Trojan.Win32.FlyStudio_eb0ca9362f – Adaware

Dynamic Analysis

Payload

Behaviour	Description
EmailWorm	Worm can send e-mails.

Process activity

The Trojan creates the following process(es):No processes have been created.The Trojan injects its code into the following process(es):

%original file name%.exe:800

Mutexes

The following mutexes were created/opened:

c:!documents and settings!adm!local settings!history!history.ie5!mshist012015060320150604!_!SHMSFTHISTORY!_CTF.TMD.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.Layouts.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.Asm.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.Compart.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.LBES.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003HGFSMUTEX00000000000240eeZonesLockedCacheCounterMutexZonesCacheCounterMutexZonesCounterMutexWininetProxyRegistryMutexWininetConnectionMutexWininetStartupMutexc:!documents and settings!adm!local settings!history!history.ie5!c:!documents and settings!adm!cookies!c:!documents and settings!adm!local settings!temporary internet files!content.ie5!_!MSFTHISTORY!_RasPbFileShimCacheMutex

File activity

The process %original file name%.exe:800 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A9WRW5GJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OR5MZNZI\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
C:\ÃƒÆ’Ã¢â‚¬Â Ãƒâ€šÃ‚Â¤Ãƒâ€šÃ‚Â·ÃƒÆ’Ã‚Â´.she (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OR5MZNZI\CAOVI5A7.htm (10 bytes)
C:\jedata.dll (88 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OR5MZNZI\CAR2KVN1 (123 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GBE3DABB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PW0KY8DE\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ui.ptlogin2.qq[1].txt (180 bytes)

Registry activity

The process %original file name%.exe:800 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015060320150604]
"CacheLimit" = "8192"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015060320150604]
"CachePrefix" = ":2015060320150604:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015060320150604]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012015060320150604\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 3A ED BD 98 07 43 B9 3A 80 14 FC 13 56 3C 9C"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.2345.com/?k56330"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015060320150604]
"CacheRepair" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015060320150604]
"CacheOptions" = "11"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140318]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5	File path
114054313070472cd1a6d7d28f7c5002	c:\jedata.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A9WRW5GJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OR5MZNZI\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
C:\ÃƒÆ’Ã¢â‚¬Â Ãƒâ€šÃ‚Â¤Ãƒâ€šÃ‚Â·ÃƒÆ’Ã‚Â´.she (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OR5MZNZI\CAOVI5A7.htm (10 bytes)
C:\jedata.dll (88 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OR5MZNZI\CAR2KVN1 (123 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GBE3DABB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PW0KY8DE\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ui.ptlogin2.qq[1].txt (180 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: ?????
Product Name: ??V8????1.5
Product Version: 1.3.0.0
Legal Copyright: ????? ????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.3.0.0
File Description: V8.0??????-????????
Comments: V8.0??????-????????
Language: Language Neutral

Company Name: ?????Product Name: ??V8????1.5Product Version: 1.3.0.0Legal Copyright: ????? ????Legal Trademarks: Original Filename: Internal Name: File Version: 1.3.0.0File Description: V8.0??????-????????Comments: V8.0??????-????????Language: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
UPX0	4096	1224704	0	0	d41d8cd98f00b204e9800998ecf8427e
UPX1	1228800	466944	463872	5.54474	bb5fb09f867f7ad0b3f8c9d88ed3304f
.rsrc	1695744	73728	72192	1.60111	df070ca39aeed1d9da24c39021c5a6a8

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://ui.ptlogin2.qq.com/cgi-bin/login?link_target=blank&appid=15000101&s_url=http://php.qzone.qq.com/index.php?mod=portal&act=login&f_url=loginerroralert&target=top&qlogin_jumpname=jump&qlogin_param=u1=http://php.qzone.qq.com/index.php?mod=portal&act=login&r=2010-10-31 0:03:44	112.90.83.106

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /cgi-bin/login?link_target=blank&appid=15000101&s_url=http://php.qzone.qq.com/index.php?mod=portal&act=login&f_url=loginerroralert&target=top&qlogin_jumpname=jump&qlogin_param=u1=http://php.qzone.qq.com/index.php?mod=portal&act=login&r=2010-10-31 0:03:44 HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ui.ptlogin2.qq.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Connection: keep-alive

Keep-Alive: timeout=50, max=1024

Server: QZHTTP-2.38.20

Date: Tue, 02 Jun 2015 23:30:25 GMT

P3P: CP="CAO PSA OUR"

Cache-Control: max-age=86400

Set-Cookie: pt_user_id=9571227474957132143; EXPIRES=Fri, 30-May-2025 23:30:25 GMT; PATH=/; DOMAIN=ui.ptlogin2.qq.com;

Set-Cookie: pt_login_sig=1wwnglu-xtFLJACb1cmHXbTn*lznPQ3ojGXliU3-Otn*EI7GHzjCKv5jE98eRd0S; PATH=/; DOMAIN=ptlogin2.qq.com;

Set-Cookie: pt_clientip=90b0c18af4e71c53; PATH=/; DOMAIN=qq.com;

Set-Cookie: pt_serverip=0a940a85030cbd2d; PATH=/; DOMAIN=qq.com;

Set-Cookie: login_param=link_target=blank&appid=15000101&s_url=http%3A//php.qzone.qq.com/index.php%3Fmod%3Dportal%26act%3Dlogin&f_url=loginerroralert&target=top&qlogin_jumpname=jump&qlogin_param=u1%3Dhttp%3A//php.qzone.qq.com/index.php%3Fmod%3Dportal%26act%3Dlogin&r=2010-10-31%200:03:44; PATH=/; DOMAIN=ui.ptlogin2.qq.com;

Set-Cookie: uikey=bfa7ba82c4f1036bc6ed4e7d3044e759c921a524698327a61990af015fccfea6; PATH=/; DOMAIN=ptlog

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_800:

`.rsrc

t%SVh

t$(SSh

~%UVW

u$SShe

wininet.dll

kernel32.dll

shlwapi.dll

jedata.dll

user32.dll

gdiplus.dll

ole32.dll

GdiPlus.dll

Psapi.dll

advapi32.dll

ntdll.dll

HttpOpenRequestA

HttpSendRequestA

HttpQueryInfoA

GdiplusShutdown

EnumChildWindows

WEBUI

WebUIControl

hXXp://qun.qzone.qq.com/cgi-bin/get_group_member?uin=

"nick":"

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

http=

https

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

HTTP/1.1

hXXps://

hXXp://

hXXp://ui.ptlogin2.qq.com/cgi-bin/login?link_target=blank&appid=15000101&s_url=http://php.qzone.qq.com/index.php?mod=portal&act=login&f_url=loginerroralert&target=top&qlogin_jumpname=jump&qlogin_param=u1=http://php.qzone.qq.com/index.php?mod=portal&act=login&r=2010-10-31 0:03:44

.qzone.qq.com/jjb

hXXp://wenwen.qq.com/z/QzoneAppQuestionAndAnswer.htm

skey=

; skey=

VVV.baidu.com

hXXp://qun.qzone.qq.com/cgi-bin/get_group_list?uin=

hXXp://VVV.2345.com/?k56330

pei.jjb

\jedata.dll

.rsrc

%S4WD

hg%fpM

S.Ac9SR

0.I%3s

,wAe.kI

aiUy'4xu

%c*@j

.eH'y

{&%U)

lj%4U

xe%CNs

9F.cLe

hJK.ZH

O.qt0

KERNEL32.DLL

COMCTL32.dll

GDI32.dll

MSIMG32.dll

MSVCRT.dll

MSVFW32.dll

USER32.dll

SkinH_EL.dll

_y.qzone.qq.com

hXXp://w.qzone.qq.com/cgi-bin/likes/internal_dolike_app?g_tk=

&zb_url=http://i.gtimg.cn/qzone/space_item/pre/14/94110_1.gif

&curkey=http://user.qzone.qq.com/

&unikey=http://user.qzone.qq.com/

/main&appid=7030&face=0&fupdate=1&from=1&query_count=200&opuin=

qzreferrer=http://user.qzone.qq.com/

hXXp://user.qzone.qq.com/

:hXXp://VVV.tmd.la

hXXp://users.qzone.qq.com/cgi-bin/likes/get_like_list_app?uin=

VVV.29523472.cn/

2000-4000

WinHttp.WinHttpRequest.5.1

application/x-www-form-urlencoded

Adodb.Stream

MSScriptControl.ScriptControl

Scripting.Encoder

1, 2, 0, 1, 2, 0, 2, 0, 0, 2, 0, 2, 1, 0, 2, 0,

1, 0, 2, 0, 1, 1, 2, 0, 0, 2, 1, 0, 2, 0, 0, 2,

1, 1, 0, 2, 0, 2, 0, 1, 0, 1, 1, 2, 0, 1, 0, 2,

1, 0, 2, 0, 1, 1, 2, 0, 0, 1, 1, 2, 0, 1, 0, 2

digits["A".charCodeAt(0) i] = i

digits["a".charCodeAt(0) i] = i 26

for (var i=0; i

if (char.charCodeAt(0) > 126) return char

if (escapes.indexOf(char) != -1) return escaped.substr(escapes.indexOf(char), 1)

val = (digits[string.substr(0,1).charCodeAt(0)]

val = (digits[string.substr(1,1).charCodeAt(0)] >> 4)

val = (digits[string.substr(1,1).charCodeAt(0)] & 0xf)

val = ((digits[string.substr(2,1).charCodeAt(0)] >> 2)

val = ((digits[string.substr(2,1).charCodeAt(0)] & 0x3)

val = (digits[string.substr(3,1).charCodeAt(0)]

scriptIndex = encodingString.indexOf(marker, stringIndex)

unEncodingString = encodingString.substring(stringIndex, scriptIndex)

scriptIndex = marker.length

unEncodingString = encodingString.substr(stringIndex, encodingString.length)

encodingLength = encodingString.substr(scriptIndex, 6)

scriptIndex = (6 "==".length)

stringIndex = scriptIndex "DQgAAA==^#~@".length

char = encodingString.substr(scriptIndex, 1)

if (char.charCodeAt(0)

unEncodingString = String.fromCharCode(transformed[pick_encoding[unEncodingIndexd]][char.charCodeAt(0)])

unEncodingString = unescape(encodingString.substr( scriptIndex, 1))

re = new RegExp("(JScript|VBscript).encode", "gmi")

while(arr = re.exec(unEncodingString)) unEncodingString = RegExp.leftContext RegExp.$1 RegExp.rightContext

strdec(AdodbStream.ReadText);

0.0.0.0

0000000000

function encrypt(str,pass){

data = m_xxtea.encrypt(str, pass);

function decrypt(str,pass){

data = m_xxtea.decrypt(str, pass);

if (str.match(/^[\x00-\x7f]*$/) != null) {

return str.toString();

len = str.length;

c = str.charCodeAt(i);

out[j] = str.charAt(i);

out[j] = String.fromCharCode(0xc0 | (c >>> 6),

out[j] = String.fromCharCode(0xe0 | (c >>> 12),

c2 = str.charCodeAt(i);

out[j] = String.fromCharCode(0xf0 | ((c >>> 18) & 0x3f),

return out.join('');

if ((str.match(/^[\x00-\x7f]*$/) != null) ||

(str.match(/^[\x00-\xff]*$/) == null)) {

c = str.charCodeAt(i );

out[j ] = str.charAt(i - 1);

c2 = str.charCodeAt(i );

out[j ] = String.fromCharCode(((c & 0x1f)

c3 = str.charCodeAt(i );

out[j ] = String.fromCharCode(((c & 0x0f)

c4 = str.charCodeAt(i );

out[j ] = String.fromCharCode(((s >>> 10) & 0x03ff) | 0xd800,

var base64EncodeChars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /'.split('');

len = str.length;

c = str.charCodeAt(i )

str.charCodeAt(i )

str.charCodeAt(i );

c = str.charCodeAt(i );

c = str.charCodeAt(i )

return out.join('');

-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,

-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, -1, 63,

if (/[^ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\ \/\=]/.test(str)) {

if (str.charAt(len - 2) == '=') {

else if (str.charAt(len - 1) == '=') {

c1 = base64DecodeChars[str.charCodeAt(i )];

c2 = base64DecodeChars[str.charCodeAt(i )];

out[j ] = String.fromCharCode((c1 > 4));

c3 = base64DecodeChars[str.charCodeAt(i )];

out[j ] = String.fromCharCode(((c2 & 0x0f) > 2));

c4 = base64DecodeChars[str.charCodeAt(i )];

out[j ] = String.fromCharCode(((c3 & 0x03)

var length = data.length;

data[i] = String.fromCharCode(

return data.join('').substring(0, n);

return data.join('');

var length = string.length;

result[i >> 2] = string.charCodeAt(i) |

string.charCodeAt(i 1)

string.charCodeAt(i 2)

string.charCodeAt(i 3)

result[result.length] = length;

this.encrypt = function(string, key) {

var k = stringToLongArray(key, false);

if (k.length

k.length = 4;

var n = v.length - 1;

var mx, e, p, q = Math.floor(6 52 / (n 1)), sum = 0;

this.decrypt = function(string, key) {

var mx, e, p, q = Math.floor(6 52 / (n 1)), sum = q * delta & 0xffffffff;

* See hXXp://pajhome.org.uk/crypt/md5 for details.

function hex_sha1(s){return binb2hex(core_sha1(str2binb(s),s.length * chrsz));}

function b64_sha1(s){return binb2b64(core_sha1(str2binb(s),s.length * chrsz));}

function str_sha1(s){return binb2str(core_sha1(str2binb(s),s.length * chrsz));}

function hex_hmac_sha1(key, data){ return binb2hex(core_hmac_sha1(key, data));}

function b64_hmac_sha1(key, data){ return binb2b64(core_hmac_sha1(key, data));}

function str_hmac_sha1(key, data){ return binb2str(core_hmac_sha1(key, data));}

for(var i = 0; i

* Calculate the HMAC-SHA1 of a key and some data

function core_hmac_sha1(key, data)

var bkey = str2binb(key);

if(bkey.length > 16) bkey = core_sha1(bkey, key.length * chrsz);

ipad[i] = bkey[i] ^ 0x36363636;

opad[i] = bkey[i] ^ 0x5C5C5C5C;

var hash = core_sha1(ipad.concat(str2binb(data)), 512 data.length * chrsz);

return core_sha1(opad.concat(hash), 512 160);

* Add integers, wrapping at 2^32. This uses 16-bit operations internally

for(var i = 0; i

bin[i>>5] |= (str.charCodeAt(i / chrsz) & mask)

for(var i = 0; i

str = String.fromCharCode((bin[i>>5] >>> (32 - chrsz - i2)) & mask);

for(var i = 0; i

str = hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8 4)) & 0xF)

hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8 )) & 0xF);

for(var i = 0; i

if(i * 8 j * 6 > binarray.length * 32) str = b64pad;

else str = tab.charAt((triplet >> 6*(3-j)) & 0x3F);

TempObj=JSON.parse(str);

var obj=JSON.parse(str);

Lobj.push(obj);

return Lobj.length;

function GetAllKey(){

Lobj = JSON.parse(str);

var str=JSON.stringify(Lobj);

return Lobj.str;

if (typeof Date.prototype.toJSON !== 'function') {

Date.prototype.toJSON = function (key) {

return isFinite(this.valueOf())

? this.getUTCFullYear() '-'

f(this.getUTCMonth() 1) '-'

f(this.getUTCDate()) 'T'

f(this.getUTCHours()) ':'

f(this.getUTCMinutes()) ':'

f(this.getUTCSeconds()) 'Z'

String.prototype.toJSON =

Number.prototype.toJSON =

Boolean.prototype.toJSON = function (key) {

return this.valueOf();

'"' : '\\"',

'\\': '\\\\'

escapable.lastIndex = 0;

return escapable.test(string) ? '"' string.replace(escapable, function (a) {

: '\\u' ('0000' a.charCodeAt(0).toString(16)).slice(-4);

function str(key, holder) {

k, // The member key.

value = holder[key];

typeof value.toJSON === 'function') {

value = value.toJSON(key);

value = rep.call(holder, key, value);

if (Object.prototype.toString.apply(value) === '[object Array]') {

length = value.length;

v = partial.length === 0

? '[\n' gap partial.join(',\n' gap) '\n' mind ']'

: '[' partial.join(',') ']';

length = rep.length;

partial.push(quote(k) (gap ? ': ' : ':') v);

if (Object.prototype.hasOwnProperty.call(value, k)) {

v = partial.length === 0

? '{\n' gap partial.join(',\n' gap) '\n' mind '}'

: '{' partial.join(',') '}';

if (typeof JSON.stringify !== 'function') {

JSON.stringify = function (value, replacer, space) {

typeof replacer.length !== 'number')) {

throw new Error('JSON.stringify');

if (typeof JSON.parse !== 'function') {

JSON.parse = function (text, reviver) {

function walk(holder, key) {

var k, v, value = holder[key];

if (Object.prototype.hasOwnProperty.call(value, k)) {

return reviver.call(holder, key, value);

cx.lastIndex = 0;

if (cx.test(text)) {

text = text.replace(cx, function (a) {

('0000' a.charCodeAt(0).toString(16)).slice(-4);

.test(text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@')

.replace(/"[^"\\\n\r]*"|true|false|null|-?\d (?:\.\d*)?(?:[eE][ \-]?\d )?/g, ']')

.replace(/(?:^|:|,)(?:\s*\[) /g, ''))) {

throw new SyntaxError('JSON.parse');

JSON.stringify(Lobj['

Lobj.push("

Lobj.push(

Lobj.push('

Lobj.length

JSON.stringify(Lobj[

Lobj.splice(

GetAllKey

Math.round(new Date().getTime()/1000)

Math.round(new Date().getTime())

Math.round(new Date().getTime() * 100)

7 9 10 5 8 4 2 1 6 3 7 9 10 5 8 4 2

WScript.Shell

rundll32.exe url.dll,FileProtocolHandler

function trim_output() {while (output.length && (output[output.length - 1] === " " || output[output.length - 1] === indent_string)) {output.pop();}}

function print_newline(ignore_repeated) {ignore_repeated = typeof ignore_repeated === "undefined" ? true : ignore_repeated;trim_output();if (!output.length) {return;}if (output[output.length - 1] !== "\n" || !ignore_repeated) {output.push("\n");}for (var i = 0; i

function print_space() {var last_output = output.length ? output[output.length - 1] : " ";if (last_output !== " " && last_output !== "\n" && last_output !== indent_string) {output.push(" ");}}

function print_token() {output.push(token_text);}

function remove_indent() {if (output.length && output[output.length - 1] === indent_string) {output.pop();}}

function set_mode(mode) {modes.push(current_mode);current_mode = mode;}

function restore_mode() {do_block_just_closed = current_mode === "DO_BLOCK";current_mode = modes.pop();}

function in_array(what, arr) {for (var i = 0; i

indent_character = indent_character || " ";indent_size = indent_size || 4;indent_string = "";while (indent_size--) {indent_string = indent_character;}input = js_source_text;last_word = "";last_type = "TK_START_EXPR";last_text = "";output = [];do_block_just_closed = false;var_line = false;var_line_tainted = false;whitespace = "\n\r\t ".split("");wordchar = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_$".split("");punct = " - * / % & -- = = -= *= /= $= == === != !== > = > >> >>>= >>=

x =a.replace(/^\s /, '')

1970/01/01 00:00:00

.htmlt

VVV.29523472.cn

287306383

VVV.29523472.cn

287306383

29523472

CCmdTarget

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CNotSupportedException

__MSVCRT_HEAP_SELECT

GetCPInfo

KERNEL32.dll

UnhookWindowsHookEx

SetWindowsHookExA

GetKeyState

CreateDialogIndirectParamA

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

comdlg32.dll

WINSPOOL.DRV

RegCloseKey

RegCreateKeyExA

RegOpenKeyExA

ADVAPI32.dll

SHELL32.dll

oledlg.dll

OLEPRO32.DLL

OLEAUT32.dll

WEBUI.fne

F%D,3

%*.*f

iphlpapi.dll

SHLWAPI.dll

MPR.dll

VERSION.dll

WSOCK32.dll

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.*)|*.*||

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

Kernel32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

icmp.dll

windows

out.prn

%d.%d

%d / %d

%d/%d

Bogus message code %d

(%d-%d):

%ld%c

VVV.dywt.com.cn

(*.htm;*.html)|*.htm;*.html

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

%s

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

window.event

its:%s::%s

:bywayboy@126.com

:6225 8841 1439 1173

:6222 0234 0000 1901908

:95599 8137 08198 36418

hXXp://VVV.lifepj.cn

bywayboy@126.com

(0730)6672620

.?AVCCmdUI@@

.PAVCOleException@@

.PAVCObject@@

.PAVCOleDispatchException@@

.?AVCCmdTarget@@

.?AVCTestCmdUI@@

.PAVCUserException@@

.PAVCArchiveException@@

.PAVCSimpleException@@

.PAVCResourceException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

zcÃ

c:\%original file name%.exe

#include "l.chs\afxres.rc" // Standard components

WinExec

GetProcessHeap

RegCreateKeyA

GetViewportOrgEx

ShellExecuteA

InternetCrackUrlA

InternetCanonicalizeUrlA

.text

`.rdata

@.data

RASAPI32.dll

WININET.dll

WINMM.dll

WS2_32.dll

1, 0, 6, 6

- Skin.dll

(*.*)

1.3.0.0

%original file name%.exe_800_rwx_00401000_0019B000:

t%SVh

t$(SSh

~%UVW

u$SShe

wininet.dll

kernel32.dll

shlwapi.dll

jedata.dll

user32.dll

gdiplus.dll

ole32.dll

GdiPlus.dll

Psapi.dll

advapi32.dll

ntdll.dll

HttpOpenRequestA

HttpSendRequestA

HttpQueryInfoA

GdiplusShutdown

EnumChildWindows

WEBUI

WebUIControl

hXXp://qun.qzone.qq.com/cgi-bin/get_group_member?uin=

"nick":"

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

http=

https

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

HTTP/1.1

hXXps://

hXXp://

hXXp://ui.ptlogin2.qq.com/cgi-bin/login?link_target=blank&appid=15000101&s_url=http://php.qzone.qq.com/index.php?mod=portal&act=login&f_url=loginerroralert&target=top&qlogin_jumpname=jump&qlogin_param=u1=http://php.qzone.qq.com/index.php?mod=portal&act=login&r=2010-10-31 0:03:44

.qzone.qq.com/jjb

hXXp://wenwen.qq.com/z/QzoneAppQuestionAndAnswer.htm

skey=

; skey=

VVV.baidu.com

hXXp://qun.qzone.qq.com/cgi-bin/get_group_list?uin=

hXXp://VVV.2345.com/?k56330

pei.jjb

\jedata.dll

.rsrc

%S4WD

hg%fpM

S.Ac9SR

0.I%3s

,wAe.kI

aiUy'4xu

%c*@j

.eH'y

{&%U)

lj%4U

xe%CNs

9F.cLe

hJK.ZH

O.qt0

KERNEL32.DLL

COMCTL32.dll

GDI32.dll

MSIMG32.dll

MSVCRT.dll

MSVFW32.dll

USER32.dll

SkinH_EL.dll

_y.qzone.qq.com

hXXp://w.qzone.qq.com/cgi-bin/likes/internal_dolike_app?g_tk=

&zb_url=http://i.gtimg.cn/qzone/space_item/pre/14/94110_1.gif

&curkey=http://user.qzone.qq.com/

&unikey=http://user.qzone.qq.com/

/main&appid=7030&face=0&fupdate=1&from=1&query_count=200&opuin=

qzreferrer=http://user.qzone.qq.com/

hXXp://user.qzone.qq.com/

:hXXp://VVV.tmd.la

hXXp://users.qzone.qq.com/cgi-bin/likes/get_like_list_app?uin=

VVV.29523472.cn/

2000-4000

WinHttp.WinHttpRequest.5.1

application/x-www-form-urlencoded

Adodb.Stream

MSScriptControl.ScriptControl

Scripting.Encoder

1, 2, 0, 1, 2, 0, 2, 0, 0, 2, 0, 2, 1, 0, 2, 0,

1, 0, 2, 0, 1, 1, 2, 0, 0, 2, 1, 0, 2, 0, 0, 2,

1, 1, 0, 2, 0, 2, 0, 1, 0, 1, 1, 2, 0, 1, 0, 2,

1, 0, 2, 0, 1, 1, 2, 0, 0, 1, 1, 2, 0, 1, 0, 2

digits["A".charCodeAt(0) i] = i

digits["a".charCodeAt(0) i] = i 26

for (var i=0; i

if (char.charCodeAt(0) > 126) return char

if (escapes.indexOf(char) != -1) return escaped.substr(escapes.indexOf(char), 1)

val = (digits[string.substr(0,1).charCodeAt(0)]

val = (digits[string.substr(1,1).charCodeAt(0)] >> 4)

val = (digits[string.substr(1,1).charCodeAt(0)] & 0xf)

val = ((digits[string.substr(2,1).charCodeAt(0)] >> 2)

val = ((digits[string.substr(2,1).charCodeAt(0)] & 0x3)

val = (digits[string.substr(3,1).charCodeAt(0)]

scriptIndex = encodingString.indexOf(marker, stringIndex)

unEncodingString = encodingString.substring(stringIndex, scriptIndex)

scriptIndex = marker.length

unEncodingString = encodingString.substr(stringIndex, encodingString.length)

encodingLength = encodingString.substr(scriptIndex, 6)

scriptIndex = (6 "==".length)

stringIndex = scriptIndex "DQgAAA==^#~@".length

char = encodingString.substr(scriptIndex, 1)

if (char.charCodeAt(0)

unEncodingString = String.fromCharCode(transformed[pick_encoding[unEncodingIndexd]][char.charCodeAt(0)])

unEncodingString = unescape(encodingString.substr( scriptIndex, 1))

re = new RegExp("(JScript|VBscript).encode", "gmi")

while(arr = re.exec(unEncodingString)) unEncodingString = RegExp.leftContext RegExp.$1 RegExp.rightContext

strdec(AdodbStream.ReadText);

0.0.0.0

0000000000

function encrypt(str,pass){

data = m_xxtea.encrypt(str, pass);

function decrypt(str,pass){

data = m_xxtea.decrypt(str, pass);

if (str.match(/^[\x00-\x7f]*$/) != null) {

return str.toString();

len = str.length;

c = str.charCodeAt(i);

out[j] = str.charAt(i);

out[j] = String.fromCharCode(0xc0 | (c >>> 6),

out[j] = String.fromCharCode(0xe0 | (c >>> 12),

c2 = str.charCodeAt(i);

out[j] = String.fromCharCode(0xf0 | ((c >>> 18) & 0x3f),

return out.join('');

if ((str.match(/^[\x00-\x7f]*$/) != null) ||

(str.match(/^[\x00-\xff]*$/) == null)) {

c = str.charCodeAt(i );

out[j ] = str.charAt(i - 1);

c2 = str.charCodeAt(i );

out[j ] = String.fromCharCode(((c & 0x1f)

c3 = str.charCodeAt(i );

out[j ] = String.fromCharCode(((c & 0x0f)

c4 = str.charCodeAt(i );

out[j ] = String.fromCharCode(((s >>> 10) & 0x03ff) | 0xd800,

var base64EncodeChars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /'.split('');

len = str.length;

c = str.charCodeAt(i )

str.charCodeAt(i )

str.charCodeAt(i );

c = str.charCodeAt(i );

c = str.charCodeAt(i )

return out.join('');

-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,

-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, -1, 63,

if (/[^ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\ \/\=]/.test(str)) {

if (str.charAt(len - 2) == '=') {

else if (str.charAt(len - 1) == '=') {

c1 = base64DecodeChars[str.charCodeAt(i )];

c2 = base64DecodeChars[str.charCodeAt(i )];

out[j ] = String.fromCharCode((c1 > 4));

c3 = base64DecodeChars[str.charCodeAt(i )];

out[j ] = String.fromCharCode(((c2 & 0x0f) > 2));

c4 = base64DecodeChars[str.charCodeAt(i )];

out[j ] = String.fromCharCode(((c3 & 0x03)

var length = data.length;

data[i] = String.fromCharCode(

return data.join('').substring(0, n);

return data.join('');

var length = string.length;

result[i >> 2] = string.charCodeAt(i) |

string.charCodeAt(i 1)

string.charCodeAt(i 2)

string.charCodeAt(i 3)

result[result.length] = length;

this.encrypt = function(string, key) {

var k = stringToLongArray(key, false);

if (k.length

k.length = 4;

var n = v.length - 1;

var mx, e, p, q = Math.floor(6 52 / (n 1)), sum = 0;

this.decrypt = function(string, key) {

var mx, e, p, q = Math.floor(6 52 / (n 1)), sum = q * delta & 0xffffffff;

* See hXXp://pajhome.org.uk/crypt/md5 for details.

function hex_sha1(s){return binb2hex(core_sha1(str2binb(s),s.length * chrsz));}

function b64_sha1(s){return binb2b64(core_sha1(str2binb(s),s.length * chrsz));}

function str_sha1(s){return binb2str(core_sha1(str2binb(s),s.length * chrsz));}

function hex_hmac_sha1(key, data){ return binb2hex(core_hmac_sha1(key, data));}

function b64_hmac_sha1(key, data){ return binb2b64(core_hmac_sha1(key, data));}

function str_hmac_sha1(key, data){ return binb2str(core_hmac_sha1(key, data));}

for(var i = 0; i

* Calculate the HMAC-SHA1 of a key and some data

function core_hmac_sha1(key, data)

var bkey = str2binb(key);

if(bkey.length > 16) bkey = core_sha1(bkey, key.length * chrsz);

ipad[i] = bkey[i] ^ 0x36363636;

opad[i] = bkey[i] ^ 0x5C5C5C5C;

var hash = core_sha1(ipad.concat(str2binb(data)), 512 data.length * chrsz);

return core_sha1(opad.concat(hash), 512 160);

* Add integers, wrapping at 2^32. This uses 16-bit operations internally

for(var i = 0; i

bin[i>>5] |= (str.charCodeAt(i / chrsz) & mask)

for(var i = 0; i

str = String.fromCharCode((bin[i>>5] >>> (32 - chrsz - i2)) & mask);

for(var i = 0; i

str = hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8 4)) & 0xF)

hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8 )) & 0xF);

for(var i = 0; i

if(i * 8 j * 6 > binarray.length * 32) str = b64pad;

else str = tab.charAt((triplet >> 6*(3-j)) & 0x3F);

TempObj=JSON.parse(str);

var obj=JSON.parse(str);

Lobj.push(obj);

return Lobj.length;

function GetAllKey(){

Lobj = JSON.parse(str);

var str=JSON.stringify(Lobj);

return Lobj.str;

if (typeof Date.prototype.toJSON !== 'function') {

Date.prototype.toJSON = function (key) {

return isFinite(this.valueOf())

? this.getUTCFullYear() '-'

f(this.getUTCMonth() 1) '-'

f(this.getUTCDate()) 'T'

f(this.getUTCHours()) ':'

f(this.getUTCMinutes()) ':'

f(this.getUTCSeconds()) 'Z'

String.prototype.toJSON =

Number.prototype.toJSON =

Boolean.prototype.toJSON = function (key) {

return this.valueOf();

'"' : '\\"',

'\\': '\\\\'

escapable.lastIndex = 0;

return escapable.test(string) ? '"' string.replace(escapable, function (a) {

: '\\u' ('0000' a.charCodeAt(0).toString(16)).slice(-4);

function str(key, holder) {

k, // The member key.

value = holder[key];

typeof value.toJSON === 'function') {

value = value.toJSON(key);

value = rep.call(holder, key, value);

if (Object.prototype.toString.apply(value) === '[object Array]') {

length = value.length;

v = partial.length === 0

? '[\n' gap partial.join(',\n' gap) '\n' mind ']'

: '[' partial.join(',') ']';

length = rep.length;

partial.push(quote(k) (gap ? ': ' : ':') v);

if (Object.prototype.hasOwnProperty.call(value, k)) {

v = partial.length === 0

? '{\n' gap partial.join(',\n' gap) '\n' mind '}'

: '{' partial.join(',') '}';

if (typeof JSON.stringify !== 'function') {

JSON.stringify = function (value, replacer, space) {

typeof replacer.length !== 'number')) {

throw new Error('JSON.stringify');

if (typeof JSON.parse !== 'function') {

JSON.parse = function (text, reviver) {

function walk(holder, key) {

var k, v, value = holder[key];

if (Object.prototype.hasOwnProperty.call(value, k)) {

return reviver.call(holder, key, value);

cx.lastIndex = 0;

if (cx.test(text)) {

text = text.replace(cx, function (a) {

('0000' a.charCodeAt(0).toString(16)).slice(-4);

.test(text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@')

.replace(/"[^"\\\n\r]*"|true|false|null|-?\d (?:\.\d*)?(?:[eE][ \-]?\d )?/g, ']')

.replace(/(?:^|:|,)(?:\s*\[) /g, ''))) {

throw new SyntaxError('JSON.parse');

JSON.stringify(Lobj['

Lobj.push("

Lobj.push(

Lobj.push('

Lobj.length

JSON.stringify(Lobj[

Lobj.splice(

GetAllKey

Math.round(new Date().getTime()/1000)

Math.round(new Date().getTime())

Math.round(new Date().getTime() * 100)

7 9 10 5 8 4 2 1 6 3 7 9 10 5 8 4 2

WScript.Shell

rundll32.exe url.dll,FileProtocolHandler

function trim_output() {while (output.length && (output[output.length - 1] === " " || output[output.length - 1] === indent_string)) {output.pop();}}

function print_newline(ignore_repeated) {ignore_repeated = typeof ignore_repeated === "undefined" ? true : ignore_repeated;trim_output();if (!output.length) {return;}if (output[output.length - 1] !== "\n" || !ignore_repeated) {output.push("\n");}for (var i = 0; i

function print_space() {var last_output = output.length ? output[output.length - 1] : " ";if (last_output !== " " && last_output !== "\n" && last_output !== indent_string) {output.push(" ");}}

function print_token() {output.push(token_text);}

function remove_indent() {if (output.length && output[output.length - 1] === indent_string) {output.pop();}}

function set_mode(mode) {modes.push(current_mode);current_mode = mode;}

function restore_mode() {do_block_just_closed = current_mode === "DO_BLOCK";current_mode = modes.pop();}

function in_array(what, arr) {for (var i = 0; i

indent_character = indent_character || " ";indent_size = indent_size || 4;indent_string = "";while (indent_size--) {indent_string = indent_character;}input = js_source_text;last_word = "";last_type = "TK_START_EXPR";last_text = "";output = [];do_block_just_closed = false;var_line = false;var_line_tainted = false;whitespace = "\n\r\t ".split("");wordchar = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_$".split("");punct = " - * / % & -- = = -= *= /= $= == === != !== > = > >> >>>= >>=

x =a.replace(/^\s /, '')

1970/01/01 00:00:00

.htmlt

VVV.29523472.cn

287306383

VVV.29523472.cn

287306383

29523472

CCmdTarget

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CNotSupportedException

__MSVCRT_HEAP_SELECT

GetCPInfo

KERNEL32.dll

UnhookWindowsHookEx

SetWindowsHookExA

GetKeyState

CreateDialogIndirectParamA

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

comdlg32.dll

WINSPOOL.DRV

RegCloseKey

RegCreateKeyExA

RegOpenKeyExA

ADVAPI32.dll

SHELL32.dll

oledlg.dll

OLEPRO32.DLL

OLEAUT32.dll

WEBUI.fne

F%D,3

%*.*f

iphlpapi.dll

SHLWAPI.dll

MPR.dll

VERSION.dll

WSOCK32.dll

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.*)|*.*||

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

Kernel32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

icmp.dll

windows

out.prn

%d.%d

%d / %d

%d/%d

Bogus message code %d

(%d-%d):

%ld%c

VVV.dywt.com.cn

(*.htm;*.html)|*.htm;*.html

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

%s

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

window.event

its:%s::%s

:bywayboy@126.com

:6225 8841 1439 1173

:6222 0234 0000 1901908

:95599 8137 08198 36418

hXXp://VVV.lifepj.cn

bywayboy@126.com

(0730)6672620

.?AVCCmdUI@@

.PAVCOleException@@

.PAVCObject@@

.PAVCOleDispatchException@@

.?AVCCmdTarget@@

.?AVCTestCmdUI@@

.PAVCUserException@@

.PAVCArchiveException@@

.PAVCSimpleException@@

.PAVCResourceException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

zcÃ

c:\%original file name%.exe

#include "l.chs\afxres.rc" // Standard components

WinExec

GetProcessHeap

RegCreateKeyA

GetViewportOrgEx

ShellExecuteA

InternetCrackUrlA

InternetCanonicalizeUrlA

.text

`.rdata

@.data

1, 0, 6, 6

- Skin.dll

(*.*)

%original file name%.exe_800_rwx_10001000_00039000:

L$(h%f

SSh0j

msctls_hotkey32

TVCLHotKey

THotKey

\skinh.she

}uo,x6l5k%x-l h

9p%s m)t4`#b

e"m?c&y1`Ã

SetViewportOrgEx

SetViewportExtEx

SetWindowsHookExA

UnhookWindowsHookEx

EnumThreadWindows

EnumChildWindows

`c%US.4/

!#$

.text

`.rdata

@.data

.rsrc

@.UPX0

`.UPX1

`.reloc

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps