Trojan.DownLoader26.51070

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKLM>\SOFTWARE\Classes\CNHD\Shell\Open\command] '' = '"%ProgramFiles%\CNPlayer\CNPlayer.exe" /play "%1" /opensource CNHD'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'CNPlayer' = '"%ProgramFiles%\CNPlayer\CNPlayer.exe" /autorun'

Modifies file system:

Creates the following files:

%TEMP%\CNPlayer\Install\tool\atl71.dll
%ProgramFiles%\CNPlayer\msvcr90.dll
%ProgramFiles%\CNPlayer\msvcp90.dll
%ProgramFiles%\CNPlayer\Microsoft.VC90.CRT.manifest
%ProgramFiles%\CNPlayer\images\ProgressBarFill.bmp
%ProgramFiles%\CNPlayer\images\ProgressBarBk.bmp
%ProgramFiles%\CNPlayer\images\Confirm_Normal.bmp
%ProgramFiles%\CNPlayer\images\Confirm_Hover.bmp
%ProgramFiles%\CNPlayer\images\Confirm_Down.bmp
%ProgramFiles%\CNPlayer\images\Confirm_Disable.bmp
%ProgramFiles%\CNPlayer\images\Close_Hover.bmp
%TEMP%\CNPlayer\Install\CNPSetup.exe
%ProgramFiles%\CNPlayer\images\Close_Down.bmp
%ProgramFiles%\CNPlayer\images\Close_Disable.bmp
%ProgramFiles%\CNPlayer\images\CF_Top.bmp
%ProgramFiles%\CNPlayer\images\CF_RightTop.bmp
%ProgramFiles%\CNPlayer\images\CF_RightBottom.bmp
%ProgramFiles%\CNPlayer\images\CF_Right.bmp
%ProgramFiles%\CNPlayer\images\CF_LeftTop.bmp
%ProgramFiles%\CNPlayer\images\CF_LeftBottom.bmp
%ProgramFiles%\CNPlayer\images\Close_Normal.bmp
%ProgramFiles%\CNPlayer\EventHelper.dll
%TEMP%\CNPlayer\Install\setupcfg.js
%TEMP%\Cab9.tmp
%TEMP%\Cab7.tmp
%TEMP%\Cab5.tmp
%TEMP%\Cab3.tmp
%TEMP%\CNPlayer\Config\player.js
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\2VAZY7AN\player[1].js
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\U98D4X8H\chaoneng[1]
<Current directory>\skin.stat
%ProgramFiles%\CNPlayer\ShoppingHelper.2.2.1.150.(246).dll
%ProgramFiles%\CNPlayer\images\CF_Left.bmp
%ProgramFiles%\CNPlayer\ShoppingHelper.dll
%ALLUSERSPROFILE%\Start Menu\Programs\і¬ДЬІҐ·ЕЖч\і¬ДЬІҐ·ЕЖч.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\і¬ДЬІҐ·ЕЖч.lnk
%ALLUSERSPROFILE%\Start Menu\і¬ДЬІҐ·ЕЖч.lnk
%ALLUSERSPROFILE%\Desktop\і¬ДЬІҐ·ЕЖч.lnk
%TEMP%\nso2.tmp\Time.dll
%ProgramFiles%\CNPlayer\CNPAgent.244.dll
%ProgramFiles%\CNPlayer\Uninst.exe
%TEMP%\CNPlayer\Install\instlog.txt
%TEMP%\nso2.tmp\NSISLog.dll
%ALLUSERSPROFILE%\Start Menu\Programs\і¬ДЬІҐ·ЕЖч\Р¶ФШі¬ДЬІҐ·ЕЖч.lnk
%TEMP%\nso2.tmp\System.dll
%ProgramFiles%\CNPlayer\images\CF_Bottom.bmp
%ProgramFiles%\CNPlayer\images\CF_Bk.bmp
%ProgramFiles%\CNPlayer\images\Cancel_Normal.bmp
%TEMP%\CNPlayer\Install\tool\xl_cximage.dll
%ProgramFiles%\CNPlayer\tool\libjpeg6b.dll
%ProgramFiles%\CNPlayer\tool\jscript.dll
%ProgramFiles%\CNPlayer\tool\giflib4.dll
%ProgramFiles%\CNPlayer\tool\data.dll
%ProgramFiles%\CNPlayer\tool\atl71.dll
%TEMP%\CNPlayer\Install\tool\EventHelper.dll
%TEMP%\CNPlayer\Install\skin\data.db
%TEMP%\CNPlayer\Install\skin\config.xml
%TEMP%\CabB.tmp
%ProgramFiles%\CNPlayer\tool\msscript.ocx
%TEMP%\CNPlayer\Install\tool\tool.dll
%TEMP%\CNPlayer\Install\tool\msvcr71.dll
%TEMP%\CNPlayer\Install\tool\msvcp71.dll
%TEMP%\CNPlayer\Install\tool\msscript.ocx
%TEMP%\CNPlayer\Install\tool\libpng13.dll
%TEMP%\CNPlayer\Install\tool\libjpeg6b.dll
%TEMP%\CNPlayer\Install\tool\jscript.dll
%TEMP%\CNPlayer\Install\tool\giflib4.dll
%TEMP%\CNPlayer\Install\tool\data.dll
%TEMP%\CNPlayer\Install\tool\zlib1.dll
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\і¬ДЬІҐ·ЕЖч.lnk
%ProgramFiles%\CNPlayer\tool\msvcp71.dll
%ProgramFiles%\CNPlayer\tool\xl_cximage.dll
%ProgramFiles%\CNPlayer\tool\msvcr71.dll
%ProgramFiles%\CNPlayer\images\Cancel_Hover.bmp
%ProgramFiles%\CNPlayer\images\Cancel_Down.bmp
%ProgramFiles%\CNPlayer\images\Cancel_Disable.bmp
%ProgramFiles%\CNPlayer\zlib1.dll
%ProgramFiles%\CNPlayer\WBHost.dll
%ProgramFiles%\CNPlayer\PlayerBase.dll
%ProgramFiles%\CNPlayer\msvcr71.dll
%ProgramFiles%\CNPlayer\msvcp71.dll
%ProgramFiles%\CNPlayer\tool\tool.dll
%ProgramFiles%\CNPlayer\minizip.dll
%ProgramFiles%\CNPlayer\tool\libpng13.dll
%ProgramFiles%\CNPlayer\CNPlayer.exe
%ProgramFiles%\CNPlayer\CNPAgent.dll
%ProgramFiles%\CNPlayer\autoupdator.exe
%ProgramFiles%\CNPlayer\autoupdate.dll
%ProgramFiles%\CNPlayer\atl71.dll
%ProgramFiles%\CNPlayer\tool\Data\data.db
%ProgramFiles%\CNPlayer\tool\Data\config.xml
%ProgramFiles%\CNPlayer\tool\zlib1.dll
%ProgramFiles%\CNPlayer\mini_unzip_dll.dll
%ProgramFiles%\CNPlayer\{48EAAE6B-A37B-4cc1-8125-41A207B4C56A}.history

Deletes the following files:

%TEMP%\nso2.tmp\NSISLog.dll
%TEMP%\nso2.tmp\System.dll
%TEMP%\nso2.tmp\Time.dll
%TEMP%\Cab3.tmp
%TEMP%\Cab5.tmp
%TEMP%\Cab7.tmp
%TEMP%\Cab9.tmp
%TEMP%\CabB.tmp

Network activity:

Connects to:

'localhost':1036
'ch##neng.tv':80
'22#.#86.50.253':88
'localhost':1040
'ai#.##artssl.com':80
'download.windowsupdate.com':80

TCP:

HTTP GET requests:

http://www.ch##neng.tv/config/setupcfg.js via ch##neng.tv
http://www.ch##neng.tv/config/update.xml via ch##neng.tv
http://www.ch##neng.tv/ via ch##neng.tv
http://www.ch##neng.tv/config/player.js via ch##neng.tv
http://ai#.##artssl.com/certs/ca.crt
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt via download.windowsupdate.com
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab via download.windowsupdate.com

UDP:

DNS ASK www.ch##neng.tv
DNS ASK ai#.##artssl.com
DNS ASK www.download.windowsupdate.com

Miscellaneous:

Searches for the following windows:

ClassName: 'MS_AutodialMonitor' WindowName: ''
ClassName: 'MS_WebcheckMonitor' WindowName: ''

Creates and executes the following:

'%TEMP%\CNPlayer\Install\CNPSetup.exe' /autorun /uid 000000000001BGN /instsource Standard /instdir "%ProgramFiles%\CNPlayer" /setuppath "<Full path to file>"
'%ProgramFiles%\CNPlayer\CNPlayer.exe' /opensource Installer
'%ProgramFiles%\CNPlayer\autoupdator.exe'

Executes the following: