Skip to main content

Gen.Variant.Graftor.2540_1c0f9025e8


HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Graftor.2540 (B) (Emsisoft), Gen:Variant.Graftor.2540 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, TrojanFlyStudio.YR (Lavasoft MAS)Behaviour: Trojan-PSW, Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 1c0f9025e87aae814eb87ab32e49bf4e

SHA1: 7ff4aef8e15cd33219ac41e78f4b90e847a6a597

SHA256: 11ce55c9af9384dc3ac15d2a33c1597b80efdd15876125707b9e7539a5a6807c

SSDeep: 49152:m6SodEuj8VwcZmOuEJgjF7ktFWezv20lK2AlppMRm1X1SQ0dynDS:JSouuj8eCmOuEJ6kqW2ZpL1leyDS

Size: 4104192 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: PolyEnE001byLennartHedlund, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6

Company: no certificate found

Created at: 2014-08-11 10:27:40

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan-PSW. Trojan program intended for stealing users passwords.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:584
5336¼«¿Í.exe:1724

The Trojan injects its code into the following process(es):No processes have been created.

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:584 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Fonts\5336¼«¿Í.exe (17629 bytes)
%Documents and Settings%\%current user%\My Documents\SVCHOST.exe (3699 bytes)

The process 5336¼«¿Í.exe:1724 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Õâ¸ö.sys (18 bytes)

Registry activity

The process %original file name%.exe:584 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 52 41 EF 94 AF 14 15 EF ED FE 16 D4 98 63 B7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\My Documents]
"svchost.exe" = "易语言程序"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The process 5336¼«¿Í.exe:1724 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 D6 AD 1B D8 DC B5 47 07 EB 40 2A FE E9 8E 29"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.2345.com/?ktt659189"

[HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ÎÒµÄÆô¶¯Ïî" = "%Documents and Settings%\Administrator\¡¸¿ªÊ¼¡¹²Ëµ¥\³ÌÐò\Æô¶¯\IEXPLORE.exe"

Dropped PE files

MD5 File path
42b23743e20c12d6e101e513bf87097fc:\Documents and Settings\"%CurrentUserName%"\Application Data\Õâ¸ö.sys
659c2355c7bfc03e20bf94cfc9d7db80c:\Documents and Settings\"%CurrentUserName%"\My Documents\SVCHOST.exe
65236a140ef2f52fc8691148f74a2fd4c:\WINDOWS\Fonts\5336¼«¿Í.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following kernel-mode hooks:

ZwQuerySystemInformation
ZwReadVirtualMemory
ZwWriteVirtualMemory

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:584
    5336¼«¿Í.exe:1724

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %WinDir%\Fonts\5336¼«¿Í.exe (17629 bytes)
    %Documents and Settings%\%current user%\My Documents\SVCHOST.exe (3699 bytes)
    %Documents and Settings%\%current user%\Application Data\Õâ¸ö.sys (18 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ÎÒµÄÆô¶¯Ïî" = "%Documents and Settings%\Administrator\¡¸¿ªÊ¼¡¹²Ëµ¥\³ÌÐò\Æô¶¯\IEXPLORE.exe"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: English (United States)

Company Name: Product Name: ?????Product Version: 1.0.0.0Legal Copyright: ?????? ????????Legal Trademarks: Original Filename: Internal Name: File Version: 1.0.0.0File Description: ?????Comments: ??????????(http://www.eyuyan.com)Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text40964330064341764.54187dfcd456bcb66c166cb0bb21c298e969f
.rdata438272357298235758084.9519933c56e5cbea00b9379f44961a4c6ff18
.data4014080199722614403.323144cac040f4174f6f8ea5d0f7b8dab95b6
.rsrc421478426868286723.6679162ae8c11e5b2b5f2992eea32881ea50d

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hxxp://yy.com/183.61.179.207
hxxp://cc00077.h.cnc.ccgslb.com.cn/js/plugins.js
hxxp://cc00077.h.cnc.ccgslb.com.cn/img/loading.gif
hxxp://cc00077.h.cnc.ccgslb.com.cn/js/webyy.js?v20.js
hxxp://cc00077.h.cnc.ccgslb.com.cn/js/index.js?v15.0.js
hxxp://cc00077.h.cnc.ccgslb.net/duowan.js
hxxp://ylog.hiido.com/c.gif?act=web&zd=_2b1acc1@yy|_e3d75f1@yy|www@yy|&ui=0.15621836609516887&sp=0&fl=11&sl=0&ss=2&bs=6&mb=0&nw=0&fd=0&hiido=0&sn=0&ls=0&vr=15&ut=1415470029326&wd=0&passport=&sns=null222.186.49.20
hxxp://hm.e.shifen.com/h.js?34a908ea88275f6ef0a72588f9c0be86
hxxp://hm.e.shifen.com/hm.gif?cc=1&ck=1&cl=32-bit&ds=1276x846&et=0&fl=11.6&ja=1&ln=en-us&lo=0&nv=1&rnd=1182576063&si=34a908ea88275f6ef0a72588f9c0be86&st=1&v=1.0.68&lv=1&tt=频道 : 5336 | YY语音
hxxp://cc00077.h.cnc.ccgslb.com.cn/img/close.jpg
hxxp://cc00077.h.cnc.ccgslb.com.cn/r/rc/main/main/1/43/main.swf
hxxp://yy.com/crossdomain.xml183.61.179.207
hxxp://yy.com//get-data/5336?subSid=1705313832&type=main&_=39769061183.61.179.207
hxxp://c3.web.yy.com/img/close.jpg183.95.152.108
hxxp://www.duowan.com/duowan.js61.240.138.8
hxxp://c2.web.yy.com/js/plugins.js222.161.226.8
hxxp://hm.baidu.com/hm.gif?cc=1&ck=1&cl=32-bit&ds=1276x846&et=0&fl=11.6&ja=1&ln=en-us&lo=0&nv=1&rnd=1182576063&si=34a908ea88275f6ef0a72588f9c0be86&st=1&v=1.0.68&lv=1&tt=频道 : 5336 | YY语音61.135.185.140
hxxp://c3.web.yy.com/img/loading.gif183.95.152.108
hxxp://hm.baidu.com/h.js?34a908ea88275f6ef0a72588f9c0be8661.135.185.140
hxxp://c1.web.yy.com/js/webyy.js?v20.js222.161.226.9
hxxp://c1.web.yy.com/js/index.js?v15.0.js222.161.226.9
hxxp://c1.web.yy.com/r/rc/main/main/1/43/main.swf222.161.226.9

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /js/plugins.js HTTP/1.1

Accept: */*

Referer: hXXp://yy.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: c2.web.yy.com

Connection: Keep-Alive

Cookie: JSESSIONID=yf318d5bhhcj05o91xcm2ied6c6wa.yf3

HTTP/1.1 200 OK

Content-Type: application/x-javascript; charset=utf-8

Content-Encoding: gzip

Server: nginx

Date: Sat, 08 Nov 2014 15:48:23 GMT

Last-Modified: Thu, 28 Aug 2014 08:29:53 GMT

Expires: Sun, 09 Nov 2014 15:48:23 GMT

Cache-Control: max-age=86400

Age: 8284

Content-Length: 41729

Powered-By-ChinaCache: HIT from CNC-CC-b-3g7.3

............{_...7...U`.y.:.........hb.3..A2..V.Ap..@.....j].p..y..9{.&..W.k..W..' ..{......?..m}o}>..o...v.oQ....K....o.kk............V.v.o_].sOK..Q.m....=....v....u..iw.^....i?7.Ns...s.~.......?h.......8.a....^.~......t....L:i.........................ZC.....v...H.\..v.ku/x...0y..aZ...r.z.s.r./....O....ji.T.jk........|r.....[.\..N........;...x.....Z.^?J.x...y..|....i#..m...d#.....~7.M....e......2Jv.Y...a..(y.._.M...k...r...6.O.....g.......u../...Q..|....E..x..3.=........J.._..;.uA....f..G!<.<9[....7...._.U....7..Q.~v6.>.. }z.Q.gggk.e.?lN...._[........,\.....Z...Z..~.I0.....e.3H...Ng.Z=.(PKg...'a.m.;.F...7a........iy...K.l.......i.W{.6rgkM...,`.G..w..[.....@qX..;.z7.v..../(.M......../..4.(...V.....9....Z.....k.f.J....z>.(.AX...ni|[..y.x)N~...i.v..v.%;Q.%........x...{..mJ.~...].o...uk..G.S.......Z...;5n...Q.a.|...%.....a.}.%../.t.G./.d...*..1.k*......6..NK9....eo]^F..uN.G. >..V......9(...`Fe..b.w..R..=...t..h...Qj.....w....:^.....q......G ..G.ZwE<f.k.Ut....; ....cG.~.2'..xA..^.p~.....R.w.4.[F....u~.Z.J....$y.7pv"Z=.m.R:N(N...(=.6B...G....zs:....;....q.2...iu.y.{..%.....$....$=.{?.i.[a..4yYn...d#N.LW. @7.....O.V. P..^i.........N'E[......)...~....(..........._.T...]r..\..[W\...mF.m.F..f.A=._....V..y..MQz......m.....m0S[K.....4.=..... ..U:T..../..O..6.h._.o[}z..d.^... q,.4.'/..t.x.}.2..j..N=.t!Q....%6.(.."#...m.\.i...`...i..}...:t'D.w1.....Pi....9.7. .<qB......RFI..T'<.?/.A$s-..#..,e.........NV*..a..]P-. ..0P..i.].f .....r...|X.:.%.l8]..g.2...j.8...u...6a...;.-....x.f.U.....[...zz.*.`V..*

<<< skipped >>>

GET /img/close.jpg HTTP/1.1

Accept: */*

Referer: hXXp://yy.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: c3.web.yy.com

Connection: Keep-Alive

Cookie: JSESSIONID=yf318d5bhhcj05o91xcm2ied6c6wa.yf3; hiido_ui=0.15621836609516887; Hm_lvt_34a908ea88275f6ef0a72588f9c0be86=1415470045; Hm_lpvt_34a908ea88275f6ef0a72588f9c0be86=1415470045

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 08 Nov 2014 11:48:43 GMT

Content-Type: image/jpeg

Content-Length: 604

Last-Modified: Thu, 20 Feb 2014 07:37:14 GMT

Expires: Sun, 09 Nov 2014 11:48:43 GMT

Cache-Control: max-age=86400

Age: 22699

Powered-By-ChinaCache: HIT from CNC-DX-2-3g3.9

HTTP/1.1 200 OK..Server: nginx..Date: Sat, 08 Nov 2014 11:48:43 GMT..Content-Type: image/jpeg..Content-Length: 604..Last-Modified: Thu, 20 Feb 2014 07:37:14 GMT..Expires: Sun, 09 Nov 2014 11:48:43 GMT..Cache-Control: max-age=86400..Age: 22699..Powered-By-ChinaCache: HIT from CNC-DX-2-3g3.9........JFIF.....d.d......Ducky.......<......Adobe.d.................................................................................................................................................................l.................................................................A.!1.2...R3.a...."..s................................?.....t...r.roNMsy..U......g...y.ZK.- ii.C. .......Q.....F...F.Dpy..|N.&........ ........i....J.ZJ\B.))"..r.T.d..J...I.....s.N. z...r....UT....N...x.3oJ..(......`.6.ms.t...$O...Z )qlq.Z.N.J.ZM.............6..Ba%....F..A.ms...@%tT....)!~....}d.I....0.{...'.....V.l.r<.i..L.....

GET / HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: yy.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 08 Nov 2014 18:06:24 GMT

Content-Type: text/html;charset=UTF-8

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: JSESSIONID=yf318d5bhhcj05o91xcm2ied6c6wa.yf3;Path=/

Expires: Thu, 01 Jan 1970 00:00:00 GMT

Content-Language: zh-CN

Content-Encoding: gzip

a..............596...VQo.6.~.....E.{.D;NZG..li....bK..if..e1.DM...I.bX_...h........0.}..?3.m.....(..5CmC&E.w.............5..(D.o|z..*..!7[..\Z..n]Y...j.....8.......}....L,B...9h.".../...j*.rh....I./..A.....q.L.i.--iq..Qo.3m...G.DW....,Lu27..Dr.0.K. .6.....Ehjj.cO..P.T.0....A.^...hq.xz.............D...h.|}nz.6Y.....G..$ . ..m......q..B...,..IX.:...NY..$...U.:....p..2w.[9....H.7.79.q...%.....b..Yi.............F...0......"J.Z/."]]s..gsn..3.....e.._.|p.....h.ml.y.........Zb.R....D.e.....M....`..._..'.$...3..o.:........x.......<}...w...:|.D...xzp...........zT..xF...........Q..C=....9?..vEo....'...h.....@..]...../.<C{H.2.1.b.3......."..yl5l.P..q_...K.P...{..m...4...r.v...G.;.T..g."........@...G..$Ot....L..&,.d\Z....@..*.)-#E... O.Zy...9`..d...IA.......I.. ......{.5..V4....X.Z.m,&gS\..=.k..a.....X...=.;*.....R....2RM....7`.......L9-.....S.@).{?......#]\E.d.2_...J.*..V..8..c..B....o..U.....i.4...B......|~.......hgOH)"...q.L.BN....n.H.m..cQ4..'.....`.=.G.@.....0g.D_.$u....M..*Ff6........p`.J..*1...Xg....;.E{..s.le."...5j.....e.;n.n.dXK%f....P..bM...*.q...F.e..n....2...m....W.mg$.s.Tfng.......y..f0..Vv.....: .-p...id..2|.....u....v..p.....g.w.{M..M<....]\..x...6.n..b@...rx&......n..........K5}..,...y.z"..G....ZG .#.....r.&..2...\.Z.C....WfZ.%/e.,F.Op8.7...Q...q..5...Z.K.6...<........b../...k_..v...sv...*K..........^..,OX..C#.a.'F...h..E../,@uSY..u.i/6....8. ..tU...Q...S..t..w..q....J.W.k.n......Q.....U.(.../....Z.?Q .H.\].......:-V.y.....0......

<<< skipped >>>

GET /crossdomain.xml HTTP/1.1

Accept: */*

Accept-Language: en-US

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: yy.com

Connection: Keep-Alive

Cookie: JSESSIONID=yf318d5bhhcj05o91xcm2ied6c6wa.yf3; hiido_ui=0.15621836609516887; Hm_lvt_34a908ea88275f6ef0a72588f9c0be86=1415470045; Hm_lpvt_34a908ea88275f6ef0a72588f9c0be86=1415470045

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 08 Nov 2014 18:07:14 GMT

Content-Type: application/xml

Transfer-Encoding: chunked

Connection: keep-alive

Last-Modified: Thu, 20 Feb 2014 07:37:13 GMT

Content-Encoding: gzip

a..............a4..m.K..0.D. q.(K$S.'.,Q...........H\.....n4.7.../S.STW.....t8.........J..0P..Q... ..z....9..l`...V..u5qE..:..2^Fd..]S.B.)...z....4..3Z.....r.#..%....,s..7...>Q$.O......0......

GET //get-data/5336?subSid=1705313832&type=main&_=39769061 HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://c1.web.yy.com/r/rc/main/main/1/43/main.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: yy.com

Connection: Keep-Alive

Cookie: JSESSIONID=yf318d5bhhcj05o91xcm2ied6c6wa.yf3; hiido_ui=0.15621836609516887; Hm_lvt_34a908ea88275f6ef0a72588f9c0be86=1415470045; Hm_lpvt_34a908ea88275f6ef0a72588f9c0be86=1415470045

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 08 Nov 2014 18:07:16 GMT

Content-Type: text/plain;charset=UTF-8

Content-Length: 695

Connection: keep-alive

Set-Cookie: __wyy=d5707d6ff3d24401a7e02f7f2d1602fc;Path=/;Domain=.yy.com;Expires=Sun, 08-Nov-2015 18:07:16 GMT

Expires: Thu, 01 Jan 1970 00:00:00 GMT

Accept-Charset: big5, big5-hkscs, compound_text, euc-jp, euc-kr, gb18030, gb2312, gbk, ibm-thai, ibm00858, ibm01140, ibm01141, ibm01142, ibm01143, ibm01144, ibm01145, ibm01146, ibm01147, ibm01148, ibm01149, ibm037, ibm1026, ibm1047, ibm273, ibm277, ibm278, ibm280, ibm284, ibm285, ibm297, ibm420, ibm424, ibm437, ibm500, ibm775, ibm850, ibm852, ibm855, ibm857, ibm860, ibm861, ibm862, ibm863, ibm864, ibm865, ibm866, ibm868, ibm869, ibm870, ibm871, ibm918, iso-2022-cn, iso-2022-jp, iso-2022-jp-2, iso-2022-kr, iso-8859-1, iso-8859-13, iso-8859-15, iso-8859-2, iso-8859-3, iso-8859-4, iso-8859-5, iso-8859-6, iso-8859-7, iso-8859-8, iso-8859-9, jis_x0201, jis_x0212-1990, koi8-r, koi8-u, shift_jis, tis-620, us-ascii, utf-16, utf-16be, utf-16le, utf-32, utf-32be, utf-32le, utf-8, windows-1250, windows-1251, windows-1252, windows-1253, windows-1254, windows-1255, windows-1256, windows-1257, windows-1258, windows-31j, x-big5-hkscs-2001, x-big5-solaris, x-euc-jp-linux, x-euc-tw, x-eucjp-open, x-ibm1006, x-ibm1025, x-ibm1046, x-ibm1097, x-ibm1098, x-ibm1112, x-ibm1122, x-ibm1123, x-ibm1124, x-ibm1364, x-ibm1381, x-ibm1383, x-ibm33722, x-ibm737, x-ibm833, x-ibm834, x-ibm856, x-ibm874, x-ibm875, x-ibm921, x-ibm922, x-ibm930, x-ibm933, x-ibm935, x-ibm937, x-ibm939, x-ibm942, x-ibm942c, x-ibm943, x-ibm943c, x-ibm948, x-ibm949, x-ibm949c, x-ibm950, x-ibm964, x-ibm970, x-iscii91, x-iso-2022-cn-cns, x-iso-2022-cn-gb, x-iso-8859-11, x-jis0208, x-jisautodetect, x-johab, x-macarabic, x-maccentraleurope, x-maccroatian, x-maccyrillic, x-macdingbat, x-macgreek, x-machebrew, x-maciceland, x-macroman, x-macromania, x-macsymbol, x-macthai, x-macturkish, x-macukraine, x-ms932_0213, x-ms950-hkscs, x-ms950-hkscs-xp, x-mswin-936, x-pck, x-sjis_0213, x-utf-16le-bom, x-utf-32be-bom, x-utf-32le-bom, x-windows-50220, x-windows-50221, x-windows-

<<< skipped >>>

GET /img/loading.gif HTTP/1.1

Accept: */*

Referer: hXXp://yy.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: c3.web.yy.com

Connection: Keep-Alive

Cookie: JSESSIONID=yf318d5bhhcj05o91xcm2ied6c6wa.yf3

HTTP/1.1 200 OK

Content-Type: image/gif

Content-Length: 8543

Server: nginx

Date: Sat, 08 Nov 2014 09:24:13 GMT

Last-Modified: Thu, 20 Feb 2014 07:37:14 GMT

Expires: Sun, 09 Nov 2014 09:24:13 GMT

Cache-Control: max-age=86400

Age: 31337

Powered-By-ChinaCache: HIT from CNC-DX-2-3g3.8

GIF89a$.#.......|...............................................................................................................................................z........................................................}...................................................................................x.....y....................................................................~..............................................................................................................y..................................................................................................v..............................................................w.....w...........z.......................z.........................................................................................!..NETSCAPE2.0.....!.......,....$.#.....i..(.W/a...C....a.|..H...a..1.f...g....Hr.A`..A.0... '.1;&LbI.'.=30..._@..X...M..........A.4.y...h..A.*.j.....c...V...~...X3...n.f..ZZI.IC 7@.o..- ...[b..p.#..........Y1......y.I`z...@.4....);.,...;...=;..^...xAdt......&..Q..b.1.#..@...#.l..P.A....u..h.m.ID~...b.)A1.....fD3..uE.F...."Gta.H#./...K*C.u.AvpC......-.....$d..|4.G.I".1..G.P./...A&,r..3..v./.... \pA......#Wp0..WHU.}8.3..Q.`B.x@.#4_.pE...c..%%E..qP.G#&.F.Xz\....\..3.`v...P....P....53G......t..SR.......@...-...@.r..R .L.....2..2.......(.U..]...&.@......bP..,..-^x..-.`a(.).". A....|01.0..#-0...L.^ ...~Xp...%e.8....%P8....(..1..s.1.<.@.d(...5......%.9_l..>_.cE..<.L3.0........rTbE7..tPJ.8.L.$W.L....2......&.`C.!ED.I)i r.%..3.'.....}...6....=.

<<< skipped >>>

GET /h.js?34a908ea88275f6ef0a72588f9c0be86 HTTP/1.1

Accept: */*

Referer: hXXp://yy.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: hm.baidu.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Set-Cookie: HMVT=34a908ea88275f6ef0a72588f9c0be86|1415470016|; Path=/; Domain=hm.baidu.com

Set-Cookie: HMACCOUNT=1030A188B5FEFB46; Path=/; Domain=hm.baidu.com; Expires=Sun, 18 Jan 2038 00:00:00 GMT

P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

Etag: 5b6992daf5016061c987b5d17dd4cf17

Cache-Control: max-age=0, must-revalidate

Content-Encoding: gzip

Content-Type: application/javascript

Connection: Keep-Alive

Content-Length: 6962

Date: Sat, 08 Nov 2014 18:06:56 GMT

Server: apache

HTTP/1.1 200 OK..Set-Cookie: HMVT=34a908ea88275f6ef0a72588f9c0be86|1415470016|; Path=/; Domain=hm.baidu.com..Set-Cookie: HMACCOUNT=1030A188B5FEFB46; Path=/; Domain=hm.baidu.com; Expires=Sun, 18 Jan 2038 00:00:00 GMT..P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"..Etag: 5b6992daf5016061c987b5d17dd4cf17..Cache-Control: max-age=0, must-revalidate..Content-Encoding: gzip..Content-Type: application/javascript..Connection: Keep-Alive..Content-Length: 6962..Date: Sat, 08 Nov 2014 18:06:56 GMT..Server: apache...............%.(function(){var c={id:"34a908ea88275f6ef0a72588f9c0be86",dm:["yy.com","yy.com"],etrk:[],js:"tongji.baidu.com/hm-web/js/",icon:'',br:false,ctrk:true,align:1,nv:1,vdur:1800000,age:31536000000,rec:0,rp:[],trust:0,vcard:0,.Zm..6...OA..A1.v.f-D.....mIw..............N.....H<.!].".GB:::..sD*..hc.-y...I...h..F...l$..=}..E.fA....hj..._..MA....m?Nt|.a].c..E4.&.s..N.M....t.).p`.,.r...b&..,.....?.I..:.....qy.Nt..."..f"^d.c....l.D.`j..x,2......'..w...oA..H$}...rX"f.Rl.....W.q.!-........q9.Z ..;.o.Z.....g.Pd.0.jKq....g..WB..4:.#9(.A..Gc.KS....j..%.,<..=.....U.&.Th..c2...4.d/..*..x..B....Qp...dW;...1Q..r.C...Tb."..L.|........Y.V.z..WUl....Tc..j....HS.C.%.."..e...2...%y..8....p8..v..w=..13.f...............Q...(...|d.|..s...L.bK.bO.g%.0...%. .ML?....N...Y.!K.h..C[w~..mh1.>.o.6..[6../....}.Kp...yO...`i..d..f..H6#l...c3.......?..} .%.~6.N...*.#...E.k@p9h.YD........_Ql5$Z.....Z.... .0i?..G-.............%.(function(){var c={id:"34a908ea88275f6ef0a72588f9c0be86",dm:[

<<< skipped >>>

GET /hm.gif?cc=1&ck=1&cl=32-bit&ds=1276x846&et=0&fl=11.6&ja=1&ln=en-us&lo=0&nv=1&rnd=1182576063&si=34a908ea88275f6ef0a72588f9c0be86&st=1&v=1.0.68&lv=1&tt=频道 : 5336 | YY语音 HTTP/1.1

Accept: */*

Referer: hXXp://yy.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: hm.baidu.com

Connection: Keep-Alive

Cookie: HMVT=34a908ea88275f6ef0a72588f9c0be86|1415470016|; HMACCOUNT=1030A188B5FEFB46

HTTP/1.1 200 OK

Cache-Control: private, max-age=0, no-cache

Pragma: no-cache

Content-Type: image/gif

X-Content-Type-Options: nosniff

Connection: Keep-Alive

Content-Length: 43

Date: Sat, 08 Nov 2014 18:07:02 GMT

Server: apache

GIF89a.............!.......,...........L..;HTTP/1.1 200 OK..Cache-Control: private, max-age=0, no-cache..Pragma: no-cache..Content-Type: image/gif..X-Content-Type-Options: nosniff..Connection: Keep-Alive..Content-Length: 43..Date: Sat, 08 Nov 2014 18:07:02 GMT..Server: apache..GIF89a.............!.......,...........L..;..

GET /js/webyy.js?v20.js HTTP/1.1

Accept: */*

Referer: hXXp://yy.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: c1.web.yy.com

Connection: Keep-Alive

Cookie: JSESSIONID=yf318d5bhhcj05o91xcm2ied6c6wa.yf3

HTTP/1.1 200 OK

Content-Type: application/x-javascript; charset=utf-8

Content-Encoding: gzip

Server: nginx

Date: Sat, 08 Nov 2014 17:08:27 GMT

Last-Modified: Thu, 28 Aug 2014 08:29:53 GMT

Expires: Sun, 09 Nov 2014 17:08:27 GMT

Cache-Control: max-age=86400

Age: 3492

Content-Length: 4645

Powered-By-ChinaCache: HIT from CNC-CC-b-3g8.1

...........Z...D..*.&...F.....e*$pp.6..c.&..%.m.....y.q..w.&@x..r..b.nkS..l..E.v.....oq.~.a......iu........4.^a...-...?....Jv......B.,7.e...4.....yv...S..?|......\>].=..^?...i...k..hx..ZM3.9r...A..3f..d(t...^d........4....I..GA..........S .. ...8..gI...{......-r....>.'.x..o.....[?..|.......im..a.DY."._|p......x?.qx.....8~.......y'A.o~}..Ww....t8d.a.w...................8..].3......y..W...y............Y....>}.....5.sg>d.. *......~x.....M..z....kW.o.!.....{}C}.Q...X9A.D{.............n....1_p..n.=..X....(...49...z.?..h.....n.={}.....Z....v..............{..s......$dbf.Xy....~.2c....Fe...w ..8....5[.4.....l.P.~...p.[.....6.by..>.}@o.686..$..O..I..........m{..dK...{.m..w-y...$....0..z..n...x..N>a.km'ftk2.Y:.C...5.L&.... :JLt.$5O....O..g7t..3..u.JcC_..cm..... 1.W].`!.]....M..0g.O. .V..15.......p.j.l.`..g.V...\....j...o..uc.a:..N..H...x..e.N..}V...p....p..R...v/uu.F.!M}'`.Xi.j..j}.....h...4...j..}QM...X.\.8........1<..M..-0..z .........(e.X.......-..q..d......`....9i....$f.4....p...k..O...(..,.S..'/.g.hU7..it.O....l..M.iS.....~...W....j..s.2......".=..>..}....~..s..p.H=....._....g..._...v..r=......F.~..1..\.X....A..G.._i..T.qL$4i-....E.H......DH..b....V;....QH;..QA...11.5<.....c..4..#...# {..=qi..u..OJ...t..X...<u.L..c.......(.Z..hJ.'\......a[R....\.9....@.:C..}..4....l.}.r....(._Ni..BR.u. u../T..VsWI.K.M..B3.......<z...i.a.....j.....<.....-..v..o...........~...od.r.............#MCC<e/...".Y.Z?f]....N...X.....d.p......=.7.....6.80)[DK......A.....}..'..ok...aKkj..w..;....#?LY.&g.=..

<<< skipped >>>

GET /js/index.js?v15.0.js HTTP/1.1

Accept: */*

Referer: hXXp://yy.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: c1.web.yy.com

Connection: Keep-Alive

Cookie: JSESSIONID=yf318d5bhhcj05o91xcm2ied6c6wa.yf3

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 08 Nov 2014 13:08:12 GMT

Content-Type: application/x-javascript; charset=utf-8

Last-Modified: Thu, 30 Oct 2014 09:19:08 GMT

Expires: Sun, 09 Nov 2014 13:08:12 GMT

Cache-Control: max-age=86400

Content-Encoding: gzip

Age: 17909

Content-Length: 1326

Powered-By-ChinaCache: HIT from CNC-CC-b-3g8.1

...........V[..4.. ...&.l&......P*@...T.*FN...u...l..H}.../ ...$x-/...9-...8.\;S..;.....;.9..Q.B..*4..^...V".L..m....=....r.r.......3.?.L...!(.I4q..M.....#Xk.9.5.....3_...f....fn..........6.}?......N.s.....d........J.Q..[.`.i]..q....!5W....\.6.R.......ZU4...Ob@.Qp......2R~(gL.t.....I.dM....F.xc...5...%I..M.)4.F.r....q..,.......T.A...W.S.?..6W....>....s.J.......`bRf..X...*%..in....x[....fB....x9..*6C........v).=.... .q>....p...D.@/...?....r..... .... .-.Q.....Ls..@{....p...el.!/.%.K.Bh......>K. .[IB.2D...)..[...M....-..\.4D. .f.SQ....u.....Jo..n...V@........E.2..6{.F.*..[.8eC.!.U..Pe..06^...q....:._~2uP..C..>:.33.6.c....c.....d... .>..C.A...gS;..z<.=....O...T&...}m....j.........zY...-..e..J_V...'.u..Y..oK......8..........K'.8pm3IqI.m. .L....]V.....o..B...5?......m..V[.5.F..1.B8....-...v64..]o... ..E..F.....C.xF..}.. .S.h%L.Z.Fz`..SR..3g.I...GO....._.~...._......................}...7.Y.S..t .C...;...lh..e....\...."...A..le....IY.T..y...i.R.{IO =os"..=....M.<........1....2X>b.a..J....d1..Fn..v(.Z.a.. ..{o#.......&.m}>............D......M3.[.....Cg.....,.7N...... ..iW....S1....UH..nX #x..V..R7P..f..B........8.*.*...(.4...J0:.5....c... .F.)..%......^.;Ua..nt....=z..........O.V....X...Tm....e.5o......1.K.xN..n......U...\..9.|z&L.......2..........%.Eh.Y7.n....d..t...Ym.. . YA$.sal..^X...F.y...... RxK.......c.....

<<< skipped >>>

GET /duowan.js HTTP/1.1

Accept: */*

Referer: hXXp://yy.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.duowan.com

Connection: Keep-Alive

HTTP/1.0 200 OK

Content-Type: application/x-javascript; charset=utf-8

Vary: Accept-Encoding

Content-Encoding: gzip

Server: nginx

Date: Sat, 08 Nov 2014 18:05:12 GMT

Last-Modified: Tue, 04 Nov 2014 03:03:52 GMT

ETag: "54584218-27b2"

Expires: Sat, 08 Nov 2014 18:10:12 GMT

Cache-Control: max-age=300

X-UA-Compatible: IE=EmulateIE7

Age: 90

Content-Length: 4690

Powered-By-ChinaCache: HIT from CNC-LQ-h-3W7.11

Connection: keep-alive

..........}Z{w.<......@}..]\.....]d..\.@.6..1...c._ $.w.....'.......hf4..c*.J'.k..E..6T...T...r..'.........S. ...|...O..5...].5t.$.K./....8t..2...>1C=...[.._j.o..A.K..mO=........}..F.........kK*..N...-'....V..{]4>.........A'.......;......{..7w$..*.3.L.. .T.TAIz].a.B;TfflM.3I&..}u ....=7F.X.v@......|5...E.......b..e.........n.<.........E.6.....N.7.tw...~.<....Jo.r..}&_Jo..c..j.$...l.......P.Bg.d....c...V.sy....I..._..29M!r.M..YS:........P..q.y,.4=...Q....2...T.~......}..q`....=....@2....R.*..$iUJ@.GM..Y......0...v....Z......J.....jo.%s.=(.|~i...\@G.....D9....o....S.k....K..`...>Tn..... .....Q...LG,.G.V...@?.q......D....BF....[...3....M..S......m<.b\......e.[.T..(..3S....j.... ....J... .>g<....W....Rk...S\....#KD..l'.......f..z.........9.. r.-#*i.rZ..8[..ZU.......-.....$...3..j.(.8W.."........25.7o.sI...r.@...i..!...]..6(d\ ..5f\ .#"....H.ld...W.RW...yL.[..Rk..6&k.W..6"..A.:E..:6...*..Lp...4..G.a.6.}...f...uT..(.j.a.4.......1C ws... tt....... ...).P....^..... .'.CO..%l..kT?I......C.T...9..D.._...|]...|].d........4..,...Q,H.... .....4.D..~..H_..,O...(.=A..}...u.g.K.6.Q..P.........r.,.W.6.....|...o./..........$cXm..r.w..$.@....h.p).....7...........0.H{....{...*.Z.._gZ.........]0.....A.YW7Y..u.C..B..|.AU....5.H.-.>c.......w...vF0.t.....L.I.s....`i..P#..(.{....<.2MG...#....r.0....V... I.!..K...K'..'_.;'......0.O.....B...H;V..............N_...<...).)/.v-....K.E..=...........U?<.e.8....;.....y.`..P.y.p...6=.)...F.....T.?.........D...$....w....Y.c:.#t.....0j...^N|'...#f.`.I.*...:..

<<< skipped >>>

GET /c.gif?act=web&zd=_2b1acc1@yy|_e3d75f1@yy|www@yy|&ui=0.15621836609516887&sp=0&fl=11&sl=0&ss=2&bs=6&mb=0&nw=0&fd=0&hiido=0&sn=0&ls=0&vr=15&ut=1415470029326&wd=0&passport=&sns=null HTTP/1.1

Accept: */*

Referer: hXXp://yy.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ylog.hiido.com

Connection: Keep-Alive

HTTP/1.1 200 OK

GET /r/rc/main/main/1/43/main.swf HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://yy.com/

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: c1.web.yy.com

Connection: Keep-Alive

Cookie: JSESSIONID=yf318d5bhhcj05o91xcm2ied6c6wa.yf3; hiido_ui=0.15621836609516887; Hm_lvt_34a908ea88275f6ef0a72588f9c0be86=1415470045; Hm_lpvt_34a908ea88275f6ef0a72588f9c0be86=1415470045

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 08 Nov 2014 09:09:47 GMT

Content-Type: application/x-shockwave-flash;charset=UTF-8

Content-Length: 10735

Last-Modified: Wed, 20 Nov 2013 02:27:55 GMT

Expires: Sun, 09 Nov 2014 09:09:47 GMT

Cache-Control: max-age=86400

Age: 32238

Powered-By-ChinaCache: HIT from CNC-CC-b-3g8.2

CWS.QG..x..<.t[..w.{zWO.-......$&N..d!..!.....`;d."..%.%.I..RL...-4.........[..oi..&...B..F........}O^...o<...s....3s.>s....c3......q.c..........k;...mC.h.....C..pmu...[..............5.../........w[e41.|.`..H....d8.u....F.....\...L.G...r._......d.zQ."d4.....C.....p$.....m..P...V..@e0.M.....Hs..d$..n ..8...6.Rg..|1Z.B..&.]1EM/...........?..DVb..).bx...'B........V}..^..........>.G.....``ES..M.BFo2..#.......h....^X}...........|!k.2..F..;."(...L..r.;Q.;.5..7.eo.].....wF>.^b.~.!........._|w....?:.j._.\}.z...R.....N/|`......g.>......yv={k{[1....,...........d.....n.p.3..PjsW.......Cm//e.,..ji.`.=.......Vo.".V...)..(J`....f...Kes..J.....i.....)a=w..\.k.8.-......E......R..F_...o.z.=.i.........=.;.. ...^......:?..Jy...#U...oI.......6...=...U.[y...T....$...XA. .v..9C_$...G.......S0..{.....U....~...266:..:z...w..........#.$ *7k.k._~.#>..og.h.....-..@.......vS..,...@\4..d....V}.H2.Ih.....x..=wM<6..$.bpN..)...3.....x8.}.K.G..>....Qe....Dg=.N.G..M]I.6 >.#:[...,.O..#C.@..3A...o.v]............]..*d3.k.W...m..6.iC.....J4...v..}8@o......<.5.a@{..,.P...hm......,&.4.Q...H...0.6.$.9.H...V.y:...6.Rk.m...".a%..'U...".. .M..f.@~<0.N$...D.7..y....C...Y......z....fb...[...f...fl_....,F'.m.E.bC.....D.".-.H..Y....MQ.$..0...2....t.e.y4jm..kB...."\.A.i.aF..N[..........n.y..@....`.k.gt..D;J.....N..\...I(.............jE....R7l ..u:...iÜ...5...{..af.......cj.c...)...G8O.......cO.}.[6.,.%......<k......R,eIy1.3YT.....k......'M[.k.$E.zh<w"..3.~-....}y....G.6......(....h.1.w...d..}80.3....!!e.....%.(.m...

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_584:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

t$(SSh

t$(SSh

~%UVW

~%UVW

u$SShe

u$SShe

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

|$D.tm

|$D.tm

KERNEL32.DLL

KERNEL32.DLL

kernel32.dll

kernel32.dll

ntdll.dll

ntdll.dll

psapi.dll

psapi.dll

GetAsyncKeyState

GetAsyncKeyState

{E5000198-4471-40e2-92BC-D0BA075BDBB2}

{E5000198-4471-40e2-92BC-D0BA075BDBB2}

\rsr.ini

\rsr.ini

\EyLogin.dll

\EyLogin.dll

.upx0

.upx0

.upx1

.upx1

.reloc

.reloc

@.rsrc

@.rsrc

u[K^.tW

u[K^.tW

3.WL8^

3.WL8^

.zf38

.zf38

.lG;O

.lG;O

^%7s*j

^%7s*j

.>%U$

.>%U$

=a6%u7

=a6%u7

.Kb3|6

.Kb3|6

#;%C

#;%C

_.jp[

_.jp[

CMD]z

CMD]z

k.wR:H2

k.wR:H2

Y>4s%C

Y>4s%C

U`.yX

U`.yX

-j}PM

-j}PM

xIC^6*%F

xIC^6*%F

JgJ%F

JgJ%F

-Km492:-B}a

-Km492:-B}a

P@.LL?:

P@.LL?:

5.PsWF

5.PsWF

.Vb

.Vb

4.IJ:'

4.IJ:'

Hic.uF|)}

Hic.uF|)}

[I.NXRL

[I.NXRL

].zFb

].zFb

9.Oq2K

9.Oq2K

ZNf%d

ZNf%d

7a.QO!

7a.QO!

AP.HO

AP.HO

&kÞ

&kÞ

4\Ï

4\Ï

#=-

#=-

h%u@8

h%u@8

W::%d

W::%d

fn.mz

fn.mz

.lH))

.lH))

.IPbD>)

.IPbD>)

\_Eß

\_Eß

.Kh$

.Kh$

w_o%F

w_o%F

".ol%

".ol%

-ZKPf}

-ZKPf}

;.GO?q

;.GO?q

.RC6)

.RC6)

%S!z

%S!z

}oI.du

}oI.du

4%u8*

4%u8*

'.aG~{

'.aG~{

\.jNP'

\.jNP'

IPHLPAPI.DLL

IPHLPAPI.DLL

ADVAPI32.dll

ADVAPI32.dll

CKERNEL32.dll

CKERNEL32.dll

RegEnumKeyExW

RegEnumKeyExW

ole32.dll

ole32.dll

}..RfyK

}..RfyK

%DH!U

%DH!U

{%dMMcbtMxY

{%dMMcbtMxY

%S,D9@p,l

%S,D9@p,l

9%9SE

9%9SE

OLEAUT32.dll

OLEAUT32.dll

.laWZNI

.laWZNI

%USER32.dll

%USER32.dll

.li}\

.li}\

.toSZZ]({L

.toSZZ]({L

WLDAP32.dll

WLDAP32.dll

.KT\B

.KT\B

c.Muk

c.Muk

di[%D

di[%D

[d!%dl

[d!%dl

.JR'j

.JR'j

4.nr7=

4.nr7=

;)

;)

6S%S=

6S%S=

:.bwJ

:.bwJ

w.qh)

w.qh)

Fy.Jsw Qg

Fy.Jsw Qg

.cZf{K

.cZf{K

k.kGO

k.kGO

K^%s,

K^%s,

JjÂ

JjÂ

IL.JDb

IL.JDb

.KxkNGv

.KxkNGv

k.iA.

k.iA.

sc|eO%SN

sc|eO%SN

8{.Vb

8{.Vb

8.Tef

8.Tef

3.mJ{;

3.mJ{;

.Nq

.Nq

*.wJa

*.wJa

{\%.UG

{\%.UG

U| S%UL'

U| S%UL'

[".iL

[".iL

M3M!*#

M3M!*#

g.xwM

g.xwM

.kFR*

.kFR*

1YK,M.LG

1YK,M.LG

E647%C

E647%C

".aO!

".aO!

{.Pj7

{.Pj7

Pm!.CO

Pm!.CO

N.KI?8

N.KI?8

>.ZgJ

>.ZgJ

%D&O[

%D&O[

d.zL#

d.zL#

Q2.rJ

Q2.rJ

^Q.rV

^Q.rV

k.Rh

k.Rh

g{Z%s

g{Z%s

5.jTt

5.jTt

.gERS

.gERS

Q%XL?a

Q%XL?a

a.Uq@

a.Uq@

q&.Pz

q&.Pz

.rAuz0

.rAuz0

7;J3$.NP@

7;J3$.NP@

Rj.Jf

Rj.Jf

Psr%UG7

Psr%UG7

%SUi2

%SUi2

r:.YC

r:.YC

fv\b.nff

fv\b.nff

%u]Q\=

%u]Q\=

: :$:(:,:0:4:8:<:>

: :$:(:,:0:4:8:<:>

3,4044484

3,4044484

9â„¢9C9U9

9â„¢9C9U9

9 9$9(9,9094989

9 9$9(9,9094989

7%7S7p7

7%7S7p7

2 2$2(2,2

2 2$2(2,2

9-9}9

9-9}9

6!7?7]7{7

6!7?7]7{7

9 =1=7=@=1>8>

9 =1=7=@=1>8>

9':,:(;-;

9':,:(;-;

=!>3>;?@?

=!>3>;?@?

3$3/363=3

3$3/363=3

2 3?3L3

2 3?3L3

9!: :0:?:

9!: :0:?:

=%>*>5>>>

=%>*>5>>>

: :(:0:|:

: :(:0:|:

0 0@0`0|0

0 0@0`0|0

0$0(0,0004080

0$0(0,0004080

1 1$1(1,181|4

1 1$1(1,181|4

d.hJq|

d.hJq|

user32.dll

user32.dll

:.NA5

:.NA5

WS2_32.dll

WS2_32.dll

GetCpuID

GetCpuID

SetAppKey

SetAppKey

UserLogin

UserLogin

UserLoginSingle

UserLoginSingle

EyLogin.DLL

EyLogin.DLL

%x,3;

%x,3;

9XVs8%u?

9XVs8%u?

.Rewv

.Rewv

T.oc >

T.oc >

.KmrK

.KmrK

%SA{MT"

%SA{MT"

H.Lc4u,L

H.Lc4u,L

L(#%f>I

L(#%f>I

%uf`[x

%uf`[x

\fuwuw\trunk\EyLogin\Vs2008\EyLogin\EyLogin\Release\EyLogin.pdb

\fuwuw\trunk\EyLogin\Vs2008\EyLogin\EyLogin\Release\EyLogin.pdb

'%APPID%' = s 'EyLogin'

'%APPID%' = s 'EyLogin'

'EyLogin.DLL'

'EyLogin.DLL'

EyLogin.EyLoginSoft.1 = s 'EyLoginSoft Class'

EyLogin.EyLoginSoft.1 = s 'EyLoginSoft Class'

CLSID = s '{C691BF80-87AF-43A7-AD56-28D5DA857FBD}'

CLSID = s '{C691BF80-87AF-43A7-AD56-28D5DA857FBD}'

EyLogin.EyLoginSoft = s 'EyLoginSoft Class'

EyLogin.EyLoginSoft = s 'EyLoginSoft Class'

CurVer = s 'EyLogin.EyLoginSoft.1'

CurVer = s 'EyLogin.EyLoginSoft.1'

ForceRemove {C691BF80-87AF-43A7-AD56-28D5DA857FBD} = s 'EyLoginSoft Class'

ForceRemove {C691BF80-87AF-43A7-AD56-28D5DA857FBD} = s 'EyLoginSoft Class'

ProgID = s 'EyLogin.EyLoginSoft.1'

ProgID = s 'EyLogin.EyLoginSoft.1'

VersionIndependentProgID = s 'EyLogin.EyLoginSoft'

VersionIndependentProgID = s 'EyLogin.EyLoginSoft'

'TypeLib' = s '{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}'

'TypeLib' = s '{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}'

stdole2.tlbWWW

stdole2.tlbWWW

O~EyLoginW

O~EyLoginW

EyLoginSoftWd

EyLoginSoftWd

IEyLoginSoftd

IEyLoginSoftd

SetAppKeyWWW

SetAppKeyWWW

appKeyWWd

appKeyWWd

UserLoginWWW

UserLoginWWW

interfaceKeyd

interfaceKeyd

9UserLoginSingleW

9UserLoginSingleW

@LGetCpuIDd

@LGetCpuIDd

keyWd

keyWd

EyLogin 1.0

EyLogin 1.0

EyLoginSoft ClassW

EyLoginSoft ClassW

IEyLoginSoft

IEyLoginSoft

Created by MIDL version 7.00.0500 at Tue May 20 12:58:25 2014

Created by MIDL version 7.00.0500 at Tue May 20 12:58:25 2014

1.8.8

1.8.8

\EyLogin.dll"

\EyLogin.dll"

EyLogin.EyLoginSoft

EyLogin.EyLoginSoft

hXXp://VVV.2345.com/?ktt659189

hXXp://VVV.2345.com/?ktt659189

DNF.exe

DNF.exe

hXXp://yy.com/#9050/373700640

hXXp://yy.com/#9050/373700640

commctrl_DragListMsg

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

Afx:%x:%x

COMCTL32.DLL

COMCTL32.DLL

CNotSupportedException

CNotSupportedException

%*.*f

%*.*f

CCmdTarget

CCmdTarget

__MSVCRT_HEAP_SELECT

__MSVCRT_HEAP_SELECT

GetProcessHeap

GetProcessHeap

WinExec

WinExec

KERNEL32.dll

KERNEL32.dll

GetKeyState

GetKeyState

USER32.dll

USER32.dll

GetViewportOrgEx

GetViewportOrgEx

GDI32.dll

GDI32.dll

WINMM.dll

WINMM.dll

WINSPOOL.DRV

WINSPOOL.DRV

RegCloseKey

RegCloseKey

RegOpenKeyExA

RegOpenKeyExA

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

COMCTL32.dll

COMCTL32.dll

oledlg.dll

oledlg.dll

GetCPInfo

GetCPInfo

UnhookWindowsHookEx

UnhookWindowsHookEx

SetWindowsHookExA

SetWindowsHookExA

CreateDialogIndirectParamA

CreateDialogIndirectParamA

SetViewportOrgEx

SetViewportOrgEx

OffsetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

SetViewportExtEx

ScaleViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

GetViewportExtEx

comdlg32.dll

comdlg32.dll

RegCreateKeyExA

RegCreateKeyExA

Shell32.dll

Shell32.dll

Mpr.dll

Mpr.dll

Advapi32.dll

Advapi32.dll

User32.dll

User32.dll

Gdi32.dll

Gdi32.dll

Kernel32.dll

Kernel32.dll

.PAVCException@@

.PAVCException@@

%s:%d

%s:%d

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

(*.CUR)|*.CUR|

(*.*)|*.*||

(*.*)|*.*||

windows

windows

?? / %d]

?? / %d]

%d / %d]

%d / %d]

.PAVCFileException@@

.PAVCFileException@@

: %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.txt)|*.txt|

%d / %d

%d / %d

%d/%d

%d/%d

out.prn

out.prn

(*.prn)|*.prn|

(*.prn)|*.prn|

%d.%d

%d.%d

.PAVCNotSupportedException@@

.PAVCNotSupportedException@@

(%d-%d):

(%d-%d):

Bogus message code %d

Bogus message code %d

(&07-034/)7 '

(&07-034/)7 '

%ld%c

%ld%c

(*.htm;*.html)|*.htm;*.html

(*.htm;*.html)|*.htm;*.html

.?AVCCmdTarget@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.?AVCTestCmdUI@@

.PAVCUserException@@

.PAVCUserException@@

.PAVCArchiveException@@

.PAVCArchiveException@@

.PAVCObject@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCResourceException@@

.PAVCOleException@@

.PAVCOleException@@

.PAVCOleDispatchException@@

.PAVCOleDispatchException@@

zcÁ

zcÁ

#include "l.chs\afxres.rc" // Standard components

#include "l.chs\afxres.rc" // Standard components

\IEXPLORE.exe

\IEXPLORE.exe

software\microsoft\windows\CurrentVersion\Run\

software\microsoft\windows\CurrentVersion\Run\

h.rdata

h.rdata

H.data

H.data

.vmp0

.vmp0

b.kjlkasj

b.kjlkasj

".reloc

".reloc

DNF.EXE

DNF.EXE

ntoskrnl.exe

ntoskrnl.exe

HAL.dll

HAL.dll

I:\!S

I:\!S

hXXp://VVV.2345.com/?kyy9050

hXXp://VVV.2345.com/?kyy9050

shlwapi.dll

shlwapi.dll

TenSafe.exe

TenSafe.exe

QQDL.exe

QQDL.exe

TXPlatform.exe

TXPlatform.exe

QQLogin.exe

QQLogin.exe

SOFTWARE\DNF\TerSafe.dll\

SOFTWARE\DNF\TerSafe.dll\

SOFTWARE\DNF\TerSafe.EXE\

SOFTWARE\DNF\TerSafe.EXE\

taskkill /f /im DNF.exe.manifest

taskkill /f /im DNF.exe.manifest

WINDOWS\svstem32\TesSafe.svs\

WINDOWS\svstem32\TesSafe.svs\

WINDOWS\svstem32\TesSafe.sys\

WINDOWS\svstem32\TesSafe.sys\

\DNF.cfg.spk

\DNF.cfg.spk

\BugTrace.ini

\BugTrace.ini

\BugTrace.log

\BugTrace.log

\DNF.exe.manifest.spk

\DNF.exe.manifest.spk

\start\BugTrace.cfg

\start\BugTrace.cfg

\start\BugTrace.log

\start\BugTrace.log

\start\BugTrace.dll.spk

\start\BugTrace.dll.spk

\start\TenProtect\BugTrace.cfg

\start\TenProtect\BugTrace.cfg

\start\TenProtect\BugTrace.ini

\start\TenProtect\BugTrace.ini

\start\TenProtect\BugTrace.dll.spk

\start\TenProtect\BugTrace.dll.spk

\loginInfo.inf

\loginInfo.inf

\DNF_CHINA.cfg

\DNF_CHINA.cfg

\Tenio.ini

\Tenio.ini

\TenioCs.ini

\TenioCs.ini

\TenioPath.ini

\TenioPath.ini

\TenioTS.ini

\TenioTS.ini

\version.inf

\version.inf

\DNF.cfg

\DNF.cfg

\start\InstallPerformance.txt

\start\InstallPerformance.txt

\start\BugTrace.ini

\start\BugTrace.ini

\start\Tenio.ini

\start\Tenio.ini

\start\UserSetting.ini

\start\UserSetting.ini

WChannelScript.pvf

WChannelScript.pvf

\DNF.exe.manifest

\DNF.exe.manifest

\*.keyset

\*.keyset

\start\TenProtect\*.dmp

\start\TenProtect\*.dmp

\*.trc

\*.trc

\*.zip

\*.zip

Tensp.dll

Tensp.dll

2039389

2039389

1044950

1044950

1044980

1044980

dnf.exe

dnf.exe

Super-EChXXp://VVV.super-ec.cnhXXp://VVV.eyybc.com/forum-17-1.html/forum-12-1.html/memcp.php/ip.asp/time.asp/gonggao.txt/ec-user6.php/ec-bd.php/ec-jh.php

Super-EChXXp://VVV.super-ec.cnhXXp://VVV.eyybc.com/forum-17-1.html/forum-12-1.html/memcp.php/ip.asp/time.asp/gonggao.txt/ec-user6.php/ec-bd.php/ec-jh.php

hXXp://VVV.super-ec.cn

hXXp://VVV.super-ec.cn

" class="txt" />Function Getcpuid()

" class="txt" />Function Getcpuid()

Set cpuSet = GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_Processor")

Set cpuSet = GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_Processor")

getcpuid=cpu.ProcessorId

getcpuid=cpu.ProcessorId

\Device\\\.\

\Device\\\.\

F%*.*f

F%*.*f

MSWHEEL_ROLLMSG

MSWHEEL_ROLLMSG

iphlpapi.dll

iphlpapi.dll

SHLWAPI.dll

SHLWAPI.dll

MPR.dll

MPR.dll

VERSION.dll

VERSION.dll

GetWindowsDirectoryA

GetWindowsDirectoryA

RegisterHotKey

RegisterHotKey

UnregisterHotKey

UnregisterHotKey

RegCreateKeyA

RegCreateKeyA

WININET.dll

WININET.dll

Y%d

Y%d

X%d

X%d

Height%d

Height%d

Width%d

Width%d

RECT(%d, %d)-(%d, %d)

RECT(%d, %d)-(%d, %d)

Styles0xX

Styles0xX

Control ID%d

Control ID%d

Handle0xX

Handle0xX

.comment {color:green}

.comment {color:green}

burlywood

burlywood

\winhlp32.exe

\winhlp32.exe

%d%d%d

%d%d%d

rundll32.exe shell32.dll,

rundll32.exe shell32.dll,

\SVCHOST.exe

\SVCHOST.exe

u.hh{G

u.hh{G

hXXp://yy.com/#5336/1705313832

hXXp://yy.com/#5336/1705313832

YY.exe

YY.exe

hXXp://VVV.yy.com/go.html#5336

hXXp://VVV.yy.com/go.html#5336

EnumWindows

EnumWindows

VVV.dywt.com.cn

VVV.dywt.com.cn

SVCHOST.EXE

SVCHOST.EXE

AE814EB87AB32E49BF4E.EXE

AE814EB87AB32E49BF4E.EXE

c:\%original file name%.exe

c:\%original file name%.exe

&-.TXLpzs 2,

&-.TXLpzs 2,

"* 15!'#

"* 15!'#

1, 0, 2, 2

1, 0, 2, 2

EyLogin.dll

EyLogin.dll

(*.*)

(*.*)

1.0.0.0

1.0.0.0

(hXXp://VVV.eyuyan.com)

(hXXp://VVV.eyuyan.com)

\SystemRoot\system32\ntkrnlpa.exe

\SystemRoot\system32\ntkrnlpa.exe

\SystemRoot\system32\ntoskrnl.exe

\SystemRoot\system32\ntoskrnl.exe

SVCHOST.exe_892:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

t$(SSh

t$(SSh

~%UVW

~%UVW

u.hh{G

u.hh{G

u$SShe

u$SShe

hXXp://yy.com/#5336/1705313832

hXXp://yy.com/#5336/1705313832

commctrl_DragListMsg

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

Afx:%x:%x

COMCTL32.DLL

COMCTL32.DLL

CNotSupportedException

CNotSupportedException

%*.*f

%*.*f

CCmdTarget

CCmdTarget

ole32.dll

ole32.dll

__MSVCRT_HEAP_SELECT

__MSVCRT_HEAP_SELECT

user32.dll

user32.dll

GetProcessHeap

GetProcessHeap

WinExec

WinExec

KERNEL32.dll

KERNEL32.dll

GetKeyState

GetKeyState

USER32.dll

USER32.dll

GetViewportOrgEx

GetViewportOrgEx

GDI32.dll

GDI32.dll

WINMM.dll

WINMM.dll

WINSPOOL.DRV

WINSPOOL.DRV

RegCloseKey

RegCloseKey

RegOpenKeyExA

RegOpenKeyExA

ADVAPI32.dll

ADVAPI32.dll

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

OLEAUT32.dll

OLEAUT32.dll

COMCTL32.dll

COMCTL32.dll

oledlg.dll

oledlg.dll

WS2_32.dll

WS2_32.dll

GetCPInfo

GetCPInfo

UnhookWindowsHookEx

UnhookWindowsHookEx

SetWindowsHookExA

SetWindowsHookExA

CreateDialogIndirectParamA

CreateDialogIndirectParamA

SetViewportOrgEx

SetViewportOrgEx

OffsetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

SetViewportExtEx

ScaleViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

GetViewportExtEx

comdlg32.dll

comdlg32.dll

RegCreateKeyExA

RegCreateKeyExA

Shell32.dll

Shell32.dll

Mpr.dll

Mpr.dll

Advapi32.dll

Advapi32.dll

User32.dll

User32.dll

Gdi32.dll

Gdi32.dll

Kernel32.dll

Kernel32.dll

.PAVCException@@

.PAVCException@@

%s:%d

%s:%d

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

(*.CUR)|*.CUR|

(*.*)|*.*||

(*.*)|*.*||

windows

windows

?? / %d]

?? / %d]

%d / %d]

%d / %d]

.PAVCFileException@@

.PAVCFileException@@

: %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.txt)|*.txt|

%d / %d

%d / %d

%d/%d

%d/%d

out.prn

out.prn

(*.prn)|*.prn|

(*.prn)|*.prn|

%d.%d

%d.%d

.PAVCNotSupportedException@@

.PAVCNotSupportedException@@

(%d-%d):

(%d-%d):

Bogus message code %d

Bogus message code %d

(&07-034/)7 '

(&07-034/)7 '

%ld%c

%ld%c

(*.htm;*.html)|*.htm;*.html

(*.htm;*.html)|*.htm;*.html

.?AVCCmdTarget@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.?AVCTestCmdUI@@

.PAVCUserException@@

.PAVCUserException@@

.PAVCArchiveException@@

.PAVCArchiveException@@

.PAVCObject@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCResourceException@@

.PAVCOleException@@

.PAVCOleException@@

.PAVCOleDispatchException@@

.PAVCOleDispatchException@@

zcÁ

zcÁ

%Documents and Settings%\%current user%\My Documents\SVCHOST.exe

%Documents and Settings%\%current user%\My Documents\SVCHOST.exe

#include "l.chs\afxres.rc" // Standard components

#include "l.chs\afxres.rc" // Standard components

(*.*)

(*.*)

1.0.0.0

1.0.0.0

(hXXp://VVV.eyuyan.com)

(hXXp://VVV.eyuyan.com)