Congratulations, you have won second prize? It turns out to be ieplus.exe (Trojan.Win32.QQFish.x / Packed.Win32.Klone.bi)

Original post by endurer.
Updated with Kaspersky's reply (2nd version of the 1st). Today a QQ speaker icon was found flashing in the taskbar of a host. Clicking it showed: "Open hxxp://www.qq**i**t**9***.cn/ in the IE browser". So lucky? No, QQ had not even been launched yet. Dialed up, ran QQ Doctor, and found:

Hosts file hijacking, plus several system vulnerabilities.

Disconnected the broadband connection, ran pe_xscan and analyzed its log. The following suspicious items were found:
Pe_xscan 08-11-22 by Purple endurer
10:17:38
Windows XP Service Pack 2 (5.1.2600)
MSIE: 7.0.5730.13
Administrator user group
Normal Mode
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ieplus.exe * 200 | 8:59:36
O1-hosts: 121.11.76.26 qq.com
O1-hosts: 121.11.76.26 sn.qq.com
O1-hosts: 157.150.195.10 www.dhghost.com welcome to the UN _ It's your world
O4-HKLM\..\policies\Explorer\run: [gem] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ieplus.exe
O4-Global startup: ieplus.exe-> fail to open file
O18-Protocol: ic32pp ()-{BBCA9F81-8F4F-11D2-90FF-0080C83D3571}-C:\Windows\wc98pp.dll | 12:44:54

Opened Task Manager and terminated ieplus.exe, used bat_do to pack and back up ieplus.exe and wc98pp.dll, then deleted them.

Scanned and cleaned up with QQ Doctor.
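The two O1 entries above pin qq.com and sn.qq.com to 121.11.76.26, so QQ traffic from this host goes to whatever answers at that address instead of Tencent; that fits the password-stealer names some engines give the file (Microsoft's PWS:Win32/QQpass.AA). The O4 entries show the Trojan persisting both in the all-users Startup folder and under HKLM\...\Policies\Explorer\Run, a key many startup viewers skip. The script below is an added example, not code from the original post or from pe_xscan: it parses pe_xscan-style "Onn-where: detail" lines (a constructed copy of the findings above is embedded), flags hosts entries that map a watched domain to a non-loopback address, and lists autorun entries in the two locations just mentioned. The watch list and the location list are assumptions for the example.

```python
import ipaddress
import re

# Constructed sample: the O1 (hosts) and O4 (autorun) lines quoted from the
# pe_xscan log above, in pe_xscan's "Onn-<where>: <detail>" line format.
PEXSCAN_LOG = """\
O1-hosts: 121.11.76.26 qq.com
O1-hosts: 121.11.76.26 sn.qq.com
O1-hosts: 157.150.195.10 www.dhghost.com welcome to the UN _ It's your world
O4-HKLM\\..\\policies\\Explorer\\run: [gem] C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\ieplus.exe
O4-Global startup: ieplus.exe-> fail to open file
O18-Protocol: ic32pp ()-{BBCA9F81-8F4F-11D2-90FF-0080C83D3571}-C:\\Windows\\wc98pp.dll | 12:44:54
"""

# Domains the local hosts file has no business pinning to a remote address
# (a constructed watch list for this example; extend it for your own estate).
WATCHED_DOMAINS = {"qq.com", "sn.qq.com", "www.qq.com"}

# Autorun locations worth a second look: the Policies\Explorer\Run key is
# skipped by many startup viewers, and the all-users Startup folder runs
# for every account that logs on (assumed list for this example).
SUSPICIOUS_AUTORUN_LOCATIONS = ("policies\\explorer\\run", "global startup")

LINE_RE = re.compile(r"^(?P<kind>O\d+)-(?P<where>[^:]+):\s*(?P<detail>.*)$")


def parse_pexscan(text):
    """Split pe_xscan 'Onn-where: detail' lines into dicts; other lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append(m.groupdict())
    return findings


def hosts_hijacks(findings, watched=WATCHED_DOMAINS):
    """(ip, domain) pairs where a watched domain is mapped to a non-loopback address."""
    hits = []
    for f in findings:
        if f["kind"] != "O1":
            continue
        parts = f["detail"].split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not in "ip hostname" form, e.g. a comment line
        domain = parts[1].lower()
        if domain in watched and not ip.is_loopback:
            hits.append((str(ip), domain))
    return hits


def suspicious_autoruns(findings):
    """(location, detail) pairs for O4 entries in the locations listed above."""
    hits = []
    for f in findings:
        if f["kind"] != "O4":
            continue
        where = f["where"].lower()
        if any(loc in where for loc in SUSPICIOUS_AUTORUN_LOCATIONS):
            hits.append((f["where"], f["detail"]))
    return hits


if __name__ == "__main__":
    found = parse_pexscan(PEXSCAN_LOG)
    for ip, domain in hosts_hijacks(found):
        print(f"hosts hijack: {domain} -> {ip}")
    for where, detail in suspicious_autoruns(found):
        print(f"autorun to review: {where}: {detail}")
```

Run against the embedded sample it reports the two qq.com redirections and the two ieplus.exe autorun entries; the dhghost.com line is left alone because that domain is not on the watch list, which is the right default for a hosts file that may carry legitimate local overrides.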

 

File description: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ieplus.exe
Attributes: ---
Digital signature: no
PE file: yes
Error obtaining file version information!
Created: 16:55:10
Modified: 16:59:36
Size: 453493 bytes, 442.885 KB
MD5: bc47deb5e9bf2d3d99f6e8a38a5ecd6d
SHA1: 0e0c0ac000095015b101df70e520f214dac628661 (41 hex digits as printed; a SHA-1 has 40)
CRC32: 1e3146ec

 

Rising report: Trojan.Win32.QQFish.x

Kaspersky report: Packed.Win32.Klone.bi [KLAN-18869865]

 

File ieplus.exe received at 10:20:02 (CET)

Antivirus Version Last update Result
A-squared 4.0.0.73 2008.12.28 Virus.Win32.Agent.siq!IK
AhnLab-V3 2008.12.25.0 2008.12.27 Win32/MalPackedB.Suspicious
AntiVir 7.9.0.45 2008.12.28 TR/Crypt.XPACK.Gen
Authentium 5.1.0.4 2008.12.28 -
Avast 4.8.1281.0 2008.12.27 Win32:Hupigon-EKK
AVG 8.0.0.199 2008.12.28 Win32/Heur
BitDefender 7.2 2008.12.28 -
CAT-QuickHeal 10.00 2008.12.27 -
ClamAV 0.94.1 2008.12.28 -
Comodo 826 2008.12.27 -
DrWeb 4.44.0.09170 2008.12.28 -
eSafe 7.0.20. 2008.12.24 -
eTrust-Vet 31.6.6276 2008.12.24 -
Ewido 4.0 2008.12.27 -
F-Prot 4.4.4.56 2008.12.27 -
F-Secure 8.0.14332.0 2008.12.28 Suspicious:W32/Malware!Gemini
Fortinet 3.117.0.0 2008.12.28 Suspicious
GData 19 2008.12.28 Win32:Hupigon-EKK
Ikarus T3.1.1.45.0 2008.12.28 Virus.Win32.Agent.siq
K7AntiVirus 7.10.568 2008.12.27 -
Kaspersky 7.0.0.125 2008.12.28 -
McAfee 5476 2008.12.27 -
McAfee+Artemis 5476 2008.12.27 Generic!Artemis
Microsoft 1.4205 2008.12.28 PWS:Win32/QQpass.AA
NOD32 3719 2008.12.27 -
Norman 5.80.02 2008.12.26 -
Panda 9.0.0.4 2008.12.27 Trj/VB.ABC
PCTools 4.4.2.0 2008.12.27 -
Prevx1 V2 2008.12.28 Cloaked Malware
Rising 21.09.62.00 2008.12.28 Trojan.Win32.QQFish.x
SecureWeb-Gateway 6.7.6 2008.12.28 Trojan.Crypt.XPACK.Gen
Sophos 4.37.0 2008.12.28 Mal/Generic-
Sunbelt 3.2.1809.2 2008.12.22 -
TheHacker 6.3.1.4.200 2008.12.26 -
TrendMicro 8.700.0.1004 2008.12.26 -
VBA32 3.12.8.10 2008.12.27 suspected of Backdoor.Xiaobird.5 (paranoid heuristics)
ViRobot 2008.12.26.1536 2008.12.26 -
VirusBuster 4.5.11.0 2008.12.27 -
Additional information
File size: 453493 bytes
MD5...: bc47deb5e9bf2d3d99f6e8a38a5ecd6d
SHA1..: 0e0c0ac000095015b101df70e520f214dac628661
SHA256: (value not captured on this page)
SHA512: 28f0605842f49ac9750a698a417cb333abdfceaf88c66c561e843499f74eb606 (truncated in the source)
ssdeep: 12288:wv6/wvqjz7uf2gdeduxqc1s2e/tca61xgiw6tud:njz7rzdkqc1s20tc51Vtud
PEiD..: -
TrID..: File type identification
Win32 EXE Yoda's Crypter (56.9%)
Win32 Executable Generic (18.2%)
Win32 Dynamic Link Library (generic) (16.2%)
Generic Win/DOS Executable (4.2%)
DOS Executable Generic (4.2%)
PEInfo: PE structure information

(base data)
entrypointaddress.: 0x401000
timedatestamp.....: 0x2A425E19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14C (i386)

(2 sections)
name viradd virsiz rawdsiz ntrpy md5
.Packed 0x1000 0xC0000 0x200 6.07 b601_f893cb08122b637914cf8e9c0
.Rlpack 0xC1000 0x72C72 0x6E775 7.76 b6c35744713c21a6137a3e32cb07a710

(1 imports)
> kernel32.dll: LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualProtect, VirtualFree, GetModuleHandleA

(0 exports)

packers (Kaspersky): PE_Patch.RLPack
CWSandbox info: http://research.sunbelt-software.com/partnerresource/MD5.aspx?MD5=bc47deb5e9bf2d3d99f6e8a38a5ecd6d
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=cbccf66675867db6eb5e06c83f4b93003d017d10
packers (Avast): RLPack
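The PE summary above is a textbook packed-binary profile: a first section that occupies 0xC0000 bytes in memory but only 0x200 on disk (the unpacking destination), a second section at 7.76 bits/byte of entropy (the compressed payload), and an import table of six kernel32 functions that together let a stub map memory and resolve the real program's APIs at run time. The 1992 link timestamp is the fixed value every VB5/6 linker writes, which agrees with Panda's Trj/VB.ABC name for the underlying program. The script below is an added example, not code from the original post, PEiD or VirusTotal: it implements Shannon entropy over a byte buffer and a small triage function that applies the three heuristics just described to the section table and import list copied from the report. The thresholds (7.0 bits/byte, 16x memory/disk ratio, fewer than 10 imports) are assumptions for the example.

```python
import math
from collections import Counter

# Section table and import list as reported in the PE info above:
# (name, virtual size, raw size on disk, entropy).
SAMPLE_SECTIONS = [
    (".Packed", 0xC0000, 0x200, 6.07),
    (".Rlpack", 0x72C72, 0x6E775, 7.76),
]
SAMPLE_IMPORTS = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
                     "VirtualProtect", "VirtualFree", "GetModuleHandleA"],
}

# The minimal set a packer stub needs to map and resolve the real program at run time.
LOADER_APIS = {"LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect"}


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def packer_indicators(sections, imports, entropy_threshold=7.0, min_imports=10):
    """Return human-readable reasons why a PE looks packed; an empty list means none fired.

    The thresholds are assumptions chosen for this example, not values from the report.
    """
    reasons = []
    for name, vsize, rsize, ent in sections:
        if ent >= entropy_threshold:
            reasons.append(f"section {name}: entropy {ent:.2f} bits/byte (compressed or encrypted data)")
        if rsize and vsize // rsize >= 16:
            reasons.append(f"section {name}: {vsize // rsize}x larger in memory than on disk (unpack destination)")
    funcs = {f for names in imports.values() for f in names}
    if len(funcs) < min_imports:
        reasons.append(f"only {len(funcs)} imported functions from {len(imports)} DLL(s); real imports resolved at run time")
    if LOADER_APIS <= funcs:
        reasons.append("imports the loader set " + ", ".join(sorted(LOADER_APIS)))
    return reasons


if __name__ == "__main__":
    # Constructed buffers to show the two ends of the entropy scale.
    print("zeros     :", round(shannon_entropy(b"\x00" * 4096), 2))
    print("all bytes :", round(shannon_entropy(bytes(range(256)) * 16), 2))
    print("ASCII text:", round(shannon_entropy(b"The quick brown fox jumps over the lazy dog. " * 50), 2))
    for reason in packer_indicators(SAMPLE_SECTIONS, SAMPLE_IMPORTS):
        print("-", reason)
```

Against the report's numbers all four indicators fire; a plain compiler-emitted .text section with a normal import table produces none. Entropy alone is a weak signal (compressed resources and certificates also score high), which is why the ratio and import checks are combined with it rather than used on their own.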
