Susp_Dropper (Kaspersky), Trojan.Generic.909324 (B) (Emsisoft), Trojan.Generic.909324 (AdAware), Backdoor.Win32.PcClient.FD, Trojan.Win32.BHO.FD, GenericInjector.YR, GenericPhysicalDrive0.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 130279a225bf50988513867465af07d6
SHA1: 987782dbeb610a0b8542a518d6cb99e981403d8a
SHA256: 77ba58684ea6a9e336f5c44ae8c0a280fed635d7f50f17193b518d59b49b082c
SSDeep: 24576:Kta1 qTG4a1aSfB j1qiEdeWgAbOdve E:KQ1y1FfBVBlkeWg42m E
Size: 832596 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2006-01-26 11:43:41
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
explor.exe:600
net.exe:824
net1.exe:372
small686.exe:784
sc.exe:1252
sc.exe:1080
regsvr32.exe:1072
ping.exe:632
ping.exe:292
setup.exe:1696
selvice.exe:508
%original file name%.exe:468
mpsvc.exe:1508
mpsvc.exe:1064
updateqq.exe:1988
rundll32.exe:1552
rundll32.exe:1504
svehost.exe:164
syseter.exe:140
lqbzse.exe:1992
The Trojan injects its code into the following process(es):
rundll32.exe:588
Explorer.EXE:1140
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process explor.exe:600 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Internet Explorer\IETimbar\Uninstall.exe (206 bytes)
%Program Files%\Internet Explorer\IETimbar\httpf.dat (107 bytes)
%Program Files%\Internet Explorer\IETimbar\cfg.dat (80 bytes)
%Program Files%\Internet Explorer\IETimbar\IETimbar.dll (3196 bytes)
%Program Files%\Internet Explorer\IETimbar\vercfg.dat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp (0 bytes)
The process small686.exe:784 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\dllcache\fly2997.dll (66 bytes)
%System%\fly2997.dll (66 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\afc9fe2f418b00a0.bat (2 bytes)
The process setup.exe:1696 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\mssrcid.ini (16 bytes)
The process selvice.exe:508 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\ufixnk.bat (163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
The process %original file name%.exe:468 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\updateqq.exe (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ColorPix.exe (20624 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\svehost.exe (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp (33145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\small686.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\selvice.exe (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\syseter.exe (11048 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\explor.exe (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lqbzse.exe (3312 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nst1.tmp (0 bytes)
The process mpsvc.exe:1064 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\mssrcid.ini (22 bytes)
The process updateqq.exe:1988 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Messenger\sysmain.dat (1837 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Messenger\sysvc.dat (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Messenger\setup.exe (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Messenger\nvsys.ini (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Messenger\mqtrig.dll (4274 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsa3.tmp (0 bytes)
The process rundll32.exe:588 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\Web.ini (59185 bytes)
The process syseter.exe:140 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\messenger\messenger.exe (2851 bytes)
The process lqbzse.exe:1992 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\dllcache\ipfltdrv.sys.sys (32 bytes)
%System%\esentprf.ini (120 bytes)
%WinDir%\repair\tgy7324 (6626 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp (41 bytes)
%System%\drivers\nsypfo.log (41 bytes)
%System%\drivers\ipfltdrv.sys.txt (41 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp (0 bytes)
%System%\drivers\ipfltdrv.sys (0 bytes)
Registry activity
The process explor.exe:600 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 88 1E 61 27 99 0D 76 F2 BC A4 86 41 B8 C2 C4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\IETimbar]
"SoftVer" = "3.0.0.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\IETimbar]
"tm" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\IETimbar]
"AgentID" = "-50331499"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess]
"BrowseNewProcess" = "yes"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess]
"BrowseNewProcess" = "yes"
[HKLM\SOFTWARE\IETimbar]
"DataVer" = "3.0.0.0"
"Install_Dir" = "%Program Files%\Internet Explorer\IETimbar"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform]
"${UserAgent}"
The process net.exe:824 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 FD 1C 71 E5 60 F1 CE FE 1B AF DC 6E 51 A9 41"
The process net1.exe:372 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 0A 95 2F 64 A0 85 54 1D 7C CB 56 51 FA DA BE"
The process small686.exe:784 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Softfy\PlugDown]
"PlugOne" = "1.0.0"
[HKLM\SOFTWARE\Softfy\Plug]
"PlugUpdate" = "1.6.7"
[HKLM\SOFTWARE\Softfy\WebIni]
"WebIniSection" = "5"
[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"Path" = "D:\FlySoft;C:\Perl\site\bin;C:\Perl\bin;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;c:\Program Files\Wireshark"
[HKLM\SOFTWARE\Softfy\Plug]
"PlugUserName" = "fullman"
"PlugSoftName" = "C2"
"PlugSoftVer" = "1.0.1"
"PlugStat" = "0"
[HKLM\SOFTWARE\Softfy\PlugName]
"LogonMainName" = "fly2997.dll"
[HKLM\SOFTWARE\Softfy\Plug]
"CoreDll" = "0"
"PlugSendNum" = "0"
[HKLM\SOFTWARE\Softfy\WebIni]
"HitProbaby" = "0"
[HKLM\SOFTWARE\Softfy\PlugName]
"LogonName" = "fly2997.dll"
[HKLM\SOFTWARE\Softfy\PlugDown]
"PlugTwo" = "1.0.0"
[HKLM\SOFTWARE\Softfy\LockPage]
"NeedLockPage" = "0"
[HKLM\SOFTWARE\Softfy\WebIni]
"WebIniVer" = "1.0.0"
[HKLM\SOFTWARE\Softfy\LockPage]
"LockPageNum" = "0"
The Trojan adds a reference to itself so that it is executed when a user logs on:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,D:\FlySoft\micsoft.exe"
The process sc.exe:1252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD D6 FA 8D 12 94 6F E8 9D F1 50 B9 36 CB 8B 41"
The process sc.exe:1080 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB F8 C7 85 00 46 DD 04 E2 96 7F 14 97 7F 36 39"
The process regsvr32.exe:1072 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\CLSID\{1163E531-B58E-4BB9-B877-0906A0A22AEC}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{5E7F36B2-E909-4C3F-8A47-A3F70D840720}\TypeLib]
"(Default)" = "{FF5795DC-245C-42C3-A882-7C0AAB708619}"
[HKCR\IETimbar.CRNP.1\CLSID]
"(Default)" = "{1163E531-B58E-4BB9-B877-0906A0A22AEC}"
[HKCR\CLSID\{1163E531-B58E-4BB9-B877-0906A0A22AEC}\InprocServer32]
"(Default)" = "%Program Files%\Internet Explorer\IETimbar\IETimbar.dll"
[HKCR\IETimbar.CRNP\CurVer]
"(Default)" = "IETimbar.CRNP.1"
[HKCR\TypeLib\{FF5795DC-245C-42C3-A882-7C0AAB708619}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\TypeLib\{FF5795DC-245C-42C3-A882-7C0AAB708619}\1.0]
"(Default)" = "IETimbar 1.0 Type Library"
[HKCR\Interface\{5E7F36B2-E909-4C3F-8A47-A3F70D840720}]
"(Default)" = "IIEBho"
[HKCR\CLSID\{1163E531-B58E-4BB9-B877-0906A0A22AEC}]
"(Default)" = "IETimbar"
[HKCR\Interface\{5E7F36B2-E909-4C3F-8A47-A3F70D840720}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{1163E531-B58E-4BB9-B877-0906A0A22AEC}\TypeLib]
"(Default)" = "{FF5795DC-245C-42C3-A882-7C0AAB708619}"
[HKCR\CLSID\{1163E531-B58E-4BB9-B877-0906A0A22AEC}\ProgID]
"(Default)" = "IETimbar.CRNP.1"
[HKCR\CLSID\{1163E531-B58E-4BB9-B877-0906A0A22AEC}\VersionIndependentProgID]
"(Default)" = "IETimbar.CRNP"
[HKCR\IETimbar.CRNP.1]
"(Default)" = "IETimbar"
[HKCR\TypeLib\{FF5795DC-245C-42C3-A882-7C0AAB708619}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Internet Explorer\IETimbar\"
[HKCR\IETimbar.CRNP]
"(Default)" = "IETimbar"
[HKCR\IETimbar.CRNP\CLSID]
"(Default)" = "{1163E531-B58E-4BB9-B877-0906A0A22AEC}"
[HKCR\Interface\{5E7F36B2-E909-4C3F-8A47-A3F70D840720}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{FF5795DC-245C-42C3-A882-7C0AAB708619}\1.0\0\win32]
"(Default)" = "%Program Files%\Internet Explorer\IETimbar\IETimbar.dll"
[HKCR\Interface\{5E7F36B2-E909-4C3F-8A47-A3F70D840720}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1163E531-B58E-4BB9-B877-0906A0A22AEC}]
"NoExplorer" = "1"
The process ping.exe:632 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C3 72 B1 9B 5D 97 D3 20 B0 DA AC C4 A6 31 58 D6"
The process ping.exe:292 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 84 D8 A1 BC FA 0F FE 9C 76 20 7E 6B 7F E6 35"
The process setup.exe:1696 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 70 43 50 A4 B2 A9 3E 51 8E C1 B5 DD 41 ED 2A"
The process selvice.exe:508 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC 22 ED A8 E0 A8 6C 9A A9 57 7B 82 05 4C E7 B6"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security zone settings to map all local web nodes without dots in their names that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 05 4D 5F C5 D0 31 80 1C 57 B4 78 AE 00 86 D7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"explor.exe" = "explor"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"selvice.exe" = "selvice"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"small686.exe" = "Micronas Software"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"syseter.exe" = "Windows Messenger"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"updateqq.exe" = "updateqq"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"lqbzse.exe" = "lqbzse"
"svehost.exe" = "svehost"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security zone settings to map all local web nodes without dots in their names that are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process mpsvc.exe:1508 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 77 E7 56 D8 14 06 FE 8B 7D 2A 60 F4 AB 0D 62"
[HKCR\AppID\{5733B228-03E6-4fdd-8686-B51B0E4D473F}]
"LocalService" = "usnsvc"
[HKCR\TypeLib\{5733B228-03E6-4FDD-8686-B51B0E4D473F}\1.0\HELPDIR]
"(Default)" = "%System%\"
[HKCR\AppID\{5733B228-03E6-4fdd-8686-B51B0E4D473F}]
"(Default)" = "DSPLALER"
"ServiceParameters" = "-Service"
[HKCR\TypeLib\{5733B228-03E6-4FDD-8686-B51B0E4D473F}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\AppID\usnsvc.EXE]
"AppID" = "{5733B228-03E6-4fdd-8686-B51B0E4D473F}"
[HKCR\TypeLib\{5733B228-03E6-4FDD-8686-B51B0E4D473F}\1.0\0\win32]
"(Default)" = "%System%\mpsvc.exe"
[HKCR\TypeLib\{5733B228-03E6-4FDD-8686-B51B0E4D473F}\1.0]
"(Default)" = "usnsvc 1.0 Type Library"
The Trojan deletes the following value(s) in system registry:
[HKCR\AppID\{5733B228-03E6-4fdd-8686-B51B0E4D473F}]
"LocalService"
The process mpsvc.exe:1064 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C 24 9E 71 A2 64 AC 8E CC A3 B4 B9 E7 FA 57 11"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies IE security zone settings to map all local web nodes without dots in their names that are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"
The process updateqq.exe:1988 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A 10 86 F9 B9 F8 3D CC 19 FA 57 8B 75 1E 7F 0D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process rundll32.exe:1552 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE 9D DE 4B F4 CF E4 E2 1B 34 99 95 8E 98 F6 16"
The process rundll32.exe:1504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A 1F C0 D2 E5 1A 34 5C 60 04 B5 9C DB 1E 08 C0"
The process rundll32.exe:588 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Softfy\Plug]
"PlugSendNum" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E3 69 F3 18 76 60 04 50 3A 73 6C D4 99 79 D8 42"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security zone settings to map all local web nodes without dots in their names that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process svehost.exe:164 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 0C 75 29 DF 90 AF A6 ED 5E 04 CF 91 61 16 F3"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security zone settings to map all local web nodes without dots in their names that are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process syseter.exe:140 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CA C2 84 5F CD 0A 9B 03 F4 E1 49 7B D3 63 1E AA"
To run itself automatically each time Windows is booted, the Trojan adds the following links to its files to the system registry autorun keys:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JSsetup" = "c:\windows\system\jssetup\JSsetup.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Messenger" = "c:\windows\messenger\messenger.exe"
The process lqbzse.exe:1992 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F C7 D8 5A C6 CF 6E D0 5A CE 58 C4 C6 A3 68 09"
Dropped PE files
MD5 | File path |
---|---|
a9b2b7f281c9970360fbe11b59f81feb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\ColorPix.exe |
46646cc7504aee8d3feb32d6df1a437b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Messenger\mqtrig.dll |
b5896c52362e5f88817c2e70464e6a41 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Messenger\setup.exe |
5201080e5629ba964b41c1f747e3e08c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\explor.exe |
1dde84ecf031155375cf40b14cf5cb99 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\svehost.exe |
83ffb171e457b28074b6d235d228670a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\syseter.exe |
0b53e16b6c41b758f5152cd6e7342d16 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\updateqq.exe |
a62da78ecdf01bef5d3898788fdcd314 | c:\Program Files\Internet Explorer\IETimbar\IETimbar.dll |
8dd7eda5261e98795212bbfd70259d2d | c:\Program Files\Internet Explorer\IETimbar\Uninstall.exe |
83ffb171e457b28074b6d235d228670a | c:\WINDOWS\messenger\messenger.exe |
31e55b358a0ebdd07474451f7e8b3407 | c:\WINDOWS\system32\dllcache\fly2997.dll |
731f22ba402ee4b62748adaf6363c182 | c:\WINDOWS\system32\dllcache\ipfltdrv.sys.sys |
f36be33977a145e94bcb8e6faebb3104 | c:\WINDOWS\system32\drivers\nsypfo.sys |
31e55b358a0ebdd07474451f7e8b3407 | c:\WINDOWS\system32\fly2997.dll |
0a412ad8da58d93f0d0948825df1a32c | c:\WINDOWS\system32\mpsvc.exe |
1d9f85b2b8c7fc2f002cb8cd8d53b4c3 | c:\WINDOWS\system32\nkhex.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
explor.exe:600
net.exe:824
net1.exe:372
small686.exe:784
sc.exe:1252
sc.exe:1080
regsvr32.exe:1072
ping.exe:632
ping.exe:292
setup.exe:1696
selvice.exe:508
%original file name%.exe:468
mpsvc.exe:1508
mpsvc.exe:1064
updateqq.exe:1988
rundll32.exe:1552
rundll32.exe:1504
svehost.exe:164
syseter.exe:140
lqbzse.exe:1992
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Program Files%\Internet Explorer\IETimbar\Uninstall.exe (206 bytes)
%Program Files%\Internet Explorer\IETimbar\httpf.dat (107 bytes)
%Program Files%\Internet Explorer\IETimbar\cfg.dat (80 bytes)
%Program Files%\Internet Explorer\IETimbar\IETimbar.dll (3196 bytes)
%Program Files%\Internet Explorer\IETimbar\vercfg.dat (4 bytes)
%System%\dllcache\fly2997.dll (66 bytes)
%System%\fly2997.dll (66 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\afc9fe2f418b00a0.bat (2 bytes)
%System%\mssrcid.ini (16 bytes)
%System%\ufixnk.bat (163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\updateqq.exe (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ColorPix.exe (20624 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\svehost.exe (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp (33145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\small686.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\selvice.exe (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\syseter.exe (11048 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\explor.exe (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lqbzse.exe (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Messenger\sysmain.dat (1837 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Messenger\sysvc.dat (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Messenger\setup.exe (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Messenger\nvsys.ini (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Messenger\mqtrig.dll (4274 bytes)
%System%\Web.ini (59185 bytes)
%WinDir%\messenger\messenger.exe (2851 bytes)
%System%\dllcache\ipfltdrv.sys.sys (32 bytes)
%System%\esentprf.ini (120 bytes)
%WinDir%\repair\tgy7324 (6626 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp (41 bytes)
%System%\drivers\nsypfo.log (41 bytes)
%System%\drivers\ipfltdrv.sys.txt (41 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JSsetup" = "c:\windows\system\jssetup\JSsetup.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Messenger" = "c:\windows\messenger\messenger.exe"
- Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,D:\FlySoft\micsoft.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 26044 | 26112 | 4.4578 | 7ad88049be53eeb66e1b9b03250958f4 |
.rdata | 32768 | 4534 | 4608 | 3.64412 | db27e0a5d47aa7859fc2e5fd4bd7e85f |
.data | 40960 | 297972 | 3072 | 3.54319 | 4dda1eff088551454feb2c2e0a87d9b1 |
.ndata | 339968 | 270336 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 610304 | 4096 | 2048 | 2.14695 | e37cf438f05cea102159ea993a534fc1 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 3
6e30abc8876286898498ebd0a4637a2a
944c3a22503446e46ab36c912c65a309
63fef6d7da85d2cecd32e7b7c46e09c4
Network Activity
URLs
URL | IP |
---|---|
hxxp://www.xz-2-vc.net.cn/news/image.jpg | 65.19.157.201 |
hxxp://www.xz-2-vc.net.cn/nba/image.jpg | 65.19.157.201 |
hxxp://www.xz-2-vc.net.cn/files/image.jpg | 65.19.157.201 |
hxxp://www.xz-2-vc.net.cn/sports/image.jpg | 65.19.157.201 |
hxxp://65.19.157.201/sports/image.jpg | |
hxxp://65.19.157.201/nba/image.jpg | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /nba/image.jpg HTTP/1.1
Host: 65.19.157.201
HTTP/1.1 502 Bad Gateway
Server: Tengine/1.4.2
Date: Wed, 19 Nov 2014 11:05:29 GMT
Content-Type: text/html
Content-Length: 614
Connection: keep-alive
GET /sports/image.jpg HTTP/1.1
Host: 65.19.157.201
HTTP/1.1 502 Bad Gateway
Server: Tengine/1.4.2
Date: Wed, 19 Nov 2014 11:05:38 GMT
Content-Type: text/html
Content-Length: 617
Connection: keep-alive
GET /news/image.jpg HTTP/1.1
Host: VVV.xz-2-vc.net.cn
Cache-Control: no-cache
HTTP/1.1 502 Bad Gateway
Server: Tengine/1.4.2
Date: Wed, 19 Nov 2014 11:05:29 GMT
Content-Type: text/html
Content-Length: 620
Connection: keep-alive
GET /files/image.jpg HTTP/1.1
Host: VVV.xz-2-vc.net.cn
Cache-Control: no-cache
HTTP/1.1 502 Bad Gateway
Server: Tengine/1.4.2
Date: Wed, 19 Nov 2014 11:05:36 GMT
Content-Type: text/html
Content-Length: 621
Connection: keep-alive
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
syseter.exe_140:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
t.Ht4
t.Ht4
f9=N%D
f9=N%D
$f95L%D
$f95L%D
%s%s/test1/%s
%s%s/test1/%s
hXXp://VVV.sun
hXXp://VVV.sun
facepizza.cn
facepizza.cn
pizza.cn
pizza.cn
GET hXXp://%s%s HTTP/1.1
GET hXXp://%s%s HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
HOST:%s
HOST:%s
HOST:%s:%d
HOST:%s:%d
X-X-X-X-X-X
X-X-X-X-X-X
rpcrt4.dll
rpcrt4.dll
d/d/d d:d:d
d/d/d d:d:d
%Program Files%\Windows NT\fsdd.log
%Program Files%\Windows NT\fsdd.log
%WinDir%\inf\pp3.inf
%WinDir%\inf\pp3.inf
%System%\setup\licxnoc.dll
%System%\setup\licxnoc.dll
%WinDir%\Help\nvwcprz.hlp
%WinDir%\Help\nvwcprz.hlp
%System%\1033\test.log
%System%\1033\test.log
%System%\drivers\etc\service3.ini
%System%\drivers\etc\service3.ini
c:\windows\fdsdf\FlashsAssistant21.dll
c:\windows\fdsdf\FlashsAssistant21.dll
c:\windows\system\jssetup\JSsetup.log
c:\windows\system\jssetup\JSsetup.log
c:\windows\system\jssetup\JSsetup.temp
c:\windows\system\jssetup\JSsetup.temp
c:\windows\system\jssetup\JSsetup.dll
c:\windows\system\jssetup\JSsetup.dll
c:\windows\system\jssetup\JSsetup.exe
c:\windows\system\jssetup\JSsetup.exe
c:\windows\system32\JSsetup\JSsetup.ini
c:\windows\system32\JSsetup\JSsetup.ini
c:\windows\messenger\messenger.log
c:\windows\messenger\messenger.log
c:\windows\messenger\messenger.temp
c:\windows\messenger\messenger.temp
c:\windows\messenger\messenger.dll
c:\windows\messenger\messenger.dll
c:\windows\messenger\messenger.exe
c:\windows\messenger\messenger.exe
c:\windows\security\Messenger.ini
c:\windows\security\Messenger.ini
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
/Start.htm?AreaID=NaN&MediaID=50011&AdNo=%d&OriginalityID=%d&Url=InternetMonitor_Start_%d&Mac=%s&Version=%d&ValidateCode=%u&ParentName=%s
/Start.htm?AreaID=NaN&MediaID=50011&AdNo=%d&OriginalityID=%d&Url=InternetMonitor_Start_%d&Mac=%s&Version=%d&ValidateCode=%u&ParentName=%s
%d_%s
%d_%s
LastStartTime_%d
LastStartTime_%d
ddd
ddd
hXXp://888888.2288.org/Monitor_INI14/Messenger.txt
hXXp://888888.2288.org/Monitor_INI14/Messenger.txt
hXXp://VVV.gamedanji.cn/ExeIni14/Messenger.txt
hXXp://VVV.gamedanji.cn/ExeIni14/Messenger.txt
hXXp://88888888.7766.org/ExeIni14/Messenger.txt
hXXp://88888888.7766.org/ExeIni14/Messenger.txt
/Start.htm?AreaID=NaN&MediaID=50011&AdNo=%d&OriginalityID=%d&Url=InternetMonitor_Setup_1_0&Mac=%s&Version=%d&ValidateCode=%u&ParentName=%s
/Start.htm?AreaID=NaN&MediaID=50011&AdNo=%d&OriginalityID=%d&Url=InternetMonitor_Setup_1_0&Mac=%s&Version=%d&ValidateCode=%u&ParentName=%s
1_0_%s
1_0_%s
VVV.sina.com
VVV.sina.com
VVV.163.com
VVV.163.com
%s %s
%s %s
%d %d
%d %d
/Start.htm?AreaID=NaN&MediaID=50011&AdNo=%d&OriginalityID=%d&Url=error2-%d-%d-%d-%d-%d-%d&Mac=%s&Version=%d&ValidateCode=&ParentName=%s
/Start.htm?AreaID=NaN&MediaID=50011&AdNo=%d&OriginalityID=%d&Url=error2-%d-%d-%d-%d-%d-%d&Mac=%s&Version=%d&ValidateCode=&ParentName=%s
/Start.htm?AreaID=NaN&MediaID=50011&AdNo=%d&OriginalityID=%d&Url=warn1&Mac=%s&Version=%d&ValidateCode=&ParentName=%s
/Start.htm?AreaID=NaN&MediaID=50011&AdNo=%d&OriginalityID=%d&Url=warn1&Mac=%s&Version=%d&ValidateCode=&ParentName=%s
%s %d
%s %d
/Start.htm?AreaID=NaN&MediaID=50011&AdNo=%d&OriginalityID=%d&Url=InternetMonitor_Setup_0_%d&Mac=%s&Version=%d&ValidateCode=%u&ParentName=%s
/Start.htm?AreaID=NaN&MediaID=50011&AdNo=%d&OriginalityID=%d&Url=InternetMonitor_Setup_0_%d&Mac=%s&Version=%d&ValidateCode=%u&ParentName=%s
0_%d_%s
0_%d_%s
%WinDir%\Help
%WinDir%\Help
%System%\1033
%System%\1033
%WinDir%\Help\nvwdsbcprz.hlp
%WinDir%\Help\nvwdsbcprz.hlp
%System%\1033\disctinct.hlp
%System%\1033\disctinct.hlp
%d.exe
%d.exe
/Start.htm?AreaID=NaN&MediaID=50011&AdNo=%d&OriginalityID=%d&Url=InternetMonitor_Copy_error1&Mac=%s&Version=%d&ValidateCode=&ParentName=%s
/Start.htm?AreaID=NaN&MediaID=50011&AdNo=%d&OriginalityID=%d&Url=InternetMonitor_Copy_error1&Mac=%s&Version=%d&ValidateCode=&ParentName=%s
/Start.htm?AreaID=NaN&MediaID=50011&AdNo=%d&OriginalityID=%d&Url=error1-%d-%d-%d-%d-%d-%d&Mac=%s&Version=%d&ValidateCode=&ParentName=%s
/Start.htm?AreaID=NaN&MediaID=50011&AdNo=%d&OriginalityID=%d&Url=error1-%d-%d-%d-%d-%d-%d&Mac=%s&Version=%d&ValidateCode=&ParentName=%s
VVV.6666.8800.org
VVV.6666.8800.org
/Start.htm?AreaID=NaN&MediaID=50011&AdNo=%d&OriginalityID=%d&Url=test11&Mac=%s&Version=%d&ValidateCode=&ParentName=%s
/Start.htm?AreaID=NaN&MediaID=50011&AdNo=%d&OriginalityID=%d&Url=test11&Mac=%s&Version=%d&ValidateCode=&ParentName=%s
ntdll.dll
ntdll.dll
kernel32.dll
kernel32.dll
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
%s.dll
%s.dll
CCmdTarget
CCmdTarget
COMCTL32.DLL
COMCTL32.DLL
hhctrl.ocx
hhctrl.ocx
commctrl_DragListMsg
commctrl_DragListMsg
CNotSupportedException
CNotSupportedException
MSWHEEL_ROLLMSG
MSWHEEL_ROLLMSG
user32.dll
user32.dll
ole32.dll
ole32.dll
mscoree.dll
mscoree.dll
internal state. The program cannot safely continue execution and must
internal state. The program cannot safely continue execution and must
continue execution and must now be terminated.
continue execution and must now be terminated.
- This application cannot run using the active version of the Microsoft .NET Runtime
- This application cannot run using the active version of the Microsoft .NET Runtime
Please contact the application's support team for more information.
Please contact the application's support team for more information.
GetProcessWindowStation
GetProcessWindowStation
OLEACC.dll
OLEACC.dll
e:\JinZQ\pcGame\PageMonitor-p4\MainModule_2\Release\MainModule_2.pdb
e:\JinZQ\pcGame\PageMonitor-p4\MainModule_2\Release\MainModule_2.pdb
VERSION.dll
VERSION.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
WININET.dll
WININET.dll
WINMM.dll
WINMM.dll
WS2_32.dll
WS2_32.dll
GetCPInfo
GetCPInfo
KERNEL32.dll
KERNEL32.dll
GetKeyState
GetKeyState
SetWindowsHookExA
SetWindowsHookExA
CreateDialogIndirectParamA
CreateDialogIndirectParamA
UnhookWindowsHookEx
UnhookWindowsHookEx
USER32.dll
USER32.dll
GetViewportExtEx
GetViewportExtEx
SetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
SetViewportExtEx
ScaleViewportExtEx
ScaleViewportExtEx
GDI32.dll
GDI32.dll
comdlg32.dll
comdlg32.dll
WINSPOOL.DRV
WINSPOOL.DRV
RegCloseKey
RegCloseKey
RegOpenKeyExA
RegOpenKeyExA
RegDeleteKeyA
RegDeleteKeyA
RegEnumKeyA
RegEnumKeyA
RegOpenKeyA
RegOpenKeyA
RegCreateKeyExA
RegCreateKeyExA
ADVAPI32.dll
ADVAPI32.dll
SHELL32.dll
SHELL32.dll
COMCTL32.dll
COMCTL32.dll
SHLWAPI.dll
SHLWAPI.dll
oledlg.dll
oledlg.dll
OLEAUT32.dll
OLEAUT32.dll
.?AVCCmdTarget@@
.?AVCCmdTarget@@
.PAVCMemoryException@@
.PAVCMemoryException@@
.PAVCException@@
.PAVCException@@
.?AVCCmdUI@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.?AVCTestCmdUI@@
.PAVCUserException@@
.PAVCUserException@@
.PAVCObject@@
.PAVCObject@@
.PAVCOleException@@
.PAVCOleException@@
.PAVCSimpleException@@
.PAVCSimpleException@@
.PAVCNotSupportedException@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCResourceException@@
.PAVCArchiveException@@
.PAVCArchiveException@@
.PAVCFileException@@
.PAVCFileException@@
.PAVCOleDispatchException@@
.PAVCOleDispatchException@@
zcÃ
zcÃ
%original file name%.exe
%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\syseter.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\syseter.exe
||}}}}~~~
||}}}}~~~
*)'4156,9..
*)'4156,9..
*'41567,-.0$
*'41567,-.0$
*'41568,-.0#"&
*'41568,-.0#"&
*)42567,9-/#"$
*)42567,9-/#"$
=*)'2
=*)'2
*'4157,9-/0#$""
*'4157,9-/0#$""
(4157,9-.0##"::
(4157,9-.0##"::
3568,-//#""%:
3568,-//#""%:
6669-./##"$:
6669-./##"$:
09-./0#"::
09-./0#"::
accKeyboardShortcut
accKeyboardShortcut
Windows Messenger
Windows Messenger
1.0.0.14008
1.0.0.14008
All Files (*.*)
All Files (*.*)
No error message is available.'An unsupported operation was attempted.$A required resource was unavailable.
No error message is available.'An unsupported operation was attempted.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else..An unexpected error occurred while reading %1..An unexpected error occurred while writing %1.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else..An unexpected error occurred while reading %1..An unexpected error occurred while writing %1.
Access to %1 was denied..An invalid file handle was associated with %1.
Access to %1 was denied..An invalid file handle was associated with %1.
Seek failed on A hardware I/O error was reported while accessing %1.0A sharing violation occurred while accessing %1.0A locking violation occurred while accessing %1.
Seek failed on A hardware I/O error was reported while accessing %1.0A sharing violation occurred while accessing %1.0A locking violation occurred while accessing %1.
Disk full while accessing %1..An attempt was made to access %1 past its end.
Disk full while accessing %1..An attempt was made to access %1 past its end.
No error occurred.-An unknown error occurred while accessing %1./An attempt was made to write to the reading %1..An attempt was made to access %1 past its end.0An attempt was made to read from the writing %1.
No error occurred.-An unknown error occurred while accessing %1./An attempt was made to write to the reading %1..An attempt was made to access %1 past its end.0An attempt was made to read from the writing %1.
#Unable to load mail system support.
#Unable to load mail system support.
svehost.exe_164:
.text
.text
`.itext
`.itext
`.data
`.data
.idata
.idata
.rdata
.rdata
@.reloc
@.reloc
B.rsrc
B.rsrc
regsvr32.exe /s "
regsvr32.exe /s "
00-00-00-00-00-00
00-00-00-00-00-00
NETAPI32.DLL
NETAPI32.DLL
NetWkstaTransportEnum
NetWkstaTransportEnum
TCPIP
TCPIP
hXXp://msg.0912345.com/html/downloader.gif
hXXp://msg.0912345.com/html/downloader.gif
hXXp://msg.0912345.com/html/downloader_
hXXp://msg.0912345.com/html/downloader_
hXXp://msg.0912345.com/html/agentcfg/news
hXXp://msg.0912345.com/html/agentcfg/news
hXXp://dlc.0912345.com:8080/4/
hXXp://dlc.0912345.com:8080/4/
tmpxw01Ex.ext
tmpxw01Ex.ext
system.ini
system.ini
2342349804112
2342349804112
spoolsv.exe
spoolsv.exe
oleaut32.dll
oleaut32.dll
advapi32.dll
advapi32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
user32.dll
user32.dll
GetKeyboardType
GetKeyboardType
kernel32.dll
kernel32.dll
WinExec
WinExec
GetWindowsDirectoryA
GetWindowsDirectoryA
wininet.dll
wininet.dll
DeleteUrlCacheEntry
DeleteUrlCacheEntry
URLMON.DLL
URLMON.DLL
URLDownloadToFileA
URLDownloadToFileA
ws2_32.dll
ws2_32.dll
4$5*505;5
4$5*505;5
9%9U9
9%9U9
?#? ?0?;?\?
?#? ?0?;?\?
4O4x4
4O4x4
7 7$7(7,7
7 7$7(7,7
KWindows
KWindows
rundll32.exe_588:
.text
.text
`.data
`.data
.rsrc
.rsrc
msvcrt.dll
msvcrt.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
GDI32.dll
GDI32.dll
USER32.dll
USER32.dll
IMAGEHLP.dll
IMAGEHLP.dll
rundll32.pdb
rundll32.pdb
.....eZXnnnnnnnnnnnn3
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
O3$dS7"%U9
.manifest
.manifest
5.1.2600.5512 (xpsp.080413-2105)
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
RUNDLL.EXE
Windows
Windows
Operating System
Operating System
5.1.2600.5512
5.1.2600.5512
YThere is not enough memory to run the file %s.
YThere is not enough memory to run the file %s.
Please close other windows and try again.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Error in %s
Missing entry:%s
Missing entry:%s
Error loading %s
Error loading %s
rundll32.exe_588_rwx_10001000_00036000:
\System32\PlugOne.css
\System32\PlugOne.css
\System32\PlugTwo.css
\System32\PlugTwo.css
1.dll
1.dll
hXXp://VVV.sianm.com/MainDll/SoftSize.asp
hXXp://VVV.sianm.com/MainDll/SoftSize.asp
hXXp://VVV.sianm.com/MainDll/UpdateSoft.asp
hXXp://VVV.sianm.com/MainDll/UpdateSoft.asp
WebIniSection
WebIniSection
SOFTWARE\Softfy\WebIni
SOFTWARE\Softfy\WebIni
FloodCore.dll
FloodCore.dll
FloodCore.dll Has Run
FloodCore.dll Has Run
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
SHELL32.dll
SHELL32.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
WinSSLCore.dll
WinSSLCore.dll
hXXp://floodad.com/web/download/
hXXp://floodad.com/web/download/
hXXp://floodad.com/web/
hXXp://floodad.com/web/
GET %s HTTP/1.1
GET %s HTTP/1.1
Referer: %s
Referer: %s
Accept-Language: %s
Accept-Language: %s
User-Agent: %s
User-Agent: %s
Host: %s
Host: %s
Cookie: %s
Cookie: %s
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50215)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50215)
%s-%x
%s-%x
%s%s&machinename=%s
%s%s&machinename=%s
runremote.asp?type=run
runremote.asp?type=run
get_ad.asp?type=loadall
get_ad.asp?type=loadall
%s\%s
%s\%s
ComCtl32.dll
ComCtl32.dll
Ole32.dll
Ole32.dll
Gdi32.dll
Gdi32.dll
Oleaut32.dll
Oleaut32.dll
AdvApi32.dll
AdvApi32.dll
GetKeyboardType
GetKeyboardType
User32.dll
User32.dll
Kernel32.dll
Kernel32.dll
ShellExecuteA
ShellExecuteA
Shell32.dll
Shell32.dll
URLDownloadToFileA
URLDownloadToFileA
urlmon.dll
urlmon.dll
Can not support PE file with no bind.
Can not support PE file with no bind.
This Version does not support system file.
This Version does not support system file.
This Version does not support terminal server aware.
This Version does not support terminal server aware.
This Version does not support windows driver model.
This Version does not support windows driver model.
This Version does not support dynamic link library.
This Version does not support dynamic link library.
This Version does not support COM Runtime structure.
This Version does not support COM Runtime structure.
Too much ImageImportDescriptors!
Too much ImageImportDescriptors!
\\.\PhysicalDrive0
\\.\PhysicalDrive0
\\.\SMARTVSD
\\.\SMARTVSD
\System32\HtmlPeek.dll
\System32\HtmlPeek.dll
Windows98,
Windows98,
360Safe.exe
360Safe.exe
WoptiClean.exe
WoptiClean.exe
webscanx.exe
webscanx.exe
vsstat.exe
vsstat.exe
UpLive.exe
UpLive.exe
UmxPol.exe
UmxPol.exe
UmxFwHlp.exe
UmxFwHlp.exe
UmxCfg.exe
UmxCfg.exe
UmxAttachment.exe
UmxAttachment.exe
UmxAgent.exe
UmxAgent.exe
UIHost.exe
UIHost.exe
TrojDie.kxp
TrojDie.kxp
Trojanwall.exe
Trojanwall.exe
TrojanDetector.exe
TrojanDetector.exe
SysSafe.exe
SysSafe.exe
symlcsvc.exe
symlcsvc.exe
SREng.exe
SREng.exe
SmartUp.exe
SmartUp.exe
shcfg32.exe
shcfg32.exe
scan32.exe
scan32.exe
safelive.exe
safelive.exe
runiep.exe
runiep.exe
rstray.exe
rstray.exe
rsnetsvr.exe
rsnetsvr.exe
Rsaupd.exe
Rsaupd.exe
RsAgent.exe
RsAgent.exe
rfwstub.exe
rfwstub.exe
rfwsrv.exe
rfwsrv.exe
rfwProxy.exe
rfwProxy.exe
rfwmain.exe
rfwmain.exe
rfwcfg.exe
rfwcfg.exe
RegTool.exe
RegTool.exe
regmon.exe
regmon.exe
RegClean.exe
RegClean.exe
RawCopy.exe
RawCopy.exe
RavStub.exe
RavStub.exe
RavMonD.exe
RavMonD.exe
Ras.exe
Ras.exe
QQKav.exe
QQKav.exe
QQDoctor.exe
QQDoctor.exe
QHSET.exe
QHSET.exe
procexp.exe
procexp.exe
PFWLiveUpdate.exe
PFWLiveUpdate.exe
PFW.exe
PFW.exe
OllyICE.exe
OllyICE.exe
OllyDBG.exe
OllyDBG.exe
NPFMntor.exe
NPFMntor.exe
nod32kui.exe
nod32kui.exe
nod32krn.exe
nod32krn.exe
nod32.exe
nod32.exe
Navapw32.exe
Navapw32.exe
Navapsvc.exe
Navapsvc.exe
mmsk.exe
mmsk.exe
mmqczj.exe
mmqczj.exe
mcconsol.exe
mcconsol.exe
MagicSet.exe
MagicSet.exe
KWatchX.exe
KWatchX.exe
KWatch9x.exe
KWatch9x.exe
KWatch.exe
KWatch.exe
KvXP_1.kxp
KvXP_1.kxp
KvXP.kxp
KvXP.kxp
kvwsc.exe
kvwsc.exe
kvupload.exe
kvupload.exe
KVStub.kxp
KVStub.kxp
KVSrvXP.exe
KVSrvXP.exe
KVScan.kxp
KVScan.kxp
KvReport.kxp
KvReport.kxp
kvolself.exe
kvolself.exe
kvol.exe
kvol.exe
KVMonXP_1.kxp
KVMonXP_1.kxp
KVMonXP.kxp
KVMonXP.kxp
KvfwMcl.exe
KvfwMcl.exe
KvDetect.exe
KvDetect.exe
KVCenter.kxp
KVCenter.kxp
KsLoader.exe
KsLoader.exe
KRepair.com
KRepair.com
KRegEx.exe
KRegEx.exe
KPfwSvc.exe
KPfwSvc.exe
KPFW32X.exe
KPFW32X.exe
KPFW32.exe
KPFW32.exe
KMFilter.exe
KMFilter.exe
KMailMon.exe
KMailMon.exe
KISLnchr.exe
KISLnchr.exe
KAVStart.exe
KAVStart.exe
KAVSetup.exe
KAVSetup.exe
KAVPFW.exe
KAVPFW.exe
KAVPF.exe
KAVPF.exe
KAVDX.exe
KAVDX.exe
KAV32.exe
KAV32.exe
KASTask.exe
KASTask.exe
KASMain.exe
KASMain.exe
KaScrScn.SCR
KaScrScn.SCR
kabaload.exe
kabaload.exe
isPwdSvc.exe
isPwdSvc.exe
Iparmor.exe
Iparmor.exe
iparmo.exe
iparmo.exe
IceSword.exe
IceSword.exe
HijackThis.exe
HijackThis.exe
FYFireWall.exe
FYFireWall.exe
FTCleanerShell.exe
FTCleanerShell.exe
filemon.exe
filemon.exe
FileDsty.exe
FileDsty.exe
EGHOST.exe
EGHOST.exe
ccSvcHst.exe
ccSvcHst.exe
CCenter.exe
CCenter.exe
avp.exe
avp.exe
avp.com
avp.com
AvMonitor.exe
AvMonitor.exe
avgrssvc.exe
avgrssvc.exe
avconsol.exe
avconsol.exe
autoruns.exe
autoruns.exe
AppSvc32.exe
AppSvc32.exe
AgentSvr.exe
AgentSvr.exe
adam.exe
adam.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
hXXp://VVV.hao12580.com
hXXp://VVV.hao12580.com
LockPageUrl
LockPageUrl
Test3 Loop Pass 1 Min
Test3 Loop Pass 1 Min
ravmond.exe
ravmond.exe
X:X:X:X:X:X
X:X:X:X:X:X
\System32\Web.ini
\System32\Web.ini
WebSection7
WebSection7
WebSection6
WebSection6
WebSection5
WebSection5
WebSection4
WebSection4
WebSection3
WebSection3
WebSection2
WebSection2
WebSection1
WebSection1
Web3Hit
Web3Hit
Web2Hit
Web2Hit
Web1Hit
Web1Hit
Web0Hit
Web0Hit
hXXp://VVV.fyyxyz.com
hXXp://VVV.fyyxyz.com
hXXp://VVV.woyaozhi.com
hXXp://VVV.woyaozhi.com
WebSection0
WebSection0
hXXp://VVV.softfy.com
hXXp://VVV.softfy.com
hXXp://VVV.codearticle.com
hXXp://VVV.codearticle.com
hXXp://VVV.superqqface.com
hXXp://VVV.superqqface.com
hXXp://VVV.fygamedown.com
hXXp://VVV.fygamedown.com
AleaxWeb
hXXp://VVV.fydownload.com
hXXp://VVV.hao12580.com/XueHu
PlugTwoSizeUrl
/PlugTwo/SoftSize.asp
/PlugTwo/UpdateSoft.asp
PlugOneSizeUrl
/PlugOne/SoftSize.asp
/PlugOne/UpdateSoft.asp
hXXp://VVV.sianm.com/CPA/
SoftAdsSizeUrl
hXXp://VVV.sianm.com/plug/SoftSize.asp
SoftAdsUrl
hXXp://VVV.sianm.com/plug/HtmlPeek.dll
hXXp://VVV.fyyxyz.com/plug/HtmlPeek.dll
hXXp://VVV.fyyxyz.com/plug/SoftSize.asp
hXXp://VVV.fyyxyz.com/PlugOne/PlugOne.css
hXXp://VVV.fyyxyz.com/PlugTwo/PlugTwo.css
hXXp://VVV.fyyxyz.com/PlugOne/SoftSize.asp
hXXp://VVV.fyyxyz.com/PlugTwo/SoftSize.asp
.PAVCInternetException@@
Content-Type: application/x-www-form-urlencoded
Content-Length: %d
1.0.0
VVV.k-fc.cn
//lin//lin.asp
%Program Files%\Internet Explorer\IEXPLORE.EXE
Chrome_XPFrame
MozillaUIWindowClass
Software\Microsoft\Internet Explorer\New Windows
-f1.4.0
VVV.hao12580.com
wNowUrlNum=%d
mMin=%d
CWebBrowser2
WebIniVer
hXXp://VVV.fyyxyz.com/WebIni3/WebIniUpdate.asp
\System32\Web.Ini
\System32\WebNew.Ini
\System32\WebNew.ini
hXXp://VVV.fyyxyz.com/WebIni3/WebIniSize.asp
00000000000000000010
%WinDir%\System32\Web.ini
RegCloseKey
RegOpenKeyExA
RegEnumKeyA
RegDeleteKeyA
OpenWindowStationA
SetProcessWindowStation
GetProcessWindowStation
UnhookWindowsHookEx
SetWindowsHookExA
HttpQueryInfoA
InternetOpenUrlA
`.PlugOne
`.ReadPluP
`.ShellPrP
`.UpdateP`
`.UpdateP
`.Release
`.GetMatc
`.GetHtml
`.ShellSo
`.LoadHtmP
`.FindSpc
`.ReadLoc
`.GetHome
`.CreateW
`.GetWebU
`.GetWebH
`.IsSoftA
`.PostReq
`.ReadPlu
`.PostMes
`.LoadToW
`.OnInitDp
`.PopupMgp
`.OnDocum
`.EnumLin0
`.GetEnte
`.JudgeFi
`.WriteWe
`.UpdateW
`.GetServ
`.GetFileP
`.InitWebp
.rsrc
@.reloc
\\.\Physi
Urlk
{8856F961-340A-11D0-A96B-00C04FD705A2}
mpsvc.exe_1064:
.text
`.rdata
@.data
.rsrc
InternetOpenUrlA
WININET.dll
MFC42.DLL
MSVCRT.dll
_acmdln
GetWindowsDirectoryA
WinExec
KERNEL32.dll
USER32.dll
RegDeleteKeyA
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
RegEnumKeyExA
RegQueryInfoKeyA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
explorer.exe
%s\%s.exe
IETemp%s
%s\kbietmp2.ini
%s\mssrcid.ini
%s\%s.ini
rundll32 "%s",DllCanUnloadNow
%s\%s.dll
%s\sysmain.dat
%s\nvsys.ini
%s\sysvc.dat
SYSTEM\CurrentControlSet\Services\Eventlog\Application\%s
%s\aaaaaaa.ini
hXXp://%s/up/update.htm
hXXp://%s/myconfig/index.htm
hXXp://
%Y-%m-%d %H:%M:%S
{5733B228-03E6-4fdd-8686-B51B0E4D473F}
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
{5733B228-03E6-4fdd-8686-B51B0E4D473F} = s 'DSPLALER'
'usnsvc.EXE'
val AppID = s {5733B228-03E6-4fdd-8686-B51B0E4D473F}
.REGISTRY
8, 1, 5467, 4655
rundll32.exe_1504:
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
There is not enough memory to run the file %s.
Please close other windows and try again.
The file %s or one of its components could not be opened.
The file %s or one of its components cannot run.
The file %s or one of its components requires a different version of Windows.
The file %s or one of its components cannot run in standard or enhanced mode Windows.
Another instance of the file %s is already running.
An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s
Explorer.EXE_1140_rwx_01E80000_00003000:
user32.dll
shlwapi.dll
%WinDir%\repair\tgy7324
{5D42434E-BCA3-4061-9FAC-C3ABEE0B82EC}
\\.\{5D42434E-BCA3-4061-9FAC-C3ABEE0B82EC}
Explorer.EXE_1140_rwx_01EB0000_00003000:
user32.dll
shlwapi.dll
%WinDir%\repair\tgy7324
{5D42434E-BCA3-4061-9FAC-C3ABEE0B82EC}
\\.\{5D42434E-BCA3-4061-9FAC-C3ABEE0B82EC}
Explorer.EXE_1140_rwx_02140000_00008000:
.text
`.rdata
@.data
.reloc
433f4c96-d7dd-4262-a701-e9ead9ce9cce
\\.\%s
\ntdll.dll
ntdll.dll
explorer.exe
\esentprf.ini
%s.old
64a6d595-ec37-4857-8350-8b4cdf4155d6
\\.\PhysicalDrive%d
\Internet Explorer\iexplore.exe
&dt=%.16I64x&k=%.8x&idf=%.16I64x&hd=%s&ct=%d&v=%u&o=%u&d=%.4x&i=%.4d
upup.4pu.com
hXXp://%s/up.php?%s%s
%d-%d
hXXp://VVV.7xar.com/list.php?k=%u&v=%.8x&ml=%s&rl=%s&vk=%d
VVV.baidu.com
%s\%s
&dt=%.16I64x&k=%.8x&idf=%.16I64x&hd=%s&ct=%d&v=%u&o=%u&res=%s
down.upup.4pu.com
hXXp://%s/down.php?%s
d3a7b1e2-3b23-4390-9db7-d8487a307c4c
b9fbd434-4e60-4a1d-8c5c-b6b73eb04630
msspref_1.tlb
msspref_2.tlb
msdpref.tlb
&idf=%.16I64x&v=%u&o=%u
URLDownloadToCacheFileA
urlmon.dll
WS2_32.dll
SHLWAPI.dll
imagehlp.dll
PSAPI.DLL
GetProcessHeap
KERNEL32.dll
USER32.dll
SHELL32.dll
ole32.dll
daemon.dll
{5D42434E-BCA3-4061-9FAC-C3ABEE0B82EC}
%WinDir%\temp\
%WinDir%\Help\tg8541.hlp
%WinDir%\web\
%WinDir%\msapps\ej3309.nfo
%WinDir%\srchasst\af7910.lex
%WinDir%\repair\tgy7324