Technical Information
(Sandbox behaviour listing, in this order: autorun registry values, launched command lines, files created, file renames ("from … to …"), network connections, HTTP requests, DNS queries, and window classes/titles observed. The non-ASCII names in paths and shortcut titles are GBK (Simplified Chinese) bytes that the report rendered as CP1251 Cyrillic; the decoded readings are given inline where they could be recovered. '????' marks characters the report could not render at all, so those names are not recoverable from this page.)
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '????' = '%PROGRAM_FILES%\·й»ркужµ\feihuo movie.exe' — value name not rendered; the lowercase path appears to be the same GBK folder name as the next entry, case-folded by the report (confirm against the raw registry dump).
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '·Й»рКУЖµ' = '%PROGRAM_FILES%\·Й»рКУЖµ\Feihuo Movie.exe' — value name and folder are the GBK bytes for 飞火视频 ("Feihuo Video") shown as CP1251; this machine-wide Run value starts Feihuo Movie.exe at every logon (persistence).
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'PaopaoWeather' = '%PROGRAM_FILES%\PaopaoWeather\PaopaoWeather.exe' — second machine-wide Run value; together these three entries are the persistence indicators to check for and remove.
- '%TEMP%\is-Q83DI.tmp\TV_48_13203_.tmp' /SL5="$101D2,460308,72192,%PROGRAM_FILES%\TV_48_13203_.exe" — the %TEMP%\is-XXXXX.tmp directory, the /SL5= switch and the _isetup\ helpers seen below are Inno Setup installer artifacts: the .exe in %PROGRAM_FILES% unpacks a second-stage setup.tmp and re-launches it (same pattern for TV_25_13203_ further down).
- '%PROGRAM_FILES%\PaopaoWeather\PaopaoWeather.exe'
- '%PROGRAM_FILES%\·Й»рКУЖµ\Feihuo Movie.exe'
- '%PROGRAM_FILES%\TV_48_13203_.exe'
- '%PROGRAM_FILES%\taskslm.exe' — launched directly from the %PROGRAM_FILES% root, not from an installer folder; this listing shows no Run value or installer log for it, so its origin and purpose should be confirmed from the full sample analysis.
- '%PROGRAM_FILES%\TV_25_13203_.exe'
- '%TEMP%\is-4DBFN.tmp\TV_25_13203_.tmp' /SL5="$20132,418284,64512,%PROGRAM_FILES%\TV_25_13203_.exe"
- '<SYSTEM32>\regsvr32.exe' /s "%TEMP%\is-43IOC.tmp\AppCore.dll" — silent (/s) COM registration of a DLL unpacked into %TEMP% by one of the installers; the DLL is listed among the created files below, but the page does not show what it registers.
- '<SYSTEM32>\regsvr32.exe' /s "%TEMP%\is-GO6J4.tmp\AppCore.dll" — same DLL registered again from the second installer's %TEMP% directory.
- '%WINDIR%\explorer.exe'
- %PROGRAM_FILES%\·Й»рКУЖµ\is-T29S1.tmp
- %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\is-AIIOS.tmp
- %PROGRAM_FILES%\·Й»рКУЖµ\is-1VAD4.tmp
- %PROGRAM_FILES%\PaopaoWeather\unins000.dat
- %PROGRAM_FILES%\PaopaoWeather\config.ini
- %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\is-E5149.tmp
- %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\large\is-4GG7R.tmp
- %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\large\is-OQAQC.tmp
- %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\large\is-5IUHP.tmp
- %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\is-H9Q5I.tmp
- %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\large\is-KSLL7.tmp
- %PROGRAM_FILES%\PaopaoWeather\unins000.msg
- %PROGRAM_FILES%\PaopaoWeather\skins\Д¬ИП\is-DNNMO.tmp — "Д¬ИП" is GBK 默认 ("default"), i.e. the default skin folder; the same mis-rendering applies to every skins\Д¬ИП path below.
- %ALLUSERSPROFILE%\Start Menu\Programs\PaopaoWeather\PaopaoWeather.lnk
- %PROGRAM_FILES%\PaopaoWeather\skins\Д¬ИП\is-6Q0QN.tmp
- %PROGRAM_FILES%\PaopaoWeather\skins\Д¬ИП\is-J1R10.tmp
- %PROGRAM_FILES%\PaopaoWeather\skins\Д¬ИП\is-290QO.tmp
- %TEMP%\is-43IOC.tmp\Uninstall.ico
- %TEMP%\is-Q83DI.tmp\RCX2.tmp
- %ALLUSERSPROFILE%\Start Menu\Programs\PaopaoWeather\ЕдЦГ\Р¶ФШ PaopaoWeather.lnk — "ЕдЦГ" is GBK 配置 ("configuration") and "Р¶ФШ" is 卸载 ("uninstall"): an Uninstall PaopaoWeather shortcut.
- %ALLUSERSPROFILE%\Start Menu\Programs\PaopaoWeather\PaopaoWeather НшХѕ.url — "НшХѕ" is GBK 网站 ("website"): an internet shortcut to the vendor site (target URL not shown on this page).
- %ALLUSERSPROFILE%\Start Menu\Programs\PaopaoWeather\4472ѕшЙ«µзУ°Нш.url — "ѕшЙ«µзУ°Нш" is GBK 绝色电影网 (a movie site name): a promotional internet shortcut unrelated to the weather application, placed in its Start Menu folder (also dropped under the 飞火视频 folder below).
- %ALLUSERSPROFILE%\Desktop\PaopaoWeather.lnk
- %ALLUSERSPROFILE%\Start Menu\Programs\·Й»рКУЖµ\·Й»рКУЖµ НшХѕ.url
- %ALLUSERSPROFILE%\Start Menu\Programs\·Й»рКУЖµ\ЕдЦГ\Р¶ФШ ·Й»рКУЖµ.lnk
- %ALLUSERSPROFILE%\Start Menu\Programs\·Й»рКУЖµ\4472ѕшЙ«µзУ°Нш.url
- %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\small\is-GSL4V.tmp
- %ALLUSERSPROFILE%\Start Menu\Programs\·Й»рКУЖµ\·Й»рКУЖµ.lnk
- %PROGRAM_FILES%\·Й»рКУЖµ\unins000.msg
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\update[1].9876825 — IE cache file; appears to be the stored response to the pp#.#3994.com/update/?r= request listed below (verify from captured traffic).
- %TEMP%\is-GO6J4.tmp\sogou.ico
- %PROGRAM_FILES%\·Й»рКУЖµ\unins000.dat
- %PROGRAM_FILES%\·Й»рКУЖµ\config.ini
- %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\small\is-O7PSN.tmp
- %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\large\is-4VFVB.tmp
- %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\large\is-RJA46.tmp
- %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\large\is-EG7O7.tmp
- %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\large\is-962CB.tmp
- %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\large\is-D2TGF.tmp
- %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\large\is-I5A2L.tmp
- %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\small\is-6RAQ4.tmp
- %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\small\is-ONT6G.tmp
- %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\small\is-5KSJG.tmp
- %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\small\is-5O3Q7.tmp
- %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\small\is-2PEC7.tmp
- %TEMP%\is-43IOC.tmp\UpdateIcon.dll
- %TEMP%\is-43IOC.tmp\license.txt
- %WINDIR%\4472.ico
- %TEMP%\is-43IOC.tmp\psvince.dll
- %TEMP%\is-GO6J4.tmp\4472.ico
- %TEMP%\is-43IOC.tmp\sogou.ico
- %WINDIR%\tupian.ico
- %ALLUSERSPROFILE%\Desktop\ГАЕ®КУЖµ.lnk — "ГАЕ®КУЖµ" is GBK 美女视频 ("beauty videos"): a shortcut dropped on the all-users desktop; the .lnk targets are not listed here, but the matching icons (4472.ico, tupian.ico, sogou.ico, game.ico, taobao.ico) are written to %WINDIR%.
- %TEMP%\is-GO6J4.tmp\tupian.ico
- %WINDIR%\sogou.ico
- %ALLUSERSPROFILE%\Desktop\ѕшЙ«µзУ°.lnk — "ѕшЙ«µзУ°" is GBK 绝色电影 (movie site name): all-users desktop shortcut.
- %TEMP%\is-43IOC.tmp\_isetup\_shfoldr.dll
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\ttx123[1] — IE cache file; its name suggests it is the stored response to the www.tt##23.cn/?u= request listed below (verify from captured traffic).
- %TEMP%\is-4DBFN.tmp\TV_25_13203_.tmp
- %PROGRAM_FILES%\TV_25_13203_.exe
- %PROGRAM_FILES%\taskslm.exe
- %PROGRAM_FILES%\TV_48_13203_.exe
- %TEMP%\is-GO6J4.tmp\_isetup\_RegDLL.tmp
- %TEMP%\is-GO6J4.tmp\UpdateIcon.dll
- %TEMP%\is-43IOC.tmp\_isetup\_RegDLL.tmp
- %TEMP%\is-Q83DI.tmp\TV_48_13203_.tmp
- %TEMP%\is-GO6J4.tmp\_isetup\_shfoldr.dll
- %TEMP%\is-GO6J4.tmp\psvince.dll
- %PROGRAM_FILES%\PaopaoWeather\is-TK589.tmp
- %PROGRAM_FILES%\PaopaoWeather\is-51MP4.tmp
- %TEMP%\is-4DBFN.tmp\RCX1.tmp
- %TEMP%\is-43IOC.tmp\AppCore.dll
- %TEMP%\is-GO6J4.tmp\Uninstall.ico
- %PROGRAM_FILES%\PaopaoWeather\png\future\is-N0SKJ.tmp
- %PROGRAM_FILES%\PaopaoWeather\skins\Д¬ИП\is-6Q9TS.tmp
- %PROGRAM_FILES%\PaopaoWeather\skins\Д¬ИП\is-0FN3G.tmp
- %PROGRAM_FILES%\PaopaoWeather\skins\Д¬ИП\is-UUU36.tmp
- %PROGRAM_FILES%\PaopaoWeather\png\large\is-QL926.tmp
- %PROGRAM_FILES%\PaopaoWeather\skins\Д¬ИП\is-L1QRA.tmp
- %TEMP%\is-43IOC.tmp\game.ico
- %TEMP%\is-GO6J4.tmp\game.ico
- %WINDIR%\game.ico
- %ALLUSERSPROFILE%\Desktop\МФ±¦МШВф.lnk — "МФ±¦МШВф" is GBK 淘宝特卖 ("Taobao special sale"): all-users desktop shortcut (matches taobao.ico dropped in %WINDIR%).
- %TEMP%\is-GO6J4.tmp\taobao.ico
- %WINDIR%\taobao.ico
- %ALLUSERSPROFILE%\Desktop\єГНжµДУОП·.lnk — "єГНжµДУОП·" is GBK 好玩的游戏 ("fun games"): all-users desktop shortcut (matches game.ico dropped in %WINDIR%).
- %TEMP%\is-43IOC.tmp\tupian.ico
- %TEMP%\is-43IOC.tmp\taobao.ico
- %TEMP%\is-43IOC.tmp\4472.ico
- %TEMP%\is-GO6J4.tmp\AppCore.dll
- %ALLUSERSPROFILE%\Desktop\Internet Sogou.lnk
- %TEMP%\is-Q83DI.tmp\TV_48_13203_.tmp
- %TEMP%\is-4DBFN.tmp\TV_25_13203_.tmp
- from %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\large\is-962CB.tmp to %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\large\btn_goforward.png
- from %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\large\is-OQAQC.tmp to %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\large\btn_download.png
- from %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\large\is-EG7O7.tmp to %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\large\btn_pause.png
- from %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\large\is-D2TGF.tmp to %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\large\btn_min.png
- from %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\large\is-4GG7R.tmp to %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\large\btn_del.png
- from %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\is-H9Q5I.tmp to %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\skin.xml
- from %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\is-E5149.tmp to %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\btn_volume.png
- from %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\large\is-5IUHP.tmp to %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\large\btn_close.png
- from %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\large\is-KSLL7.tmp to %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\large\bg_large.png
- from %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\large\is-4VFVB.tmp to %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\large\btn_play.png
- from %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\small\is-ONT6G.tmp to %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\small\btn_large.png
- from %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\small\is-6RAQ4.tmp to %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\small\btn_goforward.png
- from %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\small\is-GSL4V.tmp to %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\small\btn_play.png
- from %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\small\is-O7PSN.tmp to %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\small\btn_pause.png
- from %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\small\is-5KSJG.tmp to %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\small\btn_goback.png
- from %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\large\is-I5A2L.tmp to %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\large\img_music.png
- from %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\large\is-RJA46.tmp to %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\large\btn_small.png
- from %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\small\is-2PEC7.tmp to %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\small\btn_close.png
- from %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\small\is-5O3Q7.tmp to %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\small\bg_small.png
- from %PROGRAM_FILES%\PaopaoWeather\skins\Д¬ИП\is-L1QRA.tmp to %PROGRAM_FILES%\PaopaoWeather\skins\Д¬ИП\bg_large.png
- from %PROGRAM_FILES%\PaopaoWeather\png\large\is-QL926.tmp to %PROGRAM_FILES%\PaopaoWeather\png\large\n99.png
- from %PROGRAM_FILES%\PaopaoWeather\skins\Д¬ИП\is-6Q9TS.tmp to %PROGRAM_FILES%\PaopaoWeather\skins\Д¬ИП\btn_close.jpg
- from %PROGRAM_FILES%\PaopaoWeather\skins\Д¬ИП\is-UUU36.tmp to %PROGRAM_FILES%\PaopaoWeather\skins\Д¬ИП\bg_small.png
- from %PROGRAM_FILES%\PaopaoWeather\png\future\is-N0SKJ.tmp to %PROGRAM_FILES%\PaopaoWeather\png\future\n99.png
- from %TEMP%\is-4DBFN.tmp\RCX1.tmp to %TEMP%\is-4DBFN.tmp\TV_25_13203_.tmp
- from %TEMP%\is-4DBFN.tmp\TV_25_13203_.tmp to %TEMP%\is-4DBFN.tmp\TV_25_13203_.tmp.tmp
- from %PROGRAM_FILES%\PaopaoWeather\is-51MP4.tmp to %PROGRAM_FILES%\PaopaoWeather\PaopaoWeather.exe
- from %PROGRAM_FILES%\PaopaoWeather\is-TK589.tmp to %PROGRAM_FILES%\PaopaoWeather\unins000.exe
- from %PROGRAM_FILES%\PaopaoWeather\skins\Д¬ИП\is-0FN3G.tmp to %PROGRAM_FILES%\PaopaoWeather\skins\Д¬ИП\btn_max.jpg
- from %PROGRAM_FILES%\·Й»рКУЖµ\is-1VAD4.tmp to %PROGRAM_FILES%\·Й»рКУЖµ\unins000.exe
- from %TEMP%\is-Q83DI.tmp\RCX2.tmp to %TEMP%\is-Q83DI.tmp\TV_48_13203_.tmp
- from %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\is-AIIOS.tmp to %PROGRAM_FILES%\·Й»рКУЖµ\skins\default\bg_logo.png
- from %PROGRAM_FILES%\·Й»рКУЖµ\is-T29S1.tmp to %PROGRAM_FILES%\·Й»рКУЖµ\Feihuo Movie.exe
- from %TEMP%\is-Q83DI.tmp\TV_48_13203_.tmp to %TEMP%\is-Q83DI.tmp\TV_48_13203_.tmp.tmp
- from %PROGRAM_FILES%\PaopaoWeather\skins\Д¬ИП\is-290QO.tmp to %PROGRAM_FILES%\PaopaoWeather\skins\Д¬ИП\btn_move.jpg
- from %PROGRAM_FILES%\PaopaoWeather\skins\Д¬ИП\is-J1R10.tmp to %PROGRAM_FILES%\PaopaoWeather\skins\Д¬ИП\btn_min.jpg
- from %PROGRAM_FILES%\PaopaoWeather\skins\Д¬ИП\is-DNNMO.tmp to %PROGRAM_FILES%\PaopaoWeather\skins\Д¬ИП\skin.xml
- from %PROGRAM_FILES%\PaopaoWeather\skins\Д¬ИП\is-6Q0QN.tmp to %PROGRAM_FILES%\PaopaoWeather\skins\Д¬ИП\btn_setting.jpg
- 'localhost':1045
- 'localhost':1044
- 'pp####nt.5411.com':80
- 'be#####unt.43994.com':80
- 'localhost':1047
- 'pp#.#3994.com':80
- 'www.tt##23.cn':80
- 'localhost':1036
- 'localhost':1039
- 'pp#.#411.com':80
- 'localhost':1040
- pp#.#3994.com/applist/index112.php — an "applist" endpoint on one of the two contacted vendor domains; together with the several bundled installers seen above this looks like the installer fetching a list of additional applications to deploy, but the response content is not shown here.
- pp#.#3994.com/update/?r=######### — update check with a masked parameter.
- www.tt##23.cn/?u=######## — request to a third domain with a masked parameter (likely a tracking/affiliate identifier; unconfirmed).
- pp#.#411.com/applist/index144.php — same "applist" endpoint pattern on the second vendor domain.
- DNS ASK be#####unt.43994.com
- DNS ASK pp####nt2.5411.com
- DNS ASK be######ntback.43994.com
- DNS ASK pp####nt.5411.com
- DNS ASK www.tt##23.cn
- DNS ASK pp#.#411.com
- DNS ASK pp#.#3994.com
- ClassName: 'CSCHiddenWindow' WindowName: '(null)'
- ClassName: 'SystemTray_Main' WindowName: '(null)'
- ClassName: 'MS_WebcheckMonitor' WindowName: '(null)'
- ClassName: 'TWizardForm' WindowName: '????????' — TWizardForm is the Inno Setup installer wizard window; the title characters were not rendered by the report.
- ClassName: '(null)' WindowName: 'feihuomovie_form_hook'
- ClassName: '(null)' WindowName: 'paopaoweather_form_hook'
- ClassName: 'TWizardForm' WindowName: '???? - PaopaoWeather' — second Inno Setup wizard window, for the PaopaoWeather installer; the leading title characters were not rendered by the report.
- ClassName: 'MS_AutodialMonitor' WindowName: '(null)'
- ClassName: 'BaseBar' WindowName: 'ChanApp'
- ClassName: 'Proxy Desktop' WindowName: '(null)'
- ClassName: '(null)' WindowName: 'Microsoft Internet Explorer'
- ClassName: 'SysListView32' WindowName: '(null)'
- ClassName: 'IEFrame' WindowName: '(null)'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
- ClassName: '' WindowName: '(null)'