Skip to main content

Trojan.Generic.8879933_087e362346


Trojan.Win32.Agentb.htu (Kaspersky), Trojan.Generic.8879933 (B) (Emsisoft), Trojan.Generic.8879933 (AdAware), Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericInjector.YR, GenericPhysicalDrive0.YR, TrojanFlyStudio.YR (Lavasoft MAS)Behaviour: Trojan, Worm, EmailWorm

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 087e3623466ba1a66dea97260b7e573f

SHA1: c047c21293c72c541f3484e56a26abb1d322448a

SHA256: 29db62116d6be7a5aa642e5800e4f46ca76b05797c0c354247381c44730cc726

SSDeep: 49152:6zG1BqCBGJdodXAGRe5CFHRoHgmAZf1Nk:DBIKRAGRe5K2UZw

Size: 3350576 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171

Company: Xacti, LLC

Created at: 2012-02-09 00:09:46

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

Behaviour Description
EmailWormWorm can send e-mails.


Process activity

The Trojan creates the following process(es):

%original file name%.exe:560

The Trojan injects its code into the following process(es):

cb2da.exe:1116

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:560 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\ÅäÖÃ\cb2da.exe (22433 bytes)

The process cb2da.exe:1116 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\ÅäÖÃ\¹ýÇÅ·Ïß(´Ó½ø´¬Ò»Ö±µ½ÏÂÆÂÉÏÃæµÄÄã²»ÐèÒª¶¯Ö»ÐèÒª´Ó×îºóÔÙ¼Ó×ø±ê¾Í¿ÉÒÔÁË).txt (166 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
C:\ÅäÖÃ\±ù»ðµºÐòÕÂËùÐè²ÄÁÏÒ»ÀÀ.txt (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ip138[1].txt (209 bytes)
C:\ÅäÖÃ\¹ýÂËÓë³öÊÛ.txt (2 bytes)

The Trojan deletes the following file(s):

C:\ÅäÖÃ\cb2da.exe (0 bytes)

Registry activity

The process %original file name%.exe:560 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC 08 31 AD 8F 6A 43 D5 76 62 21 5B A0 59 E5 0D"

The process cb2da.exe:1116 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 11 89 78 81 18 7E CA 46 A6 7C 0B 57 FD 2C 04"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
a6aaad773aad9d4706c720ef41864f67c:\ÅäÖÃ\cb2da.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:560

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\ÅäÖÃ\cb2da.exe (22433 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    C:\ÅäÖÃ\¹ýÇÅ·Ïß(´Ó½ø´¬Ò»Ö±µ½ÏÂÆÂÉÏÃæµÄÄã²»ÐèÒª¶¯Ö»ÐèÒª´Ó×îºóÔÙ¼Ó×ø±ê¾Í¿ÉÒÔÁË).txt (166 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
    C:\ÅäÖÃ\±ù»ðµºÐòÕÂËùÐè²ÄÁÏÒ»ÀÀ.txt (1 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@ip138[1].txt (209 bytes)
    C:\ÅäÖÃ\¹ýÂËÓë³öÊÛ.txt (2 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: Language Neutral

Company Name: Product Name: ?????Product Version: 1.0.0.0Legal Copyright: ?????? ????????Legal Trademarks: Original Filename: Internal Name: File Version: 1.0.0.0File Description: ?????Comments: ??????????(http://www.eyuyan.com)Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
CODE4096819281923.72406579a2e6bfdd7b549dfb1d71f9fa16911
.text12288202231420234244.4819496f01445a0c028f2c988f638925b25e3
.rdata20357124535304546563.06415b90a32af6c79cfdae5ed7bba579eb329
.data249036812964828273923.87079f8dc20b7142a6628894a65ccb970940d
.rsrc378880029596327683.257642e18d322da9fcc3e4b9987bda8597b4f

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 7
48a9251902677a0bbe667458e3065288
d920debbd516a57a81643d71e2b0bfd5
cdb46da6ea297a66555760807fda2dc2
a99211ba9da9623e76757a69a4903462
da9311605c4fcb9d0b3055cfab5a8ce0
dfbda9820dc6e174a1c36040d1993970
1dc9a686d83a8a8c21389f717dd2a612

Network Activity

URLs

URL IP
hxxp://yd.ecoma.ourwebpic.com/ips8.asp
hxxp://city.ip138.com.cname.yunjiasu-cdn.net/ips8.htm162.159.210.67
hxxp://city.ip138.com/ips8.htm162.159.210.67
hxxp://www.ip138.com/ips8.asp87.245.198.83

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /ips8.htm HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: city.ip138.com

Cache-Control: no-cache

Connection: Keep-Alive

HTTP/1.1 503 Service Temporarily Unavailable

Date: Wed, 25 May 2016 00:38:02 GMT

Content-Type: text/html; charset=UTF-8

Transfer-Encoding: chunked

Connection: close

Set-Cookie: __cfduid=d9721cbbb4819680dd69c38121d7f4bf01464136682; expires=Thu, 25-May-17 00:38:02 GMT; path=/; domain=.ip138.com; HttpOnly

X-Frame-Options: SAMEORIGIN

Refresh: 8;URL=/cdn-cgi/l/chk_jschl?pass=1464136686.556-xF754MqOep

Cache-Control: no-cache

Server: yunjiasu-nginx

CF-RAY: 2a84ec19ff0c3702-ARN

c0a..<!DOCTYPE HTML>.<html lang="en-US">.<head>. <meta charset="UTF-8" />. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />. <meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />. <meta name="robots" content="noindex, nofollow" />. <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1" />. <title>..................</ti..

GET /ips8.asp HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.ip138.com

Cache-Control: no-cache

HTTP/1.0 302 Moved Temporarily

Server: Cdn Cache Server V2.0

Date: Wed, 25 May 2016 00:38:02 GMT

Content-Length: 0

Location: hXXp://city.ip138.com/ips8.htm

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

cb2da.exe_1116:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

{82B46959-3065-46a0-8340-3BB58B77A259}

{82B46959-3065-46a0-8340-3BB58B77A259}

bywayboy@gmail.com

bywayboy@gmail.com

hXXp://VVV.ecodeproject.cn/bbs

hXXp://VVV.ecodeproject.cn/bbs

:16882569

:16882569

kernel32.dll

kernel32.dll

ole32.dll

ole32.dll

msvcrt.dll

msvcrt.dll

fne.dll

fne.dll

t%SVh

t%SVh

t$(SSh

t$(SSh

~%UVW

~%UVW

.tTPV

.tTPV

FTPjK

FTPjK

FtPj;

FtPj;

F.PjRWj

F.PjRWj

u.WWj

u.WWj

u.VVj

u.VVj

u$SShe

u$SShe

ntdll.dll

ntdll.dll

IPHLPAPI.DLL

IPHLPAPI.DLL

advapi32.dll

advapi32.dll

shlwapi.dll

shlwapi.dll

user32.dll

user32.dll

EnumWindows

EnumWindows

UnregisterHotKey

UnregisterHotKey

RegisterHotKey

RegisterHotKey

{86AB1D8A-7995-4D86-AE5F-18710759228B}

{86AB1D8A-7995-4D86-AE5F-18710759228B}

MySQL

MySQL

N@C:\ks77.ini

N@C:\ks77.ini

\\.\PhysicalDrive0

\\.\PhysicalDrive0

X-X-X-X-X-X

X-X-X-X-X-X

@*.exe

@*.exe

hXXp://VVV.ip138.com/ips8.asp

hXXp://VVV.ip138.com/ips8.asp

smtp.163.com

smtp.163.com

wys810320@163.com

wys810320@163.com

zbxxsm@126.com

zbxxsm@126.com

Report

Report

).txt

).txt

-127 20\

-127 20\

checkkey:

checkkey:

80818283

80818283

xmlhttp

xmlhttp

1970-1-1-00-00-01

1970-1-1-00-00-01

00000000

00000000

88 05 00 00

88 05 00 00

87 05 00 00

87 05 00 00

89 05 00 00

89 05 00 00

(*.txt)|*.txt|

(*.txt)|*.txt|

(*.*)|*.*

(*.*)|*.*

elementclient.exe

elementclient.exe

*.txt

*.txt

,125-126

,125-126

,127-130

,127-130

127.0.0.1

127.0.0.1

21000701

21000701

I%.D_ac

I%.D_ac

.adz||~

.adz||~

.cdz||~

.cdz||~

pB))@AC.TJ

pB))@AC.TJ

1970-01-01 08:00:00

1970-01-01 08:00:00

1970-01-01 00:00:00

1970-01-01 00:00:00

login

login

(elementclient.exe)|*.exe

(elementclient.exe)|*.exe

(*.exe)|*.exe|

(*.exe)|*.exe|

40 41 17 17 20

40 41 17 17 20

023100023100

023100023100

383 -114

383 -114

382 -199

382 -199

402 -199

402 -199

402 -270

402 -270

398 -288

398 -288

407 -316

407 -316

393 -317

393 -317

9 10 11 12

9 10 11 12

13 14 15

13 14 15

\MicroSu.dll

\MicroSu.dll

`.data

`.data

@.reloc

@.reloc

MSVBVM60.DLL

MSVBVM60.DLL

%System%\MSVBVM60.DLL\3

%System%\MSVBVM60.DLL\3

LogIn

LogIn

LogInEx

LogInEx

KeyCheck

KeyCheck

KeyEndDate

KeyEndDate

KeyAdd

KeyAdd

KeyMod

KeyMod

KeyDel

KeyDel

winmm.dll

winmm.dll

GdiplusShutdown

GdiplusShutdown

VBA6.DLL

VBA6.DLL

D:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB

D:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB

password

password

MicroSu.dll

MicroSu.dll

stdole2.tlbWWW

stdole2.tlbWWW

%SendGifW

%SendGifW

ReportWW

ReportWW

KLogInWWW

KLogInWWW

ULogInExW

ULogInExW

KeyEndDateWW

KeyEndDateWW

KeyAddWW

KeyAddWW

4KeyModWW

4KeyModWW

KeyDelWW

KeyDelWW

urlW

urlW

4,5054585

4,5054585

regsvr32 /s MicroSu.dll

regsvr32 /s MicroSu.dll

MicroSu.Reply

MicroSu.Reply

66000001

66000001

21000001

21000001

49430000

49430000

85050000

85050000

160004000000

160004000000

160062000000

160062000000

160002000000

160002000000

16 00 04 00 00 00

16 00 04 00 00 00

160030000000

160030000000

160032000000

160032000000

160033000000

160033000000

160036000000

160036000000

-237.982 47.8555

-237.982 47.8555

404 -297

404 -297

417 -295

417 -295

400 -294

400 -294

400 -198

400 -198

383 -198

383 -198

160030020000

160030020000

160038020000

160038020000

160039020000

160039020000

160068030000

160068030000

160070030000

160070030000

160069030000

160069030000

160075030000

160075030000

160074030000

160074030000

160077030000

160077030000

LOGIN

LOGIN

(*.mp3)|*.mp3

(*.mp3)|*.mp3

(7),01444

(7),01444

'9=82<.342>

'9=82<.342>

(elementclient.exe)|elementclient.exe

(elementclient.exe)|elementclient.exe

2011:03:31 03:05:53

2011:03:31 03:05:53

192.168.1.100

192.168.1.100

1.2.18

1.2.18

inflate 1.1.3 Copyright 1995-1998 Mark Adler

inflate 1.1.3 Copyright 1995-1998 Mark Adler

?%*.*f

?%*.*f

CNotSupportedException

CNotSupportedException

commctrl_DragListMsg

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

Afx:%x:%x

COMCTL32.DLL

COMCTL32.DLL

CCmdTarget

CCmdTarget

MSWHEEL_ROLLMSG

MSWHEEL_ROLLMSG

__MSVCRT_HEAP_SELECT

__MSVCRT_HEAP_SELECT

portuguese-brazilian

portuguese-brazilian

deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly

deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly

inflate 1.1.4 Copyright 1995-2002 Mark Adler

inflate 1.1.4 Copyright 1995-2002 Mark Adler

MSVFW32.dll

MSVFW32.dll

AVIFIL32.dll

AVIFIL32.dll

iphlpapi.dll

iphlpapi.dll

SHLWAPI.dll

SHLWAPI.dll

MPR.dll

MPR.dll

WINMM.dll

WINMM.dll

WS2_32.dll

WS2_32.dll

VERSION.dll

VERSION.dll

RASAPI32.dll

RASAPI32.dll

GetProcessHeap

GetProcessHeap

WinExec

WinExec

GetWindowsDirectoryA

GetWindowsDirectoryA

GetCPInfo

GetCPInfo

SetNamedPipeHandleState

SetNamedPipeHandleState

WaitNamedPipeA

WaitNamedPipeA

KERNEL32.DLL

KERNEL32.DLL

GetKeyState

GetKeyState

EnumChildWindows

EnumChildWindows

CreateDialogIndirectParamA

CreateDialogIndirectParamA

UnhookWindowsHookEx

UnhookWindowsHookEx

SetWindowsHookExA

SetWindowsHookExA

USER32.dll

USER32.dll

GetViewportOrgEx

GetViewportOrgEx

SetViewportOrgEx

SetViewportOrgEx

OffsetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

SetViewportExtEx

ScaleViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

GetViewportExtEx

GDI32.dll

GDI32.dll

WINSPOOL.DRV

WINSPOOL.DRV

comdlg32.dll

comdlg32.dll

RegCloseKey

RegCloseKey

RegOpenKeyExA

RegOpenKeyExA

RegCreateKeyExA

RegCreateKeyExA

ADVAPI32.dll

ADVAPI32.dll

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

OLEAUT32.dll

OLEAUT32.dll

COMCTL32.dll

COMCTL32.dll

WSOCK32.dll

WSOCK32.dll

HttpQueryInfoA

HttpQueryInfoA

HttpSendRequestA

HttpSendRequestA

HttpOpenRequestA

HttpOpenRequestA

InternetCrackUrlA

InternetCrackUrlA

InternetCanonicalizeUrlA

InternetCanonicalizeUrlA

WININET.dll

WININET.dll

%x.tmp

%x.tmp

.PAVCException@@

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.prn)|*.prn|

(*.*)|*.*||

(*.*)|*.*||

Shell32.dll

Shell32.dll

Mpr.dll

Mpr.dll

Advapi32.dll

Advapi32.dll

User32.dll

User32.dll

Gdi32.dll

Gdi32.dll

Kernel32.dll

Kernel32.dll

(&07-034/)7 '

(&07-034/)7 '

?? / %d]

?? / %d]

%d / %d]

%d / %d]

: %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.txt)|*.txt|

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

(*.CUR)|*.CUR|

%s:%d

%s:%d

windows

windows

out.prn

out.prn

%d.%d

%d.%d

%d / %d

%d / %d

%d/%d

%d/%d

Bogus message code %d

Bogus message code %d

(%d-%d):

(%d-%d):

%ld%c

%ld%c

(*.avi)|*.avi

(*.avi)|*.avi

%d.%d.%d.%d

%d.%d.%d.%d

WPFT532.CNV

WPFT532.CNV

WPFT632.CNV

WPFT632.CNV

EXCEL32.CNV

EXCEL32.CNV

write32.wpc

write32.wpc

Windows Write

Windows Write

mswrd632.wpc

mswrd632.wpc

Word for Windows 6.0

Word for Windows 6.0

wword5.cnv

wword5.cnv

Word for Windows 5.0

Word for Windows 5.0

mswrd832.cnv

mswrd832.cnv

mswrd632.cnv

mswrd632.cnv

Word 6.0/95 for Windows & Macintosh

Word 6.0/95 for Windows & Macintosh

html32.cnv

html32.cnv

TrayIcon event: %x

TrayIcon event: %x

1.1.3

1.1.3

;3 #>6.&

;3 #>6.&

'2, / 0&7!4-)1#

'2, / 0&7!4-)1#

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

HTTP/1.0

%s

%s

Reply-To: %s

Reply-To: %s

From: %s

From: %s

To: %s

To: %s

Subject: %s

Subject: %s

Date: %s

Date: %s

Cc: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

%a, %d %b %Y %H:%M:%S

HELO %s

HELO %s

SMTP

SMTP

AUTH LOGIN

AUTH LOGIN

AUTH=LOGIN

AUTH=LOGIN

EHLO %s

EHLO %s

Content-Type: application/octet-stream; name=%s

Content-Type: application/octet-stream; name=%s

Content-Disposition: attachment; filename=%s

Content-Disposition: attachment; filename=%s

MAIL FROM:

MAIL FROM:

RCPT TO:

RCPT TO:

.PAVCObject@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCResourceException@@

.PAVCUserException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

.PAVCArchiveException@@

zcÁ

zcÁ

PIPE

PIPE

ssl-cert

ssl-cert

ssl-key

ssl-key

pipe

pipe

port

port

MYSQL

MYSQL

\\%s\pipe\%s

\\%s\pipe\%s

Unknown option to protocol: %s

Unknown option to protocol: %s

d:t:o,/tmp/client.trace

d:t:o,/tmp/client.trace

MYSQL_PWD

MYSQL_PWD

Windows_NT

Windows_NT

MYSQL_UNIX_PORT

MYSQL_UNIX_PORT

MYSQL_TCP_PORT

MYSQL_TCP_PORT

mysql

mysql

Connection using old (pre 4.1.1) authentication protocol refused (client option 'secure_auth' enabled)

Connection using old (pre 4.1.1) authentication protocol refused (client option 'secure_auth' enabled)

Can't open shared memory. %s event don't create for client (%lu)

Can't open shared memory. %s event don't create for client (%lu)

Using unsupported buffer type: %d (parameter: %d)

Using unsupported buffer type: %d (parameter: %d)

Can't send long data for non string or binary data types (parameter: %d)

Can't send long data for non string or binary data types (parameter: %d)

Can't set state of named pipe to host: %-.64s pipe: %-.32s (%lu)

Can't set state of named pipe to host: %-.64s pipe: %-.32s (%lu)

Can't open named pipe to host: %-.64s pipe: %-.32s (%lu)

Can't open named pipe to host: %-.64s pipe: %-.32s (%lu)

Can't wait for named pipe to host: %-.64s pipe: %-.32s (%lu)

Can't wait for named pipe to host: %-.64s pipe: %-.32s (%lu)

%-.100s via named pipe

%-.100s via named pipe

Lost connection to MySQL server during query

Lost connection to MySQL server during query

%-.100s via TCP/IP

%-.100s via TCP/IP

MySQL client run out of memory

MySQL client run out of memory

Protocol mismatch. Server Version = %d Client Version = %d

Protocol mismatch. Server Version = %d Client Version = %d

MySQL server has gone away

MySQL server has gone away

Unknown MySQL Server Host '%-.100s' (%d)

Unknown MySQL Server Host '%-.100s' (%d)

Can't create TCP/IP socket (%d)

Can't create TCP/IP socket (%d)

Can't connect to MySQL server on '%-.100s' (%d)

Can't connect to MySQL server on '%-.100s' (%d)

Can't connect to local MySQL server through socket '%-.100s' (%d)

Can't connect to local MySQL server through socket '%-.100s' (%d)

Can't create UNIX socket (%d)

Can't create UNIX socket (%d)

Unknown MySQL error

Unknown MySQL error

TCP/IP (%d)

TCP/IP (%d)

socket (%d)

socket (%d)

named pipe

named pipe

%s would have been started with the following arguments:

%s would have been started with the following arguments:

error: Found option without preceding group in config file: %s at line: %d

error: Found option without preceding group in config file: %s at line: %d

error: Wrong group definition in config file: %s at line %d

error: Wrong group definition in config file: %s at line %d

C:/mysql/

C:/mysql/

Index.xml

Index.xml

Software\MySQL

Software\MySQL

HAVE_TCPIP

HAVE_TCPIP

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Can't initialize threads: error %d

Can't initialize threads: error %d

Can't sync file '%s' to disk (Errcode: %d)

Can't sync file '%s' to disk (Errcode: %d)

Error on realpath() on '%s' (Error %d)

Error on realpath() on '%s' (Error %d)

Can't create symlink '%s' pointing at '%s' (Error %d)

Can't create symlink '%s' pointing at '%s' (Error %d)

Can't read value for symlink '%s' (Error %d)

Can't read value for symlink '%s' (Error %d)

Out of resources when opening file '%s' (Errcode: %d)

Out of resources when opening file '%s' (Errcode: %d)

Character set '%s' is not a compiled character set and is not specified in the '%s' file

Character set '%s' is not a compiled character set and is not specified in the '%s' file

Can't create directory '%s' (Errcode: %d)

Can't create directory '%s' (Errcode: %d)

Disk is full writing '%s'. Waiting for someone to free space...

Disk is full writing '%s'. Waiting for someone to free space...

%d files and %d streams is left open

%d files and %d streams is left open

Warning: '%s' had %d links

Warning: '%s' had %d links

Can't change dir to '%s' (Errcode: %d)

Can't change dir to '%s' (Errcode: %d)

Can't get working dirctory (Errcode: %d)

Can't get working dirctory (Errcode: %d)

Can't open stream from handle (Errcode: %d)

Can't open stream from handle (Errcode: %d)

Can't change size of file (Errcode: %d)

Can't change size of file (Errcode: %d)

Can't get stat of '%s' (Errcode: %d)

Can't get stat of '%s' (Errcode: %d)

Can't read dir of '%s' (Errcode: %d)

Can't read dir of '%s' (Errcode: %d)

Can't unlock file (Errcode: %d)

Can't unlock file (Errcode: %d)

Can't lock file (Errcode: %d)

Can't lock file (Errcode: %d)

Unexpected eof found when reading file '%s' (Errcode: %d)

Unexpected eof found when reading file '%s' (Errcode: %d)

Error on rename of '%s' to '%s' (Errcode: %d)

Error on rename of '%s' to '%s' (Errcode: %d)

Error on delete of '%s' (Errcode: %d)

Error on delete of '%s' (Errcode: %d)

Out of memory (Needed %u bytes)

Out of memory (Needed %u bytes)

Error on close of '%s' (Errcode: %d)

Error on close of '%s' (Errcode: %d)

Error writing file '%s' (Errcode: %d)

Error writing file '%s' (Errcode: %d)

Error reading file '%s' (Errcode: %d)

Error reading file '%s' (Errcode: %d)

Can't create/write to file '%s' (Errcode: %d)

Can't create/write to file '%s' (Errcode: %d)

File '%s' not found (Errcode: %d)

File '%s' not found (Errcode: %d)

charsets.charset.collation.map

charsets.charset.collation.map

charsets.charset.collation.flag

charsets.charset.collation.flag

charsets.charset.collation.order

charsets.charset.collation.order

charsets.charset.collation.id

charsets.charset.collation.id

charsets.charset.collation.name

charsets.charset.collation.name

charsets.charset.collation

charsets.charset.collation

charsets.charset.unicode.map

charsets.charset.unicode.map

charsets.charset.unicode

charsets.charset.unicode

charsets.charset.lower.map

charsets.charset.lower.map

charsets.charset.lower

charsets.charset.lower

charsets.charset.upper.map

charsets.charset.upper.map

charsets.charset.upper

charsets.charset.upper

charsets.charset.ctype.map

charsets.charset.ctype.map

charsets.charset.ctype

charsets.charset.ctype

charsets.charset.alias

charsets.charset.alias

charsets.charset.description

charsets.charset.description

charsets.charset.family

charsets.charset.family

charsets.charset.name

charsets.charset.name

charsets.charset.binary-id

charsets.charset.binary-id

charsets.charset.primary-id

charsets.charset.primary-id

charsets.charset

charsets.charset

charsets.max-id

charsets.max-id

xml.encoding

xml.encoding

xml.version

xml.version

1.1.4

1.1.4

%,%$%4%

%,%$%4%

eZl%u

eZl%u

Q.YeY

Q.YeY

R:\Sg|p5rL

R:\Sg|p5rL

e$e#e e4e5e7e6e8eKuHeVeUeMeXe^e]erexe

e$e#e e4e5e7e6e8eKuHeVeUeMeXe^e]erexe

s4s/s)s%s>sNsOs

s4s/s)s%s>sNsOs

!&"&$&%&&&'&(&)&*& &,&-&.&/&0&1&

!&"&$&%&&&'&(&)&*& &,&-&.&/&0&1&

2&3&4&5&6&7&8&

2&3&4&5&6&7&8&

!(,("(-(

!(,("(-(

!,!5!6!

!,!5!6!

!%"%#%$%%%&%'%(%)%*% %,%-%.%/%0%1%2%3%4%5%6%7%8%9%:%;%%?%@%A%B%C%D%E%F%G%H%I%J%K%L%M%N%O%P%Q%R%S%T%U%V%W%X%Y%Z%[%\%]%^%_%`%a%b%c%d%e%f%g%h%i%j%k%l%m%n%o%p%q%r%s%t%u%v%

!%"%#%$%%%&%'%(%)%*% %,%-%.%/%0%1%2%3%4%5%6%7%8%9%:%;%%?%@%A%B%C%D%E%F%G%H%I%J%K%L%M%N%O%P%Q%R%S%T%U%V%W%X%Y%Z%[%\%]%^%_%`%a%b%c%d%e%f%g%h%i%j%k%l%m%n%o%p%q%r%s%t%u%v%

g9H5_DF>L!9yMGE~8

g9H5_DF>L!9yMGE~8

%Sv0$S

%Sv0$S

|T)>~T%C

|T)>~T%C

8]7]:]=5

8]7]:]=5

.Dh26a

.Dh26a

Z6%d#d

Z6%d#d

ReXeQe

ReXeQe

uewexe

uewexe

6*6 8*8 5*5 :*: ;*; =*=

6*6 8*8 5*5 :*: ;*; =*=

/"2"6"5"

/"2"6"5"

21314151

21314151

'2(2)2*2 2

'2(2)2*2 2

-6.6/6061626

-6.6/6061626

.7/70717

.7/70717

[7\7]7^7

[7\7]7^7

=8>8?8@8

=8>8?8@8

19293949

19293949

%;&;';(;

%;&;';(;

%>&>'>(>

%>&>'>(>

=>>>?>@>

=>>>?>@>

[@\@]@^@

[@\@]@^@

"U#U$U%U

"U#U$U%U

8[9[:[;[[

8[9[:[;[[

&\'\(\)\

&\'\(\)\

~\!]"]#]

~\!]"]#]

/]0]1]2]

/]0]1]2]

4]5]6]7]8]

4]5]6]7]8]

|_}_~_!`

|_}_~_!`

&`'`(`)`

&`'`(`)`

2`3`4`5`

2`3`4`5`

WeXe

WeXe

vewexe

vewexe

$f%f&f

$f%f&f

@mAmBmCmDm

@mAmBmCmDm

S%S'S(S)S S,S-S0S2S5SSBSLSKSYS[SaScSeSlSmSrSyS~S

S%S'S(S)S S,S-S0S2S5SSBSLSKSYS[SaScSeSlSmSrSyS~S

d d"d$d%d)d*d/d0d5d=d?dKdOdQdRdSdTdZd[d\d]d_d`dadcdmdsdtd{d}d

d d"d$d%d)d*d/d0d5d=d?dKdOdQdRdSdTdZd[d\d]d_d`dadcdmdsdtd{d}d

.AK.)

.AK.)

.uGvG

.uGvG

/%S67

/%S67

-<.gig>

-<.gig>

I.pKqK

I.pKqK

J.AeRtH49

J.AeRtH49

U U!U"U#U$U%U&U'U(U)U*U U,U-U.U/U0U1U2U3U4U5U6U7U8U9U:U;UU?U@UAUBUCUDUEUFUGUHUIUJUKULUMUNUOUPUQURUSUTUUUVUWUXUYUZU[U\U]U^U_U`UaUbUcUdUeUfUgUhUiUjUkUlUmUnUoUpUqUrUsUtUuUvU

U U!U"U#U$U%U&U'U(U)U*U U,U-U.U/U0U1U2U3U4U5U6U7U8U9U:U;UU?U@UAUBUCUDUEUFUGUHUIUJUKULUMUNUOUPUQURUSUTUUUVUWUXUYUZU[U\U]U^U_U`UaUbUcUdUeUfUgUhUiUjUkUlUmUnUoUpUqUrUsUtUuUvU

?q.SM!@

?q.SM!@

$R&ß

$R&ß

C.JMH

C.JMH

-)./...6. .

-)./...6. .

E~ExE|E{E

E~ExE|E{E

&t.KIx

&t.KIx

"*0QIs%u1

"*0QIs%u1

)Q.GN

)Q.GN

X X!X"X#X$X%X&X'X(X)X*X X,X-X.X/X0X1X2X3X4X5X6X7X8X9X:X;XX?X@XAXBXCXDXEXFXGXHXIXJXKXLXMXNXOXPXQXRXSXTXUXVXWXXXYXZX[X\X]X^X_X`XaXbXcXdXeXfX

X X!X"X#X$X%X&X'X(X)X*X X,X-X.X/X0X1X2X3X4X5X6X7X8X9X:X;XX?X@XAXBXCXDXEXFXGXHXIXJXKXLXMXNXOXPXQXRXSXTXUXVXWXXXYXZX[X\X]X^X_X`XaXbXcXdXeXfX

S"S$S%S'S(S)S S,S-S/S0S1S2S3S4S5S6S7S8S

S"S$S%S'S(S)S S,S-S/S0S1S2S3S4S5S6S7S8S

U!U%U&U

U!U%U&U

X"X#X%X&X'X(X)X X,X-X.X/X1X2X3X4X6X7X8X9X:X;X

X"X#X%X&X'X(X)X X,X-X.X/X1X2X3X4X6X7X8X9X:X;X

_!_"_#_$_

_!_"_#_$_

%d'd(d)d d.d/d0d1d2d3d5d6d7d8d9d;dd@dBdCdIdKdLdMdNdOdPdQdSdUdVdWdYdZd[d\d]d_d`dadbdcdddedfdhdjdkdldndodpdqdrdsdtdudvdwd{d|d}d~d

%d'd(d)d d.d/d0d1d2d3d5d6d7d8d9d;dd@dBdCdIdKdLdMdNdOdPdQdSdUdVdWdYdZd[d\d]d_d`dadbdcdddedfdhdjdkdldndodpdqdrdsdtdudvdwd{d|d}d~d

"e#e$e&e'e(e)e*e,e-e0e1e2e3e7e:e

"e#e$e&e'e(e)e*e,e-e0e1e2e3e7e:e

2!2"2#2$2%2&2'2(2)2

2!2"2#2$2%2&2'2(2)2

"P%Q%R%S%T%U%V%W%X%Y%Z%[%\%]%^%_%`%a%b%c%d%e%f%g%h%i%j%k%l%m%n%o%p%q%r%s%

"P%Q%R%S%T%U%V%W%X%Y%Z%[%\%]%^%_%`%a%b%c%d%e%f%g%h%i%j%k%l%m%n%o%p%q%r%s%

1 1!1"1#1$1%1&1'1(1)1

1 1!1"1#1$1%1&1'1(1)1

!0"0#0$0%0&0'0(0)0

!0"0#0$0%0&0'0(0)0

% %!%"%#%$%%%&%'%(%)%*% %,%-%.%/%0%1%2%3%4%5%6%7%8%9%:%;%%?%@%A%B%C%D%E%F%G%H%I%J%K%

% %!%"%#%$%%%&%'%(%)%*% %,%-%.%/%0%1%2%3%4%5%6%7%8%9%:%;%%?%@%A%B%C%D%E%F%G%H%I%J%K%

W%f?i

W%f?i

e.lFO

e.lFO

}!}#}$}%}&}(})}*},}-}.}0}1}2}3}4}5}6}

}!}#}$}%}&}(})}*},}-}.}0}1}2}3}4}5}6}

urlsS

urlsS

~ ~!~"~#~$~%~&~'~(~)~*~ ~,~-~.~/~0~1~2~3~4~5~6~7~8~9~

~ ~!~"~#~$~%~&~'~(~)~*~ ~,~-~.~/~0~1~2~3~4~5~6~7~8~9~

u%urrGS

u%urrGS

]']&].]$]

]']&].]$]

s"s9s%s,s8s1sPsMsWs`slsos~s

s"s9s%s,s8s1sPsMsWs`slsos~s

x

x

{.{1{ {%{${3{>{

{.{1{ {%{${3{>{

!!"!#!(!

!!"!#!(!

4!5!6!7!8!9!:!;!>!?!

4!5!6!7!8!9!:!;!>!?!

~!2!3!

~!2!3!

.VZN'Uu:&7V@

.VZN'Uu:&7V@

%FxG=R

%FxG=R

~e%fWM

~e%fWM

rP.BPb

rP.BPb

C^%X*?M[lRzF*E

C^%X*?M[lRzF*E

(m|P%c

(m|P%c

NN"L.PSD25X^uU7

NN"L.PSD25X^uU7

.QqP8j9j:j5:

.QqP8j9j:j5:

%CxF-kJD

%CxF-kJD

(d.deB

(d.deB

3G,===%d

3G,===%d

&8.pB1

&8.pB1

mS.Xk@

mS.Xk@

tq.RG^JK

tq.RG^JK

B]HC

B]HC

yTDI.SS8`3

yTDI.SS8`3

t6ZeXeYe@5

t6ZeXeYe@5

*M%u#u4=(u

*M%u#u4=(u

"*")"'"("

"*")"'"("

%d&`&a&e&g&c&

%d&`&a&e&g&c&

%!%"%&%'%)%*%-%.%1%2%5%6%9%:$=%>%@%A%C%D%E%F%G%H%I%J%

%!%"%&%'%)%*%-%.%1%2%5%6%9%:$=%>%@%A%C%D%E%F%G%H%I%J%

[!\!]!^!

[!\!]!^!

mQ.bx

mQ.bx

{ | }9},

{ | }9},

d6exe9j

d6exe9j

]%sOu

]%sOu

m.t.zB}

m.t.zB}

w%xIyWy

w%xIyWy

%f?iCt

%f?iCt

#$%&'()* ,

#$%&'()* ,

!"#$%&'()* ,-./0123456789:;?@

!"#$%&'()* ,-./0123456789:;?@

%

%

%q%r%s%

%q%r%s%

`!`'`)` `

`!`'`)` `

e%f-f f'f/f

e%f-f f'f/f

%x-x x

%x-x x

~NzP}P\PGPCPLPZPIPePvPNPUPuPtPwPOP

~NzP}P\PGPCPLPZPIPePvPNPUPuPtPwPOP

]8^6^3^7^

]8^6^3^7^

c{cichczc]eVeQeYeWe_UOeXeUeTe

c{cichczc]eVeQeYeWe_UOeXeUeTe

r6s%s4s)s:t*t3t"t%t5t6t4t/t

r6s%s4s)s:t*t3t"t%t5t6t4t/t

t&t(t%u&ukuju

t&t(t%u&ukuju

a.bidodyd

a.bidodyd

duewexe

duewexe

]!^"^#^ ^$^

]!^"^#^ ^$^

t.uGuHu

t.uGuHu

h&h(h.hMh:h%h h,k/k-k1k4kmk

h&h(h.hMh:h%h h,k/k-k1k4kmk

k%lzmcmdmvm

k%lzmcmdmvm

{1{ {-{/{2{8{

{1{ {-{/{2{8{

WHX%X

WHX%X

`IaJa aEa6a2a.aFa/aOa)a@a bh

`IaJa aEa6a2a.aFa/aOa)a@a bh

d@d%d'd

d@d%d'd

kCpDpJpHpIpEpFp

kCpDpJpHpIpEpFp

3: %s unexpected (ident or '/' wanted)

3: %s unexpected (ident or '/' wanted)

5: %s unexpected ('>' wanted)

5: %s unexpected ('>' wanted)

6: %s unexpected ('?' wanted)

6: %s unexpected ('?' wanted)

4: %s unexpected (ident or string wanted)

4: %s unexpected (ident or string wanted)

1: %s unexpected (ident wanted)

1: %s unexpected (ident wanted)

'%s>' unexpected ('%s>' wanted)

'%s>' unexpected ('%s>' wanted)

\cb2da.exe

\cb2da.exe

#include "l.chs\afxres.rc" // Standard components

#include "l.chs\afxres.rc" // Standard components

PAD

PAD

dll\agentReply.vbp

dll\agentReply.vbp

hXXp://su.microrui.com/

hXXp://su.microrui.com/

hXXp://su2.microrui.com/

hXXp://su2.microrui.com/

&password=

&password=

Msxml2.XMLHTTP

Msxml2.XMLHTTP

Microsoft.XMLHTTP

Microsoft.XMLHTTP

&passwordstr=

&passwordstr=

uploadpic.aspx?

uploadpic.aspx?

application/x-www-form-urlencoded

application/x-www-form-urlencoded

getanswer.aspx?IDString=

getanswer.aspx?IDString=

report.aspx?IDString=

report.aspx?IDString=

CardUse.aspx?action=reg&username=

CardUse.aspx?action=reg&username=

CardUse.aspx?action=denglu&username=

CardUse.aspx?action=denglu&username=

CardUse.aspx?action=chongzhi&username=

CardUse.aspx?action=chongzhi&username=

CardUse.aspx?action=chaxun&username=

CardUse.aspx?action=chaxun&username=

ZhuceUse.aspx?

ZhuceUse.aspx?

{557CF401-1A04-11D3-9A73-0000F81EF32E}

{557CF401-1A04-11D3-9A73-0000F81EF32E}

{1D5BE4B5-FA4A-452D-9CDD-5DB35105E7EB}

{1D5BE4B5-FA4A-452D-9CDD-5DB35105E7EB}

c:\temp.xml

c:\temp.xml

Microsoft.XMLDOM

Microsoft.XMLDOM

ADODB.Stream

ADODB.Stream

bin.base64

bin.base64

c:\\MicroSu.log

c:\\MicroSu.log

Scripting.FileSystemObject

Scripting.FileSystemObject

su.microrui.com

su.microrui.com

1.00.0002

1.00.0002

(*.*)

(*.*)

1.0.0.0

1.0.0.0

(hXXp://VVV.eyuyan.com)

(hXXp://VVV.eyuyan.com)