Trojan.Win32.Agentb.htu (Kaspersky), Trojan.Generic.8879933 (B) (Emsisoft), Trojan.Generic.8879933 (AdAware), Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericInjector.YR, GenericPhysicalDrive0.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 087e3623466ba1a66dea97260b7e573f
SHA1: c047c21293c72c541f3484e56a26abb1d322448a
SHA256: 29db62116d6be7a5aa642e5800e4f46ca76b05797c0c354247381c44730cc726
SSDeep: 49152:6zG1BqCBGJdodXAGRe5CFHRoHgmAZf1Nk:DBIKRAGRe5K2UZw
Size: 3350576 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: Xacti, LLC
Created at: 2012-02-09 00:09:46
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:560
The Trojan injects its code into the following process(es):
cb2da.exe:1116
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process %original file name%.exe:560 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ÅäÖÃ\cb2da.exe (22433 bytes)
The process cb2da.exe:1116 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\ÅäÖÃ\¹ýÇÅ·ÃÂß(´Ó½ø´¬Ò»Ö±µ½ÃÂÂÆÂÉÃÂÃæµÄÄã²»ÃÂèÒª¶¯Ö»ÃÂèÒª´Ó×îºóÃâ€Ãƒâ„¢Ã‚¼Ã“×ø±ê¾Ã¿ÉÒÃâ€ÃƒÂË).txt (166 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
C:\ÅäÖÃ\±ù»ðµºÃÂòÕÂËùÃÂè²ÄÃÂÃÂÒ»ÀÀ.txt (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ip138[1].txt (209 bytes)
C:\ÅäÖÃ\¹ýÂËÓë³öÊÛ.txt (2 bytes)
The Trojan deletes the following file(s):
C:\ÅäÖÃ\cb2da.exe (0 bytes)
Registry activity
The process %original file name%.exe:560 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC 08 31 AD 8F 6A 43 D5 76 62 21 5B A0 59 E5 0D"
The process cb2da.exe:1116 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 11 89 78 81 18 7E CA 46 A6 7C 0B 57 FD 2C 04"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security-zone settings so that all local web nodes whose names contain no dots and are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
a6aaad773aad9d4706c720ef41864f67 | c:\ÅäÖÃ\cb2da.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:560
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\ÅäÖÃ\cb2da.exe (22433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\ÅäÖÃ\¹ýÇÅ·ÃÂß(´Ó½ø´¬Ò»Ö±µ½ÃÂÂÆÂÉÃÂÃæµÄÄã²»ÃÂèÒª¶¯Ö»ÃÂèÒª´Ó×îºóÃâ€Ãƒâ„¢Ã‚¼Ã“×ø±ê¾Ã¿ÉÒÃâ€ÃƒÂË).txt (166 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
C:\ÅäÖÃ\±ù»ðµºÃÂòÕÂËùÃÂè²ÄÃÂÃÂÒ»ÀÀ.txt (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ip138[1].txt (209 bytes)
C:\ÅäÖÃ\¹ýÂËÓë³öÊÛ.txt (2 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 8192 | 8192 | 3.72406 | 579a2e6bfdd7b549dfb1d71f9fa16911 |
.text | 12288 | 2022314 | 2023424 | 4.48194 | 96f01445a0c028f2c988f638925b25e3 |
.rdata | 2035712 | 453530 | 454656 | 3.06415 | b90a32af6c79cfdae5ed7bba579eb329 |
.data | 2490368 | 1296482 | 827392 | 3.87079 | f8dc20b7142a6628894a65ccb970940d |
.rsrc | 3788800 | 29596 | 32768 | 3.25764 | 2e18d322da9fcc3e4b9987bda8597b4f |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 7
Network Activity
URLs
URL | IP |
---|---|
hxxp://yd.ecoma.ourwebpic.com/ips8.asp | |
hxxp://city.ip138.com.cname.yunjiasu-cdn.net/ips8.htm | 162.159.210.67 |
hxxp://city.ip138.com/ips8.htm | 162.159.210.67 |
hxxp://www.ip138.com/ips8.asp | 87.245.198.83 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /ips8.htm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: city.ip138.com
Cache-Control: no-cache
Connection: Keep-Alive
HTTP/1.1 503 Service Temporarily Unavailable
Date: Wed, 25 May 2016 00:38:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: __cfduid=d9721cbbb4819680dd69c38121d7f4bf01464136682; expires=Thu, 25-May-17 00:38:02 GMT; path=/; domain=.ip138.com; HttpOnly
X-Frame-Options: SAMEORIGIN
Refresh: 8;URL=/cdn-cgi/l/chk_jschl?pass=1464136686.556-xF754MqOep
Cache-Control: no-cache
Server: yunjiasu-nginx
CF-RAY: 2a84ec19ff0c3702-ARN
GET /ips8.asp HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.ip138.com
Cache-Control: no-cache
HTTP/1.0 302 Moved Temporarily
Server: Cdn Cache Server V2.0
Date: Wed, 25 May 2016 00:38:02 GMT
Content-Length: 0
Location: hXXp://city.ip138.com/ips8.htm
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
cb2da.exe_1116: