Gen:Variant.Strictor.58115 (B) (Emsisoft), Gen:Variant.Strictor.58115 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: c0c73eaf2bb3a41131599a1eb447f1e7
SHA1: 6d0ae3f5741f5c8f3c4a7aafcbfae56e7c9bcb6e
SHA256: 75369d0327c1ac86a2c900d47d1e31f838120feb941fd356ab6740ff23786546
SSDeep: 24576:RUz67U0SHuQpjuC9GWbjEdl2CLS54HpQTrv762jGkINf4:RXCFj2X2qHpQb9CP
Size: 1560576 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: VenusApp Software
Created at: 2014-03-18 04:44:09
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-PSW. Trojan program intended for stealing users' passwords.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:664
Mutexes
The following mutexes were created/opened:
CTF.TMD.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Layouts.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Asm.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Compart.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.LBES.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
RasPbFile
ShimCacheMutex
None of these names is specific to the sample: the CTF.*.MutexDefault<SID> mutexes are created by the Text Services Framework (msctf.dll) in any process that creates a window, the Zones*/Wininet* mutexes, the IE5 history/cookies/cache paths and RasPbFile belong to WinINet/urlmon initialisation, and ShimCacheMutex is the application-compatibility shim cache. They show that the process uses the system's Internet Explorer components, which is consistent with the Content.IE5 cache files and the MSIE 6.0 User-Agent seen below, but they are not usable as detection indicators.
File activity
The process %original file name%.exe:664 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bd_bg[1].gif (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CA98G7TP.html (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\³É¹¦ÃÂÂÅâ[1].htm (943 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\slave[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CACDY72N.html?partner=bd3 (621 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\³É¹¦ÃÂÂÅâ[1].htm (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\domains[1].js (7262 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAC9KN0N.htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\t_141_201401111[1].css (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\parking_caf_141_1402251[1].js (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\secondtier_caf[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\slave[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\caf[1].js (258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CARY3VYG.htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\caf[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\³É¹¦ÃÂÂÅâ[1].htm (761 bytes)
C:\SkinH_EL.dll (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\search_language_1[1].jpg (2 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\slave[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CA98G7TP.html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\slave[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\caf[1].gif (0 bytes)
Registry activity
The process %original file name%.exe:664 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1024x768x32(BGR 0)" = "31,31,31,31"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A 04 6E 69 89 F7 03 29 59 39 02 20 20 AF 60 D2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to include all network (UNC) paths in the Local Intranet zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to include all sites that bypass the proxy server in the Local Intranet zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to include all local (intranet) sites not listed in other zones in the Local Intranet zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Note that "UNCAsIntranet", "ProxyBypass" and "IntranetName" set to 1 are the default intranet-zone detection values Windows writes into a user profile the first time WinINet/urlmon initialise there, and the proxy-related writes and deletions are consistent with WinINet's proxy-settings migration ("MigrateProxy" = "1", "SavedLegacySettings"). Together with the Content.IE5 cache files above they indicate that the sample renders web content through the system's Internet Explorer components rather than that it deliberately weakens the zone configuration.
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
147127382e001f495d1842ee7a9e7912 | c:\SkinH_EL.dll |
SkinH_EL.dll is the SkinH skinning library that ships with Easy Language (FlyStudio) programs, which matches the Trojan.Win32.FlyStudio detection name above. The 88 bytes written to it (see File activity) cannot be a complete PE image: a 64-byte DOS header, the 4-byte PE signature and the 20-byte COFF file header already occupy 88 bytes, leaving no room for an optional header or sections. The sandbox recorded only this fragment, so the MD5 above is the hash of a truncated file, not of a loadable DLL.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click here to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bd_bg[1].gif (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CA98G7TP.html (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\³É¹¦ÃÂÂÅâ[1].htm (943 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\slave[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CACDY72N.html?partner=bd3 (621 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\³É¹¦ÃÂÂÅâ[1].htm (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\domains[1].js (7262 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAC9KN0N.htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\t_141_201401111[1].css (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\parking_caf_141_1402251[1].js (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\secondtier_caf[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\slave[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\caf[1].js (258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CARY3VYG.htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\caf[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\³É¹¦ÃÂÂÅâ[1].htm (761 bytes)
C:\SkinH_EL.dll (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\search_language_1[1].jpg (2 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 584183 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 589824 | 1187126 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.data | 1777664 | 317066 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 2097152 | 111928 | 98304 | 3.10511 | 3f3991c2d82ce214f293326a5d8d5c59 |
.vmp0 | 2211840 | 16456 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.vmp1 | 2232320 | 1450954 | 1454080 | 5.45551 | ac8d8c815aaeee74b7b73dda68b0afa4 |
.reloc | 3686400 | 92 | 4096 | 0.125139 | b40486e21d34f58b8e5be6e592a26b38 |
Only .rsrc, .vmp1 and .reloc carry file data. The .text, .rdata, .data and .vmp0 sections have a raw size of 0, and d41d8cd98f00b204e9800998ecf8427e is the MD5 of empty input, so nothing was hashed for them. The .vmp0/.vmp1 section names are the signature of VMProtect: the original code is compressed and virtualised into .vmp1 and the empty sections are filled in at run time, so the PEiD match above (UPolyXv05_v6) should be read as "protected", not as a specific packer identification, and static analysis of the code sections must wait for an in-memory dump. The raw sizes (98304 + 1454080 + 4096) plus a 4096-byte header block (FileAlignment 0x1000, consistent with every raw size being a multiple of 4096) account for the full 1560576-byte file, so there is no appended overlay.
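The checks a reverser makes on a section table like the one above can be scripted. The following Python is an added example, not code from the report or from Lavasoft: the section rows and the file size are copied from this page as input, the packer section-name list is a small hand-made table of well-known names, and the header size is an assumption (one FileAlignment unit, with FileAlignment inferred from the non-zero raw sizes).

```python
"""Packer triage over a PE section table (added example; not code from the report)."""
import hashlib
from dataclasses import dataclass
from functools import reduce
from math import gcd

EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # MD5 of zero bytes, reported for sections with no file data

# Section-name prefixes that identify common packers/protectors (hand-made list, lower-case).
PACKER_SECTION_HINTS = {
    ".vmp": "VMProtect",
    "upx": "UPX",
    ".aspack": "ASPack",
    ".themida": "Themida",
    ".petite": "Petite",
    ".mpress": "MPRESS",
    ".nsp": "NsPack",
}


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    entropy: float
    md5: str


# Rows copied from the report's "PE Sections" table; FILE_SIZE is the report's "Size" field.
SECTIONS = [
    Section(".text", 4096, 584183, 0, 0.0, "d41d8cd98f00b204e9800998ecf8427e"),
    Section(".rdata", 589824, 1187126, 0, 0.0, "d41d8cd98f00b204e9800998ecf8427e"),
    Section(".data", 1777664, 317066, 0, 0.0, "d41d8cd98f00b204e9800998ecf8427e"),
    Section(".rsrc", 2097152, 111928, 98304, 3.10511, "3f3991c2d82ce214f293326a5d8d5c59"),
    Section(".vmp0", 2211840, 16456, 0, 0.0, "d41d8cd98f00b204e9800998ecf8427e"),
    Section(".vmp1", 2232320, 1450954, 1454080, 5.45551, "ac8d8c815aaeee74b7b73dda68b0afa4"),
    Section(".reloc", 3686400, 92, 4096, 0.125139, "b40486e21d34f58b8e5be6e592a26b38"),
]
FILE_SIZE = 1560576


def runtime_populated(sections):
    """Sections that occupy memory but carry no file data: an unpacker stub fills them at run time."""
    return [s.name for s in sections if s.raw_size == 0 and s.virtual_size > 0]


def empty_hash_sections(sections):
    """Sections whose MD5 is the hash of the empty string, i.e. nothing was actually hashed."""
    return [s.name for s in sections if s.md5.lower() == EMPTY_MD5]


def packer_hints(sections):
    """Packer/protector names suggested by the section names."""
    hits = set()
    for s in sections:
        for prefix, packer in PACKER_SECTION_HINTS.items():
            if s.name.lower().startswith(prefix):
                hits.add(packer)
    return sorted(hits)


def file_alignment_guess(sections):
    """Heuristic (assumption): FileAlignment is the gcd of the non-zero raw sizes."""
    sizes = [s.raw_size for s in sections if s.raw_size]
    return reduce(gcd, sizes) if sizes else 0


def overlay_size(sections, file_size, header_size):
    """Bytes after the last section's raw data; a positive value means an appended payload or config."""
    return file_size - header_size - sum(s.raw_size for s in sections)


def triage(sections, file_size):
    """Summarise the packer indicators worth knowing before opening the sample in a disassembler."""
    alignment = file_alignment_guess(sections)
    # Assumption: the PE headers occupy exactly one FileAlignment unit, as with most linkers.
    return {
        "runtime_populated": runtime_populated(sections),
        "empty_hash_sections": empty_hash_sections(sections),
        "packer_hints": packer_hints(sections),
        "file_alignment_guess": alignment,
        "overlay_bytes": overlay_size(sections, file_size, alignment),
        "packed": bool(packer_hints(sections)) or bool(runtime_populated(sections)),
    }


if __name__ == "__main__":
    for key, value in triage(SECTIONS, FILE_SIZE).items():
        print(f"{key}: {value}")
```

For this sample the script reports four run-time-populated sections, a VMProtect hint from the .vmp0/.vmp1 names and zero overlay bytes, which is the same conclusion as reading the table by hand but repeatable across a batch of reports.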
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
The requests below are a Google domain-parking ("domainpark") ad page being rendered for www.cf089.com: the domainpark.cgi calls carry domain_name=www.cf089.com and a client=dp-dopa15 parking-service identifier, and the requests to www.cf089.com itself return 404 (see Traffic). At analysis time the domain the sample contacts was parked, so the doubleclick.net, gstatic.com, google.com, dnbizcdn.com and dopa.com hosts are parking and ad-network infrastructure rather than attacker-controlled servers; the hosts the sample actually targets are www.cf089.com and 65.19.157.196.
URL | IP |
---|---|
hxxp://a1.dnbizcdn.com/css/t_141_201401111.css | 205.164.14.75 |
hxxp://www.google.com/adsense/domains/caf.js | 173.194.39.114 |
hxxp://www.google.com/ads/search/module/ads/1.0/76529756bd9c4808112d3445d4a637b160b572c9/n/domains.js | 173.194.39.114 |
hxxp://a1.dnbizcdn.com/js/parking_caf_141_1402251.js | 205.164.14.75 |
hxxp://a1.dnbizcdn.com/img/w300/search_language_1.jpg | 205.164.14.75 |
hxxp://cdn.dopa.com.wscdns.com/img/w300/bd_bg.gif | 60.191.14.54 |
hxxp://www.gstatic.com/domainads/tracking/caf.gif?ts=1410575496766&rid=1445466 | 173.194.39.119 |
hxxp://pagead.l.doubleclick.net/static/caf/slave.html | |
hxxp://pagead.l.doubleclick.net/apps/domainpark/domainpark.cgi?max_radlink_len=20&r=m&fexp=21404&client=dp-dopa15_3ph_js&channel=001623&hl=ru&adtest=off&type=0&optimize_terms=on&drid=as-drid-2246028460856896&uiopt=false&oe=UTF-8&ie=UTF-8&format=p6|r24|r12|s&ad=a6&adrep=2&num=0&output=caf&domain_name=www.cf089.com&v=3&allwcallad=1&adext=as1,sr1,ctc1&cd_oi=true&u_his=0&u_tz=180&dt=1410575496813&u_w=1024&u_h=768&biw=292&bih=140&psw=1020&psh=312&frm=0&uio=uv3cs1fa2sa20sl1sr1cc1-af3wi1000ff1st24sd12sv11sa12lt40ld40lv30-wi1010ff1st16sa12lt38-wi1010ff1st16sa12lt38-&rurl=http://www.cf089.com/³É¹¦ÃÂÅâ.html | |
hxxp://cdn.dopa.com.wscdns.com/js/secondtier_caf.js | 60.191.14.54 |
hxxp://65.19.157.196/³É¹¦ÃÂÅâ.html?partner=bd3 | |
hxxp://www.gstatic.com/domainads/tracking/caf.gif?ts=1410575497829&rid=6549563 | 173.194.39.119 |
hxxp://pagead.l.doubleclick.net/apps/domainpark/domainpark.cgi?max_radlink_len=20&r=m&fexp=21404&client=dp-dopa15_3ph_js&channel=001623&hl=ru&adtest=off&type=0&optimize_terms=on&drid=as-drid-2246028460856896&uiopt=false&oe=UTF-8&ie=UTF-8&format=p6|r24|r12|s&ad=a6&adrep=2&num=0&output=caf&domain_name=www.cf089.com&v=3&allwcallad=1&adext=as1,sr1,ctc1&cd_oi=true&u_his=1&u_tz=180&dt=1410575497844&u_w=1024&u_h=768&biw=292&bih=140&psw=1020&psh=312&frm=0&uio=uv3cs1fa2sa20sl1sr1cc1-af3wi1000ff1st24sd12sv11sa12lt40ld40lv30-wi1010ff1st16sa12lt38-wi1010ff1st16sa12lt38-&rurl=http://www.cf089.com/³É¹¦ÃÂÅâ.html?partner=bd3 | |
hxxp://65.19.157.196/³É¹¦ÃÂÅâ.html?partner=bd3&sac=&format=json&oc=false&uc=undefined | |
hxxp://cdn.dopa.com/js/secondtier_caf.js | 60.191.14.54 |
hxxp://dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?max_radlink_len=20&r=m&fexp=21404&client=dp-dopa15_3ph_js&channel=001623&hl=ru&adtest=off&type=0&optimize_terms=on&drid=as-drid-2246028460856896&uiopt=false&oe=UTF-8&ie=UTF-8&format=p6|r24|r12|s&ad=a6&adrep=2&num=0&output=caf&domain_name=www.cf089.com&v=3&allwcallad=1&adext=as1,sr1,ctc1&cd_oi=true&u_his=0&u_tz=180&dt=1410575496813&u_w=1024&u_h=768&biw=292&bih=140&psw=1020&psh=312&frm=0&uio=uv3cs1fa2sa20sl1sr1cc1-af3wi1000ff1st24sd12sv11sa12lt40ld40lv30-wi1010ff1st16sa12lt38-wi1010ff1st16sa12lt38-&rurl=http://www.cf089.com/³É¹¦ÃÂÅâ.html | 173.194.39.90 |
hxxp://dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?max_radlink_len=20&r=m&fexp=21404&client=dp-dopa15_3ph_js&channel=001623&hl=ru&adtest=off&type=0&optimize_terms=on&drid=as-drid-2246028460856896&uiopt=false&oe=UTF-8&ie=UTF-8&format=p6|r24|r12|s&ad=a6&adrep=2&num=0&output=caf&domain_name=www.cf089.com&v=3&allwcallad=1&adext=as1,sr1,ctc1&cd_oi=true&u_his=1&u_tz=180&dt=1410575497844&u_w=1024&u_h=768&biw=292&bih=140&psw=1020&psh=312&frm=0&uio=uv3cs1fa2sa20sl1sr1cc1-af3wi1000ff1st24sd12sv11sa12lt40ld40lv30-wi1010ff1st16sa12lt38-wi1010ff1st16sa12lt38-&rurl=http://www.cf089.com/³É¹¦ÃÂÅâ.html?partner=bd3 | 173.194.39.90 |
hxxp://cdn.dopa.com/img/w300/bd_bg.gif | 60.191.14.54 |
hxxp://www.cf089.com/³É¹¦ÃÂÅâ.html?partner=bd3&sac=&format=json&oc=false&uc=undefined | |
hxxp://www.cf089.com/³É¹¦ÃÂÅâ.html?partner=bd3 | |
hxxp://dp.g.doubleclick.net/static/caf/slave.html | 173.194.39.90 |
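The defanged URL table above and the Content.IE5 cache paths listed under File activity can be cross-checked with a few lines of Python. The following is an added example and not part of the report: the table rows and cache paths are copied from this page as constructed sample input (ASCII rows only), the refang rules (hxxp → http, a VVV. host prefix → www.) are this report's own defanging convention, and the cache-name matching (dropping IE's [n] collision suffix and treating .htm and .html as equal) is a heuristic.

```python
"""Refang and pivot on the report's IOCs (added example; not code from the report)."""
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed sample: rows copied from the report's "URL | IP" table.
URL_TABLE = """\
hxxp://a1.dnbizcdn.com/css/t_141_201401111.css | 205.164.14.75 |
hxxp://www.google.com/adsense/domains/caf.js | 173.194.39.114 |
hxxp://a1.dnbizcdn.com/js/parking_caf_141_1402251.js | 205.164.14.75 |
hxxp://cdn.dopa.com.wscdns.com/img/w300/bd_bg.gif | 60.191.14.54 |
hxxp://www.gstatic.com/domainads/tracking/caf.gif?ts=1410575496766&rid=1445466 | 173.194.39.119 |
hxxp://pagead.l.doubleclick.net/static/caf/slave.html | |
hxxp://dp.g.doubleclick.net/static/caf/slave.html | 173.194.39.90 |
"""

# Constructed sample: cache files copied from the report's "File activity" list.
CACHE_ROOT = r"%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
CACHE_FILES = [
    CACHE_ROOT + r"\4DQJW9YN\bd_bg[1].gif",
    CACHE_ROOT + r"\OPQISTQM\domains[1].js",
    CACHE_ROOT + r"\4DQJW9YN\caf[1].js",
    CACHE_ROOT + r"\OPQNSD2J\slave[1].htm",
    CACHE_ROOT + r"\OPQNSD2J\desktop.ini",
]

CACHE_SUFFIX = re.compile(r"\[\d+\](?=\.[^.]*$)")  # the "[1]" IE appends to colliding cache names


def refang(url):
    """Undo the report's defanging: hxxp/hXXp -> http, and a VVV. host prefix -> www."""
    url = re.sub(r"^h[xX]{2}p(s?)://", r"http\1://", url)
    parts = urlsplit(url)
    host = parts.netloc
    if host.lower().startswith("vvv."):
        host = "www." + host[4:]
    return urlunsplit(parts._replace(netloc=host))


def parse_table(text):
    """Return [(refanged_url, ip_or_None)] from 'url | ip |' rows."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 2 or not cells[0]:
            continue
        rows.append((refang(cells[0]), cells[1] or None))
    return rows


def hosts_to_ips(rows):
    """Map each contacted host to the sorted list of IPs the sandbox recorded for it."""
    out = {}
    for url, ip in rows:
        host = urlsplit(url).hostname
        out.setdefault(host, set())
        if ip:
            out[host].add(ip)
    return {h: sorted(ips) for h, ips in out.items()}


def tracking_timestamp(url, param="ts"):
    """Decode an epoch-milliseconds query parameter to UTC, to line it up with the HTTP Date headers."""
    values = parse_qs(urlsplit(url).query).get(param)
    if not values:
        return None
    seconds, millis = divmod(int(values[0]), 1000)
    return datetime.fromtimestamp(seconds, tz=timezone.utc).replace(microsecond=millis * 1000)


def cache_name(path):
    """Normalise a cache or URL file name: drop the [n] suffix, lower-case, .htm -> .html (heuristic)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    name = CACHE_SUFFIX.sub("", name)
    return name[:-4] + ".html" if name.endswith(".htm") else name


def match_cache_to_urls(cache_paths, rows):
    """For each cache file, the table URLs whose last path component it was saved from."""
    by_name = {}
    for url, _ in rows:
        by_name.setdefault(cache_name(urlsplit(url).path), []).append(url)
    return {p.rsplit("\\", 1)[-1]: by_name.get(cache_name(p), []) for p in cache_paths}


if __name__ == "__main__":
    rows = parse_table(URL_TABLE)
    print(hosts_to_ips(rows))
    print(tracking_timestamp(rows[4][0]))
    print(match_cache_to_urls(CACHE_FILES, rows))
```

The ts= value on the gstatic tracking pixel decodes to 2014-09-13 02:31:36 UTC, the same second as the Date header on the corresponding response in the Traffic section, which dates the sandbox run rather than the sample (whose "Created at" is 2014-03-18). The cache match shows which of the table's fetches actually landed on disk; desktop.ini has no URL because IE writes it itself.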
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /img/w300/bd_bg.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.cf089.com/.........html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.dopa.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine/1.4.2
Date: Sat, 13 Sep 2014 02:31:36 GMT
Content-Type: image/gif
Content-Length: 72
Last-Modified: Sat, 07 Dec 2013 07:50:12 GMT
Connection: keep-alive
Accept-Ranges: bytes
GIF89a...............................!.......,...........(...c...T..M..;....
GET /js/secondtier_caf.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.cf089.com/.........html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.dopa.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine/1.4.2
Date: Sat, 13 Sep 2014 02:31:36 GMT
Content-Type: application/x-javascript
Last-Modified: Wed, 25 Dec 2013 08:26:45 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Content-Encoding: gzip
2a3.............U[k.0.. A..E..e...-l..{.`tO..Y>.... .m....#.......8.|.;..hU).6ZE..-'.q. .D...q.R..,H.R...4p_.u4.APE..{9PR....xZ...U.8!.3.C.kQ?.^......$R8.E@{.....c.UF.\...NIerN2.........^W..I]L..Y...R...pr!X..7...p..EH.5.......$H..2-..............4......(t..1..&c@.e.......63.~.].\/!..;z...X.......s.]_..1B.6j...6#..p.N9..<.qK.kL......8".6] .J.jJ..ao..yVs._Edq........s.}.Q. ...ut...Ew.DwAj#}.}"I..1..}}....pv......qV......z.l....q..5P..V..3...c...)..%<m...n..GV.A%..F{...g.....2.....Z-.......z...Kx.eU..d.w.9.......o...d RB.{.F.r...0..~..l..Q.A..@ ...-sD.4.....Y#..D......'7....J.....F...H.xsDY.JO...:......#x.q6..q.X.5.-......u.k........WC....'..Y......F...... ....w.....ig.......0..
GET /domainads/tracking/caf.gif?ts=1410575496766&rid=1445466 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.cf089.com/.........html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.gstatic.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/gif
Last-Modified: Fri, 01 Jun 2012 22:49:22 GMT
Date: Sat, 13 Sep 2014 02:31:36 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 43
X-XSS-Protection: 1; mode=block
Alternate-Protocol: 80:quic,p=0.002
GIF89a.............!.......,........@..D..;....
GET /domainads/tracking/caf.gif?ts=1410575497829&rid=6549563 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.cf089.com/.........html?partner=bd3
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.gstatic.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/gif
Last-Modified: Fri, 01 Jun 2012 22:49:22 GMT
Date: Sat, 13 Sep 2014 02:31:37 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 43
X-XSS-Protection: 1; mode=block
Alternate-Protocol: 80:quic,p=0.002
GIF89a.............!.......,........@..D..;..
GET /³É¹¦ÃÂÅâ.html?partner=bd3 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.cf089.com
Connection: Keep-Alive
Cookie: PHPSESSID=d3r5ad3q9eou8nijgqkicflis1
HTTP/1.1 404 Not Found
Server: Tengine/1.4.2
Date: Sat, 13 Sep 2014 02:31:36 GMT
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Encoding: gzip
1191.............9gs....eo_..XFZ$.`.".&1....B-vg......R.. YV.;......,.=.[.EQ..............Lz..'.........N3.o....Zv..-E&.K.3Si....D..`f1C.N....t D,..jJ..........hYz*..T*.J$..Bp1..bJ4^.}.........A.[U.Us..*t2.t.cT.p.........h...CdZS-.Z....H......ZAL|.`E.0.5d[.?A...-...0......).A.0(Kj....wDa.....-.S1f.5..U..t!...!....F.H."M.SD."-....O.O...&j....!.....I....2....I..%..P..r.Eb...x.O........&kH.....x.)3....3.!.C........!......<.....N.L...x<..r.......q......]..y......m:E..45E..l.SVmY..9v.:x....,..6.N.f.}..9.G...y..p.2....<............~.Lf@dC.Rt4. ...e........VA..am..R..a1..VJ.....6.........r.....YZ@......$....V..... ..?7__k.......z..u.F..........7.7_?n.x5.d.)../.kI*..(..3.."#E..a.%P.....~.M........?...q..K.7....j...y.v........./.7o.m~.q....;p.T...../w...>..x.;.....O...@.c...d.s{_.h].Z..Q...0l].i.{Z......9,~..~.R....;W.....=....;{o.6....../..po.D{.Bx2.z.x~......_Z.....msg.....o.v............Z././...}.o...}[....o>k~{...qo.!..o......d..3..}.............=6...:.|o.{G..m7.{.w.!......\... .P.y...w.K?..>............on..z...........m.r............~........h...3x.[....._../9 .<.'..P1.......{_.u.=......7......A?...:.G_..x.z.Q......Ow.~..v.CX...=[.|...W`.]..7^......V..Q....._w....:...7/.m.x.............2F..9..w..'...S.>.....q...............{V..GG;.^...i.xX..s`...8.o...}V..j8v...\.g{.o.....]........N..|.N.8.L..$.J.|.i.M*..;.".^e.D..qIeT.......T..02...FH.iCduPDMAZ..0!k........l..m..2.F....Sg|..h........g.....s.k.<.H...DX.[B...B...^..............1.f..DtX9.m^.?.QA...M`e.D..............t~.H#..x.#.....5.>.
<<< skipped >>>
GET /³É¹¦ÃÂÅâ.html?partner=bd3&sac=&format=json&oc=false&uc=undefined HTTP/1.1
Accept: */*
Referer: hXXp://VVV.cf089.com/.........html?partner=bd3
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.cf089.com
Connection: Keep-Alive
Cookie: PHPSESSID=d3r5ad3q9eou8nijgqkicflis1
HTTP/1.1 404 Not Found
Server: Tengine/1.4.2
Date: Sat, 13 Sep 2014 02:31:37 GMT
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Encoding: gzip
120e.............:ks.W..e.l....5.eK...-Y.K.l....R.f.Fc.f.....*$q.....J !.....@......W<..u...}fF......IP.....Ow.~... 6.MgS.DQ/.Djy|v*J....@....cDf2..%h..H..... K...N..dQ....[.V=..GVyoz.[..h...t.=.=.......ZY...#...p...A...........F..P.!...#Iw..."Y{0B...{1.!.-2....C/.C.wtX.t...._(.a.........D.UT.....N.....0...4.......G..h...s....R..".......8<.e.i........N..,.~zB.........I...2.#oE.<e.UeM..xY.!......XUPt..K..L..g......8r......7T1B..FW....G)*.KC......$..lP.!.#....Z.^..O..o.~....7t]."Tg.-a..!...c.....N.a.U.1rJ."..L.#]d...']..#M.Pr.@..r....r....~.......E.~. o.#.j .b.:#.r.q..khx..f..Qy.R2.....aX...VQ...'i.....{......Mr....y..y.......K.._4o.!.??o...z............W......2......... G(..0..!5B....%.....f........].rQ.. {..i.....g.w..x.......s.i...<....u..y...W..j.....w[7..}....o.Dg.........J...,.7.k.../>m.;o>.l.4..5.~k.....7... ...._\j....[..._.7.zh.^_.}.e.9c......[./..{....}fv.O..O..}...7.a..tA.........//[..i...3....7A..o.1D..s.s...[[x..-.!..........[?.i?;c...Ks.%.cw............. ..wZ...vm.k~..y..y.F{s................ww......-......O....?.'.....m.......|....y........./@U..n............./,./....5/>no=...;..1.?h..Ri...M....y.'..u.......u..^.}.Y......{.m=l]}e.y..~d>.........}.H[.l.^}...J...K.W..~..y.A.[.....``^~...G.:..t.w.e........;;...A../.j^......f..O-.;...-}<......g.....@......!...6[_o7..o.........._..m...F... ......]..K.....c..)J.......FE>..T.vJL.Q.*.H.."..X.c.TBu.L1.......V-..\Fr..0!...a&j.*..:...xd......N.v9.....X..]jx.C-..q..-...A.H..]`KH..X...Q...h.........s...`..AtIY..Z.=.!Ar.64 .iD..*..L
<<< skipped >>>
GET /static/caf/slave.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://VVV.cf089.com/.........html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dp.g.doubleclick.net
Connection: Keep-Alive
Cookie: id=c21c6444d00007f||t=1360768149|et=730|cs=002213fd480b36e81315d0d96e
HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/html
Last-Modified: Wed, 18 Sep 2013 22:34:18 GMT
Date: Sat, 13 Sep 2014 02:20:06 GMT
Expires: Sat, 13 Sep 2014 03:20:06 GMT
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 706
X-XSS-Protection: 1; mode=block
Age: 690
Cache-Control: public, max-age=3600
Alternate-Protocol: 80:quic,p=0.002
X-Google-Cookies-Blocked: id=
...........U.n.@.}.WL.!.E.M.<T.S.K.$..8J J$.....v.k....]_..hS?...3g.\.4.u.m.......0zl.{m :.O.mJ;V....>\...(.......5....X].!.SkLS. ...9.p.K.g..q..,6O;..m=s. ...m...P...u..xK..C&....DH..w&...Y.:8...(.G.V.D..f.h...5..Jn.ao..~y.......>I<M.*n.....].../d..>F......o.p/. ..B..{i.V..H.1K..<.. #.6... ..2\A...j.1...j...9d..<.Cw.l...<.$...C.g.C..g.=.V.E....e.2......./.c.......,........q.*}Vc.^....i...R.~..d..$........'...|.o..X..e&o....*.......;]..>~..>c..Z:.m...:R....j"..D...@!.vL7..4.W*....#7W.r.@M}<....W.p7|ds...Z.0O..7G.Jq....c....o.uM.|.Q$.......|..d.E....w.u.Y.....c...c..Fe*..N....S..y/K.yz r....v...;ezX.cD.t..uo.OI..yK`0..yxK...W.'{....0J..VA.....!.qC'..Q..u}L..M.U..R...hx.!...j&`...k .....yv.....-n.......
GET /apps/domainpark/domainpark.cgi?max_radlink_len=20&r=m&fexp=21404&client=dp-dopa15_3ph_js&channel=001623&hl=ru&adtest=off&type=0&optimize_terms=on&drid=as-drid-2246028460856896&uiopt=false&oe=UTF-8&ie=UTF-8&format=p6|r24|r12|s&ad=a6&adrep=2&num=0&output=caf&domain_name=VVV.cf089.com&v=3&allwcallad=1&adext=as1,sr1,ctc1&cd_oi=true&u_his=1&u_tz=180&dt=1410575497844&u_w=1024&u_h=768&biw=292&bih=140&psw=1020&psh=312&frm=0&uio=uv3cs1fa2sa20sl1sr1cc1-af3wi1000ff1st24sd12sv11sa12lt40ld40lv30-wi1010ff1st16sa12lt38-wi1010ff1st16sa12lt38-&rurl=http://VVV.cf089.com/³É¹¦ÃÂÅâ.html?partner=bd3 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://VVV.cf089.com/.........html?partner=bd3
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dp.g.doubleclick.net
Connection: Keep-Alive
Cookie: id=c21c6444d00007f||t=1360768149|et=730|cs=002213fd480b36e81315d0d96e
HTTP/1.1 200 OK
P3P: policyref="hXXp://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Encoding: gzip
Date: Sat, 13 Sep 2014 02:31:37 GMT
Server: domainserver
Cache-Control: private
Content-Length: 621
X-XSS-Protection: 1; mode=block
Alternate-Protocol: 80:quic,p=0.002
...........Tmo.0.......4.....B..K;$J*....)r..\.8./....g...1._.{r..sw.[.zQ7.v.'3.Rr......6.{<.2..{.K|;$......G...bq..r.....6S.....`....H..]iy......V....l..R-B..9B.....J...)./..5..qc........(r.AH.Q'....F.`.....Qt.......D..cC..@....).3.C.k.d.Q..t.vb...oQ..DK.xMK.K..,r..........8B.V......f.m9.-.m.../D*....K,..(.R.;..s.0..GP.BvkR...H..2..!...YpCv.N....\.^X?.....du........`6....H..}*O)xa.G..P.*1G..\.SzI..P'T..uv%.....Vv..=0..:s.S..{`....Ke.<.;.On..f.O..........ux.cO..g...5..r.z1....A.O........./iE.^RZ...s..]RL....J...>..o.$.r.....;.Xn.C..m..%8.gg........!.&.....o....;....n........3.....&u.Un..........Z.o..........G.......
GET /static/caf/slave.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://VVV.cf089.com/.........html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dp.g.doubleclick.net
Connection: Keep-Alive
Cookie: id=c21c6444d00007f||t=1360768149|et=730|cs=002213fd480b36e81315d0d96e
HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/html
Last-Modified: Wed, 18 Sep 2013 22:34:18 GMT
Date: Sat, 13 Sep 2014 02:20:06 GMT
Expires: Sat, 13 Sep 2014 03:20:06 GMT
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 706
X-XSS-Protection: 1; mode=block
Age: 690
Cache-Control: public, max-age=3600
Alternate-Protocol: 80:quic,p=0.002
X-Google-Cookies-Blocked: id=
...........U.n.@.}.WL.!.E.M.<T.S.K.$..8J J$.....v.k....]_..hS?...3g.\.4.u.m.......0zl.{m :.O.mJ;V....>\...(.......5....X].!.SkLS. ...9.p.K.g..q..,6O;..m=s. ...m...P...u..xK..C&....DH..w&...Y.:8...(.G.V.D..f.h...5..Jn.ao..~y.......>I<M.*n.....].../d..>F......o.p/. ..B..{i.V..H.1K..<.. #.6... ..2\A...j.1...j...9d..<.Cw.l...<.$...C.g.C..g.=.V.E....e.2......./.c.......,........q.*}Vc.^....i...R.~..d..$........'...|.o..X..e&o....*.......;]..>~..>c..Z:.m...:R....j"..D...@!.vL7..4.W*....#7W.r.@M}<....W.p7|ds...Z.0O..7G.Jq....c....o.uM.|.Q$.......|..d.E....w.u.Y.....c...c..Fe*..N....S..y/K.yz r....v...;ezX.cD.t..uo.OI..yK`0..yxK...W.'{....0J..VA.....!.qC'..Q..u}L..M.U..R...hx.!...j&`...k .....yv.....-n.......
GET /static/caf/slave.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://VVV.cf089.com/.........html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dp.g.doubleclick.net
Connection: Keep-Alive
Cookie: id=c21c6444d00007f||t=1360768149|et=730|cs=002213fd480b36e81315d0d96e
HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/html
Last-Modified: Wed, 18 Sep 2013 22:34:18 GMT
Date: Sat, 13 Sep 2014 02:20:06 GMT
Expires: Sat, 13 Sep 2014 03:20:06 GMT
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 706
X-XSS-Protection: 1; mode=block
Age: 690
Cache-Control: public, max-age=3600
Alternate-Protocol: 80:quic,p=0.002
X-Google-Cookies-Blocked: id=
[gzip-compressed response body (Content-Length: 706) omitted; identical to the response above]
GET /apps/domainpark/domainpark.cgi?max_radlink_len=20&r=m&fexp=21404&client=dp-dopa15_3ph_js&channel=001623&hl=ru&adtest=off&type=0&optimize_terms=on&drid=as-drid-2246028460856896&uiopt=false&oe=UTF-8&ie=UTF-8&format=p6|r24|r12|s&ad=a6&adrep=2&num=0&output=caf&domain_name=VVV.cf089.com&v=3&allwcallad=1&adext=as1,sr1,ctc1&cd_oi=true&u_his=0&u_tz=180&dt=1410575496813&u_w=1024&u_h=768&biw=292&bih=140&psw=1020&psh=312&frm=0&uio=uv3cs1fa2sa20sl1sr1cc1-af3wi1000ff1st24sd12sv11sa12lt40ld40lv30-wi1010ff1st16sa12lt38-wi1010ff1st16sa12lt38-&rurl=http://VVV.cf089.com/³É¹¦ÃÂÅâ.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://VVV.cf089.com/.........html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dp.g.doubleclick.net
Connection: Keep-Alive
Cookie: id=c21c6444d00007f||t=1360768149|et=730|cs=002213fd480b36e81315d0d96e
HTTP/1.1 200 OK
P3P: policyref="hXXp://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Encoding: gzip
Date: Sat, 13 Sep 2014 02:31:36 GMT
Server: domainserver
Cache-Control: private
Content-Length: 621
X-XSS-Protection: 1; mode=block
Alternate-Protocol: 80:quic,p=0.002
[gzip-compressed response body (Content-Length: 621) omitted; the capture then contains a second, verbatim copy of the same "HTTP/1.1 200 OK" headers and body]
<<< skipped >>>
GET /adsense/domains/caf.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.cf089.com/.........html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Vary: Accept-Encoding
Date: Sat, 13 Sep 2014 02:31:34 GMT
Expires: Sat, 13 Sep 2014 02:31:34 GMT
Cache-Control: private, max-age=3600
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="f.txt"
Content-Encoding: gzip
Server: amfe
Content-Length: 217
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic,p=0.002
[gzip-compressed response body (Content-Length: 217) omitted]
GET /ads/search/module/ads/1.0/76529756bd9c4808112d3445d4a637b160b572c9/n/domains.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.cf089.com/.........html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Vary: Accept-Encoding
Date: Sat, 13 Sep 2014 02:31:34 GMT
Expires: Sun, 13 Sep 2015 02:31:34 GMT
Cache-Control: public, max-age=31536000
ETag: "m76529756bd9c4808112d3445d4a637b160b572c9"
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="f.txt"
Content-Encoding: gzip
Server: amfe
Content-Length: 56691
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic,p=0.002
[gzip-compressed response body (Content-Length: 56691) omitted; the dump is truncated]
<<< skipped >>>
GET /css/t_141_201401111.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.cf089.com/.........html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: a1.dnbizcdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine/1.4.2
Date: Sat, 13 Sep 2014 02:31:34 GMT
Content-Type: text/css
Last-Modified: Tue, 22 Apr 2014 10:30:52 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Content-Encoding: gzip
[chunked, gzip-compressed response body omitted (first chunk size 0x5ff); the dump is truncated]
<<< skipped >>>
GET /js/parking_caf_141_1402251.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.cf089.com/.........html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: a1.dnbizcdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine/1.4.2
Date: Sat, 13 Sep 2014 02:31:34 GMT
Content-Type: application/x-javascript
Last-Modified: Tue, 09 Sep 2014 02:04:48 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Content-Encoding: gzip
[chunked, gzip-compressed response body omitted (first chunk size 0x1e4b); the dump is truncated]
<<< skipped >>>
GET /img/w300/search_language_1.jpg HTTP/1.1
Accept: */*
Referer: hXXp://VVV.cf089.com/.........html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: a1.dnbizcdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine/1.4.2
Date: Sat, 13 Sep 2014 02:31:35 GMT
Content-Type: image/jpeg
Content-Length: 2374
Last-Modified: Tue, 09 Sep 2014 03:01:53 GMT
Connection: keep-alive
Accept-Ranges: bytes
[JPEG body (Content-Length: 2374) omitted. Embedded XMP metadata: CreatorTool "Adobe Photoshop CS6 (Windows)", xmpMM:OriginalDocumentID xmp.did:2ADDD9426D4511E39F35D78CF7C16A6F, xmpMM:DocumentID xmp.did:A6AEF93D37CD11E4A238A243E0DA2DE9, xmpMM:InstanceID xmp.iid:A6AEF93C37CD11E4A238A243E0DA2DE9, DerivedFrom stRef:instanceID xmp.iid:CC27718BCD37E4119925C95B4D010903]
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s): [map image not preserved in this copy]. Hosts seen in the capture above: dp.g.doubleclick.net, VVV.google.com and a1.dnbizcdn.com, all requested with Referer hXXp://VVV.cf089.com/. The domainpark.cgi request (domain_name=VVV.cf089.com), the /adsense/domains/caf.js script and the parking_caf JavaScript from a1.dnbizcdn.com show that cf089.com was serving a domain-parking page at analysis time, so this HTTP traffic is parking/ad content fetched when the sample opened that URL, not a command-and-control channel.
Strings from Dumps
%original file name%.exe_664:
.text
`.rdata
@.data
.rsrc
@.vmp0
`.vmp1
.reloc
t$(SSh
~%UVW
u$SShe
wininet.dll
kernel32.dll
user32.dll
gdiplus.dll
ole32.dll
SkinH_EL.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
EnumWindows
GdiplusShutdown
hXXp://ptlogin2.qq.com/getimage?aid=11000101&0.24514092205448612
hXXp://
hXXps://
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
http=
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
{557CF400-1A04-11D3-9A73-0000F81EF32E}
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{557CF402-1A04-11D3-9A73-0000F81EF32E}
{557CF405-1A04-11D3-9A73-0000F81EF32E}
{557CF406-1A04-11D3-9A73-0000F81EF32E}
hXXp://pay.qq.com/cgi-bin/account/account_qqcard_save_qbqd.cgi
&CardPassword=
244077923
nidaye888kao@foxmail.com
smtp.qq.com
wushuzhuanyong168@foxmail.com
275535028
wushusheung@foxmail.com
az87101588@qq.com
\jl.txt
2088258269
hXXp://url.cn/RtJuQx
fJ.WM_
CX%xm
Õ6m*
n.BjCw
%s;7*
0%x@w
%C^L:
%s T5
]E4%F(
.Funr
k%UPp
fg.VG
%C',@
>Ùd
0'.Ll
[I(3/#N0.bd
j"%u=w
q%Xn`
@|H.NI
.wdd!
S|%u4
*.Ea]S
Q.CGo
fTpe
.LLbX
-.Mdl
\-A}=3K
Y:.akpS
$.Zcqn
.WE= T!N
#?%s(C(
u.Jck~
zx/%FN[
%s=\RI
}j%c%Y)
Rx.GR
4o#.dM
IeS`%C
[n 4\.UY
,4.qO,
gQ'.Io
%cLur?
s%DHB
]I%%X
5r.US
:mD].tB
f%fUZ
.fOuV12
*_.dC
&-N}
({?.cQm
.Cqx~c
.`.Qw
**.dU
!n]%x
%X,Cr
&.PFy{xh
.um ZZE7L
/^p%u$
I.NoQY
zu.ew
D/.nT
b\SkinH_EL.dll
C$%cmb
.ppM|
aZ.mO
%-^
.hk;~
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
hXXp://dl.vmall.com/c0y5dhl31e
Adobe Photoshop CS5 Windows
2013:09:07 18:22:27
*%xLq
urlTEXT
MsgeTEXT
hXXp://ns.adobe.com/xap/1.0/
" id="W5M0MpCehiHzreSzNTczkc9d"?>
%sc;-
Ljj%FZ
2013:09:07 18:41:37
" id="W5M0MpCehiHzreSzNTczkc9d"?>
2013:09:07 18:48:37
jkP.gN
" id="W5M0MpCehiHzreSzNTczkc9d"?>
JQ #%X
zt.vFM72G%
}/.OP?}
2013:09:07 18:31:24
" id="W5M0MpCehiHzreSzNTczkc9d"?>
S%XW(=
2013:11:02 22:34:01
" id="W5M0MpCehiHzreSzNTczkc9d"?>
4.GRN
qW#Z%u
2014:01:08 17:17:20
" id="W5M0MpCehiHzreSzNTczkc9d"?>
2014:01:08 17:12:43
" id="W5M0MpCehiHzreSzNTczkc9d"?>
%2%(,-/0/
#484.7*./.
5].fk[
}35.RBRT
8EI%D
2013:06:08 18:11:32
" id="W5M0MpCehiHzreSzNTczkc9d"?>
VVV.cf089.com/
.htmlr
1258095550
5|M%U8
VVV.vdisk.cn/wushu8
2755350288
1314520.
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
WSOCK32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
%s
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
HELO %s
SMTP
AUTH LOGIN
LOGIN
AUTH=LOGIN
EHLO %s
Content-Type: application/octet-stream; name=%s
Content-Disposition: attachment; filename=%s
MAIL FROM:
RCPT TO:
VVV.dywt.com.cn
(*.htm;*.html)|*.htm;*.html
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
zcÃ
c:\%original file name%.exe
hX&%suz~
WU%syz~
5551444
1111111111111141
#include "l.chs\afxres.rc" // Standard components
$;.zSx
SetViewportExtEx
WS2_32.dll
KERNEL32.dll
GetViewportOrgEx
WinExec
GetViewportExtEx
WININET.dll
GetProcessHeap
GetWindowsDirectoryA
RegCloseKey
ScaleViewportExtEx
SetWindowsHookExA
H{[.yYw
,T
'.leD]s
:e5%CG
/.Yiw
bo.jb]fU.
ADVAPI32.dll
UWINMM.dll
RegOpenKeyExA
RegCreateKeyExA
GetCPInfo
RASAPI32.dll
CreateDialogIndirectParamA
n;Kd%x
.DmK/j
x|x.xk
.Yj?G
I.Zg
ß&wM;
EL%C(
.rGmRg
K.Nn>*&I_/E
%SlRJ
TZx.Wv
,".Wa*2E
2w.MD
2n/.QfH
KX5%x
x#.vg
3.jx(
``.jE:
.NAN)
T^L.vD8
isql
W.WV0
F,.hD
%F)ww
%u&xS
PR.Az
.gy{i
4G.vw5
.VI M
I%C- G
P.ZW4x
NSl.zs
^%CNwv|
7.kWf1
H3?%X
[ŸT
%X&J|
es.tC
-5}sB
}d.UI
~.vo\
.sswo
}.ul`
UOP%X!
#W%u$
.RcD7
$%XYy0
m-Yi}
DS.Ei 4
gU%d'9
.eO21
_.vAw,
lt.hA
?.Amn
89>?
O%dX^
.iM4x
%XeSY
e.lD7
K].Rv
.YTM'g
G0%UG
[.yY6
]$Gs.xS
^.XCZh
N%c;o
,.DR3
se.Jy
/; %dw
WINSPOOL.DRV
oledlg.dll
GetKeyState
SHELL32.dll
]Þ?
(='fuqg.Cg
8.BBS
n%uJoN
#.klH
%DK )
]%DIb
)u^e.JO
.Kt*?
e
5%Cw3
M%ubdt
U'K.kj
pA"%c
/ÔT!
z.dS
Þo!
{D%f$
'0SSh
,.Hq_w
Z.Wd4
/%dQ/ngt
d[[.kU
O%uvl$
n^.ot
`gbuJ*%D
>ag%dW
W1@.xVo
zd)%s(m
pm%U%!
O %cJ3
ke%Cng
U.uC
'%d!2>=
.aTpe
1eÛ
g9.gqJo
".nGlJ
y%Dg>:#B
w(KN`k%F
SetViewportOrgEx
ShellExecuteA
vU.IS
UnhookWindowsHookEx
OffsetViewportOrgEx
D].hN:
comdlg32.dll
OLEAUT32.dll
1, 0, 6, 6
20130907181933
(*.*)
%original file name%.exe_664_rwx_00621000_00001000:
SetViewportExtEx
WS2_32.dll
KERNEL32.dll
GetViewportOrgEx
WinExec
GetViewportExtEx
WININET.dll
GetProcessHeap
%original file name%.exe_664_rwx_0077B000_00001000:
ShellExecuteA
%original file name%.exe_664_rwx_10001000_00039000:
L$(h%f
SSh0j
msctls_hotkey32
TVCLHotKey
THotKey
\skinh.she
}uo,x6l5k%x-l h
9p%s m)t4`#b
e"m?c&y1`Ã
SetViewportOrgEx
SetViewportExtEx
SetWindowsHookExA
UnhookWindowsHookEx
EnumThreadWindows
EnumChildWindows
`c%US.4/
!#$
.text
`.rdata
@.data
.rsrc
@.UPX0
`.UPX1
`.reloc
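The SMTP strings in the dump (HELO/EHLO, AUTH LOGIN, MAIL FROM:, RCPT TO:, Content-Disposition: attachment, smtp.qq.com, the foxmail.com mailboxes and \jl.txt) describe the sample's exfiltration path. The Python below is an added example written for this page, not code from the report or from the sample: it parses a captured SMTP dialogue of that shape, recovers the mailbox credentials that AUTH LOGIN sends as plain base64, and lists the indicators an incident responder would pull from the session. The transcript itself, the client hostname, the password and the message body are constructed for the example; only the server name, the addresses, the numeric subject and the attachment name are taken from the strings above.

```python
import base64
import re

# Constructed SMTP dialogue (not from the report): "S:" lines are the server,
# "C:" lines the client. Server name and mailboxes are from the strings dump;
# the password ("hunter2"), client hostname and message body are invented.
SAMPLE_SESSION = """\
S: 220 smtp.qq.com Esmtp QQ Mail Server
C: EHLO WINXP-SANDBOX
S: 250-smtp.qq.com
S: 250-AUTH LOGIN PLAIN
S: 250 OK
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: bmlkYXllODg4a2FvQGZveG1haWwuY29t
S: 334 UGFzc3dvcmQ6
C: aHVudGVyMg==
S: 235 Authentication successful
C: MAIL FROM:<nidaye888kao@foxmail.com>
S: 250 Ok
C: RCPT TO:<wushuzhuanyong168@foxmail.com>
S: 250 Ok
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: nidaye888kao@foxmail.com
C: To: wushuzhuanyong168@foxmail.com
C: Subject: 244077923
C: Content-Type: application/octet-stream; name=jl.txt
C: Content-Disposition: attachment; filename=jl.txt
C:
C: UVEgMjQ0MDc3OTIzIC8gcGFzczogLi4u
C: .
S: 250 Ok: queued
C: QUIT
S: 221 Bye
"""


def _b64(token):
    """Decode one AUTH LOGIN step; malformed base64 is returned raw so the parse continues."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return token


def parse_smtp_session(transcript):
    """Walk an S:/C:-tagged SMTP dialogue and return credentials, envelope, headers, attachments."""
    out = {"server": None, "username": None, "password": None, "mail_from": None,
           "rcpt_to": [], "headers": {}, "attachments": []}
    state = "cmd"  # cmd | auth_user | auth_pass | data_hdr | data_body
    for raw in transcript.splitlines():
        side, _, line = raw.partition(":")
        side, line = side.strip(), line.strip()
        if side == "S":
            words = line.split()
            if line.startswith("220") and out["server"] is None and len(words) > 1:
                out["server"] = words[1]  # greeting banner names the relay
            continue
        if side != "C":
            continue
        if state == "auth_user":
            out["username"], state = _b64(line), "auth_pass"
        elif state == "auth_pass":
            out["password"], state = _b64(line), "cmd"
        elif state == "data_hdr":
            if line == "":
                state = "data_body"
                continue
            name, _, value = line.partition(":")
            name = name.strip().lower()
            out["headers"][name] = value.strip()
            m = re.search(r'filename="?([^";]+)"?', value, re.I)
            if name == "content-disposition" and m:
                out["attachments"].append(m.group(1))
        elif state == "data_body":
            if line == ".":
                state = "cmd"
        else:
            upper = line.upper()
            if upper.startswith("AUTH LOGIN"):
                parts = line.split()
                if len(parts) == 3:  # client sent the username as an initial response
                    out["username"], state = _b64(parts[2]), "auth_pass"
                else:
                    state = "auth_user"
            elif upper.startswith("MAIL FROM:"):
                out["mail_from"] = line[10:].strip("<> ")
            elif upper.startswith("RCPT TO:"):
                out["rcpt_to"].append(line[8:].strip("<> "))
            elif upper == "DATA":
                state = "data_hdr"
    return out


def exfil_indicators(session):
    """Reasons a responder would flag the session as credential-theft exfiltration."""
    reasons = []
    if session["password"] is not None:
        reasons.append("AUTH LOGIN in the clear: mailbox credentials recoverable from the capture")
    if session["mail_from"] and session["username"] \
            and session["mail_from"].lower() != session["username"].lower():
        reasons.append("MAIL FROM differs from the authenticated user")
    if session["attachments"]:
        reasons.append("attachment(s): " + ", ".join(session["attachments"]))
    subject = session["headers"].get("subject", "")
    if re.fullmatch(r"\d{5,11}", subject):
        reasons.append("numeric-only subject (victim id style): " + subject)
    return reasons


if __name__ == "__main__":
    sess = parse_smtp_session(SAMPLE_SESSION)
    print(sess["server"], sess["username"], sess["password"], sess["rcpt_to"])
    for r in exfil_indicators(sess):
        print(" -", r)
```

Because AUTH LOGIN is only base64, a plaintext capture on TCP/25 hands the responder the attacker's drop mailbox and its password, which is usually the quickest way to establish where the stolen QQ credentials and card PINs were going. The parser runs unchanged over a tcpflow or Wireshark "Follow TCP Stream" export once each line is tagged with the S:/C: prefix it expects.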