Trojan.GenericKD.2679499_bf58aa5686 – Adaware

Trojan.GenericKD.2679499 (B) (Emsisoft), Trojan.GenericKD.2679499 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: bf58aa5686eb7d006bc92225d0cdaa30

SHA1: 6ae324bd8210d5295743b1acbd74425d5f2d00d8

SHA256: 7359cefe56ff4a06858663c8c535f63febbdff3384def5b097143119112d3ff0

SSDeep: 12288:dXmV2U7VG5fNTShJADr88jBaEuPpOaEWzPtp7l3AnWqH4AUwWe:dWJVg5SADrr1uB/zPtwnWqH4

Size: 856064 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: ASPackv212, UPolyXv05_v6

Company: no certificate found

Created at: 2015-08-25 00:26:14

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

Behaviour	Description
EmailWorm	Worm can send e-mails.

Process activity

The Trojan creates the following process(es):No processes have been created.The Trojan injects its code into the following process(es):

%original file name%.exe:660

Mutexes

The following mutexes were created/opened:

CTF.TMD.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.Layouts.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.Asm.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.Compart.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.LBES.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003ZonesLockedCacheCounterMutexZonesCounterMutexZonesCacheCounterMutexWininetProxyRegistryMutexWininetConnectionMutexWininetStartupMutexc:!documents and settings!adm!local settings!history!history.ie5!c:!documents and settings!adm!cookies!c:!documents and settings!adm!local settings!temporary internet files!content.ie5!_!MSFTHISTORY!_RasPbFileShimCacheMutex

File activity

The process %original file name%.exe:660 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OR05OL6D\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6KG969IO\youce[1].htm (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ELKZ81OR\more[1].png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OR05OL6D\style_dao[1].css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ELKZ81OR\jquery-1.8.2.min[1].js (2122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6KG969IO\main[1].js (915 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ELKZ81OR\jquery-1.4.2.min[1].js (2989 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6KG969IO\select_topbg[1].png (946 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHOY79JB\logo[1].jpg (541 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHOY79JB\common[1].js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ELKZ81OR\youce_a[1].htm (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OR05OL6D\tu[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OR05OL6D\style[1].css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHOY79JB\youce[1].php (1349 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6KG969IO\head_bg[1].htm (340 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ELKZ81OR\fulipao_banben[1].htm (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHOY79JB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OR05OL6D\sou[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHOY79JB\bg[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6KG969IO\more[1].png (162 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ELKZ81OR\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6KG969IO\desktop.ini (67 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHOY79JB\youce[1].php (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ELKZ81OR\more[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ELKZ81OR\fulipao_banben[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6KG969IO\more[1].png (0 bytes)

Registry activity

The process %original file name%.exe:660 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 E5 52 DD 3F 1E 5D 6D 27 7B C4 B0 54 C8 A4 D8"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.2345.com/?kweige"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OR05OL6D\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6KG969IO\youce[1].htm (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ELKZ81OR\more[1].png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OR05OL6D\style_dao[1].css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ELKZ81OR\jquery-1.8.2.min[1].js (2122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6KG969IO\main[1].js (915 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ELKZ81OR\jquery-1.4.2.min[1].js (2989 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6KG969IO\select_topbg[1].png (946 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHOY79JB\logo[1].jpg (541 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHOY79JB\common[1].js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ELKZ81OR\youce_a[1].htm (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OR05OL6D\tu[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OR05OL6D\style[1].css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHOY79JB\youce[1].php (1349 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6KG969IO\head_bg[1].htm (340 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ELKZ81OR\fulipao_banben[1].htm (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHOY79JB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OR05OL6D\sou[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHOY79JB\bg[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6KG969IO\more[1].png (162 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ELKZ81OR\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6KG969IO\desktop.ini (67 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name: ???????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: English

Company Name: Product Name: ???????Product Version: 1.0.0.0Legal Copyright: ?????? ????????Legal Trademarks: Original Filename: Internal Name: File Version: 1.0.0.0File Description: ?????Comments: ??????????(http://www.eyuyan.com)Language: English

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	1085440	431616	5.54479	6fed2ba5ac186723ef805a601c2dfd6c
.rdata	1089536	892928	276992	5.54459	fca440c72fb0a447c787d160db8aed84
.data	1982464	512000	31744	5.53878	e400f4b30aef7f3b14d2590164394137
.rsrc	2494464	126976	15872	4.98185	623323032f659af57887f5e19d401356
.aspack	2621440	102400	98816	2.73394	8b0b8c6aa6884ef0b7b0bd8b5933483d
.adata	2723840	4096	0	0	d41d8cd98f00b204e9800998ecf8427e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://www.lesouwuguojie.com/soft/fulipao_banben.php
hxxp://www.lesouwuguojie.com/sou.php?moban=3
hxxp://www.lesouwuguojie.com/skin/youce_a.php
hxxp://www.lesouwuguojie.com/skin/youce.php
hxxp://www.lesouwuguojie.com/skin/js/jquery-1.8.2.min.js
hxxp://www.lesouwuguojie.com/skin/js/jquery-1.4.2.min.js
hxxp://www.lesouwuguojie.com/skin/css/style_dao.css
hxxp://www.lesouwuguojie.com/skin/js/common.js
hxxp://www.lesouwuguojie.com/skin/js/main.js
hxxp://www.lesouwuguojie.com/skin/images/tu.png
hxxp://www.lesouwuguojie.com/skin/css/style.css
hxxp://www.lesouwuguojie.com/skin/ecms041/images/logo.jpg
hxxp://www.lesouwuguojie.com/skin/images/more.png
hxxp://www.lesouwuguojie.com/skin/images/head_bg.gif
hxxp://www.lesouwuguojie.com/skin/images/bg.png
hxxp://www.lesouwuguojie.com/skin/images/select_topbg.png
hxxp://www.fulipao.com/skin/youce_a.php
hxxp://www.fulipao.com/skin/js/jquery-1.4.2.min.js
hxxp://www.fulipao.com/skin/images/more.png
hxxp://www.fulipao.com/skin/images/bg.png
hxxp://www.fulipao.com/skin/ecms041/images/logo.jpg
hxxp://www.fulipao.com/skin/images/head_bg.gif
hxxp://www.fulipao.com/skin/js/common.js
hxxp://www.fulipao.com/skin/css/style.css
hxxp://www.fulipao.com/skin/images/tu.png
hxxp://www.fulipao.com/skin/youce.php
hxxp://www.fulipao.com/skin/js/jquery-1.8.2.min.js
hxxp://www.fulipao.com/skin/css/style_dao.css
hxxp://www.fulipao.com/sou.php?moban=3
hxxp://www.fulipao.com/skin/js/main.js

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /skin/css/style_dao.css HTTP/1.1

Accept: */*

Referer: hXXp://VVV.fulipao.com/skin/youce.php

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.fulipao.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 03 Sep 2015 22:31:53 GMT

Server: Apache

Last-Modified: Sun, 16 Aug 2015 21:24:22 GMT

ETag: "444aa7-ab2-51d744efa6d80"

Accept-Ranges: bytes

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 943

Connection: close

Content-Type: text/css

...........U.n.8..n.....JI.(.t....../0.P.p..c..L..y.=.!.'....($6..............}...R.........U3....w........}.[.)du....F.,I.R\R4>........^G.>q..SG....m...B..*k.'U...G..Z..U............R...pF...4g.N.. L...}..V.a},. 8......j.^.w.)t....B.*....S.F........P...........wV..g{.......w`Gj..}DLT....D.......4.H..Vr.UTJ..F..|.....,zn.....R..:."@.e.Q..Q/9.........:......}....u....`G...~...3D.).(.......!.o.....rP=,u..MU~...............N.k$d.hG.v.Kj....F.T...m.'..........j|A...C.@7.........O#..........'...P:....\.3g.t.$.....*#Iw.^..e./jKA..9....(.{..@nK.M.......h.m....(L./7...^...M>.z.v. =T'....=.o.1.,{.n^...~.@..vo....2t}.\...BJ.!..Y....r.LL}I.e&5Z..../`.=..,6E9T..t.........m>.CVw{..].:....2.o.2...........4.y...7.......]%..1...Jo...0.:A.L..$/K...nG.nE.v..-!UK.L....L..7]G.....".....t..V #'%.....pfj.f|..T ..d...5y.:..Z....U.r....5..n6..fAq..d...b.c.....90.....! .....W.q.....q...p*........9.,..k..7.s.s....~...b1..W..Tg.-......:@o.}N&3.x....{........

GET /skin/images/more.png HTTP/1.1

Accept: */*

Referer: hXXp://VVV.fulipao.com/skin/youce.php

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.fulipao.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 03 Sep 2015 22:31:55 GMT

Server: Apache

Last-Modified: Tue, 09 Jun 2015 00:57:22 GMT

ETag: "444ab3-c3f-5180b3dace080"

Accept-Ranges: bytes

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 3158

Connection: close

Content-Type: image/png

...........?....PNG........IHDR.............;..J....pHYs................MiCCPPhotoshop ICC profile..x..SwX...>..e.VB....l.."#....Y....a...@....V....HU....H....(.gA..Z.U\8.....}z............y.....&...j.9R.<:...OH......H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>..................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0...._p..H.......K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l.....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0..>.3.o..~..@...z..q.@......qanv.R....B1n..#......)..4.\,...X..P"M.y.R.D!......2......w....O.N....l.~.....X.v.@~.-......g42y.......@ ...........\...L....D..*.A..............a.D@.$.<.B........A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ...Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@.......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$....N.!%.2I.IkH.H-.S.>..i.L&..m....... ......O.......:...L..$R...J5e?....2B...Q.......:.ZIm.vP/S...4u.%...C..-....igi.h/.t.....E....k.......w......Hb(.k.{...../.L......T0.2..g...oUX*.*|.....:.V.~...TUsU?.y..T.U..^V}.FU.P.........U..6..RwR.P.Q_.._...c....F..H.Tc....!..2e.XB.rV..,k.Mb[...Lv...v/{LSCs.f.f.f..q.......9..J.!...{-.-?-..j.f.~.7.z...b.r......up.@.,..:m:.u..6.Q....u..>.c.y.........G.m..........704.6..l18c...c.k.i........h...h..I.'.&..g.5x.>f.o.b.4.e.k<abi2.......)..k.f....t...,.......9..k.a........E..J.6.....|...

<<< skipped >>>

GET /sou.php?moban=3 HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.fulipao.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 03 Sep 2015 22:31:52 GMT

Server: Apache

X-Powered-By: PHP/5.3.29

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 1618

Connection: close

Content-Type: text/html

...........X.o.V.....pw.P.p.'i.J,...J.Um.m.*..M.:v.o.....*MH........e!U..A..h..m.@[Ac...#Mc..E....9.....k7.Q.'.=_t.Fi.QQ...w.7#...g.f.o.iA.....@B .z.I3........s..4..F...........{....g..2.@.&.x.H..8.Q53............d4C...7G....8n.5J4...f.F.=.cJF(.........x*1...@.BU"N,/|.0qwkece......L....5.....{y/....^M..8.$....4....'."..$..p..2....e@...%K.i.q...........1F9!P...2...0...m^.]R....^^U..Q. ...l..IGU...F.Q....iB(F.b...b....`pL.....:{..L.9...L[O#.rTo:z.Y.8.z.v.........`v..C...,...*).1.$.*......U....H..QF....vm..y..&Y%....i.J......5...:.oO.<..7oB..L.<|D..... .)EL^.Sz` .B.@..JC... F. ...Q.. ..,a8Z..{4..w.....KO......_^z..1yw|..e@.....W..D4.".....5.0.C...b..*.P.&.FN.%.. 8fV..-..S..%RV..F%...G.a..?......F...G...k..DF.P......iQ=..{.iZ1O4A...(f..P%....*.'.Y...xI....,....*.).g.,&3......O...#.m.....bfUi.Q.5......zV2....Z.Y.b..(`....5.3.....:....^x7W...~x/W.. .n.......b....T.z0i3U...^..yx..).h...Pe.*I..Ggb7.44..a4$.9.FJYt |.t.V..0...C...V]....o.Q.F....>._|y.........W.3./.?....x.Mqw.j...e255M..j.{....'...S.g..n.k ?...H.......57q..C.l...i.K).%Y..Si...J......snn.v.gY.kp.(_...A.$....II..............`]]..........*..'N.".c..7w._M.Y_..C...N..HaQ.../.%....<........KM..\...a...^)......7..3.P...n.U...P..2...0.../....J....o..........[.s.....h....ru..._....@|8].l..\....!b.j.ZN............"\C......%@c...a.q...k......<.......#~R..S,.d..@F|.....{;3,....8.)...w...#>.8.=..s.....c_.Cv...|..`].......::}..B..u*.2......=....hm->........O.Y.....u=..q...Y.d...r..O;.z.}c.....?.a.....A2.............'.O.j.<x...........z.}.a.s"

<<< skipped >>>

GET /skin/youce_a.php HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.fulipao.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 03 Sep 2015 22:31:52 GMT

Server: Apache

X-Powered-By: PHP/5.3.29

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 405

Connection: close

Content-Type: text/html

..........m..n.0.....w`..(.NNq......n ........dI..9....e..m..b...~..?...j.iW~....[.w....w@(c...c.r.....n!KR(=7.Be....|$@.D.3..}./..kV..s`e.|.._8...l..M.xn...W8.j...S.."..D....o'.. ;kP....$.j.....Yp..j..$..a....X..B-...~...I....-.G..Pu].~E.|v.b.......Z........_H.#>.~.g..3....[.2.BH.=o%(Q... =...Vke...K ......$%./t$.d....al...M^..!..q!FX.B..6y..o....7R....4......>.x..q.T.e.We.`O.L\..v....f...7.._....Y.....

GET /skin/ecms041/images/logo.jpg HTTP/1.1

Accept: */*

Referer: hXXp://VVV.fulipao.com/sou.php?moban=3

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.fulipao.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 03 Sep 2015 22:31:54 GMT

Server: Apache

Last-Modified: Fri, 10 Jul 2015 06:36:40 GMT

ETag: "4440e9-2244-51a7f982fee00"

Accept-Ranges: bytes

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 8420

Connection: close

Content-Type: image/jpeg

...........ygT.Q.n..H.J....4QJB....t.)..Ho..H.U..i.B.t........Q. . ......o.......z~.......}.s.s9{........ !..H.....@.@MIIEIAMEEu..5...u:ZZ:vF& 37...........->q~..ay...R... ......$ed..1...k..h..._g......_.e;...0..'#...2..1.\v.@WqR......HH..)(.....^9..........QP.._.._....(.y.T).....<...R.....:X..1.2.=.^.a....q[PHXDTV........54..ut.M.<553..wptz..........@`.........................}.....o............`brjz.5......{}csk{.{px.;>...............p..........HH....@N. E..jHe...'.F...._.q._.....s..U@v.6.......F...... .....:2...G....N...Bi...Wg.rJ..<....0..o`c..L`U...F3j......s1$4...g.......;.._H..*g..,x....Z..#..g.../....NDQ.U....d.O. ...$....PU.....W...l.|...3..v.....?.a.Z5...4...J....gS..........i..B.....1Iq .....\..b.i...].y..G{...].5P.z....,.:.f,...A=j.5|F..{:W...7....F....|....:.....}.d.2.39JgUY...3_}...Z...r6.5.D.6i........v.j....K.Qc........U.....~o..._...3.....D..k...fg<<.>......|..h....o..y....1.-{.@......../.^..S.).E.h}%..!.r.Q..r...lJ\....c....[XT.`0...LW.F...........a'?..p.gx2.......J..2.z.m..p.W..M....7L2!:..p .S......x.......m..0......... m.X....u&;... .$...=}.W..,4.Y....}.O.[.5..=1<...........,J..{....@.[8....X....T....s...`....5.h[.0.6.......$?U...n..._..$.m...v.o..<.my.A...........|..;....*..`.[..6...4....y.x@.x..L..P..Rk.T.&V....Xa......,Q.q.,.*F..-..A....G..o..m.....(....T.._.\..;<.U?..8...%[....%.G.V..R.9..v..(.....=............*.0.=w.a.$.R...'....E.[...nU_.H".;.,zh...z..jC.-...I..{./>O.(.....K.k.....3D4uJ.P.,.............MI...%].....Y.%C....,...vl.c...qr.....&..".>

<<< skipped >>>

GET /skin/images/more.png HTTP/1.1

Accept: */*

Referer: hXXp://VVV.fulipao.com/skin/youce.php

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.fulipao.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 03 Sep 2015 22:31:55 GMT

Server: Apache

Last-Modified: Tue, 09 Jun 2015 00:57:22 GMT

ETag: "444ab3-c3f-5180b3dace080"

Accept-Ranges: bytes

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 3158

Connection: close

Content-Type: image/png

<<< skipped >>>

GET /skin/images/more.png HTTP/1.1

Accept: */*

Referer: hXXp://VVV.fulipao.com/skin/youce.php

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.fulipao.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 03 Sep 2015 22:31:55 GMT

Server: Apache

Last-Modified: Tue, 09 Jun 2015 00:57:22 GMT

ETag: "444ab3-c3f-5180b3dace080"

Accept-Ranges: bytes

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 3158

Connection: close

Content-Type: image/png

<<< skipped >>>

GET /skin/js/jquery-1.8.2.min.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.fulipao.com/sou.php?moban=3

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.fulipao.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 03 Sep 2015 22:31:52 GMT

Server: Apache

Last-Modified: Fri, 11 Oct 2013 02:09:50 GMT

ETag: "44415e-17243-4e86d9d00d780"

Accept-Ranges: bytes

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 33546

Connection: close

Content-Type: application/javascript

.............v.F.7..... .kd.....=.4(..\....m\.m.P..n$A.."...".Y.Y..6~.......9....D ........?.[..b..c.....,.....&..m.g.^...Xf.{J..a.[.....u.E...q/.'.]..{....qo.o..NJ...CU..j-&~'...q..>..%Q.KV...E.....q.{...x........*..^...^Vl.e....Yo./V.s?.P....\-so..g/xLo.{?....M.../.|A...b............6Y......v3<..b:.E.@%.'.gE.Q}.^'-.....U..e.#q.........W..g.e.I.e.~S.r....w..j...x..f..z......>....K/..u.k~.....0.^Z....,.Km.1g@..@2...g5S...pe^.p..VQ~........t..i.x.Lzy...t.A........XQ..,...S.@Y.....f.v...``.q.."..(q.6...wo.E.....V....h`K...)PP......e~...^......'....}[...v5..~...........;.....T6k..ev......|.k/..d..#m.x..Y..|s~......J^...`....*iK..xPS5S...2_Nw35W.Q6..U..j.Vj=..6.4..L.......7..q.....XR.i....jv...V...m..nS,...-..z..7..|.:...*9.F.q0(.[n}:.....{...Q9..m~Fie.....p.<.....y.[....bL.v.=G.W.Y...(.....<x.G...iA.t..&..p.-.....R.|4.]..~.n.<.(u5V ......:\.#.p...AB{..@.u......9..fC.{...d.[..d.ZP...%.a.......V..@-;..4Z..~..k.E?Ap8..u.hP.l.\..hb.&.....&..W.m.e....k.%..*0C...24>...............j..........t.P.........]....G..WyL...t...#4R..,....p05w~....m..N.J.n)..f.)':.......%...L..|.i..Z.k..c.C.k......0...=.0.......4..[....cgc&....b..t...l.........a%..1....e.t*fT>.B...F^.....#o....&......%Bvf.tRt.e...*.S....I.[...$.|.UIE..bgT...0..F....y..&..h{o{.2.}.F..~..M.eh)..Q6..x.Sz.s.`.....z.......@......$8....85=QS..h.....t5..hZMG.1...v...F.....l8.8.......oT.}...s. .@.$.$.WF3.@....^....:.}:*..2JB.....2P...|I.'....~.......Z6JCF.b.3..p....hmt.....4JT..u...KS....g....F...8..4..h`\!.._O.9M......<....{i...32..!.Pg..`.G'

<<< skipped >>>

GET /skin/images/more.png HTTP/1.1

Accept: */*

Referer: hXXp://VVV.fulipao.com/skin/youce.php

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.fulipao.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 03 Sep 2015 22:31:54 GMT

Server: Apache

Last-Modified: Tue, 09 Jun 2015 00:57:22 GMT

ETag: "444ab3-c3f-5180b3dace080"

Accept-Ranges: bytes

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 3158

Connection: close

Content-Type: image/png

<<< skipped >>>

GET /skin/js/common.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.fulipao.com/sou.php?moban=3

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.fulipao.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 03 Sep 2015 22:31:54 GMT

Server: Apache

Last-Modified: Mon, 17 Aug 2015 21:58:38 GMT

ETag: "44415c-1828-51d88e75ddf80"

Accept-Ranges: bytes

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 1745

Connection: close

Content-Type: application/javascript

...........X.S.f................3.....B...:!.-..&k..LeF[...8..*...2..>XE,............^..>..<.l....9.N.y...#...Plo..kw...._*.....?..\3g.T.^7....V0dA....b..|.K.R(hX..w.m....*.r^.U.AyE0JX.c.....<..U.e.L.r.i....uq....ZK..<.....uC..!cM....g...."....].\.(..}^.0..R...n...\.6.....sK...."..!7....p.8-.8....<.c.^..t.nY..h...l..dNM[.....>.WG/......./...^.....z.2.....x.....`.\.=d..b......Q.C.l....:.dC.|......f..2...........Y17....R.E9.....M.O]........_...6......hX0T......#.....P<.[.....<e.X.z../.......m...6..4,.0...u~s..G.C.D"..e^W..>....d.....SO ...q..B.s.A..I.@..].<9<D.......F<yn.........Rl~z. .`g......v2.H.........o....m.rZ...:..@S.wS..(.....H@7J.L./@@A.`.m.....2..#[..N...p....*..ium...6'..5.z{..;......M.A.[.......'>qf.|1.l(7..*?dz:D:.I..M`P.,93qf..........qh.....p...E.#VD...=/\.y....5;..I....b.:......fmm.[..Z..YS...[.$B.U/...K..w..j..=..='.>I..*.k...Q1......h....#..={X1.E%.4....../...C.s$.`%.]...... .cX.v.GY.b>.......sw...k...sV.E....lH......ZQ...#C.......N......A@...d.."..C..%L...f..)@h...cyQ C...0.f.D. ..v.4 .iX.....\.hd|.xz'..=.q."..2p..4j. ......I~..\...AR..Ic......KE...E_Ot}.Q..F...E__t}.Q..G.7.E.@t}.....]..(..D..LDj..Gh.6b>b.$#....O.r..C.E..ce..Z......t.#....IXj.L..5..#zN.s.....(=e.ak3.m..7...I....z(..B.!.1.6HH......A....1.....?.......O..z.G.....*.wk. [.^...G.O..6......k~.v!.1....>5Hy....M.<~.9..........Ek~...............CA...e....O..dA..vns.D..-.^/m...^.....i.^8b..S'R.u1.B.e2.>..."..G-r...K{[.../..J......`.R.B{.<.m.AF'.-....e...l....{..<m`u.Y......

<<< skipped >>>

GET /skin/images/tu.png HTTP/1.1

Accept: */*

Referer: hXXp://VVV.fulipao.com/skin/youce.php

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.fulipao.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 03 Sep 2015 22:31:54 GMT

Server: Apache

Last-Modified: Mon, 08 Jun 2015 08:45:24 GMT

ETag: "444ab6-b5a-517fda9a6d100"

Accept-Ranges: bytes

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 2929

Connection: close

Content-Type: image/png

...........Z....PNG........IHDR.............;..J....pHYs................MiCCPPhotoshop ICC profile..x..SwX...>..e.VB....l.."#....Y....a...@....V....HU....H....(.gA..Z.U\8.....}z............y.....&...j.9R.<:...OH......H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>..................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0...._p..H.......K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l.....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0..>.3.o..~..@...z..q.@......qanv.R....B1n..#......)..4.\,...X..P"M.y.R.D!......2......w....O.N....l.~.....X.v.@~.-......g42y.......@ ...........\...L....D..*.A..............a.D@.$.<.B........A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ...Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@.......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$....N.!%.2I.IkH.H-.S.>..i.L&..m....... ......O.......:...L..$R...J5e?....2B...Q.......:.ZIm.vP/S...4u.%...C..-....igi.h/.t.....E....k.......w......Hb(.k.{...../.L......T0.2..g...oUX*.*|.....:.V.~...TUsU?.y..T.U..^V}.FU.P.........U..6..RwR.P.Q_.._...c....F..H.Tc....!..2e.XB.rV..,k.Mb[...Lv...v/{LSCs.f.f.f..q.......9..J.!...{-.-?-..j.f.~.7.z...b.r......up.@.,..:m:.u..6.Q....u..>.c.y.........G.m..........704.6..l18c...c.k.i........h...h..I.'.&..g.5x.>f.o.b.4.e.k<abi2.......)..k.f....t...,.......9..k.a........E..J.6.....|...

<<< skipped >>>

GET /skin/css/style.css HTTP/1.1

Accept: */*

Referer: hXXp://VVV.fulipao.com/sou.php?moban=3

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.fulipao.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 03 Sep 2015 22:31:54 GMT

Server: Apache

Last-Modified: Mon, 17 Aug 2015 22:39:38 GMT

ETag: "4440bd-b86-51d8979fe7e80"

Accept-Ranges: bytes

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 1096

Connection: close

Content-Type: text/css

...........V]o.8.}...`.Zi[....db^...n..M..c..`.V.f.I&A...k....D...H....{.5?e%.-7.Mg.`.&y...=...W.Ae].k....~.*v.... \..\.r..3\j..T....N.....`.p'..X..h.s. ....=.K^....3F.X.Mg..;C5.........5...2&....=.>SRi.6.....T..&..&IivSh.......uZ.xrr**Z.....]..I!.wH..S...Q...1..K........V..4:. CKUQL.........:.......(JC..C...m.....(...9...m.3...5....z.i.%'...J.....h.C5.....*.Ti........k#2*..*..t.^.}...T.a..FC...dl$.@..l.8 ....%.."..gJS#T....HQ.XQR*..nA3#n.m...-...m.....p.:<...."..F......p..NZNuV^.j..\*j....3%....]R.q.....13.Y.5u...*.fC......`.m.....8...........Qx.cB..........T.>.t..z.....u..j4J.......#.. x............{S....o..`...........!.gggK.Gbnm..y...........@X....<..........*.......>:._..l.GYSZ.....w0...%....d......o``w[...\.......`.n...k.........A_........A..DIP..`T.2...g.....[D..a^....^....;k.;R......M.)...Y...&^...!.a....o............SK...6..M...J[k]..:z.is <....7...MX..4..m....Y.=......u.L.Y2.......<p...x..H.......&3.[..zhG....*m.pT....}..9c.t}_.I.......1..3...Z....S.jM{Re..*.yJ..\A...I.:........>..........{....q./.WW...u]]~q.K".{.D&.6@j...9.%c....g....a..Q....f.Y._v{M.. ..w^X...\.P6......

GET /skin/images/bg.png HTTP/1.1

Accept: */*

Referer: hXXp://VVV.fulipao.com/sou.php?moban=3

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.fulipao.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 03 Sep 2015 22:31:55 GMT

Server: Apache

Last-Modified: Mon, 17 Aug 2015 22:31:14 GMT

ETag: "44414e-5e1-51d895bf41080"

Accept-Ranges: bytes

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length:

GET /skin/js/jquery-1.4.2.min.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.fulipao.com/skin/youce.php

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.fulipao.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 03 Sep 2015 22:31:53 GMT

Server: Apache

Last-Modified: Fri, 05 Sep 2014 02:02:40 GMT

ETag: "444ab7-139a3-50247dd29f000"

Accept-Ranges: bytes

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 26732

Connection: close

Content-Type: application/javascript

............iw.F.0....?H._.-...... ..%...o..m(:O...q.Am&y..[Kw...e'3.9oN,........../~.J.w.....ig9.M.yp!V.m....a......O.....rq...ug..I:]>.....g..l<..q.[zb......b.....I:.Z.W......j1.tj......im.. ....-:.NM^.[.u.......n..{r..AW....y.zYg1./...;..x....k9...2.]...{:.....:.N....o^...'..6....v.M...7..dv..........3.f........Z..F....i.9.`....Yo/....%.i.&d..-|.....{..J. iem.'...'7PC......x.|p.?8.......beY....Q.U*..K.)..............a....Q........y..|..`.9.?Mo...e*j}^K....L.=Z..............X..l.' ..c.Zz..4...8...||.c....B..$$.-.>.....O....`.#..................3Xv.j..lx......,..X..G..>....\-......~..v.....be......$......~..j.K59>. 2..[.......j.......6.K(...@&...6...U6.G.,..,.."<.esj`R........f.s..E.3.ei.....u......S...`.......?...h.Pt.Wa...E.t.zh.i.....'Q?.^..XbT./..j.&..,....o...2N.u..>.f.......c.Z...u...}./.Hy.V..0....%..h.h&.zZ..j.....0]..G#.....H..n...4QV^\....P....=\d.5...!J.-.6z{&.v|....x.d^....0x..k..W.B..Jb`.~^.....z"O.........T..M.U.K...B...,.8.?j.....R...]..T'.T..0..........`..y.6....d.u......J[....r..p?...g...U..u.....G=.%^m"......B....5n..zd..M..Lo......H.X.....Q..$DI..)..l.....(.3E0..AZx...4.g..@Q....#..b8.{89P.g<...1.......Oa.............|.X.:..3:....v...l0.=.....LaN{..'....m...QG....._H..Z. s..q.P.|.u`s.rJ..GT..zb..x...G.......t.NR....g.....`.:.O.a....]........E:.X...p!.....g.._r.G.....3.....ap.2.6........./...7...u8..n.=.`.;....q.....L...2...f2........G.5..]...?.......C..u~s.k..D.>>i.>Z....I.vE<..o _..1..y.....z0.q....<.e.......U...!*k... ..!..c..."....z........GOD....x*.

<<< skipped >>>

GET /skin/js/main.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.fulipao.com/skin/youce.php

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.fulipao.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 03 Sep 2015 22:31:54 GMT

Server: Apache

Last-Modified: Tue, 09 Jun 2015 02:54:54 GMT

ETag: "444ab9-393-5180ce201db80"

Accept-Ranges: bytes

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 258

Connection: close

Content-Type: application/javascript

............... ...u.....nX[.n.. ...E..[.....E.,...}.9.?.~.Gx_...Rar.|.#.!M9. )`a!....a.z.EM!4.,...i........2....N..?.{.2.>.U.X..@.C=./6....}!2....D...3e..w.|..85E.l^.`...4..N`q...."Ev....J..s...... ..={.o2n.a..i.....Q.....H~?...y....mY..i.zu.{G..K.....[......

GET /skin/youce.php HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://VVV.fulipao.com/skin/youce_a.php

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.fulipao.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 03 Sep 2015 22:31:52 GMT

Server: Apache

X-Powered-By: PHP/5.3.29

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 1349

Connection: close

Content-Type: text/html

............mS.H.._..~.\...D..p..P;....un...WN..`.X..|g..pV..UG9....u.=.."_...oq...8...z./.....O...n\...2....=...........8L.....>.0#......k..Q.,..`$...s.g....4.=.LMMY...H.1....H!......[.......R.ig...g)(...l.%o...M....s%q...`.......C..Q*..?..'..p$,.a.....i...s........|..*..;&.Y.hF.E...PQ^p..4-.b..%..P...>Q..@..s.......s...@..i..(..V.1....(....cO.E!..rq....=r&.............eh.G........`.....P....!..-6.c..-6..3MQ..}.t.G..\...... S..)xz..]......p\.6`........r.......:..Q.z. /..........R.....'........V{U.s.p.DYO...,..k.....Vf.x.....t.....pc....P *.O..[......tsbt[.....g.ja..(.1f...`... .".1...M.l .2.........M=`.0-G6.(...9..TK......4.Z.|.H....z..4n..A...v.~Qr...Op}W......V.R..g.q~0.t....9..dh.].._..9.&.........{..&1L.p.9%.<...b.=..;....l......[..s..)4.H............&5.jN.............0.@....I(Q.;.j...^(.D......o5...n...H....uz.YMo..FO........>..z.2.m..$....v...q.\=81S.*.j..m.*...0vW*....-J..m/.....\X.....q[v...\...-..@1..<.../_...&.B.....y...Kd....e.w.._..l.......m,...4Fab...F\L.....Z.C....Q..P...6.I..:p....0.w~......v...W....u........o.(.9.d.d.h9.....;0_"..:.3..LVN...a*J..:1....AS....Z...9......H.g..../....J...9B......u..i,.v.%ey.ti#..LA....h.3Xz_.V.rB.....\....b........[e4...\[J..9x..dgQ....n...'6..c..W...%.\......@.,Hf/G....mu!om.......o....M.........[.?Uh......R....D_48!....s..~.....M............ k....qQ.L..c...w..&ES..W=....?...Z......

<<< skipped >>>

GET /skin/images/head_bg.gif HTTP/1.1

Accept: */*

Referer: hXXp://VVV.fulipao.com/sou.php?moban=3

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.fulipao.com

Connection: Keep-Alive

HTTP/1.1 404 Not Found

Date: Thu, 03 Sep 2015 22:31:55 GMT

Server: Apache

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 256

Connection: close

Content-Type: text/html; charset=iso-8859-1

..........U.AO.0.....fg...1..k'&.1....e..D..H\..{...v....g...u..o xn^j......fw...Y!.My.<.s.j3 2.....I.X.....|....r.U./b&p2..Sc../.yb..S.h.O_..&....0|....-....o....,...8&.8..M.@..|..4...2l..]7....d.y..."{....[..t..Gc[`.C ...d..a..r...*..".....xS.L....?.T.....

GET /soft/fulipao_banben.php HTTP/1.1

Referer: hXXp://VVV.lesouwuguojie.com/soft/fulipao_banben.php

Accept: */*

Accept-Language: zh-cn

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Host: VVV.lesouwuguojie.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Thu, 03 Sep 2015 22:31:51 GMT

Server: Apache

X-Powered-By: PHP/5.3.29

Vary: Accept-Encoding

Content-Length: 1607

Connection: close

Content-Type: text/html

........1.1|||............hXXp://VVV.lesouwuguojie.com/soft/lesou.zip|||............hXXp://pan.baidu.com/s/1o6GELnG|||............BT_id......v2.63.exe|||..ap..cangjiao1588216@163.com|||........hXXp://38.103.161.182/|||..po..hXXp://b.v3p.co/|||..........hXXp://VVV.fulipao.com/|||..henhenlu..hXXp://VVV.henhenpa.us/|||..mysql..148.163.3.212|||........|||........1000|||........hXXp://VVV.youtu888.com/#tui|||............http://VVV.lesouwuguojie.com/#tui|||..chaopeng..hXXp://men70.com/|||.............. .............................. 1.......................BT....8000......24.......................................... 2............................................................. 3.......................................pptv..........CNTV............................................ 4.....VIP........VIP......VIP..................VIP........VIP.......................................... 5.......................................MP3............................QQ........ 6........................................... 7................................................................................. 8..................................................... N.........................2.2.......... .. 1....................................... 2............... 3.....av.................................. 4............................... 5.........BUG....2.3.......... 1.....3.......................... 2................................... 3.........bug.... 4...............................2.5.......... 1.......bt2........

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_660:

.text

`.rdata

@.data

.rsrc

.aspack

.adata

t%SVh

t$(SSh

|$D.tm

huDP

~%UVW

u$SShe

wininet.dll

kernel32.dll

advapi32.dll

ole32.dll

user32.dll

Kernel32.dll

shlwapi.dll

HttpOpenRequestA

HttpSendRequestA

HttpQueryInfoA

EnumWindows

MsgWaitForMultipleObjects

CreateIoCompletionPort

{B6F7542F-B8FE-46a8-9605-98856A687097}

WebBrowser

b@hXXp://

\\hXXp://

4@alipay.com

pay/115.php

pay/115.php?

hXXp://115.com/lixian/?ct=lixian&ac=add_task_url

hXXp://115.com/?tab=offline&mode=wangpan

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

http=

https

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

hXXps://

%S4WD

hg%fpM

S.Ac9SR

0.I%3s

,wAe.kI

aiUy'4xu

%c*@j

.eH'y

{&%U)

lj%4U

xe%CNs

9F.cLe

hJK.ZH

O.qt0

KERNEL32.DLL

COMCTL32.dll

GDI32.dll

MSIMG32.dll

MSVCRT.dll

MSVFW32.dll

USER32.dll

SkinH_EL.dll

%Program Files%\Windowsid\id.id

hXXp://VVV.2345.com/?kweige

X-X-X-X-X-X

SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\%s\Connection

\\.\PhysicalDrive%u

hXXp://hao123.7654.com/?app_key=%s&tt=%u

%s_%u

%s,%s,6llX

startup_urls

Google\Chrome\User Data\Default\Preferences

user_pref("browser.startup.homepage", "%s");

user.js

Profile%u

profiles.ini

Mozilla\Firefox

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe

SOFTWARE\Clients\StartMenuInternet\Google Chrome\shell\open\command

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

SOFTWARE\Clients\StartMenuInternet\Firefox.exe\shell\open\command

Applications\firefox.exe\shell\open\command

Internet Explorer\iexplore.exe

Function not supported

Broken pipe

Inappropriate I/O control operation

Operation not permitted

KERNEL32.dll

RegOpenKeyExA

RegCloseKey

ADVAPI32.dll

SHELL32.dll

SHLWAPI.dll

IPHLPAPI.DLL

GdiplusShutdown

gdiplus.dll

$gp.ub

hXXp://VVV.usertrust.com1

1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl05

hXXp://ocsp.usertrust.com0

2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,

/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0D

hXXps://VVV.verisign.com/rpa0

hXXp://ocsp.verisign.com0;

/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0

hXXps://VVV.verisign.com/cps0*

#hXXp://logo.verisign.com/vslogo.gif04

#hXXp://crl.verisign.com/pca3-g5.crl04

hXXp://ocsp.verisign.com0

hXXp://VVV.7654.com/0

%Program Files%\Windowsid\hao123_7654_20392.exe

@/shouye-3.html

pep.ini

XLPZk.mRsK

seed = parseInt(seed, 10).toString(16); // to hex str

if (reqWidth

return seed.slice(seed.length - reqWidth);

if (reqWidth > seed.length) { // so short we pad

return Array(1 (reqWidth - seed.length)).join('0') seed;

if (!this.php_js) {

this.php_js = {};

if (!this.php_js.uniqidSeed) { // init seed with big random int

this.php_js.uniqidSeed = Math.floor(Math.random() * 0x75bcd15);

this.php_js.uniqidSeed ;

retId = formatSeed(parseInt(new Date().getTime() / 1000, 10), 8);

retId = formatSeed(this.php_js.uniqidSeed, 5); // add seed hex string

retId = (Math.random() * 10).toFixed(8).toString();

hXXp://passport.115.com/?ct=login&ac=ajax&is_ssl=1

&login[time]=1&goto=http://115.com&login[country]=

&login[ssovcode]=

&login[ssopw]=

&login[ssoln]=

hXXp://115.com/?mode=wangpan

hXXp://115.com/?ct=offline&ac=space&_=1420374241470

ji.ini

/yonghu.php?api_ming=

/pep.ini

hXXp://VVV.lesouwuguojie.com/jiqing

%u y2

0.du./

.K.cW

}.Dkn

OkC.xL

hXXp://VVV.fulipao.com/sou.php?moban=3

hXXp://VVV.fulipao.com

/skin/youce_a.php

Adobe Photoshop CS3 Windows

2010:12:04 00:55:19

urlTEXT

MsgeTEXT

hXXp://ns.adobe.com/xap/1.0/

" id="W5M0MpCehiHzreSzNTczkc9d"?>

IEC hXXp://VVV.iec.ch

.IEC 61966-2.1 Default RGB colour space - sRGB

CRT curv

hXXp://VVV.lesouwuguojie.com/soft/fulipao_banben.php

hXXp://VVV.youtu888.com/soft/fulipao_banben.php

hXXp://VVV.youtu88888.com/soft/fulipao_banben.php

favicon.ico

hXXp://VVV.yuanlai.com/

\lesou.zip

update1.bat

lesou.zip

@ExecuteStatement

hXXp://evip.sinaapp.com/wangpan.php

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

Y@.Config

1970-01-01 08:00:00

1970-01-01 00:00:00

0gz.cn/FS

DownUrl

!BT.Config

115.com/file

hXXp://pv.sohu.com/cityjson?ie=gb2312

hXXp://int.dpool.sina.com.cn/iplookup/iplookup.php?format=js&ip=

115.com

hXXp://get115.sinaapp.com/ed/index.php?pick_code=

hXXp://pro.api.115.com/default/index.php

hXXp://get115.sinaapp.com/ed/index.php?ct=1

"Url":"(.*?)",

2,147,483,647

pan.baidu.com

kuaipan.cn

kuaipan.com.cn

kuai.xunlei.com

kupan.cc/

hXXp://pan.baidu.com/netdisk/singlepublic?fid=

server_filename\\":\\"(.*?)\\",\\"s3_handle\\":\\"(http:.*?)"

hXXp://VVV.kuaipan.com.cn/file/id_

hXXp://VVV.kuaipan.com.cn/file/

hXXp://kuai.xunlei.com/d/

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727)

.html

hXXp://dx.kupan.cc//ukupanccfile/userdir/

hXXp://wtll.kupan.cc//ukupanccfile/userdir/

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; 360SE)

MSXML2.ServerXMLHTTP

WinHttp.WinHttpRequest.5.1

Microsoft.XMLHTTP

MSXML2.XMLHTTP

VBScript.RegExp

ls.cu

2010:12:19 02:00:04

" id="W5M0MpCehiHzreSzNTczkc9d"?>

2010:12:19 02:01:02

" id="W5M0MpCehiHzreSzNTczkc9d"?>

2010:12:19 02:26:20

" id="W5M0MpCehiHzreSzNTczkc9d"?>

2010:12:19 00:51:58

" id="W5M0MpCehiHzreSzNTczkc9d"?>

2010:12:19 00:54:57

" id="W5M0MpCehiHzreSzNTczkc9d"?>

2010:12:19 00:57:13

" id="W5M0MpCehiHzreSzNTczkc9d"?>

2010:11:28 23:25:17

" id="W5M0MpCehiHzreSzNTczkc9d"?>

%d&&'

123456789

00003333

1.2.18

F%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

MSH_SCROLL_LINES_MSG

MSWHEEL_ROLLMSG

__MSVCRT_HEAP_SELECT

AVIFIL32.dll

RASAPI32.dll

iphlpapi.dll

MPR.dll

WINMM.dll

WS2_32.dll

VERSION.dll

GetProcessHeap

WinExec

GetWindowsDirectoryA

GetCPInfo

GetKeyState

SetWindowsHookExA

UnhookWindowsHookEx

EnumChildWindows

RegisterHotKey

UnregisterHotKey

CreateDialogIndirectParamA

GetViewportOrgEx

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

WINSPOOL.DRV

comdlg32.dll

RegCreateKeyA

RegCreateKeyExA

ShellExecuteA

OLEAUT32.dll

oledlg.dll

DeleteUrlCacheEntry

FindNextUrlCacheEntryA

FindFirstUrlCacheEntryA

InternetCrackUrlA

InternetCanonicalizeUrlA

WININET.dll

.PAVCException@@

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

.PAVCFileException@@

: %d]

(*.*)|*.*||

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|PNG

(*.PNG)|*.PNG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

.PAVCNotSupportedException@@

out.prn

(*.prn)|*.prn|

%d.%d

%d/%d

1.6.9

unsupported zlib version

png_read_image: unsupported transformation

%d / %d

Bogus message code %d

libpng error: %s

libpng warning: %s

1.1.3

bad keyword

libpng does not support gamma background rgb_to_gray

Palette is NULL in indexed image

(%d-%d):

%ld%c

VVV.dywt.com.cn-MenuEx-Mask

VVV.dywt.com.cn-MenuEx-OldProc

VVV.dywt.com.cn-MenuEx-MenuShown

VVV.dywt.com.cn-MenuEx-ActiveBarItem

(*.avi)|*.avi

RICHED32.DLL

RICHED20.DLL

WPFT532.CNV

WPFT632.CNV

EXCEL32.CNV

write32.wpc

Windows Write

mswrd632.wpc

Word for Windows 6.0

wword5.cnv

Word for Windows 5.0

mswrd832.cnv

mswrd632.cnv

Word 6.0/95 for Windows & Macintosh

html32.cnv

operator

keywords

HTTP/1.0

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

VVV.dywt.com.cn

index.dat

desktop.ini

%d%d%d

rundll32.exe shell32.dll,

.PAVCOleException@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCOleDispatchException@@

.PAVCArchiveException@@

zcÃ

c:\%original file name%.exe

#include "l.chs\afxres.rc" // Standard components

The procedure entry point %s could not be located in the dynamic link library %s

The ordinal %u could not be located in the dynamic link library %s

msvfw32.dll

avifil32.dll

rasapi32.dll

winmm.dll

ws2_32.dll

gdi32.dll

msimg32.dll

winspool.drv

shell32.dll

oleaut32.dll

comctl32.dll

!"7$#7"!

3//22//0

222222222252

1, 0, 6, 6

- Skin.dll

(*.*)

1.0.0.0

(hXXp://VVV.eyuyan.com)

%original file name%.exe_660_rwx_00680000_00002000:

kernel32.dll

user32.dll

The procedure entry point %s could not be located in the dynamic link library %s

The ordinal %u could not be located in the dynamic link library %s

msvfw32.dll

avifil32.dll

rasapi32.dll

winmm.dll

ws2_32.dll

gdi32.dll

msimg32.dll

winspool.drv

comdlg32.dll

advapi32.dll

shell32.dll

ole32.dll

oleaut32.dll

comctl32.dll

oledlg.dll

wininet.dll

RegCreateKeyExA

InternetCanonicalizeUrlA

1.0.0.0

(hXXp://VVV.eyuyan.com)

%original file name%.exe_660_rwx_10000000_0003E000:

`.rsrc

L$(h%f

SSh0j

msctls_hotkey32

TVCLHotKey

THotKey

\skinh.she

}uo,x6l5k%x-l h

9p%s m)t4`#b

e"m?c&y1`Ã

SetViewportOrgEx

SetViewportExtEx

SetWindowsHookExA

UnhookWindowsHookEx

EnumThreadWindows

EnumChildWindows

`c%US.4/

!#$

.text

`.rdata

@.data

.rsrc

@.UPX0

`.UPX1

`.reloc

hJK.ZH

O.qt0

KERNEL32.DLL

COMCTL32.dll

GDI32.dll

MSIMG32.dll

MSVCRT.dll

MSVFW32.dll

USER32.dll

SkinH_EL.dll

1, 0, 6, 6

- Skin.dll