Trojan.Win32.Fsysna.axws (Kaspersky), Trojan.GenericKD.2516841 (B) (Emsisoft), Trojan.GenericKD.2516841 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 064d77d58fae967ff1355f273e54eabb
SHA1: 392ffe32af04f6495c92a2a10fdc3d941fea5806
SHA256: 978598e68d4179a7fe03bfc8eaa7ebde8425b65105d24acca00b8b4c0faafa2a
SSDeep: 49152:T96cerrBSnQYGnwykD/v0cfKYjsRutGoTXvda4TdNAEn7cjOaFjZ8VVIFE4aqKS:wrrwnQPwyI/v0Way
Size: 2547712 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2014-10-24 15:50:08
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:928
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:928 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\winlogon.exe (7386 bytes)
Registry activity
The process %original file name%.exe:928 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 09 01 24 36 74 42 BA 92 64 8E EF 8F 60 ED 57"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
Dropped PE files
MD5 | File path |
---|---|
d2674d35cfc3afe2be0e12869392c1b2 | c:\WINDOWS\winlogon.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:928
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\winlogon.exe (7386 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
Company Name: ???
Product Name: ???????????V5.0
Product Version: 1.0.0.0
Legal Copyright: ???????????V5.0
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ???????
Comments: ???????????V5.0
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 987339 | 991232 | 4.4118 | 3bc12589397eb05b34715495866dfe8d |
.rdata | 995328 | 1462098 | 1462272 | 4.47932 | c284adc9f7fc8b30e7e1ed10d2524a59 |
.data | 2457600 | 267690 | 65536 | 3.54521 | d34df20ba756b03586ae36dc6cb776ac |
.rsrc | 2727936 | 23824 | 24576 | 3.65377 | b67f0a0ef83a5a994dca5dac3c6c014e |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://www.yy.com/ | 113.107.236.195 |
hi.baidu.com | 180.76.2.41 |
lgn.yy.com | 120.132.133.53 |
aq.yy.com | 113.108.228.234 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.yy.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 13 Jul 2015 12:35:27 GMT
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
P3P: CP="NON DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONa HISa TELa OTPa OUR UNRa IND UNI COM NAV INT DEM CNT PRE LOC"
Content-Language: en-US
Expires: Mon, 13 Jul 2015 12:35:57 GMT
Cache-Control: max-age=30
Content-Encoding: gzip
47b7 [chunked, gzip-compressed HTML response body: binary data not reproduced]
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_928:
.text
`.rdata
@.data
.rsrc
t%SVh
t$(SSh
|$D.tm
~%UVW
u$SShe
kernel32.dll
ole32.dll
winmm.dll
wininet.dll
ws2_32.dll
WinINet.dll
shlwapi.dll
User32.dll
user32.dll
gdiplus.dll
advapi32.dll
rasapi32.dll
Wininet.dll
urlmon.dll
psapi.dll
shell32.dll
OLEACC.DLL
gdi32.dll
MsgWaitForMultipleObjects
GetWindowsDirectoryA
HttpAddRequestHeadersA
GdiplusShutdown
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
keybd_event
RegCloseKey
RegCreateKeyA
RegOpenKeyA
UrlMkSetSessionOption
GetProcessHeap
RegEnumKeyA
RegFlushKey
RegOpenKeyExA
RegCreateKeyExA
RegDeleteKeyA
ShellExecuteA
WinExec
%System%\ntdll.dll
%System%\kernel32.dll
%System%\USER32.dll
%System%\GDI32.dll
%System%\ADVAPI32.dll
%System%\RPCRT4.dll
%System%\Secur32.dll
%System%\IMM32.DLL
%System%\LPK.DLL
%System%\USP10.dll
%System%\WINMM.dll
%System%\comdlg32.dll
%System%\msvcrt.dll
%System%\SHLWAPI.dll
%System%\SHELL32.dll
%System%\WINSPOOL.DRV
%System%\ole32.dll
%System%\OLEPRO32.DLL
%System%\OLEAUT32.dll
%System%\WS2_32.dll
%System%\WS2HELP.dll
%System%\uxtheme.dll
%System%\MSIMG32.dll
%System%\MSVCP60.dll
%System%\WININET.dll
%System%\CRYPT32.dll
%System%\MSASN1.dll
%System%\PSAPI.DLL
%System%\VERSION.dll
%System%\urlmon.dll
Web.dll
hXXp://VVV.yy.com/
hXXp://wpa.qq.com/msgrd?v=3&uin=1152259123
software\microsoft\windows\CurrentVersion\Run\
hXXp://hi.baidu.com/dthtkjmcmpejkle/item/dc19bbe50299ca0a5a7cfb27
Winmm.dll
dsound.dll
@ping 127.0.0.1 -n
\*.*"
@ping 127.0.0.1 -n 1 >nul
del 123.bat
\123.bat
\TEMP.TMP
{Reg}((?:src=)['"]?).*?\.js['"]
{Reg}((?:hXXp://)['"]?).*?\.swf
{Reg}((?:url\()|(?:src=)['"]?).*?\.[jpg|gif|png]{3}
http=
scripting.FileSystemObject
bbs.125.la_Cookie
hXXps://
hXXp://
Adodb.Stream
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.1
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
del C:\123.bat
\Restart.bat
(*.*)|*.*
(*.txt)|*.txt|
HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating\.Current
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
Software\Microsoft\Windows\CurrentVersion\Internet Settings\proxyserver
Software\Microsoft\Windows\CurrentVersion\Internet Settings\proxyenable
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
\data\Config.ini
;http=
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT6.1)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT6.0)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT5.2)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT5.1)
>Mozilla/5.0 (compatible) AppleWebKit/534.21 (KHTML, like Gecko) Chrome/11.0.682.0 Safari/534.21
>Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Mozilla/5.0(iPad; U; CPU iPhone OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B314 Safari/531.21.10
Mozilla/5.0 (iPhone; U; CPU OS 4_2_1 like Mac OS X) AppleWebKit/532.9 (KHTML, like Gecko) Version/5.0.3 Mobile/8B5097d Safari/6531.22.7
Mozilla/5.0 (Linux; U; Android 2.3.3; zh-tw; HTC_Pyramid Build/GRI40) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Opera/9.80 (compatible; U) Presto/2.7.39 Version/11.00
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12)Gecko/20080219 Firefox/2.0.0.12 Navigator/9.0.0.6
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_7) AppleWebKit/534.16 (KHTML, like Gecko) Version/5.0.3 Safari/533.19.4
{25336920-03F9-11CF-8FD0-00AA00686F13}
document.all.retjs.innerText=
hXXps://aq.yy.com/loginOut.do
hXXps://aq.yy.com/p/wklogin.do
&denyCallbackURL=hXXps://aq.yy.com/p/logincbk.do?cancel=1&regCallbackURL=hXXps://aq.yy.com/welcome.do&UIStyle=xelogin&rdm=0.26365254551226436
hXXps://lgn.yy.com/lgn/oauth/authorize.do?oauth_token=
hXXps://lgn.yy.com/lgn/oauth/x/s/login_asyn.do
&denyCallbackURL=https://aq.yy.com/p/logincbk.do?cancel=1&UIStyle=xelogin&appid=1
&password=
callbackURL
yy.com
VVV.yy.com
wyy.com
v1.0.1
hXXp://hi.baidu.com/tyjsz/item/0c087c4d03a2d387823ae162
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
https
hXXp://hi.baidu.com/onukxtwlnubgpz/item/eaadd32b867e0444087508e6
hXXp://hi.baidu.com/uczlldnyeubmnue/item/288ca03af758d9cdb80c030d
hXXp://hi.baidu.com/onukxtwlnubgpz/item/c8a74505a219af8d73e676d6
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Microsoft.XMLDOM
adodb.stream
javascript:document.onsdragstart=document.onselectstart=document.oncontextmenu=function(){return true}
javascript:document.onselectstart = document.oncontextmenu = document.onmousedown = document.onkeydown = function(){return true;};
var jie = document.createStyleSheet();jie.addRule('html','overflow:hidden;');
text|password|file
comdlg32.dll
{557CF400-1A04-11D3-9A73-0000F81EF32E}
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{557CF402-1A04-11D3-9A73-0000F81EF32E}
{557CF405-1A04-11D3-9A73-0000F81EF32E}
{557CF406-1A04-11D3-9A73-0000F81EF32E}
WarnOnHTTPSToHTTPRedirect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
VBScript.RegExp
application/x-www-form-urlencoded
WinHttp.WinHttpRequest.5.1
SetClientCertificate
Set fso = CreateObject("Scripting.FileSystemObject")
fso.DeleteFile("
sc.vbs")
\sc.vbs
sc.vbs
sc.bat"
sc.bat
del Restart.bat
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
RASAPI32.dll
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
KERNEL32.dll
GetKeyState
USER32.dll
GetViewportOrgEx
GDI32.dll
WINSPOOL.DRV
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
COMCTL32.dll
oledlg.dll
WSOCK32.dll
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
GetCPInfo
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
(*.htm;*.html)|*.htm;*.html
its:%s::%s
HTTP/1.0
%s
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
zcÃ
#include "l.chs\afxres.rc" // Standard components
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX%WinDir%\winlogon.exe
FlashPlayerApp.exe
SysWOW64\FlashPlayerApp.exe
FlashPlayerCPLApp.cpl
1152259123
11601235
11522598/11522598
.aGeAr
-l.mc
hIh.bb
7".Af
VVV.dywt.com.cn
c:\%original file name%.exe
246813579
(*.*)
1.0.0.0
winlogon.exe_968:
.text
`.rdata
@.data
.rsrc
t%SVh
t$(SSh
|$D.tm
~%UVW
u$SShe
kernel32.dll
ole32.dll
winmm.dll
wininet.dll
ws2_32.dll
WinINet.dll
shlwapi.dll
User32.dll
user32.dll
gdiplus.dll
advapi32.dll
rasapi32.dll
Wininet.dll
urlmon.dll
psapi.dll
shell32.dll
OLEACC.DLL
gdi32.dll
MsgWaitForMultipleObjects
GetWindowsDirectoryA
HttpAddRequestHeadersA
GdiplusShutdown
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
keybd_event
RegCloseKey
RegCreateKeyA
RegOpenKeyA
UrlMkSetSessionOption
GetProcessHeap
RegEnumKeyA
RegFlushKey
RegOpenKeyExA
RegCreateKeyExA
RegDeleteKeyA
ShellExecuteA
WinExec
%System%\ntdll.dll
%System%\kernel32.dll
%System%\USER32.dll
%System%\GDI32.dll
%System%\ADVAPI32.dll
%System%\RPCRT4.dll
%System%\Secur32.dll
%System%\IMM32.DLL
%System%\LPK.DLL
%System%\USP10.dll
%System%\WINMM.dll
%System%\comdlg32.dll
%System%\msvcrt.dll
%System%\SHLWAPI.dll
%System%\SHELL32.dll
%System%\WINSPOOL.DRV
%System%\ole32.dll
%System%\OLEPRO32.DLL
%System%\OLEAUT32.dll
%System%\WS2_32.dll
%System%\WS2HELP.dll
%System%\uxtheme.dll
%System%\MSIMG32.dll
%System%\MSVCP60.dll
%System%\WININET.dll
%System%\CRYPT32.dll
%System%\MSASN1.dll
%System%\PSAPI.DLL
%System%\VERSION.dll
%System%\urlmon.dll
Web.dll
software\microsoft\windows\CurrentVersion\Run\
hXXp://hi.baidu.com/dthtkjmcmpejkle/item/dc19bbe50299ca0a5a7cfb27
hXXp://VVV.yy.com/
Winmm.dll
dsound.dll
@ping 127.0.0.1 -n
\*.*"
@ping 127.0.0.1 -n 1 >nul
del 123.bat
\123.bat
\TEMP.TMP
{Reg}((?:src=)['"]?).*?\.js['"]
{Reg}((?:hXXp://)['"]?).*?\.swf
{Reg}((?:url\()|(?:src=)['"]?).*?\.[jpg|gif|png]{3}
http=
scripting.FileSystemObject
bbs.125.la_Cookie
hXXps://
hXXp://
Adodb.Stream
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.1
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
del C:\123.bat
\Restart.bat
(*.*)|*.*
(*.txt)|*.txt|
HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating\.Current
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
Software\Microsoft\Windows\CurrentVersion\Internet Settings\proxyserver
Software\Microsoft\Windows\CurrentVersion\Internet Settings\proxyenable
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
\data\Config.ini
;http=
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT6.1)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT6.0)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT5.2)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT5.1)
>Mozilla/5.0 (compatible) AppleWebKit/534.21 (KHTML, like Gecko) Chrome/11.0.682.0 Safari/534.21
>Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Mozilla/5.0(iPad; U; CPU iPhone OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B314 Safari/531.21.10
Mozilla/5.0 (iPhone; U; CPU OS 4_2_1 like Mac OS X) AppleWebKit/532.9 (KHTML, like Gecko) Version/5.0.3 Mobile/8B5097d Safari/6531.22.7
Mozilla/5.0 (Linux; U; Android 2.3.3; zh-tw; HTC_Pyramid Build/GRI40) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Opera/9.80 (compatible; U) Presto/2.7.39 Version/11.00
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12)Gecko/20080219 Firefox/2.0.0.12 Navigator/9.0.0.6
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_7) AppleWebKit/534.16 (KHTML, like Gecko) Version/5.0.3 Safari/533.19.4
{25336920-03F9-11CF-8FD0-00AA00686F13}
document.all.retjs.innerText=
hXXps://aq.yy.com/loginOut.do
hXXps://aq.yy.com/p/wklogin.do
&denyCallbackURL=hXXps://aq.yy.com/p/logincbk.do?cancel=1&regCallbackURL=hXXps://aq.yy.com/welcome.do&UIStyle=xelogin&rdm=0.26365254551226436
hXXps://lgn.yy.com/lgn/oauth/authorize.do?oauth_token=
hXXps://lgn.yy.com/lgn/oauth/x/s/login_asyn.do
&denyCallbackURL=https://aq.yy.com/p/logincbk.do?cancel=1&UIStyle=xelogin&appid=1
&password=
callbackURL
yy.com
VVV.yy.com
wyy.com
v1.0.1
hXXp://hi.baidu.com/tyjsz/item/0c087c4d03a2d387823ae162
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
https
hXXp://hi.baidu.com/onukxtwlnubgpz/item/eaadd32b867e0444087508e6
hXXp://hi.baidu.com/uczlldnyeubmnue/item/288ca03af758d9cdb80c030d
hXXp://hi.baidu.com/onukxtwlnubgpz/item/c8a74505a219af8d73e676d6
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Microsoft.XMLDOM
adodb.stream
javascript:document.onsdragstart=document.onselectstart=document.oncontextmenu=function(){return true}
javascript:document.onselectstart = document.oncontextmenu = document.onmousedown = document.onkeydown = function(){return true;};
var jie = document.createStyleSheet();jie.addRule('html','overflow:hidden;');
text|password|file
comdlg32.dll
{557CF400-1A04-11D3-9A73-0000F81EF32E}
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{557CF402-1A04-11D3-9A73-0000F81EF32E}
{557CF405-1A04-11D3-9A73-0000F81EF32E}
{557CF406-1A04-11D3-9A73-0000F81EF32E}
WarnOnHTTPSToHTTPRedirect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
VBScript.RegExp
VBScript.RegExp
application/x-www-form-urlencoded
application/x-www-form-urlencoded
WinHttp.WinHttpRequest.5.1
WinHttp.WinHttpRequest.5.1
SetClientCertificate
SetClientCertificate
Set fso = CreateObject("Scripting.FileSystemObject")
Set fso = CreateObject("Scripting.FileSystemObject")
fso.DeleteFile("
fso.DeleteFile("
sc.vbs")
sc.vbs")
\sc.vbs
\sc.vbs
sc.vbs
sc.vbs
sc.bat"
sc.bat"
sc.bat
sc.bat
del Restart.bat
del Restart.bat
F%*.*f
F%*.*f
CNotSupportedException
CNotSupportedException
commctrl_DragListMsg
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
Afx:%x:%x
COMCTL32.DLL
COMCTL32.DLL
CCmdTarget
CCmdTarget
__MSVCRT_HEAP_SELECT
__MSVCRT_HEAP_SELECT
RASAPI32.dll
RASAPI32.dll
iphlpapi.dll
iphlpapi.dll
SHLWAPI.dll
SHLWAPI.dll
MPR.dll
MPR.dll
WINMM.dll
WINMM.dll
WS2_32.dll
WS2_32.dll
VERSION.dll
VERSION.dll
KERNEL32.dll
KERNEL32.dll
GetKeyState
GetKeyState
USER32.dll
USER32.dll
GetViewportOrgEx
GetViewportOrgEx
GDI32.dll
GDI32.dll
WINSPOOL.DRV
WINSPOOL.DRV
ADVAPI32.dll
ADVAPI32.dll
SHELL32.dll
SHELL32.dll
OLEAUT32.dll
OLEAUT32.dll
COMCTL32.dll
COMCTL32.dll
oledlg.dll
oledlg.dll
WSOCK32.dll
WSOCK32.dll
InternetCrackUrlA
InternetCrackUrlA
InternetCanonicalizeUrlA
InternetCanonicalizeUrlA
WININET.dll
WININET.dll
GetCPInfo
GetCPInfo
CreateDialogIndirectParamA
CreateDialogIndirectParamA
UnhookWindowsHookEx
UnhookWindowsHookEx
SetWindowsHookExA
SetWindowsHookExA
SetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
SetViewportExtEx
ScaleViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GetViewportExtEx
.PAVCException@@
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.prn)|*.prn|
(*.*)|*.*||
(*.*)|*.*||
Shell32.dll
Shell32.dll
Mpr.dll
Mpr.dll
Advapi32.dll
Advapi32.dll
Gdi32.dll
Gdi32.dll
Kernel32.dll
Kernel32.dll
(&07-034/)7 '
(&07-034/)7 '
?? / %d]
?? / %d]
%d / %d]
%d / %d]
: %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
(*.CUR)|*.CUR|
%s:%d
%s:%d
windows
windows
out.prn
out.prn
%d.%d
%d.%d
%d / %d
%d / %d
%d/%d
%d/%d
Bogus message code %d
Bogus message code %d
(%d-%d):
(%d-%d):
%ld%c
%ld%c
(*.htm;*.html)|*.htm;*.html
(*.htm;*.html)|*.htm;*.html
its:%s::%s
its:%s::%s
HTTP/1.0
HTTP/1.0
%s
%s
Reply-To: %s
Reply-To: %s
From: %s
From: %s
To: %s
To: %s
Subject: %s
Subject: %s
Date: %s
Date: %s
Cc: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
%a, %d %b %Y %H:%M:%S
SMTP
SMTP
.PAVCOleException@@
.PAVCOleException@@
.PAVCObject@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCResourceException@@
.PAVCUserException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
.PAVCArchiveException@@
zcÃ
zcÃ
i.baidu.com/dthtkjmcmpejkle/item/dc19bbe50299ca0a5a7cfb27
i.baidu.com/dthtkjmcmpejkle/item/dc19bbe50299ca0a5a7cfb27
du.com/dthtkjmcmpejkle/item/dc19bbe50299ca0a5a7cfb27
du.com/dthtkjmcmpejkle/item/dc19bbe50299ca0a5a7cfb27
%WinDir%\winlogon.exe
%WinDir%\winlogon.exe
#include "l.chs\afxres.rc" // Standard components
#include "l.chs\afxres.rc" // Standard components
246813579
246813579
(*.*)
(*.*)
1.0.0.0
1.0.0.0