Trojan.GenericKD.2516841_064d77d58f – Adaware

Dynamic Analysis

Payload

Behaviour	Description
EmailWorm	Worm can send e-mails.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:928

The Trojan injects its code into the following process(es):No processes have been created.

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:928 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%WinDir%\winlogon.exe (7386 bytes)

Registry activity

The process %original file name%.exe:928 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 09 01 24 36 74 42 BA 92 64 8E EF 8F 60 ED 57"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

Dropped PE files

MD5	File path
d2674d35cfc3afe2be0e12869392c1b2	c:\WINDOWS\winlogon.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:928
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\winlogon.exe (7386 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: ???
Product Name: ???????????V5.0
Product Version: 1.0.0.0
Legal Copyright: ???????????V5.0
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ???????
Comments: ???????????V5.0
Language: English (United States)

Company Name: ???Product Name: ???????????V5.0Product Version: 1.0.0.0Legal Copyright: ???????????V5.0Legal Trademarks: Original Filename: Internal Name: File Version: 1.0.0.0File Description: ???????Comments: ???????????V5.0Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	987339	991232	4.4118	3bc12589397eb05b34715495866dfe8d
.rdata	995328	1462098	1462272	4.47932	c284adc9f7fc8b30e7e1ed10d2524a59
.data	2457600	267690	65536	3.54521	d34df20ba756b03586ae36dc6cb776ac
.rsrc	2727936	23824	24576	3.65377	b67f0a0ef83a5a994dca5dac3c6c014e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://www.yy.com/	113.107.236.195
hi.baidu.com	180.76.2.41
lgn.yy.com	120.132.133.53
aq.yy.com	113.108.228.234

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET / HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.yy.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Mon, 13 Jul 2015 12:35:27 GMT

Content-Type: text/html;charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

P3P: CP="NON DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONa HISa TELa OTPa OUR UNRa IND UNI COM NAV INT DEM CNT PRE LOC"

Content-Language: en-US

Expires: Mon, 13 Jul 2015 12:35:57 GMT

Cache-Control: max-age=30

Content-Encoding: gzip

47b7..............ks.G....q. 0.9..!.y...-...........>g....(..$l.`..h.e..n..$%..J...mI.%..ER..|....6..O....B..... H. ....%...7....7....z2...7......w...@$.....&!$.t!8....XB7>..7..~...8....-...Ri#s`......|.|).I..3.......y&..vH....<.....3Z.w.-..}l.....I..._h.c....#F.......YO.......RF....H..SF..DF.......P(.....#.....'RF..Gbc.HZ}(......L..NNN....I-..c.O...i...U/,=Z...F&....?.8..E...`v..ym-.8m.}..z...x..Y.Z~.l.. ....O..o>7.\.g....6.,.DB.....b.D0....CF*..E.L,...D......Cb.g.../.....!.D>3.&.)=]..-...?.d..[^...K...0..2./TK./.`.\\.._.3.=..b..2_].N.3...W.dW......N= ^;Z8|>....x2./...'....V...(.>i.}TN.\>f~y/..qa......B..77r'..".^^....'J.x.....5..nX*_[Zv..X..7w.i.../7..].VSR...X..?..y(^z(.y.h.;m...[\)g..l..].`...p..9g....3O>.K..[.{.........W.'....7.........e...gn..]X....N=..Z.0..uv.........-..Tr.He....).........(..R....bF.$4.~....i....J B..iZ.D!.8&.5..A..F.2..J...k...l.k.#R..D&..... ..8.....r..@md....CQ...:,.....>..T.H..F.>.H:.*].....3.....b.@<c.~...../........31&.j....|.........k..FR.... ).GZd......ic_&5a...o.......co./........H........n&N.,.D'......{.RS...&'E5........#.a...H<&>.#.gF......>U}....GKi.n '.........F..=I..........<'.}...`....Dq.F.K$-....W...>....9C....*m.utX...2.T,<!.wH.2ZP.b...V.d..........K.|..v....l...@l{.dD.&...o...6E..:.....A......-\:Y}.xW2..YT.;...c..Wd..a-e[ .........H*..#C.0...........Hhv.*g.|.4l.....;$...us.Qv.b....!..E.Qx...k..'.Z\..!...D.zp\K.....g........D.9....C.Q}....H.>9*.o\di..>#.F.UP......Y..4...f...!.T>D../.et.....{Y...SX..l..9((..&l

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_928:

.text

`.rdata

@.data

.rsrc

t%SVh

t$(SSh

|$D.tm

~%UVW

u$SShe

kernel32.dll

ole32.dll

winmm.dll

wininet.dll

ws2_32.dll

WinINet.dll

shlwapi.dll

User32.dll

user32.dll

gdiplus.dll

advapi32.dll

rasapi32.dll

Wininet.dll

urlmon.dll

psapi.dll

shell32.dll

OLEACC.DLL

gdi32.dll

MsgWaitForMultipleObjects

GetWindowsDirectoryA

HttpAddRequestHeadersA

GdiplusShutdown

HttpOpenRequestA

HttpSendRequestA

HttpQueryInfoA

keybd_event

RegCloseKey

RegCreateKeyA

RegOpenKeyA

UrlMkSetSessionOption

GetProcessHeap

RegEnumKeyA

RegFlushKey

RegOpenKeyExA

RegCreateKeyExA

RegDeleteKeyA

ShellExecuteA

WinExec

%System%\ntdll.dll

%System%\kernel32.dll

%System%\USER32.dll

%System%\GDI32.dll

%System%\ADVAPI32.dll

%System%\RPCRT4.dll

%System%\Secur32.dll

%System%\IMM32.DLL

%System%\LPK.DLL

%System%\USP10.dll

%System%\WINMM.dll

%System%\comdlg32.dll

%System%\msvcrt.dll

%System%\SHLWAPI.dll

%System%\SHELL32.dll

%System%\WINSPOOL.DRV

%System%\ole32.dll

%System%\OLEPRO32.DLL

%System%\OLEAUT32.dll

%System%\WS2_32.dll

%System%\WS2HELP.dll

%System%\uxtheme.dll

%System%\MSIMG32.dll

%System%\MSVCP60.dll

%System%\WININET.dll

%System%\CRYPT32.dll

%System%\MSASN1.dll

%System%\PSAPI.DLL

%System%\VERSION.dll

%System%\urlmon.dll

Web.dll

hXXp://VVV.yy.com/

hXXp://wpa.qq.com/msgrd?v=3&uin=1152259123

software\microsoft\windows\CurrentVersion\Run\

hXXp://hi.baidu.com/dthtkjmcmpejkle/item/dc19bbe50299ca0a5a7cfb27

Winmm.dll

dsound.dll

@ping 127.0.0.1 -n

\*.*"

@ping 127.0.0.1 -n 1 >nul

del 123.bat

\123.bat

\TEMP.TMP

{Reg}((?:src=)['"]?).*?\.js['"]

{Reg}((?:hXXp://)['"]?).*?\.swf

{Reg}((?:url\()|(?:src=)['"]?).*?\.[jpg|gif|png]{3}

http=

scripting.FileSystemObject

bbs.125.la_Cookie

hXXps://

hXXp://

Adodb.Stream

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.1

Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

Content-Type: application/x-www-form-urlencoded

del C:\123.bat

\Restart.bat

(*.*)|*.*

(*.txt)|*.txt|

HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating\.Current

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

Software\Microsoft\Windows\CurrentVersion\Internet Settings\proxyserver

Software\Microsoft\Windows\CurrentVersion\Internet Settings\proxyenable

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\

\data\Config.ini

;http=

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT6.1)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT6.0)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT5.2)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT5.1)

>Mozilla/5.0 (compatible) AppleWebKit/534.21 (KHTML, like Gecko) Chrome/11.0.682.0 Safari/534.21

>Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2

Mozilla/5.0(iPad; U; CPU iPhone OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B314 Safari/531.21.10

Mozilla/5.0 (iPhone; U; CPU OS 4_2_1 like Mac OS X) AppleWebKit/532.9 (KHTML, like Gecko) Version/5.0.3 Mobile/8B5097d Safari/6531.22.7

Mozilla/5.0 (Linux; U; Android 2.3.3; zh-tw; HTC_Pyramid Build/GRI40) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1

Opera/9.80 (compatible; U) Presto/2.7.39 Version/11.00

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12)Gecko/20080219 Firefox/2.0.0.12 Navigator/9.0.0.6

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_7) AppleWebKit/534.16 (KHTML, like Gecko) Version/5.0.3 Safari/533.19.4

{25336920-03F9-11CF-8FD0-00AA00686F13}

document.all.retjs.innerText=

hXXps://aq.yy.com/loginOut.do

hXXps://aq.yy.com/p/wklogin.do

&denyCallbackURL=hXXps://aq.yy.com/p/logincbk.do?cancel=1&regCallbackURL=hXXps://aq.yy.com/welcome.do&UIStyle=xelogin&rdm=0.26365254551226436

hXXps://lgn.yy.com/lgn/oauth/authorize.do?oauth_token=

hXXps://lgn.yy.com/lgn/oauth/x/s/login_asyn.do

&denyCallbackURL=https://aq.yy.com/p/logincbk.do?cancel=1&UIStyle=xelogin&appid=1

&password=

callbackURL

yy.com

VVV.yy.com

wyy.com

v1.0.1

hXXp://hi.baidu.com/tyjsz/item/0c087c4d03a2d387823ae162

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

https

hXXp://hi.baidu.com/onukxtwlnubgpz/item/eaadd32b867e0444087508e6

hXXp://hi.baidu.com/uczlldnyeubmnue/item/288ca03af758d9cdb80c030d

hXXp://hi.baidu.com/onukxtwlnubgpz/item/c8a74505a219af8d73e676d6

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)

Microsoft.XMLDOM

adodb.stream

javascript:document.onsdragstart=document.onselectstart=document.oncontextmenu=function(){return true}

javascript:document.onselectstart = document.oncontextmenu = document.onmousedown = document.onkeydown = function(){return true;};

var jie = document.createStyleSheet();jie.addRule('html','overflow:hidden;');

text|password|file

comdlg32.dll

{557CF400-1A04-11D3-9A73-0000F81EF32E}

{557CF401-1A04-11D3-9A73-0000F81EF32E}

{557CF402-1A04-11D3-9A73-0000F81EF32E}

{557CF405-1A04-11D3-9A73-0000F81EF32E}

{557CF406-1A04-11D3-9A73-0000F81EF32E}

WarnOnHTTPSToHTTPRedirect

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

VBScript.RegExp

application/x-www-form-urlencoded

WinHttp.WinHttpRequest.5.1

SetClientCertificate

Set fso = CreateObject("Scripting.FileSystemObject")

fso.DeleteFile("

sc.vbs")

\sc.vbs

sc.vbs

sc.bat"

sc.bat

del Restart.bat

F%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

__MSVCRT_HEAP_SELECT

RASAPI32.dll

iphlpapi.dll

SHLWAPI.dll

MPR.dll

WINMM.dll

WS2_32.dll

VERSION.dll

KERNEL32.dll

GetKeyState

USER32.dll

GetViewportOrgEx

GDI32.dll

WINSPOOL.DRV

ADVAPI32.dll

SHELL32.dll

OLEAUT32.dll

COMCTL32.dll

oledlg.dll

WSOCK32.dll

InternetCrackUrlA

InternetCanonicalizeUrlA

WININET.dll

GetCPInfo

CreateDialogIndirectParamA

UnhookWindowsHookEx

SetWindowsHookExA

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.*)|*.*||

Shell32.dll

Mpr.dll

Advapi32.dll

Gdi32.dll

Kernel32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

out.prn

%d.%d

%d / %d

%d/%d

Bogus message code %d

(%d-%d):

%ld%c

(*.htm;*.html)|*.htm;*.html

its:%s::%s

HTTP/1.0

%s

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

.PAVCOleException@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCOleDispatchException@@

.PAVCArchiveException@@

zcÃ

#include "l.chs\afxres.rc" // Standard components

PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX%WinDir%\winlogon.exe

FlashPlayerApp.exe

SysWOW64\FlashPlayerApp.exe

FlashPlayerCPLApp.cpl

1152259123

11601235

11522598/11522598

.aGeAr

-l.mc

hIh.bb

7".Af

VVV.dywt.com.cn

c:\%original file name%.exe

246813579

(*.*)

1.0.0.0

winlogon.exe_968:

.text

`.rdata

@.data

.rsrc

t%SVh

t$(SSh

|$D.tm

~%UVW

u$SShe

kernel32.dll

ole32.dll

winmm.dll

wininet.dll

ws2_32.dll

WinINet.dll

shlwapi.dll

User32.dll

user32.dll

gdiplus.dll

advapi32.dll

rasapi32.dll

Wininet.dll

urlmon.dll

psapi.dll

shell32.dll

OLEACC.DLL

gdi32.dll

MsgWaitForMultipleObjects

GetWindowsDirectoryA

HttpAddRequestHeadersA

GdiplusShutdown

HttpOpenRequestA

HttpSendRequestA

HttpQueryInfoA

keybd_event

RegCloseKey

RegCreateKeyA

RegOpenKeyA

UrlMkSetSessionOption

GetProcessHeap

RegEnumKeyA

RegFlushKey

RegOpenKeyExA

RegCreateKeyExA

RegDeleteKeyA

ShellExecuteA

WinExec

%System%\ntdll.dll

%System%\kernel32.dll

%System%\USER32.dll

%System%\GDI32.dll

%System%\ADVAPI32.dll

%System%\RPCRT4.dll

%System%\Secur32.dll

%System%\IMM32.DLL

%System%\LPK.DLL

%System%\USP10.dll

%System%\WINMM.dll

%System%\comdlg32.dll

%System%\msvcrt.dll

%System%\SHLWAPI.dll

%System%\SHELL32.dll

%System%\WINSPOOL.DRV

%System%\ole32.dll

%System%\OLEPRO32.DLL

%System%\OLEAUT32.dll

%System%\WS2_32.dll

%System%\WS2HELP.dll

%System%\uxtheme.dll

%System%\MSIMG32.dll

%System%\MSVCP60.dll

%System%\WININET.dll

%System%\CRYPT32.dll

%System%\MSASN1.dll

%System%\PSAPI.DLL

%System%\VERSION.dll

%System%\urlmon.dll

Web.dll

software\microsoft\windows\CurrentVersion\Run\

hXXp://hi.baidu.com/dthtkjmcmpejkle/item/dc19bbe50299ca0a5a7cfb27

hXXp://VVV.yy.com/

Winmm.dll

dsound.dll

@ping 127.0.0.1 -n

\*.*"

@ping 127.0.0.1 -n 1 >nul

del 123.bat

\123.bat

\TEMP.TMP

{Reg}((?:src=)['"]?).*?\.js['"]

{Reg}((?:hXXp://)['"]?).*?\.swf

{Reg}((?:url\()|(?:src=)['"]?).*?\.[jpg|gif|png]{3}

http=

scripting.FileSystemObject

bbs.125.la_Cookie

hXXps://

hXXp://

Adodb.Stream

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.1

Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

Content-Type: application/x-www-form-urlencoded

del C:\123.bat

\Restart.bat

(*.*)|*.*

(*.txt)|*.txt|

HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating\.Current

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

Software\Microsoft\Windows\CurrentVersion\Internet Settings\proxyserver

Software\Microsoft\Windows\CurrentVersion\Internet Settings\proxyenable

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\

\data\Config.ini

;http=

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT6.1)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT6.0)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT5.2)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT5.1)

>Mozilla/5.0 (compatible) AppleWebKit/534.21 (KHTML, like Gecko) Chrome/11.0.682.0 Safari/534.21

>Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2

Mozilla/5.0(iPad; U; CPU iPhone OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B314 Safari/531.21.10

Mozilla/5.0 (iPhone; U; CPU OS 4_2_1 like Mac OS X) AppleWebKit/532.9 (KHTML, like Gecko) Version/5.0.3 Mobile/8B5097d Safari/6531.22.7

Mozilla/5.0 (Linux; U; Android 2.3.3; zh-tw; HTC_Pyramid Build/GRI40) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1

Opera/9.80 (compatible; U) Presto/2.7.39 Version/11.00

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12)Gecko/20080219 Firefox/2.0.0.12 Navigator/9.0.0.6

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_7) AppleWebKit/534.16 (KHTML, like Gecko) Version/5.0.3 Safari/533.19.4

{25336920-03F9-11CF-8FD0-00AA00686F13}

document.all.retjs.innerText=

hXXps://aq.yy.com/loginOut.do

hXXps://aq.yy.com/p/wklogin.do

&denyCallbackURL=hXXps://aq.yy.com/p/logincbk.do?cancel=1&regCallbackURL=hXXps://aq.yy.com/welcome.do&UIStyle=xelogin&rdm=0.26365254551226436

hXXps://lgn.yy.com/lgn/oauth/authorize.do?oauth_token=

hXXps://lgn.yy.com/lgn/oauth/x/s/login_asyn.do

&denyCallbackURL=https://aq.yy.com/p/logincbk.do?cancel=1&UIStyle=xelogin&appid=1

&password=

callbackURL

yy.com

VVV.yy.com

wyy.com

v1.0.1

hXXp://hi.baidu.com/tyjsz/item/0c087c4d03a2d387823ae162

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

https

hXXp://hi.baidu.com/onukxtwlnubgpz/item/eaadd32b867e0444087508e6

hXXp://hi.baidu.com/uczlldnyeubmnue/item/288ca03af758d9cdb80c030d

hXXp://hi.baidu.com/onukxtwlnubgpz/item/c8a74505a219af8d73e676d6

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)

Microsoft.XMLDOM

adodb.stream

javascript:document.onsdragstart=document.onselectstart=document.oncontextmenu=function(){return true}

javascript:document.onselectstart = document.oncontextmenu = document.onmousedown = document.onkeydown = function(){return true;};

var jie = document.createStyleSheet();jie.addRule('html','overflow:hidden;');

text|password|file

comdlg32.dll

{557CF400-1A04-11D3-9A73-0000F81EF32E}

{557CF401-1A04-11D3-9A73-0000F81EF32E}

{557CF402-1A04-11D3-9A73-0000F81EF32E}

{557CF405-1A04-11D3-9A73-0000F81EF32E}

{557CF406-1A04-11D3-9A73-0000F81EF32E}

WarnOnHTTPSToHTTPRedirect

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

VBScript.RegExp

application/x-www-form-urlencoded

WinHttp.WinHttpRequest.5.1

SetClientCertificate

Set fso = CreateObject("Scripting.FileSystemObject")

fso.DeleteFile("

sc.vbs")

\sc.vbs

sc.vbs

sc.bat"

sc.bat

del Restart.bat

F%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

__MSVCRT_HEAP_SELECT

RASAPI32.dll

iphlpapi.dll

SHLWAPI.dll

MPR.dll

WINMM.dll

WS2_32.dll

VERSION.dll

KERNEL32.dll

GetKeyState

USER32.dll

GetViewportOrgEx

GDI32.dll

WINSPOOL.DRV

ADVAPI32.dll

SHELL32.dll

OLEAUT32.dll

COMCTL32.dll

oledlg.dll

WSOCK32.dll

InternetCrackUrlA

InternetCanonicalizeUrlA

WININET.dll

GetCPInfo

CreateDialogIndirectParamA

UnhookWindowsHookEx

SetWindowsHookExA

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.*)|*.*||

Shell32.dll

Mpr.dll

Advapi32.dll

Gdi32.dll

Kernel32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

out.prn

%d.%d

%d / %d

%d/%d

Bogus message code %d

(%d-%d):

%ld%c

(*.htm;*.html)|*.htm;*.html

its:%s::%s

HTTP/1.0

%s

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

.PAVCOleException@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCOleDispatchException@@

.PAVCArchiveException@@

zcÃ

i.baidu.com/dthtkjmcmpejkle/item/dc19bbe50299ca0a5a7cfb27

du.com/dthtkjmcmpejkle/item/dc19bbe50299ca0a5a7cfb27

%WinDir%\winlogon.exe

#include "l.chs\afxres.rc" // Standard components

246813579

(*.*)

1.0.0.0

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps