A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
#12759 by EP_X0FF
Tue Apr 17, 2012 12:35 pm
What a primitive shit. Not interesting.
#12839 by R136a1
Sat Apr 21, 2012 9:50 am
I found another domain where it loads its components:

Known: ht*p://images.hananren.com
New: ht*p://999tshop.com
Dropper (MD5): b0edca4bd5c8d5fffc479aa87437f3c2

From there it loads an executable, e.g. "/20120413.exe" (year/month/day.exe), and a jpg image "/20120413.jpg" (year/month/day.jpg). The dates of the files vary, but the MD5 hashes show it is always the same package.
The executable package contains two DLLs: a modified version of imm32.dll (see Input Method Manager) and a modified version of bdcap32.dll (see Bandi Capture Library).
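The download pattern described in the post above (a bare "/YYYYMMDD.exe" plus "/YYYYMMDD.jpg" from the same host) is something a defender can hunt for in proxy logs. The following is an added example, not code from the thread: the log layout and the hosts in the sample lines are constructed placeholders, not the indicators posted above.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

# The loader fetches "/YYYYMMDD.exe" and "/YYYYMMDD.jpg" from its download host.
DATE_PATH_RE = re.compile(r"^/(?P<date>\d{8})\.(?P<ext>exe|jpg)$", re.IGNORECASE)

# Constructed sample proxy log (hypothetical "<timestamp> <client> <method> <url> <status>"
# layout); the hosts are placeholders, not the domains named in the thread.
SAMPLE_LOG = """\
2012-04-13T09:01:02 10.0.0.5 GET http://cdn.placeholder.invalid/20120413.exe 200
2012-04-13T09:01:03 10.0.0.5 GET http://cdn.placeholder.invalid/20120413.jpg 200
2012-04-13T09:02:10 10.0.0.7 GET http://www.example.com/images/20120413.jpg 200
2012-04-13T09:03:00 10.0.0.9 GET http://cdn.placeholder.invalid/99999999.exe 404
2012-04-13T09:04:00 10.0.0.5 GET http://cdn.placeholder.invalid/latest.exe 200
2012-04-13T09:05:00 10.0.0.8 GET http://other.placeholder.invalid/20120413.exe 200
"""

def dated_download(url):
    """Return (host, date, ext) if the URL path is a bare /YYYYMMDD.exe|jpg with a valid date."""
    parts = urlsplit(url)
    m = DATE_PATH_RE.match(parts.path)
    if not m:
        return None
    try:
        datetime.strptime(m.group("date"), "%Y%m%d")  # rejects non-dates such as 99999999
    except ValueError:
        return None
    return parts.hostname, m.group("date"), m.group("ext").lower()

def find_dated_downloads(log_text):
    """Scan log lines; return a list of (client, host, date, ext) for matching requests."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines
        client, url = fields[1], fields[3]
        info = dated_download(url)
        if info:
            hits.append((client, *info))
    return hits

def paired_clients(hits):
    """Clients that fetched both the .exe and the .jpg of the same date from the same host."""
    seen = {}
    for client, host, date, ext in hits:
        seen.setdefault((client, host, date), set()).add(ext)
    return sorted({c for (c, _, _), exts in seen.items() if exts >= {"exe", "jpg"}})

if __name__ == "__main__":
    found = find_dated_downloads(SAMPLE_LOG)
    for hit in found:
        print("dated download:", hit)
    print("clients that fetched the full package:", paired_clients(found))
```

A single dated .exe hit is only a lead; the exe/jpg pair from one host is the stronger signal, and the date itself can be compared against the request timestamp to catch the loader's predictable naming.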