HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Graftor.2540 (B) (Emsisoft), Gen:Variant.Graftor.2540 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 1c0f9025e87aae814eb87ab32e49bf4e
SHA1: 7ff4aef8e15cd33219ac41e78f4b90e847a6a597
SHA256: 11ce55c9af9384dc3ac15d2a33c1597b80efdd15876125707b9e7539a5a6807c
SSDeep: 49152:m6SodEuj8VwcZmOuEJgjF7ktFWezv20lK2AlppMRm1X1SQ0dynDS:JSouuj8eCmOuEJ6kqW2ZpL1leyDS
Size: 4104192 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PolyEnE001byLennartHedlund, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6
Company: no certificate found
Created at: 2014-08-11 10:27:40
Analyzed on: Windows XP SP3 32-bit
Summary: Trojan-PSW. Trojan program intended for stealing users' passwords.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:584
5336¼«¿ÃÂÂ.exe:1724
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:584 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Fonts\5336¼«¿ÃÂÂ.exe (17629 bytes)
%Documents and Settings%\%current user%\My Documents\SVCHOST.exe (3699 bytes)
The process 5336¼«¿ÃÂÂ.exe:1724 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\这个.sys (18 bytes)
Registry activity
The process %original file name%.exe:584 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 52 41 EF 94 AF 14 15 EF ED FE 16 D4 98 63 B7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\My Documents]
"svchost.exe" = "易语言程序"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE security zone settings to map all local web nodes without dots that are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The process 5336¼«¿ÃÂÂ.exe:1724 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 D6 AD 1B D8 DC B5 47 07 EB 40 2A FE E9 8E 29"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.2345.com/?ktt659189"
[HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage" = "1"
To run itself automatically each time Windows is booted, the Trojan adds a link to its file under the following system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Î񵀮ô¶¯ÃÂÂî" = "%Documents and Settings%\Administrator\「开始」菜单\程序\启动\IEXPLORE.exe"
Dropped PE files
MD5 | File path |
---|---|
42b23743e20c12d6e101e513bf87097f | c:\Documents and Settings\"%CurrentUserName%"\Application Data\这个.sys |
659c2355c7bfc03e20bf94cfc9d7db80 | c:\Documents and Settings\"%CurrentUserName%"\My Documents\SVCHOST.exe |
65236a140ef2f52fc8691148f74a2fd4 | c:\WINDOWS\Fonts\5336¼«¿ÃÂ.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following kernel-mode hooks:
ZwQuerySystemInformation
ZwReadVirtualMemory
ZwWriteVirtualMemory
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:584
5336¼«¿ÃÂÂ.exe:1724
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\Fonts\5336¼«¿ÃÂÂ.exe (17629 bytes)
%Documents and Settings%\%current user%\My Documents\SVCHOST.exe (3699 bytes)
%Documents and Settings%\%current user%\Application Data\这个.sys (18 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Î񵀮ô¶¯ÃÂÂî" = "%Documents and Settings%\Administrator\「开始」菜单\程序\启动\IEXPLORE.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 433006 | 434176 | 4.54187 | dfcd456bcb66c166cb0bb21c298e969f |
.rdata | 438272 | 3572982 | 3575808 | 4.95199 | 33c56e5cbea00b9379f44961a4c6ff18 |
.data | 4014080 | 199722 | 61440 | 3.32314 | 4cac040f4174f6f8ea5d0f7b8dab95b6 |
.rsrc | 4214784 | 26868 | 28672 | 3.66791 | 62ae8c11e5b2b5f2992eea32881ea50d |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://yy.com/ | 183.61.179.207 |
hxxp://cc00077.h.cnc.ccgslb.com.cn/js/plugins.js | |
hxxp://cc00077.h.cnc.ccgslb.com.cn/img/loading.gif | |
hxxp://cc00077.h.cnc.ccgslb.com.cn/js/webyy.js?v20.js | |
hxxp://cc00077.h.cnc.ccgslb.com.cn/js/index.js?v15.0.js | |
hxxp://cc00077.h.cnc.ccgslb.net/duowan.js | |
hxxp://ylog.hiido.com/c.gif?act=web&zd=_2b1acc1@yy|_e3d75f1@yy|www@yy|&ui=0.15621836609516887&sp=0&fl=11&sl=0&ss=2&bs=6&mb=0&nw=0&fd=0&hiido=0&sn=0&ls=0&vr=15&ut=1415470029326&wd=0&passport=&sns=null | 222.186.49.20 |
hxxp://hm.e.shifen.com/h.js?34a908ea88275f6ef0a72588f9c0be86 | |
hxxp://hm.e.shifen.com/hm.gif?cc=1&ck=1&cl=32-bit&ds=1276x846&et=0&fl=11.6&ja=1&ln=en-us&lo=0&nv=1&rnd=1182576063&si=34a908ea88275f6ef0a72588f9c0be86&st=1&v=1.0.68&lv=1&tt=频道 : 5336 | YY语音 | |
hxxp://cc00077.h.cnc.ccgslb.com.cn/img/close.jpg | |
hxxp://cc00077.h.cnc.ccgslb.com.cn/r/rc/main/main/1/43/main.swf | |
hxxp://yy.com/crossdomain.xml | 183.61.179.207 |
hxxp://yy.com//get-data/5336?subSid=1705313832&type=main&_=39769061 | 183.61.179.207 |
hxxp://c3.web.yy.com/img/close.jpg | 183.95.152.108 |
hxxp://www.duowan.com/duowan.js | 61.240.138.8 |
hxxp://c2.web.yy.com/js/plugins.js | 222.161.226.8 |
hxxp://hm.baidu.com/hm.gif?cc=1&ck=1&cl=32-bit&ds=1276x846&et=0&fl=11.6&ja=1&ln=en-us&lo=0&nv=1&rnd=1182576063&si=34a908ea88275f6ef0a72588f9c0be86&st=1&v=1.0.68&lv=1&tt=频道 : 5336 | YY语音 | 61.135.185.140 |
hxxp://c3.web.yy.com/img/loading.gif | 183.95.152.108 |
hxxp://hm.baidu.com/h.js?34a908ea88275f6ef0a72588f9c0be86 | 61.135.185.140 |
hxxp://c1.web.yy.com/js/webyy.js?v20.js | 222.161.226.9 |
hxxp://c1.web.yy.com/js/index.js?v15.0.js | 222.161.226.9 |
hxxp://c1.web.yy.com/r/rc/main/main/1/43/main.swf | 222.161.226.9 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /js/plugins.js HTTP/1.1
Accept: */*
Referer: hXXp://yy.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c2.web.yy.com
Connection: Keep-Alive
Cookie: JSESSIONID=yf318d5bhhcj05o91xcm2ied6c6wa.yf3
HTTP/1.1 200 OK
Content-Type: application/x-javascript; charset=utf-8
Content-Encoding: gzip
Server: nginx
Date: Sat, 08 Nov 2014 15:48:23 GMT
Last-Modified: Thu, 28 Aug 2014 08:29:53 GMT
Expires: Sun, 09 Nov 2014 15:48:23 GMT
Cache-Control: max-age=86400
Age: 8284
Content-Length: 41729
Powered-By-ChinaCache: HIT from CNC-CC-b-3g7.3
<<< skipped >>>
GET /img/close.jpg HTTP/1.1
Accept: */*
Referer: hXXp://yy.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c3.web.yy.com
Connection: Keep-Alive
Cookie: JSESSIONID=yf318d5bhhcj05o91xcm2ied6c6wa.yf3; hiido_ui=0.15621836609516887; Hm_lvt_34a908ea88275f6ef0a72588f9c0be86=1415470045; Hm_lpvt_34a908ea88275f6ef0a72588f9c0be86=1415470045
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 08 Nov 2014 11:48:43 GMT
Content-Type: image/jpeg
Content-Length: 604
Last-Modified: Thu, 20 Feb 2014 07:37:14 GMT
Expires: Sun, 09 Nov 2014 11:48:43 GMT
Cache-Control: max-age=86400
Age: 22699
Powered-By-ChinaCache: HIT from CNC-DX-2-3g3.9
GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yy.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 08 Nov 2014 18:06:24 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: JSESSIONID=yf318d5bhhcj05o91xcm2ied6c6wa.yf3;Path=/
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Language: zh-CN
Content-Encoding: gzip
<<< skipped >>>
GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yy.com
Connection: Keep-Alive
Cookie: JSESSIONID=yf318d5bhhcj05o91xcm2ied6c6wa.yf3; hiido_ui=0.15621836609516887; Hm_lvt_34a908ea88275f6ef0a72588f9c0be86=1415470045; Hm_lpvt_34a908ea88275f6ef0a72588f9c0be86=1415470045
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 08 Nov 2014 18:07:14 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Thu, 20 Feb 2014 07:37:13 GMT
Content-Encoding: gzip
GET //get-data/5336?subSid=1705313832&type=main&_=39769061 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://c1.web.yy.com/r/rc/main/main/1/43/main.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yy.com
Connection: Keep-Alive
Cookie: JSESSIONID=yf318d5bhhcj05o91xcm2ied6c6wa.yf3; hiido_ui=0.15621836609516887; Hm_lvt_34a908ea88275f6ef0a72588f9c0be86=1415470045; Hm_lpvt_34a908ea88275f6ef0a72588f9c0be86=1415470045
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 08 Nov 2014 18:07:16 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 695
Connection: keep-alive
Set-Cookie: __wyy=d5707d6ff3d24401a7e02f7f2d1602fc;Path=/;Domain=.yy.com;Expires=Sun, 08-Nov-2015 18:07:16 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Accept-Charset: big5, big5-hkscs, compound_text, euc-jp, euc-kr, gb18030, gb2312, gbk, ibm-thai, ibm00858, ibm01140, ibm01141, ibm01142, ibm01143, ibm01144, ibm01145, ibm01146, ibm01147, ibm01148, ibm01149, ibm037, ibm1026, ibm1047, ibm273, ibm277, ibm278, ibm280, ibm284, ibm285, ibm297, ibm420, ibm424, ibm437, ibm500, ibm775, ibm850, ibm852, ibm855, ibm857, ibm860, ibm861, ibm862, ibm863, ibm864, ibm865, ibm866, ibm868, ibm869, ibm870, ibm871, ibm918, iso-2022-cn, iso-2022-jp, iso-2022-jp-2, iso-2022-kr, iso-8859-1, iso-8859-13, iso-8859-15, iso-8859-2, iso-8859-3, iso-8859-4, iso-8859-5, iso-8859-6, iso-8859-7, iso-8859-8, iso-8859-9, jis_x0201, jis_x0212-1990, koi8-r, koi8-u, shift_jis, tis-620, us-ascii, utf-16, utf-16be, utf-16le, utf-32, utf-32be, utf-32le, utf-8, windows-1250, windows-1251, windows-1252, windows-1253, windows-1254, windows-1255, windows-1256, windows-1257, windows-1258, windows-31j, x-big5-hkscs-2001, x-big5-solaris, x-euc-jp-linux, x-euc-tw, x-eucjp-open, x-ibm1006, x-ibm1025, x-ibm1046, x-ibm1097, x-ibm1098, x-ibm1112, x-ibm1122, x-ibm1123, x-ibm1124, x-ibm1364, x-ibm1381, x-ibm1383, x-ibm33722, x-ibm737, x-ibm833, x-ibm834, x-ibm856, x-ibm874, x-ibm875, x-ibm921, x-ibm922, x-ibm930, x-ibm933, x-ibm935, x-ibm937, x-ibm939, x-ibm942, x-ibm942c, x-ibm943, x-ibm943c, x-ibm948, x-ibm949, x-ibm949c, x-ibm950, x-ibm964, x-ibm970, x-iscii91, x-iso-2022-cn-cns, x-iso-2022-cn-gb, x-iso-8859-11, x-jis0208, x-jisautodetect, x-johab, x-macarabic, x-maccentraleurope, x-maccroatian, x-maccyrillic, x-macdingbat, x-macgreek, x-machebrew, x-maciceland, x-macroman, x-macromania, x-macsymbol, x-macthai, x-macturkish, x-macukraine, x-ms932_0213, x-ms950-hkscs, x-ms950-hkscs-xp, x-mswin-936, x-pck, x-sjis_0213, x-utf-16le-bom, x-utf-32be-bom, x-utf-32le-bom, x-windows-50220, x-windows-50221, x-windows-
<<< skipped >>>
GET /img/loading.gif HTTP/1.1
Accept: */*
Referer: hXXp://yy.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c3.web.yy.com
Connection: Keep-Alive
Cookie: JSESSIONID=yf318d5bhhcj05o91xcm2ied6c6wa.yf3
HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 8543
Server: nginx
Date: Sat, 08 Nov 2014 09:24:13 GMT
Last-Modified: Thu, 20 Feb 2014 07:37:14 GMT
Expires: Sun, 09 Nov 2014 09:24:13 GMT
Cache-Control: max-age=86400
Age: 31337
Powered-By-ChinaCache: HIT from CNC-DX-2-3g3.8
<<< skipped >>>
GET /h.js?34a908ea88275f6ef0a72588f9c0be86 HTTP/1.1
Accept: */*
Referer: hXXp://yy.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: hm.baidu.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Set-Cookie: HMVT=34a908ea88275f6ef0a72588f9c0be86|1415470016|; Path=/; Domain=hm.baidu.com
Set-Cookie: HMACCOUNT=1030A188B5FEFB46; Path=/; Domain=hm.baidu.com; Expires=Sun, 18 Jan 2038 00:00:00 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Etag: 5b6992daf5016061c987b5d17dd4cf17
Cache-Control: max-age=0, must-revalidate
Content-Encoding: gzip
Content-Type: application/javascript
Connection: Keep-Alive
Content-Length: 6962
Date: Sat, 08 Nov 2014 18:06:56 GMT
Server: apache
<<< skipped >>>
GET /hm.gif?cc=1&ck=1&cl=32-bit&ds=1276x846&et=0&fl=11.6&ja=1&ln=en-us&lo=0&nv=1&rnd=1182576063&si=34a908ea88275f6ef0a72588f9c0be86&st=1&v=1.0.68&lv=1&tt=频道 : 5336 | YY语音 HTTP/1.1
Accept: */*
Referer: hXXp://yy.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: hm.baidu.com
Connection: Keep-Alive
Cookie: HMVT=34a908ea88275f6ef0a72588f9c0be86|1415470016|; HMACCOUNT=1030A188B5FEFB46
HTTP/1.1 200 OK
Cache-Control: private, max-age=0, no-cache
Pragma: no-cache
Content-Type: image/gif
X-Content-Type-Options: nosniff
Connection: Keep-Alive
Content-Length: 43
Date: Sat, 08 Nov 2014 18:07:02 GMT
Server: apache
GET /js/webyy.js?v20.js HTTP/1.1
Accept: */*
Referer: hXXp://yy.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c1.web.yy.com
Connection: Keep-Alive
Cookie: JSESSIONID=yf318d5bhhcj05o91xcm2ied6c6wa.yf3
HTTP/1.1 200 OK
Content-Type: application/x-javascript; charset=utf-8
Content-Encoding: gzip
Server: nginx
Date: Sat, 08 Nov 2014 17:08:27 GMT
Last-Modified: Thu, 28 Aug 2014 08:29:53 GMT
Expires: Sun, 09 Nov 2014 17:08:27 GMT
Cache-Control: max-age=86400
Age: 3492
Content-Length: 4645
Powered-By-ChinaCache: HIT from CNC-CC-b-3g8.1
<<< skipped >>>
GET /js/index.js?v15.0.js HTTP/1.1
Accept: */*
Referer: hXXp://yy.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c1.web.yy.com
Connection: Keep-Alive
Cookie: JSESSIONID=yf318d5bhhcj05o91xcm2ied6c6wa.yf3
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 08 Nov 2014 13:08:12 GMT
Content-Type: application/x-javascript; charset=utf-8
Last-Modified: Thu, 30 Oct 2014 09:19:08 GMT
Expires: Sun, 09 Nov 2014 13:08:12 GMT
Cache-Control: max-age=86400
Content-Encoding: gzip
Age: 17909
Content-Length: 1326
Powered-By-ChinaCache: HIT from CNC-CC-b-3g8.1
<<< skipped >>>
GET /duowan.js HTTP/1.1
Accept: */*
Referer: hXXp://yy.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.duowan.com
Connection: Keep-Alive
HTTP/1.0 200 OK
Content-Type: application/x-javascript; charset=utf-8
Vary: Accept-Encoding
Content-Encoding: gzip
Server: nginx
Date: Sat, 08 Nov 2014 18:05:12 GMT
Last-Modified: Tue, 04 Nov 2014 03:03:52 GMT
ETag: "54584218-27b2"
Expires: Sat, 08 Nov 2014 18:10:12 GMT
Cache-Control: max-age=300
X-UA-Compatible: IE=EmulateIE7
Age: 90
Content-Length: 4690
Powered-By-ChinaCache: HIT from CNC-LQ-h-3W7.11
Connection: keep-alive
<<< skipped >>>
GET /c.gif?act=web&zd=_2b1acc1@yy|_e3d75f1@yy|www@yy|&ui=0.15621836609516887&sp=0&fl=11&sl=0&ss=2&bs=6&mb=0&nw=0&fd=0&hiido=0&sn=0&ls=0&vr=15&ut=1415470029326&wd=0&passport=&sns=null HTTP/1.1
Accept: */*
Referer: hXXp://yy.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ylog.hiido.com
Connection: Keep-Alive
HTTP/1.1 200 OK
GET /r/rc/main/main/1/43/main.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://yy.com/
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c1.web.yy.com
Connection: Keep-Alive
Cookie: JSESSIONID=yf318d5bhhcj05o91xcm2ied6c6wa.yf3; hiido_ui=0.15621836609516887; Hm_lvt_34a908ea88275f6ef0a72588f9c0be86=1415470045; Hm_lpvt_34a908ea88275f6ef0a72588f9c0be86=1415470045
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 08 Nov 2014 09:09:47 GMT
Content-Type: application/x-shockwave-flash;charset=UTF-8
Content-Length: 10735
Last-Modified: Wed, 20 Nov 2013 02:27:55 GMT
Expires: Sun, 09 Nov 2014 09:09:47 GMT
Cache-Control: max-age=86400
Age: 32238
Powered-By-ChinaCache: HIT from CNC-CC-b-3g8.2
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_584:
.text
`.rdata
@.data
.rsrc
t$(SSh
~%UVW
u$SShe
MsgWaitForMultipleObjects
|$D.tm
KERNEL32.DLL
kernel32.dll
ntdll.dll
psapi.dll
GetAsyncKeyState
{E5000198-4471-40e2-92BC-D0BA075BDBB2}
\rsr.ini
\EyLogin.dll
.upx0
.upx1
.reloc
@.rsrc
u[K^.tW
3.WL8^
.zf38
.lG;O
^%7s*j
.>%U$
=a6%u7
.Kb3|6
#;%C
_.jp[
CMD]z
k.wR:H2
Y>4s%C
U`.yX
-j}PM
xIC^6*%F
JgJ%F
-Km492:-B}a
P@.LL?:
5.PsWF
.Vb
4.IJ:'
Hic.uF|)}
[I.NXRL
].zFb
9.Oq2K
ZNf%d
7a.QO!
AP.HO
&kÞ
4\Ã
#=-
h%u@8
W::%d
fn.mz
.lH))
.IPbD>)
\_Eß
.Kh$
w_o%F
".ol%
-ZKPf}
;.GO?q
.RC6)
%S!z
}oI.du
4%u8*
'.aG~{
\.jNP'
IPHLPAPI.DLL
ADVAPI32.dll
CKERNEL32.dll
RegEnumKeyExW
ole32.dll
}..RfyK
%DH!U
{%dMMcbtMxY
%S,D9@p,l
9%9SE
OLEAUT32.dll
.laWZNI
%USER32.dll
.li}\
.toSZZ]({L
WLDAP32.dll
.KT\B
c.Muk
di[%D
[d!%dl
.JR'j
4.nr7=
;)
6S%S=
:.bwJ
w.qh)
Fy.Jsw Qg
.cZf{K
k.kGO
K^%s,
JjÂ
IL.JDb
.KxkNGv
k.iA.
sc|eO%SN
8{.Vb
8.Tef
3.mJ{;
.Nq
*.wJa
{\%.UG
U| S%UL'
[".iL
M3M!*#
g.xwM
.kFR*
1YK,M.LG
E647%C
".aO!
{.Pj7
Pm!.CO
N.KI?8
>.ZgJ
%D&O[
d.zL#
Q2.rJ
^Q.rV
k.Rh
g{Z%s
5.jTt
.gERS
Q%XL?a
a.Uq@
q&.Pz
.rAuz0
7;J3$.NP@
Rj.Jf
Psr%UG7
%SUi2
r:.YC
fv\b.nff
%u]Q\=
: :$:(:,:0:4:8:<:>
3,4044484
9™9C9U9
9 9$9(9,9094989
7%7S7p7
2 2$2(2,2
9-9}9
6!7?7]7{7
9 =1=7=@=1>8>
9':,:(;-;
=!>3>;?@?
3$3/363=3
2 3?3L3
9!: :0:?:
=%>*>5>>>
: :(:0:|:
0 0@0`0|0
0$0(0,0004080
1 1$1(1,181|4
d.hJq|
user32.dll
:.NA5
WS2_32.dll
GetCpuID
SetAppKey
UserLogin
UserLoginSingle
EyLogin.DLL
%x,3;
9XVs8%u?
.Rewv
T.oc >
.KmrK
%SA{MT"
H.Lc4u,L
L(#%f>I
%uf`[x
\fuwuw\trunk\EyLogin\Vs2008\EyLogin\EyLogin\Release\EyLogin.pdb
'%APPID%' = s 'EyLogin'
'EyLogin.DLL'
EyLogin.EyLoginSoft.1 = s 'EyLoginSoft Class'
CLSID = s '{C691BF80-87AF-43A7-AD56-28D5DA857FBD}'
EyLogin.EyLoginSoft = s 'EyLoginSoft Class'
CurVer = s 'EyLogin.EyLoginSoft.1'
ForceRemove {C691BF80-87AF-43A7-AD56-28D5DA857FBD} = s 'EyLoginSoft Class'
ProgID = s 'EyLogin.EyLoginSoft.1'
VersionIndependentProgID = s 'EyLogin.EyLoginSoft'
'TypeLib' = s '{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}'
stdole2.tlbWWW
O~EyLoginW
EyLoginSoftWd
IEyLoginSoftd
SetAppKeyWWW
appKeyWWd
UserLoginWWW
interfaceKeyd
9UserLoginSingleW
@LGetCpuIDd
keyWd
EyLogin 1.0
EyLoginSoft ClassW
IEyLoginSoft
Created by MIDL version 7.00.0500 at Tue May 20 12:58:25 2014
1.8.8
\EyLogin.dll"
EyLogin.EyLoginSoft
hXXp://VVV.2345.com/?ktt659189
DNF.exe
hXXp://yy.com/#9050/373700640
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CNotSupportedException
%*.*f
CCmdTarget
__MSVCRT_HEAP_SELECT
GetProcessHeap
WinExec
KERNEL32.dll
GetKeyState
USER32.dll
GetViewportOrgEx
GDI32.dll
WINMM.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
ShellExecuteA
SHELL32.dll
COMCTL32.dll
oledlg.dll
GetCPInfo
UnhookWindowsHookEx
SetWindowsHookExA
CreateDialogIndirectParamA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
RegCreateKeyExA
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
.PAVCException@@
%s:%d
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
(*.*)|*.*||
windows
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
%d / %d
%d/%d
out.prn
(*.prn)|*.prn|
%d.%d
.PAVCNotSupportedException@@
(%d-%d):
Bogus message code %d
(&07-034/)7 '
%ld%c
(*.htm;*.html)|*.htm;*.html
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCUserException@@
.PAVCArchiveException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCOleException@@
.PAVCOleDispatchException@@
zcÃ
#include "l.chs\afxres.rc" // Standard components
\IEXPLORE.exe
software\microsoft\windows\CurrentVersion\Run\
h.rdata
H.data
.vmp0
b.kjlkasj
".reloc
DNF.EXE
ntoskrnl.exe
HAL.dll
I:\!S
hXXp://VVV.2345.com/?kyy9050
shlwapi.dll
TenSafe.exe
QQDL.exe
TXPlatform.exe
QQLogin.exe
SOFTWARE\DNF\TerSafe.dll\
SOFTWARE\DNF\TerSafe.EXE\
taskkill /f /im DNF.exe.manifest
WINDOWS\svstem32\TesSafe.svs\
WINDOWS\svstem32\TesSafe.sys\
\DNF.cfg.spk
\BugTrace.ini
\BugTrace.log
\DNF.exe.manifest.spk
\start\BugTrace.cfg
\start\BugTrace.log
\start\BugTrace.dll.spk
\start\TenProtect\BugTrace.cfg
\start\TenProtect\BugTrace.ini
\start\TenProtect\BugTrace.dll.spk
\loginInfo.inf
\DNF_CHINA.cfg
\Tenio.ini
\TenioCs.ini
\TenioPath.ini
\TenioTS.ini
\version.inf
\DNF.cfg
\start\InstallPerformance.txt
\start\BugTrace.ini
\start\Tenio.ini
\start\UserSetting.ini
WChannelScript.pvf
\DNF.exe.manifest
\*.keyset
\start\TenProtect\*.dmp
\*.trc
\*.zip
Tensp.dll
2039389
1044950
1044980
dnf.exe
Super-EChXXp://VVV.super-ec.cnhXXp://VVV.eyybc.com/forum-17-1.html/forum-12-1.html/memcp.php/ip.asp/time.asp/gonggao.txt/ec-user6.php/ec-bd.php/ec-jh.php
hXXp://VVV.super-ec.cn
" class="txt" />Function Getcpuid()
Set cpuSet = GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_Processor")
getcpuid=cpu.ProcessorId
\Device\\\.\
F%*.*f
MSWHEEL_ROLLMSG
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
GetWindowsDirectoryA
RegisterHotKey
UnregisterHotKey
RegCreateKeyA
WININET.dll
Y%d
X%d
Height%d
Width%d
RECT(%d, %d)-(%d, %d)
Styles0xX
Control ID%d
Handle0xX
.comment {color:green}
burlywood
\winhlp32.exe
%d%d%d
rundll32.exe shell32.dll,
\SVCHOST.exe
u.hh{G
hXXp://yy.com/#5336/1705313832
YY.exe
hXXp://VVV.yy.com/go.html#5336
EnumWindows
VVV.dywt.com.cn
SVCHOST.EXE
AE814EB87AB32E49BF4E.EXE
c:\%original file name%.exe
&-.TXLpzs 2,
"* 15!'#
1, 0, 2, 2
EyLogin.dll
(*.*)
1.0.0.0
(hXXp://VVV.eyuyan.com)
\SystemRoot\system32\ntkrnlpa.exe
\SystemRoot\system32\ntoskrnl.exe
SVCHOST.exe_892:
.text
`.rdata
@.data
.rsrc
t$(SSh
~%UVW
u.hh{G
u$SShe
hXXp://yy.com/#5336/1705313832
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CNotSupportedException
%*.*f
CCmdTarget
ole32.dll
__MSVCRT_HEAP_SELECT
user32.dll
GetProcessHeap
WinExec
KERNEL32.dll
GetKeyState
USER32.dll
GetViewportOrgEx
GDI32.dll
WINMM.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
OLEAUT32.dll
COMCTL32.dll
oledlg.dll
WS2_32.dll
GetCPInfo
UnhookWindowsHookEx
SetWindowsHookExA
CreateDialogIndirectParamA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
RegCreateKeyExA
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
.PAVCException@@
%s:%d
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
(*.*)|*.*||
windows
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
%d / %d
%d/%d
out.prn
(*.prn)|*.prn|
%d.%d
.PAVCNotSupportedException@@
(%d-%d):
Bogus message code %d
(&07-034/)7 '
%ld%c
(*.htm;*.html)|*.htm;*.html
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCUserException@@
.PAVCArchiveException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCOleException@@
.PAVCOleDispatchException@@
zcÃ
%Documents and Settings%\%current user%\My Documents\SVCHOST.exe
#include "l.chs\afxres.rc" // Standard components
(*.*)
1.0.0.0
(hXXp://VVV.eyuyan.com)