HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Mikey.10993 (B) (Emsisoft), Gen:Variant.Mikey.10993 (AdAware), Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR (Lavasoft MAS)Behaviour: Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: c3199e60629cd96f407f1f0d229eef5a
SHA1: 75aa95693e365af66c91f0eb895db157bfdff0bf
SHA256: c17cd8e44647cf7aa14365011a21c2025dfcc9c2fbb3f11180ac83aa362ea983
SSDeep: 12288:lojzoucNj2BOQoh9/iEK8eKisrgr/G4F2Q2QajqB7IrGbEo1s:lojuNj2BOQoh9aEK8lrgbJFqQajXrGbS
Size: 610304 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: ICorporation
Created at: 2014-04-28 17:25:42
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):No processes have been created.The Trojan injects its code into the following process(es):
%original file name%.exe:1332
Mutexes
The following mutexes were created/opened:
CTF.TMD.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.Layouts.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.Asm.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.Compart.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.LBES.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003ZonesLockedCacheCounterMutexZonesCacheCounterMutexZonesCounterMutexWininetProxyRegistryMutexWininetConnectionMutexWininetStartupMutexc:!documents and settings!adm!local settings!history!history.ie5!c:!documents and settings!adm!cookies!c:!documents and settings!adm!local settings!temporary internet files!content.ie5!_!MSFTHISTORY!_RasPbFileShimCacheMutex
File activity
The process %original file name%.exe:1332 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\qlogin[1].htm (897 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\xui[1].js (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\icons[1].gif (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
Registry activity
The process %original file name%.exe:1332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 48 09 44 BE 2A 9C 87 EC 42 52 F8 6C 8E AD F2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\qlogin[1].htm (897 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\xui[1].js (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\icons[1].gif (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: Language Neutral
Company Name: Product Name: ?????Product Version: 1.0.0.0Legal Copyright: ?????? ????????Legal Trademarks: Original Filename: Internal Name: File Version: 1.0.0.0File Description: ?????Comments: ??????????(http://www.eyuyan.com)Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.data | 4096 | 437552 | 438272 | 5.16794 | 99dff01e7ff4629b1b39e81ff4afed30 |
.rdata | 442368 | 68046 | 69632 | 2.89351 | 920285cabfd0600f3b8249d93ef5bc0b |
.data | 512000 | 187496 | 61440 | 4.25007 | 43752c00e6af341d9d023c4dd0ae3fab |
.rsrc | 700416 | 33500 | 36864 | 3.59791 | 0ef646c3c025eb989e2cac38f8147249 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://ui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=0&jumpname=&ptcss=¶m=u1%3Dhttp%253A%252F%252Fwww.qq.com%252Fqq2012%252FloginSuccess.htm&css=&mibao_css=&low_login=0 | |
hxxp://imgcache.qq.com.cdngc.net/ptlogin/ver/10159/js/xui.js?v=10007 | 174.35.71.28 |
hxxp://imgcache.qq.com.cdngc.net/ptlogin/v4/style/0/images/icons.gif | 174.35.71.28 |
hxxp://imgcache.qq.com/ptlogin/ver/10159/js/xui.js?v=10007 | 174.35.71.28 |
hxxp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=0&jumpname=&ptcss=¶m=u1%3Dhttp%253A%252F%252Fwww.qq.com%252Fqq2012%252FloginSuccess.htm&css=&mibao_css=&low_login=0 | 163.177.72.188 |
hxxp://imgcache.qq.com/ptlogin/v4/style/0/images/icons.gif | 174.35.71.28 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /ptlogin/ver/10159/js/xui.js?v=10007 HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=0&jumpname=&ptcss=¶m=u1%3Dhttp%253A%252F%252FVVV.qq.com%252Fqq2012%252FloginSuccess.htm&css=&mibao_css=&low_login=0
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 31 May 2016 21:02:06 GMT
Server: PWS/8.1.36.0005
X-Px: ms h0-s1210.p11-fra ( h0-s1214.p11-fra), rf-ht h0-s1214.p11-fra ( h0-s1022.p7-icn), ht h0-s1022.p7-icn.cdngp.net
ETag: "574d2c38-21f8"
Cache-Control: max-age=600
Expires: Tue, 31 May 2016 21:07:31 GMT
Age: 276
Content-Length: 3459
Content-Type: application/x-javascript
Content-Encoding: gzip
Vary: Accept-Encoding
Last-Modified: Tue, 31 May 2016 06:16:24 GMT
Connection: keep-alive
....8,MW...Z.w.... X....,..i..qR'..........#.....w........O.i.#''.F..43..4.2.m.......s.D...E`'....0q.2..n}....2..E.g..oD$G.....=.Ca..w.j..M...F5F@.-..v...O\...z.@...f...]R.m6.....zr~u.K.8}wv.K....H5........LWj...X.\..=5.>:...:9$....S......?V.*v.....vG...`.{..t...v.....<.".N.:.(.b.G....:....:..g.............1...r.......9H..cT.._.....Z.n.p.....&...8t.0P......C....LN........._..;G.j.@s...15q.K...9......._...^....Fdbq.LI..na...p......X...F.r.....2...6.q..8..H.B....;j .......-.....fs.j.Q .......?..Kb&H........>h.|.......e>...*...H..J<.E?..Uv.,.@77W.O...C.]O...,.....Co.,.z.1*..W....j..J.\..s=...`.....*.../Dma.....t.p.0...~......1$m3...;F~>n&_f?_\}<..]^..._.&>..T.<..".S....b.......;...f...IL..E.Q...U>..P..iZ..B*V....V..../....|....&......|.....)........[l..!..N..........R=. dZ.X...x........_,...!."t.~_...-.....g!....1..S.#..J.~...p .q..q...
GET /ptlogin/v4/style/0/images/icons.gif HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=0&jumpname=&ptcss=¶m=u1%3Dhttp%253A%252F%252FVVV.qq.com%252Fqq2012%252FloginSuccess.htm&css=&mibao_css=&low_login=0
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 31 May 2016 21:02:06 GMT
Server: PWS/8.1.36.0005
X-Px: ms h0-s1210.p11-fra ( h0-s1214.p11-fra), ht h0-s1214.p11-fra.cdngp.net
ETag: "5506987c-1ede"
Cache-Control: max-age=7200
Expires: Tue, 31 May 2016 22:03:54 GMT
Age: 3492
Content-Length: 7902
Content-Type: image/gif
Last-Modified: Mon, 16 Mar 2015 08:46:52 GMT
Connection: keep-alive
GIF89as.r.................................................^....A...................! ............B.....}....................1)-t....................j...........................................................c..>..p[E............z...........q.....u.....j.........................................Z.................b..................................................^................................!.......,....s.r.....'..........X......'...............................X.............................X......................................)....Fz%.K.1.......*\......#J.H.....3".........I.....'K.S..e..0..\).&..-m...RgO.3w..94(..F..T.t...P.J.J.*..X...*....%Fr.K....h..].....p....KWn..x....p...'..\....... ^......#K.L.....3C..w..................@...c.....k..g....v.......|....q ..{.....K...te...k..0...'....F......_.........O..............z....B.Y_:.....6.........ZP...b(a..n.!......!.8..".h..(..b.0....2.x..8....;>...@.._.D.i...&i`..q.1..PF)..P>Y..Db...\....^....Y.Y&.[..&._....o....r....l.y..|......J....j(.5$...p\..gIzV..p.....f....v.....*....j.............".....j..<........... ....k...&....6...MD m...X...8....L.....;m.........n....n........ko...................0..$....7....G,....`...< ........C ...$.l.....2.*[.2./.... ..2.7..3.;.,..<....=.-t.H..t.L....PG-..TS...Xg...(t.5...$.....I......_....p{..._....(..w.|....}..w...>.............G....W....d....w.y......].`..80 6.............n............../....o|..$..........Q..U...GF0....w...../.....o.............3 ....a..X.!A!K.....0...@......L......:......'H..Z.......
<<< skipped >>>
GET /cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=0&jumpname=&ptcss=¶m=u1%3Dhttp%253A%252F%252FVVV.qq.com%252Fqq2012%252FloginSuccess.htm&css=&mibao_css=&low_login=0 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: xui.ptlogin2.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 31 May 2016 21:01:59 GMT
Content-Type: text/html
Content-Length: 5460
Connection: keep-alive
Server: QZHTTP-2.38.20
P3P: CP="CAO PSA OUR"
Cache-Control: max-age=604800
Set-Cookie: pt_local_token=708669680; PATH=/; DOMAIN=ptlogin2.qq.com;
Last-Modified: Thu, 08 Mar 2012 02:04:00 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="hXXp://VVV.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><style type="text/css">u{text-decoration:none}body{font-family:Tahoma,Verdana,Arial,......;font-size:12px;margin:0}.clear{clear:both;font-size:0;line-height:0;height:0}#login{margin:0 auto;float:none;width:320px;padding:0 0 10px 50px}.linemid{padding:10px 8px 0 30px;color:gray}.btn_select,.btn_gray{border:0;color:#2473a2;width:103px;height:28px;padding-left:2px;cursor:pointer;font-weight:bold;font-size:14px}.btn_select{background:url(hXXp://imgcache.qq.com/ptlogin/v4/style/0/images/icons.gif) no-repeat -102px -130px}.btn_gray{background:url(hXXp://imgcache.qq.com/ptlogin/v4/style/0/images/icons.gif) no-repeat -102px -225px}#login #list_uin img{padding:7px;background:url(hXXp://imgcache.qq.com/ptlogin/v4/style/0/images/icons.gif) no-repeat 0 -329px}#list_uin li{list-style:none;padding:0 0 0 28px; padding-left:12px;width:270px;word-wrap:break-word;min-height:20px;clear:both}#list_uin li input{float:left;margin-bottom:5px;width:20px}#list_uin label{margin:2px 0 0 4px;float:left;width:220px}#login p{padding:8px 15px 12px 32px;margin:0;font-size:12px;color:#535353}.x_lowLogin{padding:10px 0 0 28px;display:none}</style><script>var g_begTime=new Date();..(function(){...window.onerror = function(msg,url,line){....var reportUrl = location.protoco
<<< skipped >>>
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
%original file name%.exe_1332:
.data
.data
.rdata
.rdata
@.data
@.data
.rsrc
.rsrc
t$(SSh
t$(SSh
~%UVW
~%UVW
u$SShe
u$SShe
.gy;}
.gy;}
atl.dll
atl.dll
13348808547@163.com
13348808547@163.com
smtp.163.com
smtp.163.com
2060576533@qq.com
2060576533@qq.com
284874056@qq.com
284874056@qq.com
hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=0&jumpname=&ptcss=¶m=u1%3Dhttp%253A%252F%252FVVV.qq.com%252Fqq2012%252FloginSuccess.htm&css=&mibao_css=&low_login=0
hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=0&jumpname=&ptcss=¶m=u1%3Dhttp%253A%252F%252FVVV.qq.com%252Fqq2012%252FloginSuccess.htm&css=&mibao_css=&low_login=0
javascript:for(var C=0;C
javascript:for(var C=0;C
F%*.*f
F%*.*f
CNotSupportedException
CNotSupportedException
commctrl_DragListMsg
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
Afx:%x:%x
COMCTL32.DLL
COMCTL32.DLL
CCmdTarget
CCmdTarget
__MSVCRT_HEAP_SELECT
__MSVCRT_HEAP_SELECT
user32.dll
user32.dll
RASAPI32.dll
RASAPI32.dll
GetProcessHeap
GetProcessHeap
WinExec
WinExec
KERNEL32.dll
KERNEL32.dll
GetKeyState
GetKeyState
USER32.dll
USER32.dll
GetViewportOrgEx
GetViewportOrgEx
GDI32.dll
GDI32.dll
WINMM.dll
WINMM.dll
WINSPOOL.DRV
WINSPOOL.DRV
RegCloseKey
RegCloseKey
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
COMCTL32.dll
COMCTL32.dll
WS2_32.dll
WS2_32.dll
WININET.dll
WININET.dll
GetCPInfo
GetCPInfo
CreateDialogIndirectParamA
CreateDialogIndirectParamA
UnhookWindowsHookEx
UnhookWindowsHookEx
SetWindowsHookExA
SetWindowsHookExA
SetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
SetViewportExtEx
ScaleViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GetViewportExtEx
comdlg32.dll
comdlg32.dll
RegCreateKeyExA
RegCreateKeyExA
.PAVCException@@
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.prn)|*.prn|
(*.*)|*.*||
(*.*)|*.*||
Shell32.dll
Shell32.dll
Mpr.dll
Mpr.dll
Advapi32.dll
Advapi32.dll
User32.dll
User32.dll
Gdi32.dll
Gdi32.dll
Kernel32.dll
Kernel32.dll
(&07-034/)7 '
(&07-034/)7 '
?? / %d]
?? / %d]
%d / %d]
%d / %d]
: %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
(*.CUR)|*.CUR|
%s:%d
%s:%d
windows
windows
out.prn
out.prn
%d.%d
%d.%d
%d / %d
%d / %d
%d/%d
%d/%d
Bogus message code %d
Bogus message code %d
(%d-%d):
(%d-%d):
%ld%c
%ld%c
%s
%s
Reply-To: %s
Reply-To: %s
From: %s
From: %s
To: %s
To: %s
Subject: %s
Subject: %s
Date: %s
Date: %s
Cc: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
%a, %d %b %Y %H:%M:%S
HELO %s
HELO %s
SMTP
SMTP
AUTH LOGIN
AUTH LOGIN
LOGIN
LOGIN
AUTH=LOGIN
AUTH=LOGIN
EHLO %s
EHLO %s
Content-Type: application/octet-stream; name=%s
Content-Type: application/octet-stream; name=%s
Content-Disposition: attachment; filename=%s
Content-Disposition: attachment; filename=%s
MAIL FROM:
MAIL FROM:
RCPT TO:
RCPT TO:
.PAVCObject@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCResourceException@@
.PAVCUserException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
.PAVCArchiveException@@
zcÃ
zcÃ
c:\%original file name%.exe
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
#include "l.chs\afxres.rc" // Standard components
(*.*)
(*.*)
1.0.0.0
1.0.0.0
(hXXp://VVV.eyuyan.com)
(hXXp://VVV.eyuyan.com)
%original file name%.exe_1332_rwx_00401000_0006B000:
t$(SSh
t$(SSh
~%UVW
~%UVW
u$SShe
u$SShe
.gy;}
.gy;}