 Trojan/PSW.OnLineGames.aafs
VBA32 3.12.6.4 2008.04.14 suspected of Win32.Trojan.Downloader
VirusBuster 4.3.26:9 2008.04.14 Packed/NSPack
Webwasher-Gateway 6.6.2 2008.04.14 Trojan.Dldr.Delphi.Gen

File Info:
File size: 24064 bytes
MD5: 8fb916f6ade611ed9ea6f3b5cae8d7f7
SHA1: 57ed347f62faecdc239a0c8df8277cf1d6a9b28e
SHA256: 926d17a4e46ca63e3c150543cb150db68c38b6aa682537b40a2da374100794c0
SHA512: 808a44068ba775134ec4f4ee845ef3b42258f42fddb3a82aa57dfdd80bcc0982c9bc2c8643ed4f40f18713dc89f1b7be780e9eaf8fa92265bf5d032cfd45c386

PE Structure:
Entry Point Address: 0x40f245
Time Date Stamp: 0x47ff204c (Fri Apr 11 08:24:44 2008)
Machine Type: 0x14c (I386)
PE Header Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0003
Time/Date stamp: 47FF204C
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 010F
Magic: 010B
Linker version (major): 06
Linker version (minor): 00
Size of code: 00000000
Size of initialized data: 00006000
Size of uninitialized data: 0000E000
Address of entry point: 0000F245
Base of code: 00001000
Base of data: 0000F000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00016000
Size of headers: 00000400
Checksum: 00006E52
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Sections:
Section  VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
,Uf0     0000E000  00001000  00000000  00000400  E0000060
,Uf1     00006000  0000F000  00005A00  00000400  E0000060
,Uf2     00000CB8  00015000  00000000  00000400  E0000060

Import table (libraries: 5):
KERNEL32.DLL (imports: 6): LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
MFC42.DLL (imports: 1): #823
MSVCRT.DLL (imports: 1): _controlfp
ADVAPI32.DLL (imports: 1): RegisterServiceCtrlHandlerA
SHELL32.DLL (imports: 1): ShellExecuteA

Process Details:
Process ID: 1668
Filename: C:\shenji.exe
Filesize: 24064 bytes
MD5: 8fb916f6ade611ed9ea6f3b5cae8d7f7
Start Reason: AnalysisTarget

New Files Created:
C:\WINDOWS\system32\tcpip.exe

Opened Files:
\\.\PIPE\lsarpc
\SystemRoot\AppPatch\sysmain.sdb
\SystemRoot\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\system32\khvfr.bat

Deleted Files:
C:\tcpip.l

Chronological order:
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Delete File: C:\tcpip.l
Copy File: C:\shenji.exe to C:\WINDOWS\system32\tcpip.exe
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\khvfr.bat ()
Find File: khvfr.bat

Registry Changes:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\portablemsi "Description" = portablemsi

Registry Reads:
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"

Process Management:
Creates Process - Filename () CommandLine: (C:\WINDOWS\system32\khvfr.bat) As User: () Creation Flags: ()
Kill Process - Filename () CommandLine: () Target PID: (1668) As User: () Creation Flags: ()

Service Management:
Open Service Manager - Name: "SCM"
Open Service - Name: "wscsvc"
Create Service - Name: (portablemsi) Display Name: (portablemsi) File Name: (C:\WINDOWS\system32\tcpip.exe) Control: () Start Type: (SERVICE_AUTO_START)
Start Service - Name: (portablemsi) Display Name: () File Name: () Control: () Start Type: ()
Control Service - Name: (wscsvc) Display Name: () File Name: () Control: (SERVICE_CONTROL_STOP) Start Type: ()

Process Started:
Process ID: 1880
Filename: C:\WINDOWS\system32\tcpip.exe
Filesize: 24064 bytes
MD5: 8fb916f6ade611ed9ea6f3b5cae8d7f7
Start Reason: CreateProcess

New Files Created:
C:\WINDOWS\system32\portablemsi.dll

Opened Files:
\\.\PIPE\lsarpc

Chronological order:
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Create File: C:\WINDOWS\system32\portablemsi.dll

Service Management:
Open Service Manager - Name: "SCM"
Open Service - Name: "wscsvc"
Control Service - Name: (wscsvc) Display Name: () File Name: () Control: (SERVICE_CONTROL_STOP) Start Type: ()

Process Started:
Process ID: 1916
Filename: C:\WINDOWS\system32\khvfr.bat
Filesize: 388608 bytes
MD5: eeb024f2c81f0d55936fb825d21a91d6
Start Reason: CreateProcess

Opened Files:
C:\WINDOWS\system32\khvfr.bat

Deleted Files:
C:\shenji.exe
C:\WINDOWS\system32\khvfr.bat

Chronological order:
Get File Attributes: C:\ Flags: (SECURITY_ANONYMOUS)
Find File: C:\
Find File: C:\WINDOWS\system32\khvfr.bat
Open File: C:\WINDOWS\system32\khvfr.bat (OPEN_EXISTING)
Get File Attributes: C:\shenji.exe Flags: (SECURITY_ANONYMOUS)
Find File: C:\shenji.exe
Delete File: C:\shenji.exe
Get File Attributes: C:\WINDOWS\system32\khvfr.bat Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\system32 Flags: (SECURITY_ANONYMOUS)
Delete File: C:\WINDOWS\system32\khvfr.bat

Registry Reads:
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DisableUNCCheck"
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "EnableExtensions"
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DelayedExpansion"
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DefaultColor"
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "CompletionChar"
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "PathCompletionChar"
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "AutoRun"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DisableUNCCheck"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "EnableExtensions"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DelayedExpansion"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DefaultColor"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "CompletionChar"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "PathCompletionChar"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "AutoRun"

Process Started:
Process ID: 1520
Filename: C:\WINDOWS\Explorer.exe
Filesize: 1032192 bytes
MD5: a0732187050030ae399b241436565e64
Start Reason: InjectedCode

New Files Created:
C:\WINDOWS\system32\drqigfrf.dll
C:\WINDOWS\system32\sadrcx.dll
C:\WINDOWS\system32\drqigfrf.exe
\Device\RasAcd
C:\WINDOWS\system32\Aduio.sys
C:\WINDOWS\system32\tcpip.sys
C:\WINDOWS\system32\Etcpip.sys
C:\WINDOWS\system32\EAduio.sys
C:\WINDOWS\system32\?m?k\_CHAR(0x18)_

Opened Files:
\\.\PIPE\lsarpc
c:\autoexec.bat
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\EFTU3R5N\shenji[1].txt
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\7NGRQFU4\update[1].txt
C:\WINDOWS\system32\Aduio.sys
C:\WINDOWS\system32\tcpip.sys
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\ZNJP2UP0\dodolook591[1].exe
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\I7WPK1KH\yeSetup[1].exe
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\7NGRQFU4\admin6_ver0111[1].exe

Deleted Files:
C:\WINDOWS\system32\EAduio.sys

Chronological order:
Copy File: C:\WINDOWS\system32\urlmon.dll to C:\WINDOWS\system32\drqigfrf.dll
Copy File: C:\WINDOWS\system32\wininet.dll to C:\WINDOWS\system32\sadrcx.dll
Copy File: C:\WINDOWS\system32\calc.exe to C:\WINDOWS\system32\drqigfrf.exe
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Find File: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\WINDOWS\system32\Ras\*.pbk
Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING)
Find File: C:\Documents and Settings\Sandbox\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Open File: C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\EFTU3R5N\shenji[1].txt (OPEN_EXISTING)
Create File: C:\WINDOWS\system32\Aduio.sys
Open File: C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\7NGRQFU4\update[1].txt (OPEN_EXISTING)
Create File: C:\WINDOWS\system32\tcpip.sys
Find File: C:\WINDOWS\system32\tcpip.sys
Create File: C:\WINDOWS\system32\Etcpip.sys
Find File: C:\WINDOWS\system32\Aduio.sys
Create File: C:\WINDOWS\system32\EAduio.sys
Open File: C:\WINDOWS\system32\Aduio.sys (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\tcpip.sys (OPEN_EXISTING)
Open File: C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\ZNJP2UP0\dodolook591[1].exe (OPEN_EXISTING)
Create File: C:\WINDOWS\system32\?m?k\_CHAR(0x18)_
Get File Attributes: C:\Documents and Settings\Sandbox Flags: (SECURITY_ANONYMOUS)
Find File: C:\WINDOWS\system32\?m?k\_CHAR(0x18)_.*
Get File Attributes: C:\WINDOWS\system32\?m?k\_CHAR(0x18)_ Flags: (SECURITY_ANONYMOUS)
Open File: C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\I7WPK1KH\yeSetup[1].exe (OPEN_EXISTING)
Open File: C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\7NGRQFU4\admin6_ver0111[1].exe (OPEN_EXISTING)
Delete File: C:\WINDOWS\system32\EAduio.sys

Read INI File:
C:\WINDOWS\system32\Etcpip.sys [update] ver =
C:\WINDOWS\system32\EAduio.sys [file] count =
C:\WINDOWS\system32\EAduio.sys [file] file1 =
C:\WINDOWS\system32\Etcpip.sys [popwin] count =
C:\WINDOWS\system32\Etcpip.sys [count] url =
C:\WINDOWS\system32\EAduio.sys [file] file2 =
C:\WINDOWS\system32\EAduio.sys [file] file3 =
C:\WINDOWS\system32\Etcpip.sys [popwin] url1 =
C:\WINDOWS\system32\Etcpip.sys [popwin] sleeptime1 =
C:\WINDOWS\system32\Etcpip.sys [popwin] cishu1 =
C:\WINDOWS\system32\Etcpip.sys [popwin] nohide1 =

Mutexes:
Creates Mutex: ZonesCounterMutex
Creates Mutex: ZonesCacheCounterMutex
Creates Mutex: ZonesLockedCacheCounterMutex
Creates Mutex: RasPbFile

Registry Reads:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings "DisableImprovedZoneCheck"
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
HKEY_LOCAL_MACHINE\Software\Microsoft\DownloadManager "CacheOk"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings "User Agent"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "IsTextPlainHonored"
HKEY_CLASSES_ROOT\.txt "Content Type"
HKEY_CLASSES_ROOT\.exe "Content Type"

Enums:
HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\

Process Management:
Creates Process - C:\WINDOWS\system32\?m?k\_CHAR(0x18)

Service Management:
Open Service Manager - Name: "SCM"
Open Service - Name: "RASMAN"

Network Activity:
Outgoing connection to remote server: 202.108.9.31 port 80
Outgoing connection to remote server: 202.108.9.31 port 80