This is a worm, it will be downloaded by a user when visiting malicious websites, dropped by other malwares or spreaded by USB flash disk and msn. This worm will connect to the server of hacker and receive commands.

The worm will copy itself, and create service for it:

• %TEMP%\{random name}.exe

Copy itself to all root directory, and create config files, the worm will be runned when user click the disk:

• {all root directorys}\_recycling49.exe
• {all root directorys}\autorun.inf
• {all root directorys}\autorun.bat
• {all root directorys}\autorun.vbs

Add registry:

• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vuauxlfelk]
  • "Type"=0x00000110
  • "Start"=0x00000002
  • "ErrorControl"=0x00000000
  • "ImagePath"="%TEMP%\{random name1}.exe -svc"
  • "DisplayName"="bzyktpisqh"
  • "ObjectName"="LocalSystem"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vuauxlfelk\Security]
  • "Security"=01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vuauxlfelk\Enum]
  • "0"="Root\LEGACY_VUAUXLFELK\0000"
  • "Count"=0x00000001
  • "NextInstance"=0x00000001
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer]
  • "{name1 got from the information of disk}"={hexadecimal number got from the local time}
  • "{name2 got from the information of disk}"=0x00000001

Visit the website(Failure):

• http://network.e****d.com/webyx/iLog.php?dl=5.6&log=Loader: 506^EXP

Connect to the remote web server(Failure):

• {random name2}.ive****edya.com/webyx/remote.php?
• {random name2}.ivep****edya.com/webyx/remote.php?
• {random name2}.ipr****tya.com/webyx/remote.php?
• {random name2}.emn****ying.com/webyx/remote.php?
• {random name2}.emn****rked.com/webyx/remote.php?

Receive commands:

• reset - terminate process of the worm and config it
• use - start the worm
• useasuser - start the worm with administrator
• sleep - suspend process of the worm
• dl - download malwares from the web server
• visit - visit directory of the worm
• setasnew - delete registry of the worm
• update - update the worm

And this worm will spread to all friends by msn

It's the Trojan,which disables Task Manager, Registry Editor, and Folder Options.
It connects to specified websites to send and receive information.
It can encrypt the user all the files, and then extort money from the user.
 

Upon execution,it copies itself into the affected system:

• %Application Data%\{random}\{random}.exe
• %System%\{random}.exe

It adds the following registry entries to enable its automatic execution at every system startup:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

        {random}= "%User Profile%\Application Data\{random}\{random}.exe"
It modifies the following registry entries:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon   

        Userinit = "%System%\userinit.exe,%System%\{random}.exe,"
This Trojan creates the following registry entries to disable Task Manager, Registry Tools and Folder Options:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe

        Debugger= "P9KDMF.EXE"

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe

        Debugger = "P9KDMF.EXE"

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe

        Debugger= "P9KDMF.EXE"

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

        "DisableRegistryTools"=dword:00000001

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

        "DisableRegedit"=dword:00000001
It connects to the following website to send and receive information:

• http://hor{blocked}rum.com/a.php
• http://spa{blocked}eb.com/a.php
• http://q{blocked}cc.com/a.php
• http://ho{blocked}o.com/a.php
• http://sp{blocked}w.com/a.php
• http://q{blocked}a.com/a.php

Receive hacker commands:

• IMAGES        Display picture
• EXECUTE        Execute files   
• LOAD        Download and Execute
• GEO        Sleep
• LOCK        Lock all the files
• UNLOCK        Unlock all the files
• URLS        Modify url
• KILL        Uninstall itself
• UPGRADE        Update itself
• UPGRADEURL    Update connect url and download file

From the above instructions,i think it will encrypt the user all the document, and then extort money from the user.

This is a worm, it may be downloaded by a user when visting malicious websites or it could be released by other malware.
It connects remote website and receives harmful hacker commands.

Upon execution,it copies itself into the affected system:

• %Application Data%\{the HDD serial number}.exe

It creates the following registry entry to enable its automatic run at every system startup:

• HKCU\Software\Microsoft\Windows\CurrentVersion\Run

       {the HDD serial number}.exe="%Application Data%\{the HDD serial number}.exe"

• HKEY_USERS\S-1-5-21-1606980848-1677128483-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Run

       {the HDD serial number}.exe="%Application Data%\{the HDD serial number}.exe"
It can connect the following web to collects the user's IP address and country of origin:

• http://api.wipmania.com/

Connect following IRC server:

• ng.ma{blocked}lone.com
• ng.th{blocked}aby.com
• ng.li{blocked}sez11.com
• ng.co{blocked}oan.com

Receive hacker commands:

• dl        Downloads and executes
• up        Update it
• die        kill it
• rm        Uninstall itself
• m        Enable/disable all commands
• vs        Visit specified website
• v        Send bot's Version
• rc        reconnect IRC server
• j        Join channel
• p        Part channel   
• s        sort
• us        Unsort
• mod        Enable/disable modules that use hooks
• stats        Retrieves statistics
• logins        Retrieves all grabbed logins information
• http.set    Set the message for facebook spreading
• http.int    Set the number of Facebook messages
• http.inj    HTTP inject
• mod        module on/offmsn.set
• msn.ini        Set the number of MSN
• msn.set        Set message to spread via MSN messages
• mdns        Block access to specified Domain/IP   
• ssyn        SYN attack
• udp        UDP attack

It prevents users from accessing a URL that contains the following string:

• webroot.
• fortinet.
• virusbuster.nprotect.
• gdatasoftware.
• virus.
• precisesecurity.
• lavasoft.
• heck.tc
• emsisoft.
• onlinemalwarescanner.
• onecare.live.
• f-secure.
• bullguard.
• clamav.
• pandasecurity.
• sophos.
• malwarebytes.
• sunbeltsoftware.
• norton.
• norman.
• mcafee.
• symantec
• comodo.
• avast.
• avira.
• avg.
• bitdefender.
• eset.
• kaspersky.
• trendmicro.
• iseclab.
• virscan.
• garyshood.
• viruschief.
• jotti.
• threatexpert.
• novirusthanks.
• virustotal.

Visit our website contains the following string, it will collects the user's password

• *paypal.*/webscr?cmd=_login-submit*
• *google.*/*ServiceLoginAuth*
• *aol.*/*login.psp*
• *screenname.aol.*/login.psp*
• *bigstring.*/*index.php*
• *fastmail.*/mail/*
• *gmx.*/*FormLogin*
• *login.live.*/*post.srf*
• *login.yahoo.*/*login*
• *facebook.*/login.php*
• *hackforums.*/member.php
• *steampowered*/login*
• *dyndns*/account*
• *runescape*/*weblogin*
• *.moneybookers.*/*login.pl
• *.alertpay.*/*login.aspx
• *twitter.com/sessions
• *secure.logmein.*/*logincheck*
• *officebanking.cl/*login.asp*

This is trojan, it may be downloaded by a user when visiting malicious websites or dropped by other malwares. It will record the buttons of keyboard and send the information to the hacker.

Upon execution, a message box will apears:

Release a config file:

• %SYSTEM32%\setkl.sys

Release and execute a BAT file:

• C:\tmp.bat

Copy itself to:

• %SYSTEM32%\kl.exe

Add registry to set it executing with starting up of system:

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  • ccv="%SYSTEM32%\kl.exe"

This trojan will record the buttons of keyboard, login the email:

• username:ma***535@gmail.com
• password:0142***3313

Send the record of information to the email of hacker:

• be.hza***000@gmail.com

This is a spyware.It arrives in the affected system as dropped or downloaded file by other malware or unsuspecting users.
It steals account information of following online games:AskTao, DragonNest, XCB.

Upon execution, it creates following files:

• %CommonProgramFiles%\whh{random number}.ocx  detected as Spyware/WOW.B732 by Anchiva
• %CommonProgramFiles%\{random}.dll detected as Trojan/Generic.F1F4 by Anchiva
• %System32%\whhfd008.ocx detected as Trojan/Virtum.A36C by Anchiva

• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\CONTROL\KEYBOARD LAYOUTS\E0200804

• AskTao
• DragonNest
• XCB

• http://113.107.95.81:801/fen{block}01/lin.asp
• http://113.107.95.81:801/fe{block}bao.asp
• http://113.107.95.81:801/fen{block}ny.asp

It is a trojan,it will steal onlinegame<Dungeon Fighter> user's password,and send to the remote sites.
It may be in the user visit a malicious sites cheated to download and execution.

Upon execution,it copy itself to the followinig path:

• C:\WINDOWS\system32\t91.mod

Modify the following registry key:

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

      "SFCDisable"=dword:ffffff9d
      "SFCScan"=dword:00000000
Find the following process and try to closed

• DNF.exe
• DNFchina.exe
• QQlogin.exe

Create following configuration file:

• C:\WINDOWS\system32\t910080ttt86t950065.t91

Drops following files from itself.

• C:\WINDOWS\system32\dlsp.dll    Detected as "Spyware/OnLineGames.565A!pws" by ANCHIVA
• C:\WINDOWS\system32\0ILX.dll    Detected as "Trojan/Packed.59EF" by ANCHIVA

The "dlsp.dll" file is added to the Service Provider Interface(SIP) for monitor the network.
It modifies the following system file:

• C:\WINDOWS\system32\rasapi32.dll    Detected as "Trojan/Patched.48D0" by ANCHIVA

The modified file will load "0ILX.dll" file,so every time the game starts,"0ILX.dll" will be loading.The "0ILX.dll"file mian purpose is steal onlinegame<Dungeon Fighter> user's password and send to the specified site.
The "0ILX.dll" files also be download following file and execution.

• http://c3905{BLOCKED}7d84.3322.org:7043/1.jpg

Modifies the original "hosts" file,and writing the following strings to the file:

• 60.***.217.243  7a57a{BLOCKED}894a0e.3322.org

At last,it will download the other malicious software from following websize and save it as "t910.exe"

• 121.***.113.77:368/1.exe        Detected as"Trojan/Injepe.C768!dldr" by ANCHIVA

This is a worm, it may be downloaded by a user when visting malicious websites or spreaded by FaceBook and MSN. It will connect to the IRC server and receive hacker commands.

Upon executing, this worm will inject the process of explorer.exe, write the Boot Sector, to prevent being killed, and it will start with explorer.exe.
Copy itself to:

• %APPDATA%\{The name got form serial number of hard disk drives}.exe

Add registry:

• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  • "{The name got form serial number of hard disk drives}"="%APPDATA%\{The name got form serial number of hard disk drives}.exe"

It will visit the website to get the information of  ip address and area:

• http://api.wipmania.com/

Visit the IRC of hacker:

• ng.best****sever.biz
• ng.xm****verx.info
• ng.ido****ies.com
• ng.furi****zzle.info
• ng.stud****center-org.com

Receive hacker commands:

• dl -
  •      Connect to the specified server:
    • 146.185.246.133
  •      Download and execute files:
    •      %APPDATA%\{number1}.exe(Indentified by anchiva as:Trojan/Jorik.0733)
    •      %APPDATA%\{number2}.exe(Indentified by anchiva as:Trojan/Injector.1D15!drop)
    •      %APPDATA%\{number3}.exe(Indentified by anchiva as:Trojan/Yakes.6AD7)
• v - Send the customer name, its version and the filepath to hacker
• rc - Reconnect  
• die - Disconnect from the IRC server and does not reconnect until its system reboots
• rm - Remove itself
• s   - Join the channel for its country
• us - Part the channel for its country
• stats - Retrieves statistics for spreading and/or login grabbing
• logins - Retrieves all grabbed and cached logins and prints them to channel or PM.Can also be used to clear login cache.
• msn.set - Set the message that will be used for MSN spreading
• msn.int - Set the number of MSN messages in a conversation before one is changed with your spreading message
• http.set - Set the message that will be used for FaceBook spreading
• http.int - Set the number of Facebook messages in a conversation before one is changed with your spreading message
• up - Updates its file

This is a spyware.It maybe downloaded or dropped by other malwares or unsuspecting users.
It steals account information from following FTP softwares and web browsers:Firefox, FireFTP, LeechFTP, WinFTP, FTPGetter, ALFTP, IE, DeluxeFTP, Chrome, FreshFTP, GoFTP, 3D-FTP, Robo-FTP.It also downloads and executes other malwares.

Upon execution, it creates following registry entry as an infection marker:

• HKLM\Software\WinRAR

• Firefox
• FireFTP
• LeechFTP
• WinFTP
• FTPGetter
• ALFTP
• IE
• DeluxeFTP
• Chrome
• FreshFTP
• GoFTP
• 3D-FTP
• Robo-FTP

• http://www.alberghi.com:8080/po{block}e.php
• http://buyandsmile.atomclick.co:8080{block}te.php
• http://licitatiiblog.ro/jzVvvc3{block}uo.exe - detected as Spyware/Zbot.DEAD by Anchiva

It is a trojan,it will terminate user's Security software,it attemps to infected user's removable disk.
It will download other malicous software in order to achieve the purpose of further control the victim computer.

Once launched,it coye itself to following path:

• C:\Program Files\Common Files\rgdltecq\nhoifz.pif

It extracts files from its body and saves them in the system as:

• C:\\WINDOWS\\system32\\622421.DLL   Detected by ANCHIVA as "Trojan/KillAV.12A3"

(In fact the name is random number)
The dll file download configuration from the following website:

• http://c.shi{BLOCK}bian.com/s.gif

It to decrypt the configuration file, it will download other malicious software from the following URL:

• http://blog.51cto.com/attachment/201204/4594{BLOCK}138005.rar    Detected by ANCHIVA as "Spyware/OnLineGames.80C9!pws"

The DLL file dorp following driver file:

• C:\WINDOWS\system\XeWz.url     Detected by ANCHIVA as "Trojan/KillAV.1199"

And registered the following system services:

• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\autb]

       "Type"=dword:00000001
       "Start"=dword:00000003
       "ErrorControl"=dword:00000000
       "ImagePath"=\??\C:\WINDOWS\system\XeWz.url
       "DisplayName"="autb"
The Trojan horse in order to run automatically when the computer reboot, it create registered items as follows:

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

       "360se"="C:\Program Files\Common Files\rgdltecq\nhoifz.pif"

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

       "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

• [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]

        @="C:\\WINDOWS\\system32\\622421.DLL"
It will terminate the following process:

• ekrn.exe
• 360safe.exe
• egui.exe
• nod32krn.exe
• RSTray.exe
• avgnt.exe
• avnotify.exe
• avguard.exe
• guardgui.exe
• avwebgrd.exe
• kudiskmon.EXE
• beikearpsvc.EXE
• mcshield.exe
• RavMonD.EXE
• kpopserver.exe
• KVMonXP.EXE
• QQPCTray.EXE
• Twister.EXE
• avp.EXE
• KANSvr.EXE

In face contanin many anti-spware software,Fox example:HijackThisTrojanDetectorIceSword etc.
It will through the infection removable disk spread itself.

This is a trojan, it may be downloaded by a user when visting malicious websites or dropped by other malwares. It will modify the default setting of browser and visit the web sites of hacker.

This trojan will modify the registry to set the proxy server of Internet Explorer:

• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
  • "AutoConfigUrl"="http://vid****ame.portal****dastrohsbc.org"
  • "ProxyHttp1.1"=0x00000001
  • "EnableHttp1.1"=0x00000001
• [HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
  • "Connection Settings"=0x00000001

And it will terminate the process of firefox.exe, modify the setting file to set firefox.exe launch with proxy.
Visit the website of hacker:

• www.10****agen-biel.ch/media/system/css/style/notify.php

Search the address list of email and send it to hacker:

• www.di****na.org/dipa/logs/files/Archive.php

This is a dropper.It arrives in the affected system as dropped or downloaded file by other malwares or unsuspecting users.
It drops other malware, removes Temporary Internet files and Cookies, accesses malicious urls, monitors internet connection and restarts system.

Upon execution, it creates following file:

• %SYSTEM32%\{random}.dll - detected as Trojan/Kryptik.45F3 by Anchiva

• C:\Documents and Settings\Administrator\Cookies
• C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows  

• clickjoinseo.com/phpbb/get.php?id={Product Id}&key={random}&av=0&vm=1&al=0&p={random}&os={OS Version}&z={random}&hash={hash value of computer name}

This is a trojan, it may be released by other malware or downloaded by trojan downloader. This program will update the client of XtremeRAT.

This torjan will inject to the processes of svchost.exe and explorer.exe
Copy itself to:

• %SYSTEM32%\Windows5.0\Taskmg.exe

Release files:

• %APPDATA%\Microsoft\Windows\uQTEXD.cfg
• %APPDATA%\Microsoft\Windows\uQTEXD.dat

Delete registry:

• [HKEY_CURRENT_USER\SOFTWARE\XtremeRAT]

Add registry:

• [HKEY_CURRENT_USER\SOFTWARE\uQTEXD\]
  • "ServerStarted"="(localtime)"
  • "InstalledServer"="%SYSTEM32%\Windows5.0\Taskmg.exe"
• [HKEY_CURRENT_USERSOFTWARE\FakeMessage\]
  • "FakeMessage"="OK"
• [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
  • "Antivirus"="%SYSTEM32%\Windows5.0\Taskmg.exe"
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
  • "Antivirus"="%SYSTEM32%\Windows5.0\Taskmg.exe"
• [HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{5F3D0Y86-3B3O-R5Q4-52HI-PW6BO4Q266N6}\]
  • "StubPath"="%SYSTEM32%\Windows5.0\Taskmg.exe"
• [HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{5F3D0Y86-3B3O-R5Q4-52HI-PW6BO4Q266N6}\]
  • "StubPath"="%SYSTEM32%\Windows5.0\Taskmg.exe"
• [HKEY_CURRENT_USER\SOFTWARE\(processID)\]
  • "Mutex"="uQTEXD"

Visit the website of hacker:

• URL= http://djamel.hopto.org:92/1234567890.functions

Download file to update the client of XtremeRAT：

• %APPDATA%\Microsoft\Windows\uQTEXD.xtr

It is a Trojan horse,it disguised as a picture file trick users into clicking.In order to self-start it register a system service.
The trojan connect to a remote hacker sites,execution hackers insttuctions,Ex:DDOS attacks,download other malicious program.

Upon execution,it will copy itself to following directory and delete itself.

• C:\Documents and Settings\UserData.exe

Then,restart copy file,it register a system service and creates the following registry entries:

• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Nationalahy]

       "Type"=dword:00000010
       "Start"=dword:00000002
       "ErrorControl"=dword:00000000
       "ImagePath"="C:\Documents and Settings\UserData.exe"
       "DisplayName"="Nationalyyq Instruments Domain Service"
       "ObjectName"="LocalSystem"
       "Description"="Providesnnb a domain server for NI security."

• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NATIONALAHY\0000]

       "Service"="Nationalahy"
       "Legacy"=dword:00000001
       "ConfigFlags"=dword:00000000
       "Class"="LegacyDriver"
       "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
       "DeviceDesc"="Nationalyyq Instruments Domain Service"

It may inject itself to the following process:

• iexplore.exe

The trojan wil send users information to following websize:

• tj{BLOCK}.3322.org:123

Receive instructions,it will execution following operation:

• Execution files
• Update itself
• Download and execution files
• Shut down the computer
• Simulation browser requests
• Delete itself
• User IE browse the web
• Send data
• receive date
• DDOS attack

This is a worm.It arrives in the affected system via removable drives or dropped by other malwares.
It downloads, drops and executes other malwares, also infects mobile disk.

Upon execution, it creates following files:

• %COMMONPROGRAMFILES%\rgdltecq\ngoifz.pif - copy itself
• %SYSTEM32%\{random number}.dll - detected as Trojan/Geral.31D1!dldr by Anchiva

• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

WebCheck = {E6FB5E20-DE35-11CF-9C87-00AA005127ED}

• HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

{default} = %SYSTEM32%\{random number}.dll

• http://b.shidaihuabian.com/{block}f - expired

• ESET Nod32
• 360
• QQ PCManager
• AntiVir Guard
• Kaspersky
• rising

It is backdoor, it Destruction of  security software Trusteer Rapport,and impersonates it to tricked user
It opens a back door on the compromised computer,to accept some of the hackers instruction.

 Upon execution,it copy itself to following directory and delete itself.

• %System%\[RANDOM].exe
• %Temp%\[RANDOM].exe

• %ProgramFiles%\Trusteer Rapport\Stop Rapport.lnk
• %ProgramFiles%\Trusteer Rapport\Rapport Console.lnk
• %ProgramFiles%\Trusteer Rapport\Start Rapport.lnk

• %ProgramFiles%\Trusteer\Rapport\bin\RapportService.exe
• %System%\RPService.exe

• [HKEY_CLASSES_ROOT\.eze]

• [HKEY_CLASSES_ROOT\MyEze.1\shell\open\command]

• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

• [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

• %System%\drivers\RaportKELL.sys

• LOAD: Download and execute files
• EXECUTE: Execute files
• URLS: Specified website to download file
• KILL: kill itself
• UPGRADE: UPGRADE itself
• X: Sleep

This is a spyware.It maybe dropped or downloaded by other malwares and unsuspecting users.
It steals account information of World Of Warcraft.

 Upon execution, it creates following files:

• %TEMP%\{random number}.dat - detected as Spyware/Frethoq.A95A by anchiva
• %SYSTEM32%\ksuser.dll - detected as Spyware/Frethoq.A95A by anchiva
• %SYSTEM32%\midimap.dll - detected as Spyware/Frethoq.A95A by anchiva
• %SYSTEM32%\msimg32.dll - detected as Spyware/Frethoq.A95A by anchiva
• %SYSTEM32%\sysapp{random}.dll - detected as Spyware/Frethoq.A95A by anchiva

This is a trojan, it may be downloaded by a user when visting malicious web sites or dropped by other malwares. It will drop a backdoor program, this backdoor will connect to the server of hacker.

It will drop files like:

• c:\t.bat
• c:\tt.inf
• c:\windows\system32\winhelp32.exe(Indentified by anchiva as Backdoor/PoisonIvy.09C0)

Run c:\t.bat, add the registry to create the service for winhelp32.exe:

• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHelp64]
  • "Type"=0x00000010
  • "Start"=0x00000002
  • "ErrorControl"=0x00000000
  • "ImagePath"="c:\windows\system32\winhelp32.exe
  • "DisplayName"="Windows Internet Service"
  • "ObjectName"="LocalSystem"
  • "Description"="提供对 Internet 信息服务管理的支持。"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHelp64\Enum]
  • "0"="Root\LEGACY_WINHELP64\0000"
  • "Count"=0x00000001
  • "NextInstance"=0x00000001

The service will connect to the server of hacker:

• a.9**k.com:6060(74.126.178.24:6060)

Send the information of system to the hacker, receive commands to download a malware or clean the trace of the trojan.

It is a spyware,it will steal onlinegame <Vindictus> user's password,and send to the hacker remote sites.
This spyware may be in the user visit malicious sites to deceive download and Execution.

Upon execution it copy itslef to following directory,then execution copy file and delete the original file.

• %temp%\Help360hero.exe

It attemps to closed following process:

• HeroesLauncher.exe
• HEroes.exe

Then,it through check the registry and file traversal to find the game directory,it drop following file to the directory.

• <Game directory>\hero.dll  Detected as “Spyware/OnLineGames.1992!pws” by ANCHIVA

The "hero.dll" will steal password information and save the following file in the game directory.

• <Game directory>\info.cy

The following is the content of "info.cy" file:

• [LQCYC]

         id = <User account>
         mm = <User password>
         place = <Area Code>

It will send that to following sites:

• 58.***.35.110

then it modify the game the default "nmconew.dll",erevy time the game will start loading "nmconew DLL.",the modification of he "nmconew.dll" will attempt to laod "hero.dll",so each time the game is running, the account will be stolen.

Finally it create following  empty file,it used for infection success marks.

• %Systemroot%\System32\lq0223.Fe

This is a backdoor program, it may be downloaded by a user when visting malicious web sites or dropped by other malwares. This program will connect to the server of hacker.

Upon executing, it will copy itself to the system directory and create a service:

• %SYSTEM32%\{random name}.exe

Add the registry:

• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
  • "%SYSTEM32%\{random name}.exe"="%SYSTEM32%\ffntdq.exe:*:Enabled:Microsoft (R) Internetal IExplore"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rcmdsvc]
  • "Type"=0x00000010
  • "Start"=0x00000002
  • "ErrorControl"=0x00000000
  • "ImagePath"="%SYSTEM32%\{random name}.exe"
  • "DisplayName"="Remote Command Service"
  • "ObjectName"="LocalSystem"
  • "Description"="Windows Resource Kit"

Connect to the server of hacker:

• 121.163.177.95(Failure)

Receive commands to do something like:

• Download and execute the pernicious file:
  • %TEMP%\cvbdfgj.exe
• Send the information of system
• File management
• Monitoring desktop

This is a trojan.It may be downloaded or dropped by other malwares and unsuspecting users.
It steals account information of following online games:DNF, MapleStory, FIFA Online2, World of Warcraft, PMang BoardGame, RayCity.

Upon execution, it creates following file:

• %SYSTEMROOT%\Tasks\{random}.dat - detected as Trojan/Heur.1D11 by Anchiva

• NaverVaccine
• ALYac
• V3Lite

• DNF
• MapleStory
• FIFA Online2
• World of Warcraft
• PMang BoardGame
• RayCity

• {blokc}rackserver@rambler.ru