UDS:DangerousObject.Multi.Generic (Kaspersky), Gen:Variant.Zusy.97797 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericInjector.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 88b64b50f8cd2c8d4cca3576af96b18f
SHA1: f79e4ed08c0848d6577ac77d355ee0b802035102
SHA256: 0654efc1d48f92c7ed559738714e7125a6d8ef4302fcf1f562128a73af09d359
SSDeep: 49152:K3yZofCH6JJ7A4A7lDhTzPORV/tPnY/4c:2yZH6J9LAphTzPARtPCv
Size: 2363392 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC50, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, Armadillov171, UPolyXv05_v6
Company: no certificate found
Created at: 2014-11-04 18:37:56
Analyzed on: WindowsXPESX SP3 32-bit
Summary: Trojan-PSW. Trojan program intended for stealing users' passwords.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
mscorsvw.exe:1912
The Trojan injects its code into the following process(es):
%original file name%.exe:1320
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1320 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\logger[1].js (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\core[1].php (748 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YniCc.dll (3716 bytes)
%System%\BackInC.sys (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\bds_s_v2[1].js (378 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\yni[1].htm (899 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.yni[1].txt (161 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (165 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\getnum[1]._getShare&type=load&t=1417253630007 (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.yni[2].txt (418 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\bdsstyle[1].css (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\is[1].png (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\shell_v2[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\myrar.exe (148 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (196 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (5880 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\sc[1].png (579 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[1].php (1074 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041720130418 (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.yni[1].txt (0 bytes)
%System%\BackInC.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041720130418\index.dat (0 bytes)
Registry activity
The process mscorsvw.exe:1912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "2340000"
The process %original file name%.exe:1320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014112920141130]
"CacheLimit" = "8192"
"CacheRepair" = "0"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014112920141130]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014112920141130\"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014112920141130]
"CachePrefix" = ":2014112920141130:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D5 BB AA 1B D1 AA D5 F5 D6 D2 F5 46 1E 3F FC 86"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014112920141130]
"CacheOptions" = "11"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security zone settings so that all local web nodes (names without dots) that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013041720130418]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
523276b0dae10cc57c08737029682c3b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\YniCc.dll |
95668cbcb37a29e1554c5e3472bf9188 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\myrar.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
mscorsvw.exe:1912
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\logger[1].js (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\core[1].php (748 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YniCc.dll (3716 bytes)
%System%\BackInC.sys (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\bds_s_v2[1].js (378 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\yni[1].htm (899 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.yni[1].txt (161 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (165 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\getnum[1]._getShare&type=load&t=1417253630007 (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.yni[2].txt (418 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\bdsstyle[1].css (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\is[1].png (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\shell_v2[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\myrar.exe (148 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (196 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (5880 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\sc[1].png (579 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[1].php (1074 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 732887 | 733184 | 4.46952 | 38feab9ef898399b2cd1af2e8ffb929d |
.rdata | 737280 | 1529236 | 1531904 | 4.81032 | 981033196f1b0a9af25e77019d824189 |
.data | 2269184 | 267306 | 65536 | 3.51456 | 9c1d794defd9257d4cfd4cfc4bea4cd1 |
.vmp0 | 2539520 | 2616 | 4096 | 4.08184 | 3f2cba4134905abcd4317a20fd68557e |
.rsrc | 2543616 | 23796 | 24576 | 3.44479 | ea066d14470af9b1be5f5645e48965b8 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://www.yni.cc/yni.txt | 58.218.211.239 |
hxxp://www.yni.cc/?admin | 58.218.211.239 |
hxxp://www.yni.cc/images/bt_in.jpg | 58.218.211.239 |
hxxp://bae.jomodns.com/static/js/shell_v2.js?cdnversion=11 | |
hxxp://all.cnzz.com.danuoyi.tbcache.com/stat.php?id=5903035&web_id=5903035 | |
hxxp://bae.jomodns.com/static/js/logger.js?cdnversion=393682 | |
hxxp://bae.jomodns.com/static/js/bds_s_v2.js?cdnversion=393682 | |
hxxp://bae.jomodns.com/static/css/bdsstyle.css?cdnversion=20131219 | |
hxxp://api.share.n.shifen.com/getnum?url=http://www.yni.cc/?admin&callback=bdShare.fn._getShare&type=load&t=1417253630007 | |
hxxp://bae.jomodns.com/static/images/is.png?cdnversion=20131219 | |
hxxp://z6.cnzz.com/stat.htm?id=5903035&r=&lg=en-us&ntime=none&cnzz_eid=1893028559-1417272088-&showp=1024x768&t=undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined...&h=1&rnd=1953223682 | 42.156.140.19 |
hxxp://bae.jomodns.com/static/images/sc.png?cdnversion=20120720 | |
hxxp://all.cnzz.com.danuoyi.tbcache.com/core.php?web_id=5903035&t=z | |
hxxp://cnzz.mmstat.com/9.gif?abc=1&rnd=250415370 | 42.120.219.171 |
hxxp://cnzz.mmstat.com/app.gif?&cna=HckADfcAVj4CAbhrJiYkNkni | 42.120.219.171 |
hxxp://static.n.shifen.com/v.gif?pid=307&type=3071&sc=80,48,1024,740&desturl=&apitype=1&linkid=i32s7vmxc4i&velo_load=1531&velo_cssload=703&velo_jsLoad=984&cite_uid=771984&cite_type=1&cite_mini=0 | |
hxxp://bdimg.share.baidu.com/static/js/shell_v2.js?cdnversion=11 | 211.90.25.48 |
hxxp://pcookie.cnzz.com/app.gif?&cna=HckADfcAVj4CAbhrJiYkNkni | 42.120.219.171 |
hxxp://bdimg.share.baidu.com/static/css/bdsstyle.css?cdnversion=20131219 | 211.90.25.48 |
hxxp://bdimg.share.baidu.com/static/js/bds_s_v2.js?cdnversion=393682 | 211.90.25.48 |
hxxp://v1.cnzz.com/stat.php?id=5903035&web_id=5903035 | 1.99.192.15 |
hxxp://bdimg.share.baidu.com/static/js/logger.js?cdnversion=393682 | 211.90.25.48 |
hxxp://bdimg.share.baidu.com/static/images/sc.png?cdnversion=20120720 | 211.90.25.48 |
hxxp://bdimg.share.baidu.com/static/images/is.png?cdnversion=20131219 | 211.90.25.48 |
hxxp://api.share.baidu.com/getnum?url=http://www.yni.cc/?admin&callback=bdShare.fn._getShare&type=load&t=1417253630007 | 61.135.162.115 |
hxxp://nsclick.baidu.com/v.gif?pid=307&type=3071&sc=80,48,1024,740&desturl=&apitype=1&linkid=i32s7vmxc4i&velo_load=1531&velo_cssload=703&velo_jsLoad=984&cite_uid=771984&cite_type=1&cite_mini=0 | 115.239.211.92 |
hxxp://c.cnzz.com/core.php?web_id=5903035&t=z | 66.102.255.55 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /v.gif?pid=307&type=3071&sc=80,48,1024,740&desturl=&apitype=1&linkid=i32s7vmxc4i&velo_load=1531&velo_cssload=703&velo_jsLoad=984&cite_uid=771984&cite_type=1&cite_mini=0 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yni.cc/?admin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: nsclick.baidu.com
Connection: Keep-Alive
Cookie: BAIDUID=AE58B413FC36C05AA33E2F1482B73605:FG=1
HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: max-age=0
Content-Type: image/gif
ETag: "4280832337"
Accept-Ranges: bytes
Last-Modified: Fri, 23 Oct 2009 08:06:04 GMT
Expires: Sat, 29 Nov 2014 14:41:35 GMT
Content-Length: 0
Date: Sat, 29 Nov 2014 14:41:35 GMT
Server: BWS/1.0
Connection: Keep-Alive
GET /static/js/logger.js?cdnversion=393682 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yni.cc/?admin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: bdimg.share.baidu.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: JSP3/2.0.4
Date: Sat, 29 Nov 2014 14:41:29 GMT
Content-Type: text/javascript
Content-Length: 2404
Connection: close
ETag: "1772769857"
Last-Modified: Wed, 26 Nov 2014 05:56:07 GMT
Expires: Sat, 29 Nov 2014 15:10:16 GMT
Age: 73
Cache-Control: max-age=1800
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
<<< skipped >>>
GET /yni.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.yni.cc
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Length: 7
Content-Type: text/plain
Last-Modified: Sun, 10 Aug 2014 16:26:42 GMT
Accept-Ranges: bytes
ETag: "c126bdeb7b4cf1:8a8"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 29 Nov 2014 14:42:27 GMT
v0808.1....
GET /?admin HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.yni.cc
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 5684
Content-Type: text/html
Content-Location: hXXp://VVV.yni.cc/index.htm
Last-Modified: Tue, 18 Nov 2014 15:35:09 GMT
Accept-Ranges: bytes
ETag: "7c15a43c453d01:8a8"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 29 Nov 2014 14:42:29 GMT
<style type="text/css">..<!--..body {...background-color: #000000;..}...STYLE3 {color: #FF3300; }...STYLE4 {...color: #FF3300;...font-size: 12px;..}...STYLE5 {...color: #FF0000;...font-size: 12px;...font-weight: bold;..}...STYLE6 {color: #FFFFFF}...STYLE88 {...color: #00FF66;...font-size: 12px;...font-weight: bold;..}...STYLE89 {color: #CCCCCC; font-size: 12px; }...STYLE90 {font-size: 12px}...STYLE91 {color: #FFFFFF; font-size: 12px; }...STYLE93 {font-weight: bold; font-family: "...."; color: #ffffff;}...STYLE98 {color: #CCCCCC}...STYLE100 {color: #FF0000}...STYLE99 {color: #00FF66}...STYLE115 {color: #99FF33; font-size: 20px; font-weight: bold; }...STYLE116 {color: #FF6633}..body,td,th {...color: #FFFFFF;..}...STYLE117 {color: #FF0066; font-size: 20px; font-weight: bold; }...STYLE118 {color: #9900CC}..-->..</style><title>CF........,CF....,CF........,CF..........Www.Yni.Cc</title>..<div align="center">.. <p class="STYLE115">CF..................Www.Yni.Cc</p>.. <p class="STYLE117"><a href="hXXp://VVV.yni.cc/tz.htm" class="STYLE118">319CF........QQ..122319319</a></p>.. <meta name="keywords" content="CF........,CF....,CF........,CF........" />..<meta name="description" content="CF........,CF....,CF........,CF........" />....<br />..</div>..<div align="center">.. <table width="385" height="205" border="1" bordercolor="#CCFF99">.. <tbody>.. <tr>.. <td bgcolor="#000000" height=
<<< skipped >>>
GET /images/bt_in.jpg HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yni.cc/?admin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.yni.cc
Connection: Keep-Alive
HTTP/1.1 404 Not Found
Content-Length: 1308
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 29 Nov 2014 14:42:30 GMT
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "hXXp://VVV.w3.org/TR/html4/strict.dtd">..<HTML><HEAD><TITLE>............</TITLE>..<META HTTP-EQUIV="Content-Type" Content="text/html; charset=GB2312">..<STYLE type="text/css">.. BODY { font: 9pt/12pt .... }.. H1 { font: 12pt/15pt .... }.. H2 { font: 9pt/12pt .... }.. A:link { color: red }.. A:visited { color: maroon }..</STYLE>..</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>..<h1>............</h1>....................................................<hr>..<p>................</p>..<ul>..<li>........................................................</li>..<li>..................................................................................</li>..<li>....<a href="javascript:history.back(1)">....</a>....................</li>..</ul>..<h2>HTTP .... 404 - ..................<br>Internet ........ (IIS)</h2>..<hr>..<p>..............................</p>..<ul>..<li>.... <a href="hXXp://go.microsoft.com/fwlink/?linkid=8180">Microsoft ............</a>..........“HTTP”..“404”........</li>..<li>....“IIS ....”...... IIS ...... (inetmgr) ........................“........”..“............”..“..................”........</li>..</ul>..</TD><
<<< skipped >>>
GET /core.php?web_id=5903035&t=z HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yni.cc/?admin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 748
Connection: keep-alive
Date: Sat, 29 Nov 2014 14:41:33 GMT
Last-Modified: Sat, 29 Nov 2014 14:41:33 GMT
Expires: Sat, 29 Nov 2014 14:56:33 GMT
Via: cache23.l2de1[1787,200-0,M], cache54.l2de1[1788,0], cache2.us1[1939,200-0,M], cache2.us1[1940,0]
X-Cache: MISS TCP_REFRESH_MISS dirn:7:682641498
X-Swift-SaveTime: Sat, 29 Nov 2014 14:41:33 GMT
X-Swift-CacheTime: 900
GET /static/images/is.png?cdnversion=20131219 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yni.cc/?admin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: bdimg.share.baidu.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: JSP3/2.0.4
Date: Sat, 29 Nov 2014 14:41:30 GMT
Content-Type: image/png
Content-Length: 12294
Connection: close
ETag: "1643694967"
Last-Modified: Thu, 20 Nov 2014 04:28:35 GMT
Expires: Sun, 30 Nov 2014 16:04:55 GMT
Age: 238539
Cache-Control: max-age=604800
Accept-Ranges: bytes
<<< skipped >>>
GET /getnum?url=http://VVV.yni.cc/?admin&callback=bdShare.fn._getShare&type=load&t=1417253630007 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yni.cc/?admin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: api.share.baidu.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Set-Cookie: BAIDUID=AE58B413FC36C05AA33E2F1482B73605:FG=1; max-age=31536000; expires=Sun, 29-Nov-15 14:41:30 GMT; domain=.baidu.com; path=/; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
Content-Type: application/javascript
Content-Length: 50
Date: Sat, 29 Nov 2014 14:41:30 GMT
Server: apache
bdShare.fn._getShare({"errno":0,"num":[24,"24"]})...
GET /stat.php?id=5903035&web_id=5903035 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yni.cc/?admin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: v1.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Transfer-Encoding: chunked
Connection: keep-alive
Date: Sat, 29 Nov 2014 14:41:28 GMT
Last-Modified: Sat, 29 Nov 2014 14:41:28 GMT
Cache-Control: max-age=5400,s-maxage=5400
Via: cache29.l2hk1[208,200-0,M], cache15.l2hk1[210,0], cache4.us1[547,200-0,M], cache5.us1[549,0]
X-Cache: MISS TCP_REFRESH_MISS dirn:7:510277739
X-Swift-SaveTime: Sat, 29 Nov 2014 14:41:29 GMT
X-Swift-CacheTime: 5399
<<< skipped >>>
GET /app.gif?&cna=HckADfcAVj4CAbhrJiYkNkni HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yni.cc/?admin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: pcookie.cnzz.com
HTTP/1.1 200 OK
Server: Tengine
Date: Sat, 29 Nov 2014 14:41:34 GMT
Content-Type: image/gif
Content-Length: 43
Connection: keep-alive
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: cna=HckADfcAVj4CAbhrJiYkNkni; expires=Tue, 26-Nov-24 14:41:34 GMT; path=/; domain=.cnzz.com
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache
GIF89a.............!.......,...........L..;..
GET /static/js/shell_v2.js?cdnversion=11 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yni.cc/?admin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: bdimg.share.baidu.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: JSP3/2.0.4
Date: Sat, 29 Nov 2014 14:41:28 GMT
Content-Type: text/javascript
Content-Length: 571
Connection: close
ETag: "3685372755"
Last-Modified: Wed, 26 Nov 2014 05:56:07 GMT
Expires: Wed, 30 Jul 2014 21:06:50 GMT
Cache-Control: max-age=1800
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
<<< skipped >>>
GET /stat.htm?id=5903035&r=&lg=en-us&ntime=none&cnzz_eid=1893028559-1417272088-&showp=1024x768&t=undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined...&h=1&rnd=1953223682 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yni.cc/?admin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: z6.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine/1.4.1
Date: Sat, 29 Nov 2014 14:41:30 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Tue, 28 May 2013 02:57:17 GMT
Connection: close
Accept-Ranges: bytes
GIF89a.............!.......,...........D..;..
GET /static/js/bds_s_v2.js?cdnversion=393682 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yni.cc/?admin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: bdimg.share.baidu.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: JSP3/2.0.4
Date: Sat, 29 Nov 2014 14:41:29 GMT
Content-Type: text/javascript
Content-Length: 9992
Connection: close
ETag: "1764475539"
Last-Modified: Wed, 26 Nov 2014 05:56:07 GMT
Expires: Sat, 29 Nov 2014 14:46:10 GMT
Age: 1519
Cache-Control: max-age=1800
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
<<< skipped >>>
GET /9.gif?abc=1&rnd=250415370 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yni.cc/?admin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cnzz.mmstat.com
Connection: Keep-Alive
HTTP/1.1 302 Found
Server: Tengine
Date: Sat, 29 Nov 2014 14:41:33 GMT
Content-Type: image/gif
Content-Length: 43
Connection: keep-alive
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: cna=HckADfcAVj4CAbhrJiYkNkni; expires=Tue, 26-Nov-24 14:41:33 GMT; path=/; domain=.mmstat.com
Set-Cookie: sca=3f406078; path=/; domain=.cnzz.mmstat.com
Set-Cookie: atpsida=89409adb1a04822d96666676_1417272093; expires=Tue, 26-Nov-24 14:41:33 GMT; path=/; domain=.cnzz.mmstat.com
Location: hXXp://pcookie.cnzz.com/app.gif?&cna=HckADfcAVj4CAbhrJiYkNkni
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache
GIF89a.............!.......,...........L..;..
GET /static/css/bdsstyle.css?cdnversion=20131219 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yni.cc/?admin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: bdimg.share.baidu.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: JSP3/2.0.4
Date: Sat, 29 Nov 2014 14:41:29 GMT
Content-Type: text/css
Content-Length: 2021
Connection: close
ETag: "2645184860"
Last-Modified: Wed, 26 Nov 2014 05:56:04 GMT
Expires: Sat, 29 Nov 2014 15:09:43 GMT
Age: 61
Cache-Control: max-age=1800
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
<<< skipped >>>
GET /static/images/sc.png?cdnversion=20120720 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yni.cc/?admin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: bdimg.share.baidu.com
Connection: Keep-Alive
Cookie: BAIDUID=AE58B413FC36C05AA33E2F1482B73605:FG=1
HTTP/1.1 200 OK
Server: JSP3/2.0.4
Date: Sat, 29 Nov 2014 14:41:31 GMT
Content-Type: image/png
Content-Length: 579
Connection: close
ETag: "2645188378"
Last-Modified: Wed, 26 Nov 2014 05:56:06 GMT
Expires: Fri, 05 Dec 2014 07:41:56 GMT
Age: 111575
Cache-Control: max-age=604800
Accept-Ranges: bytes
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_1320:
.text
`.rdata
@.data
.vmp0
`.rsrc
kernel32.dll
shlwapi.dll
wininet.dll
user32.dll
KERNEL32.DLL
imm32.dll
helpsrf.ime
ntdll.dll
gdiplus.dll
GdiPlus.dll
Kernel32.dll
Ole32.dll
gdi32.dll
Gdiplus.dll
User32.dll
Gdi32.dll
dwmapi.dll
ole32.dll
MsgWaitForMultipleObjects
CreatePipe
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
ShellExecuteA
UnloadKeyboardLayout
GetKeyboardLayoutList
EnumThreadWindows
GetKeyboardLayout
ActivateKeyboardLayout
GetKeyboardLayoutNameA
GdipGetStringFormatHotkeyPrefix
GdipSetStringFormatHotkeyPrefix
#in_password
Client.exe
BaiduAn.Setup.youqian.3.0.0.3971_1000118039.exe
hXXp://dlsw.br.baidu.com/ditui/zujian/BaiduAn.Setup.youqian.3.0.0.3971_1000118039.exe
lssdjt_10033-0.rar
hXXp://down.lssdjt.org/down/lssdjt_10033-0.rar
lssdjt_10033-0.exe
cmd.exe /c
command.exe /c
mylist.lst
myrar.exe
?hXXp://w.x.baidu.com/go/mini/2/30077
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
http=
https
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
hXXp://
hXXp://VVV.yni.cc/?admin
hXXp://VVV.yni.cc/yni.txt
hXXp://VVV.yni.cc/?gxing
\YniCc.dll
`.reloc
@.rsrc
winmm.dll
GetAsyncKeyState
127.0.0.1
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
GetProcessHeap
WinExec
KERNEL32.dll
GetKeyState
USER32.dll
GetViewportOrgEx
GDI32.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
COMCTL32.dll
oledlg.dll
WININET.dll
GetCPInfo
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
mogui.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
(*.htm;*.html)|*.htm;*.html
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
#include "l.chs\afxres.rc" // Standard components
hXXp://VVV.wz123.com/?shge
hXXp://VVV.yni.cc/?js
Keyboard Layout\Preload\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\S-1-5-21-1060284298-606747145-682003330-500\Keyboard Layout\Preload
crossfire.exe
calc.exe
.idata
.rdata
P.reloc
P.rsrc
Assertion "%s" failed in file "%s" at line %d
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; Kew;)
Winlogon.exe
1.1.4
GetKeyboardType
advapi32.dll
oleaut32.dll
wsock32.dll
Windows
notepad.exe
.rsrc
UTF-8
USER32.DLL
L\BackInC.sys
h.rdata
H.data
B.reloc
d:\work\envoy\backin\curr2\backinc\objfre_wlh_x86\i386\BackInC.pdb
ntoskrnl.exe
HAL.dll
keybd_event
MapVirtualKeyW
BackInDll.dll
AppKbVkSendKeyAndStatus2String
KeyDown
KeyPress
KeyUp
VKSendAkeysAsync_KB
VKSendAkeysSeq_KB
VKSendAkeysSingle_KB
VKSendAkeysSync_KB
VKSendKeyAction_MU
VKSendKeyEx_KB
VKSendKeyEx_MU
VKSendMsVirtualKeyAsync_KB
VKSendMsVirtualKeySingle_KB
VKSendMsVirtualKeySync_KB
09/27/12
{6AEDBD6D-3FB5-418A-83A6-7F45229DC872}
Ex_DirectUI_MsgBox
RASAPI32.dll
GetWindowsDirectoryA
RegCreateKeyA
RegDeleteKeyA
WSOCK32.dll
InternetCrackUrlA
InternetCanonicalizeUrlA
VVV.dywt.com.cn
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCOleException@@
.PAVCOleDispatchException@@
8d4cca3576af96b18f.exe
c:\%original file name%.exe
(*.*)
1.0.0.0
1, 0, 0, 0
hXXp://blog.163.com/envoy_0769@yeah/
1.0.0.1 built by: WinDDK
BackInC.sys
1.0.0.1
Unknown key: x
\\.\BackInC_Device
Right Windows
Windows
1, 0, 0, 1
BackInDll.Dll
(hXXp://VVV.eyuyan.com)