
About “Win32/Injector.DIQE” infection


Win32/Injector.DIQE is considered dangerous by many security experts. When this infection is active, you may notice unfamiliar processes in the Task Manager process list. In that case, it is advised to scan your computer with GridinSoft Anti-Malware.


Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It allows you to run a full scan and clean your PC during the trial period.
6-day free trial available.

What can the Win32/Injector.DIQE virus do?

  • Behavioural detection: Executable code extraction – unpacking
  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Executed a command line with /C or /R argument to terminate command shell on completion which can be used to hide execution
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Possible date expiration check, exits too soon after checking local time
  • Dynamic (imported) function loading detected
  • Enumerates the modules from a process (may be used to locate base addresses in process injection)
  • Enumerates running processes
  • Repeatedly searches for a not-found process, may want to run with startbrowser=1 option
  • Reads data out of its own binary image
  • CAPE extracted potentially suspicious content
  • Drops a binary and executes it
  • Unconventional binary language: Chinese (Simplified)
  • Unconventional language used in binary resources: Chinese (Simplified)
  • Authenticode signature is invalid
  • A scripting utility was executed
  • A ping command was executed with the -n argument possibly to delay analysis
  • Uses Windows utilities for basic functionality
  • Behavioural detection: Injection (Process Hollowing)
  • Executed a process and injected code into it, probably while unpacking
  • Attempts to remove evidence of file being downloaded from the Internet
  • Behavioural detection: Injection (inter-process)
  • Installs itself for autorun at Windows startup
  • Spoofs its process name and/or associated pathname to appear as a legitimate process
  • Creates a hidden or system file
  • Creates a copy of itself
  • Uses suspicious command line tools or Windows utilities

How to identify Win32/Injector.DIQE?

File Info:

name: 2344098C7FA4F859BE14.mlw
path: /opt/CAPEv2/storage/binaries/44332953b819aac9ffcc2c7cfef3809e2914059c64d6538cf8109236bd6f5c0f
crc32: D6CAFA0C
md5: 2344098c7fa4f859be1426ce2ad7ae8e
sha1: e7f194d8757c6fa722158ed1720f94b7479455ff
sha256: 44332953b819aac9ffcc2c7cfef3809e2914059c64d6538cf8109236bd6f5c0f
sha512: fc9a4d840202d8a878fbb1b46e3a4754401ffaa0b33683168fff7d853edf0cb06ff9d44323eaa1b62ceb9b6b38d56ad020b801d78820ebe5dc4277f5edaf48b8
ssdeep: 3072:FoUyOczgSLpSBG+ldH4aHtqWu3usOKrWjE9DvsfsBQ8uudc3bnBrkEvQ9BRZdgrP:MbzgeABVR4ZZiagiEUBQ8uumBpaerk6
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T1AE24AF46E64B0062F2158830999D76F49BBA6C37370F9F3FFB94ED0E24B56901D6027A
sha3_384: 1b330c7081f8964e4d71ac1bba47c93ae7094517797b42758105493225b68d2ee1c97ae6b38e9fc955845dd961de572f
ep_bytes: 556aff8bec6808e640006890b3400064
timestamp: 2016-11-10 18:59:09

Version Info:

CompanyName:
FileDescription: 通信 Microsoft 基础类应用程序
FileVersion: 1, 0, 0, 1
InternalName: 通信
LegalCopyright: 版权所有 (C) 2005
LegalTrademarks:
OriginalFilename: 通信.EXE
ProductName: 通信 应用程序
ProductVersion: 1, 0, 0, 1
Translation: 0x0804 0x04b0

Win32/Injector.DIQE also known as:

Bkav: W32.AIDetect.malware2
Lionic: Trojan.Win32.NeutrinoPOS.7!c
Elastic: malicious (high confidence)
CAT-QuickHeal: Ransom.Crowti.A6
ALYac: Trojan.Banker.NeutrinoPOS
Cylance: Unsafe
K7AntiVirus: Trojan ( 0055e3991 )
K7GW: Trojan ( 0055e3991 )
Cybereason: malicious.8757c6
BitDefenderTheta: Gen:NN.ZexaF.34062.nq3@a415upgb
Symantec: ML.Attribute.HighConfidence
ESET-NOD32: a variant of Win32/Injector.DIQE
APEX: Malicious
Paloalto: generic.ml
ClamAV: Win.Malware.AppWizard-9887282-1
Kaspersky: Trojan-Banker.Win32.NeutrinoPOS.bw
NANO-Antivirus: Trojan.Win32.NeutrinoPOS.erxzsw
Tencent: Malware.Win32.Gencirc.11497119
Sophos: Mal/Generic-S
Comodo: Malware@#2enbzwfvffcrg
F-Secure: Heuristic.HEUR/AGEN.1117937
DrWeb: Trojan.DownLoad3.45543
VIPRE: Trojan.Win32.Generic!BT
McAfee-GW-Edition: Trojan-FMSH!2344098C7FA4
FireEye: Generic.mg.2344098c7fa4f859
SentinelOne: Static AI – Malicious PE
Jiangmin: Trojan.Banker.NeutrinoPOS.ln
eGambit: Unsafe.AI_Score_99%
Avira: HEUR/AGEN.1117937
MAX: malware (ai score=99)
Antiy-AVL: Trojan/Generic.ASMalwS.1D40CFA
Microsoft: PWS:Win32/Zbot!ml
Cynet: Malicious (score: 100)
AhnLab-V3: Trojan/Win32.RL_NeutrinoPOS.R283749
McAfee: Trojan-FMSH!2344098C7FA4
VBA32: Trojan-Banker.NeutrinoPOS
Malwarebytes: Malware.AI.3632202699
Rising: Trojan.Generic@ML.93 (RDML:REauSEkV0w8gRum8Z2A9FA)
Yandex: Trojan.GenAsa!hlYgCvZKuLM
Ikarus: Trojan.Win32.Injector
Fortinet: W32/Generic.AP.5F654!tr
AVG: Win32:Filecoder-AE [Trj]
Avast: Win32:Filecoder-AE [Trj]
CrowdStrike: win/malicious_confidence_100% (D)

How to remove Win32/Injector.DIQE?

Win32/Injector.DIQE removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • Choose “Move to quarantine” for all detected items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the appropriate browser and options, then click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.
