Trojan-Dropper.Win32.Injector.jksa (Kaspersky), Gen:Variant.Graftor.388 (B) (Emsisoft), Gen:Variant.Graftor.150978 (AdAware), Trojan.Win32.IEDummy.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 9a6906c9aa2a87cced21082f05ff175e
SHA1: d15b9fb4edd52ee74f94e37358a1e8f0045994b4
SHA256: 3026e2155a959c7ba61c1a12026a65bf600060908fb99b35a22f0a85cfeac9f7
SSDeep: 49152:Gc//////ZTsG/IQHLL1 lLcSRhUX9kiJBG428fBRhlsT7DZ3:Gc//////tLL1SLcoeNki/G428nsT7x
Size: 2117120 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, BorlandDelphiv30, UPolyXv05_v6
Company: Be Or
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXPESX SP3 32-bit
Summary: Trojan-Dropper. Trojan program intended for the stealthy installation of other malware onto the user's system.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
sc.exe:244
net1.exe:1748
net.exe:1948
cj1.exe:540
%original file name%.exe:1848
%original file name%.exe:1820
gamedmon.exe:1712
The Trojan injects its code into the following process(es):
svohost.exe:1360
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process svohost.exe:1360 makes changes in the file system.
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\cj1.exe (0 bytes)
%System%\svohost.txt (0 bytes)
The process cj1.exe:540 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\svohost.exe (2105 bytes)
%System%\s_svost.ini (11 bytes)
%System%\svohost.txt (38 bytes)
The process %original file name%.exe:1848 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Start Menu\Æô¶¯\å¸载.lnk (663 bytes)
%Program Files%\Æô¶¯\Uninstall.exe (202 bytes)
%Program Files%\Æô¶¯\Æô¶¯.exe (3 bytes)
%Documents and Settings%\%current user%\Start Menu\Æô¶¯\Æô¶¯.lnk (636 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gamedmon.exe (176 bytes)
The process %original file name%.exe:1820 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ÎÒ»¹»îÃâ€â€ÃƒÆ’…ÈýÃÂÂîÃÂÂÞ¸ÄÆ÷ v1.0.1.zip (9606 bytes)
The process gamedmon.exe:1712 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tj1[1].jpg (296 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cj1.jpg (174475 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cj1.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\tj1[1].jpg (592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\updatetimezone.ini (1776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\cj1[1].exe (174329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KB1024FB11 (68 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KB1024FB13 (80 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tj1[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cj1.jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\tj1[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\updatetimezone.ini (0 bytes)
Registry activity
The process sc.exe:244 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 82 30 B8 31 78 5D 18 11 30 34 D8 39 E1 E0 16"
The process net1.exe:1748 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA DE 0B A4 CF DC 25 28 74 05 5C AF E2 C8 16 90"
The process net.exe:1948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA 6E 9F 7E AB 2D D6 C0 FC 86 B3 26 3B 30 76 40"
The process svohost.exe:1360 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "74 61 43 6C 15 EC 9A 83 1E B0 96 19 47 3B DC 43"
The process %original file name%.exe:1848 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Æô¶¯]
"InstallLocation" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Æô¶¯]
"UninstallString" = "%Program Files%\Æô¶¯\Uninstall.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Æô¶¯]
"DisplayName" = "Æô¶¯.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 6B D4 A6 9F 87 54 4E 61 98 47 B0 EC 8B 7F 8D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Æô¶¯]
"DisplayIcon" = "%Program Files%\Æô¶¯\Æô¶¯.exe"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process %original file name%.exe:1820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 5A C2 A9 44 3B 27 B7 28 B6 57 1E 9C F9 63 6A"
The process gamedmon.exe:1712 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D AF F3 CD EA C1 36 C5 0C C8 35 7D FE 70 74 A4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
ceef802c5f0704313fa75ab44dfd2fdb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\gamedmon.exe |
161c564e115202dd0779a6c104173b59 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\cj1[1].exe |
255397a0bde4c291da77d608653d111c | c:\Program Files\Æô¶¯\Uninstall.exe |
161c564e115202dd0779a6c104173b59 | c:\WINDOWS\system32\svohost.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
sc.exe:244
net1.exe:1748
net.exe:1948
cj1.exe:540
%original file name%.exe:1848
%original file name%.exe:1820
gamedmon.exe:1712
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%System%\svohost.exe (2105 bytes)
%System%\s_svost.ini (11 bytes)
%System%\svohost.txt (38 bytes)
%Documents and Settings%\%current user%\Start Menu\Æô¶¯\å¸载.lnk (663 bytes)
%Program Files%\Æô¶¯\Uninstall.exe (202 bytes)
%Program Files%\Æô¶¯\Æô¶¯.exe (3 bytes)
%Documents and Settings%\%current user%\Start Menu\Æô¶¯\Æô¶¯.lnk (636 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gamedmon.exe (176 bytes)
C:\ÎÒ»¹»îÃâ€â€ÃƒÆ’…ÈýÃÂÂîÃÂÂÞ¸ÄÆ÷ v1.0.1.zip (9606 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tj1[1].jpg (296 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cj1.jpg (174475 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cj1.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\tj1[1].jpg (592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\updatetimezone.ini (1776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\cj1[1].exe (174329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KB1024FB11 (68 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KB1024FB13 (80 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 40132 | 40448 | 4.51817 | b5cbfd0d0dcc543841c6045b1279a73a |
DATA | 45056 | 15632 | 15872 | 5.26127 | 1fb0fcf0a8c302fd1e7df6150f434d7e |
BSS | 61440 | 1825 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 65536 | 1730 | 2048 | 2.91217 | 9e9581a6aeb1c6de49e8280941f8bb34 |
.tls | 69632 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 73728 | 24 | 512 | 0.142404 | 996c4942e3a4d2795a22f3ace698d094 |
.reloc | 77824 | 1792 | 2048 | 4.24404 | d645c969d7346a611453d5e9e94c66f4 |
.rsrc | 81920 | 2055152 | 2055168 | 5.54509 | 31a968748061fb9468d7b7c3cb7ec690 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://js.users.51.la/17119807.js | 113.107.42.34 |
web.51.la | 117.21.224.131 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /17119807.js HTTP/1.1
Accept: */*
Referer: hXXp://162.218.30.90:801/51tj/tj1.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: js.users.51.la
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: max-age=300
Content-Length: 1931
Content-Type: application/x-javascript
Last-Modified: Wed, 16 Jul 2014 03:30:40 GMT
Accept-Ranges: bytes
ETag: "b6206c51a6a0cf1:1818"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 25 Sep 2014 13:01:47 GMT
Connection: close
document.write ('<a href="hXXp://VVV.51.la/?17119807" target="_blank" title="51.la 专业、免费、强健的访问统计">网站统计</a>\n');..var a9807tf="51la";var a9807pu="";var a9807pf="51la";var a9807su=window.location;var a9807sf=document.referrer;var a9807of="";var a9807op="";var a9807ops=1;var a9807ot=1;var a9807d=new Date();var a9807color="";if (navigator.appName=="Netscape"){a9807color=screen.pixelDepth;} else {a9807color=screen.colorDepth;}..try{a9807tf=top.document.referrer;}catch(e){}..try{a9807pu =window.parent.location;}catch(e){}..try{a9807pf=window.parent.document.referrer;}catch(e){}..try{a9807ops=document.cookie.match(new RegExp("(^| )a9807_pages=([^;]*)(;|$)"));a9807ops=(a9807ops==null)?1: (parseInt(unescape((a9807ops)[2])) 1);var a9807oe =new Date();a9807oe.setTime(a9807oe.getTime() 60*60*1000);document.cookie="a9807_pages=" a9807ops ";path=/;expires=" a9807oe.toGMTString();a9807ot=document.cookie.match(new RegExp("(^| )a9807_times=([^;]*)(;|$)"));if(a9807ot==null){a9807ot=1;}else{a9807ot=parseInt(unescape((a9807ot)[2])); a9807ot=(a9807ops==1)?(a9807ot 1):(a9807ot);}a9807oe.setTime(a9807oe.getTime() 365*24*60*60*1000);document.cookie="a9807_times=" a9807ot ";path=/;expires=" a9807oe.toGMTString();}catch(e){}..try{if(document.cookie==""){a9807ops=-1;a9807ot=-1;}}catch(e){}..a9807of=a9807sf;if(a9807pf!=="51la"){a9807of=a9807pf;}if(a9807tf!=="51la"){a9807of=a9807t
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
gamedmon.exe_1712:
.text
`.rdata
@.data
.rsrc
@.reloc
SSSSh
.hL!B
Uxs.Ux!
RVxt.Vx
Applications\iexplore.exe\shell\open\command
kernel32.dll
HTTP ANALYZER
MALWAREDEFENDER.EXE
OD.EXE
WSEXPLORER.EXE
WIRESHARK.EXE
SNIFFER.EXE
FIDDLER.EXE
HTTPANALYZERSTDV3.EXE
Windows update
Software\Microsoft\Windows\CurrentVersion\Run
HTTP/1.0
password
Failed to set an internet option (%u)
Failed to connect to server (%s:%u)
Failed to read from network (%u bytes)
Failed to write to network (%u bytes)
updatetimezone.ini
%d.%d
nopasswd
name%d
url%d
urlbind%d
XXXXXX
System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}
Unknown operating system
Windows 2000
Windows XP
Windows Server 2003
Windows XP Professional x64 Edition
Windows Storage Server 2003
Windows Server 2003 R2
Windows Server 2008 R2
Windows 7
Windows Server 2008
Windows Vista
1620127iso_646.irv:19911351932windows-519320920001x-cp20001
1000932csshiftjis
1350221windows-502210712000cp12000
1028597iso_8859-70628605latin90501200utf160700154ptcp1541410010x-mac-romanian
1410001x-mac-japanese1200932cswindows31j
0601251cp12511201258windows-12580601125cp1125
1201257windows-12570601250cp12500601133cp1133
1201256windows-12561100932windows-31j
1000936csgb2312801201255windows-1255
1201254windows-1254
1052936hz-gb-23121201253windows-12531400949ks_c_5601_19871528599iso_8859-9:19890601201cp1201
0601200cp12001201252windows-1252
0810029x-mac-ce1201251windows-12511528598iso_8859-8:19880900949ks_c_56011110000csmacintosh
1201250windows-12501300932shifft_jis-ms
1528597csisolatingreek1100874windows-874
1100936windows-9360520127ascii
1100932windows-9321100437codepage437
0928596iso8859-60900154csptcp154
=\/?!"';
http-equiv
SELECT * FROM Win32_OperatingSystem
\\.\%s#{ad498944-762f-11d0-8dcb-00c04fc3358c}
deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly
inflate 1.1.4 Copyright 1995-2002 Mark Adler
UrlUnescapeA
SHLWAPI.dll
MSVCR90.dll
_amsg_exit
_acmdln
_crt_debugger_hook
GetProcessHeap
KERNEL32.dll
EnumWindows
USER32.dll
RegCloseKey
RegOpenKeyExA
RegOpenKeyA
ADVAPI32.dll
ShellExecuteA
ShellExecuteExA
SHELL32.dll
ole32.dll
OLEAUT32.dll
InternetOpenUrlA
HttpAddRequestHeadersA
HttpQueryInfoA
HttpEndRequestA
InternetCrackUrlA
InternetCanonicalizeUrlA
HttpOpenRequestA
HttpSendRequestExA
WININET.dll
IPHLPAPI.DLL
NETAPI32.dll
.?AVCHttpFile@@
.?AVCHttpConnection@@
1.1.4
\www\jpg\hXXp://122.226.56.132:808/img/tj1.jpg\hXXp://tj.yuemar.com/count.asp\0\0
00u0
6 6$6(60646
eHTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: %s/%s (Windows %s)
dd.yuemar.net
/verify/verify.php
OperatingSystem
WindowsDirectory
2, 0, 0, 0
Microsoft(R) Windows(R) Operating System
usb3mon.exe
svohost.exe_1360:
.text
`.rdata
@.data
.rsrc
@.aspack
.adata
.aspack
SSSSh
L$TQSSh
aSSSh
FTPjK
FtPj;
C.PjRV
FTPQ
kernel32.dll
mscoree.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
KERNEL32.DLL
portuguese-brazilian
operator
GetProcessWindowStation
USER32.DLL
deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler
1.2.8
inflate 1.2.8 Copyright 1995-2013 Mark Adler
svohost.log
svohost.exe
s_svost.ini
net stop %s
sc.exe delete %s
svohost1.exe
svohost.txt
sc.exe create %s binpath= "%s internal_start" DisplayName= %s start= auto
net start %s
192.168.1.15
\svohost.txt
taskh0st.exe
svch0st.exe
service.exe
win1ogon.exe
rund1132.exe
"%s" "%s"
client.log
WS2_32.dll
1234567890
Windows NT
[%d,%d.%d]
Windows 95
Windows 98
Windows Me
XXXXXX
e:\work\WebTools\bin\client_ex.pdb
KERNEL32.dll
USER32.dll
ReportEventA
RegOpenKeyExA
RegCloseKey
ADVAPI32.dll
WTSAPI32.dll
iphlpapi.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
zcÃ
.?AVCClientTcpSocket@@
%System%\svohost.exe
.rdata
.data
EØ)
!M6%s
V\%sK
uc.hZ
.WfGI
.zk.NU
[Q.eN
.Vs8?)
(,'-&.%/$
cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
user32.dll
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
advapi32.dll
ole32.dll
oleaut32.dll
ws2_32.dll
wtsapi32.dll
svohost.exe_1360_rwx_00487000_00006000:
kernel32.dll
user32.dll
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
advapi32.dll
ws2_32.dll
wtsapi32.dll
iphlpapi.dll
iexplore.exe_644:
%?9-*09,*19}*09
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
IIIIIB(II<.fg>
7?_____ZZSSH%
)z.UUUUUUUU
,....Qym
````2```
{.QLQIIIKGKGKGKGKGKG
;33;33;0
8888880
8887080
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512