Gen:Variant.Graftor.8297 (B) (Emsisoft), Gen:Variant.Graftor.8297 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 6cd206861b4db3a83667a7b14de4b58d
SHA1: ae18c729391d1744b705ec93f0160605477061c9
SHA256: c9e0f1c6c794a929f331dd5e7f6d4d5800766e73b14f129d8224d6c04949d6f9
SSDeep: 24576:3vPhP6i9K0wfkAUTZaqdiXSp0c02uFG6dAk3xMkR:/JP6Gw6TZaqdwk0c05HGil
Size: 1601536 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2014-07-05 13:26:32
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-PSW. A Trojan program intended to steal users' passwords.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:2012
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2012 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\style[1].css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tjrm_img011[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\hdv832[1].htm (684 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\news_footer[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\style[2].css (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\mlb[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\22110Gb5I[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ico[2].css (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ysxy_20140507[1].css (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\4399_14504425052[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\xml[1].xml (664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bdsstyle[1].css (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ucenter[1].js (19465 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\16100Q15406[1].jpg (4088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\mlc[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\mlt[1].jpg (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ico[1].png (5 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (540 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\m6[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\4399_14533870073[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (8868 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ysxy_20140507[2].css (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tjrm_img06[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\m12[1].jpg (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\jquery-1.2.1.pack[1].js (1740 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\a1-2[1].jpg (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\311622246152[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\crossdomain[1].xml (842 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\a7[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\4399[2].js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\backg[1].png (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\31160T42W2[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\zwsf2-3[1].gif (987 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@4399[1].txt (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\2014ysxy[1].js (3 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\s15.4399.com\seed4399Value.sxx (80 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\core[1].php (751 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#s15.4399.com\settings.sxx (199 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\tjrm_img08[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\unilogin_package[1].js (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\31155012a51[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\m9[1].jpg (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\4399_17564382760[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\80727[1].htm (2467 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\unilogin_package[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\save.api.4399[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bds_s_v2[1].js (1807 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CACLIJK5.php (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\131P03EP7[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\m2[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\click[1].js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\flash_ctrl_version[1].xml (530 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ico[1].css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\hdv832[1].swf (4269751 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ctrl_mo_v5[1].swf (70245 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\m8[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\shell_v2[1].js (1 bytes)
C:\SkinH_EL.dll (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\4399[1].js (902 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\a5[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\m10[1].jpg (1171 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.4399[1].txt (969 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\logo[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\3115344X010[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\icon_keys[1].gif (537 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.4399[2].txt (445 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\a6[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\uijs[1].htm (380 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\m11[1].jpg (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\m1[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\4399_17053265645[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\hottop[1].gif (857 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\m4[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\tjrm_img09[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\m13[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\btn[1].png (392 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (203 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b3[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\0Q443302F2[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAIF0DA3.htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\m5[1].jpg (1191 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\id=rHmkPWbznH6&gp=403&time=nHndn1nkPWcvns[1].jpg (2181 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\80727[2].htm (2400 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (198 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\nav2[1].png (3875 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\logger[1].js (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\lazy_iframe[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\baiduLoader_as3[1].swf (418 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\31153132L32[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\tjrm_img07[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\311629555O1[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\04150AJ2O[1].jpg (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\play_hs1202[2].js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\crossdomain[2].xml (603 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\141US92O1[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\c[1].php (1163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\4399_16460972266[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cb.baidu[1].txt (128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\crossdomain[1].xml (570 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ecom[1].xml (233 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\a1[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\chkDomain[1].js (554 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\311612435933[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\A4399dv_base[1].swf (5532 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\more[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\top_bar[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\b2[1].jpg (4850 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\141U0313620[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\crossdomain[1].xml (331 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\31154AH4T[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\m14[1].jpg (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\m3[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\play_hs1202[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b1[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\base[1].css (13565 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\2014ysxy[2].js (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\bdshare[1].js (182 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\linkImg[1].jpg (26432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery-1.2.1.pack[1].js (392 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\style[1].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ysxy_20140507[1].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\2014ysxy[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\80727[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.4399[2].txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\unilogin_package[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\4399[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ico[1].css (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.4399[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\save.api.4399[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225\index.dat (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#s15.4399.com\settings.sol (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery-1.2.1.pack[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\play_hs1202[1].js (0 bytes)
Registry activity
The process %original file name%.exe:2012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014081720140818]
"CachePrefix" = ":2014081720140818:"
"CacheLimit" = "8192"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1024x768x32(BGR 0)" = "31,31,31,31"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014081720140818]
"CacheOptions" = "11"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1404555992"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014081720140818]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014081720140818\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 89 C3 D8 9D 30 F9 E3 F3 72 21 43 3A F8 F4 4E"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014081720140818]
"CacheRepair" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013030120130302]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021120130218]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021820130225]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
| MD5 | File path |
|---|---|
| 147127382e001f495d1842ee7a9e7912 | c:\SkinH_EL.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the files created/modified by the Trojan (listed under File activity above).
C:\SkinH_EL.dll (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\4399[1].js (902 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\a5[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\m10[1].jpg (1171 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.4399[1].txt (969 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\logo[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\3115344X010[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\icon_keys[1].gif (537 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.4399[2].txt (445 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\a6[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\uijs[1].htm (380 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\m11[1].jpg (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\m1[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\4399_17053265645[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\hottop[1].gif (857 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\m4[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\tjrm_img09[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\m13[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\btn[1].png (392 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (203 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b3[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\0Q443302F2[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAIF0DA3.htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\m5[1].jpg (1191 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\id=rHmkPWbznH6&gp=403&time=nHndn1nkPWcvns[1].jpg (2181 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\80727[2].htm (2400 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (198 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\nav2[1].png (3875 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\logger[1].js (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\lazy_iframe[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\baiduLoader_as3[1].swf (418 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\31153132L32[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\tjrm_img07[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\311629555O1[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\04150AJ2O[1].jpg (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\play_hs1202[2].js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\crossdomain[2].xml (603 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\141US92O1[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\c[1].php (1163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\4399_16460972266[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cb.baidu[1].txt (128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\crossdomain[1].xml (570 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ecom[1].xml (233 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\a1[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\chkDomain[1].js (554 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\311612435933[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\A4399dv_base[1].swf (5532 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\more[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\top_bar[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\b2[1].jpg (4850 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\141U0313620[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\crossdomain[1].xml (331 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\31154AH4T[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\m14[1].jpg (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\m3[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\play_hs1202[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b1[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\base[1].css (13565 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\2014ysxy[2].js (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\bdshare[1].js (182 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\linkImg[1].jpg (26432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery-1.2.1.pack[1].js (392 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 470447 | 471040 | 4.54404 | 84112665e3d73644f9136e52fe52e973 |
.rdata | 475136 | 967030 | 970752 | 5.28926 | 2213235e3c8c52cff8d0b61dfffda90d |
.data | 1445888 | 184074 | 65536 | 3.45572 | a803471009ef1b78c190f02824cc6ab6 |
.rsrc | 1630208 | 87156 | 90112 | 2.27554 | 3a870711b3c73f57b527a56dad041452 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://115.182.52.104/flash_ctrl_version.xml?ran=65853.53179834783 | |
hxxp://8.37.233.6/jss/2014ysxy.js | |
hxxp://4399stat.5054399.com/js/click.js | 115.182.52.78 |
hxxp://e.xdwscache.glb0.lxdns.com/crossdomain.xml | |
hxxp://e.xdwscache.glb0.lxdns.com/control/zwsf2-3.gif?20120719 | |
hxxp://e.xdwscache.glb0.lxdns.com/control/A4399dv_base.swf?20130625 | |
hxxp://c.split.cnzz.com/c.php?id=30039538 | |
hxxp://c.split.cnzz.com/core.php?web_id=30039538&t=q | |
hxxp://q7.cnzz.com/stat.htm?id=30039538&r=&lg=en-us&ntime=none&cnzz_eid=860316973-1408248746-&showp=1024x768&t=undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined...&h=1&rnd=1129475355 | |
hxxp://pcookie.split.cnzz.com/9.gif?abc=1&rnd=1551506341 | |
hxxp://pcookie.split.cnzz.com/app.gif?&cna=qxl3DGTX4jwCAbhrJiYA1Bqu | |
hxxp://static.n.shifen.com/v.gif?pid=307&type=3071&sc=980,3477,1024,740&desturl=&apitype=1&linkid=hyxk90eeqem&velo_load=1812&velo_cssload=953&velo_jsLoad=953&cite_uid=480925&cite_type=1&cite_mini=1 | |
hxxp://115.182.52.104/xml.php?ran=30733.64836163819&gameid=100016523&url=http://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.htm | |
hxxp://cb.e.shifen.com/crossdomain.xml | |
hxxp://cb.e.shifen.com/ecom?di=62872&tm=BAIDU_CLB_XML&asp_url=4399.com&return_type=1&ran=2925.8037405088544 | |
hxxp://cpro.e.shifen.com/cpro/ui/baiduLoader_as3.swf | |
hxxp://cpro.e.shifen.com/cpro/ui/uijs.php?at=6&fv=11&ch=129&ie=1&q=www4399com_tp_cpr&n=1&k=鲜花&f=过滤è¯Â1 过滤è¯Â2 过滤è¯Â3&u=4399.com&s=2&t=baiduxml_tiepian_400_300&w=940&h=580 | |
hxxp://drmcmm.e.shifen.com/media/id=rHmkPWbznH6&gp=403&time=nHndn1nkPWcvns.jpg | |
hxxp://e.xdwscache.glb0.lxdns.com/control/ctrl_mo_v5.swf?20140327 | |
hxxp://115.182.52.104/flashflowstatis/submitflowstatis.php?gameid=100016523&seedvalue=718567ba529daf641296ba5d763bf7b2&adid=-1&gamekey=asdf&nocache=1408230825122&os=Windows XP&lng=en&hosturl=hxxp://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.htm&scres=1024x768&playurl=hxxp://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.swf&fp=WIN 11,6,602,168&adLoadTime=0&adPlayTime=0&browser=Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)&ctrVer=5 | |
hxxp://save.d.4399api.net/crossdomain.xml | |
hxxp://save.d.4399api.net/?ac=get_time&ran=688197.0977410674 | |
hxxp://cpro.baidu.com/cpro/ui/uijs.php?at=6&fv=11&ch=129&ie=1&q=www4399com_tp_cpr&n=1&k=鲜花&f=过滤è¯Â1 过滤è¯Â2 过滤è¯Â3&u=4399.com&s=2&t=baiduxml_tiepian_400_300&w=940&h=580 | 123.125.70.108 |
hxxp://pcookie.cnzz.com/app.gif?&cna=qxl3DGTX4jwCAbhrJiYA1Bqu | 42.120.219.171 |
hxxp://stat.api.4399.com/xml.php?ran=30733.64836163819&gameid=100016523&url=http://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.htm | |
hxxp://nsclick.baidu.com/v.gif?pid=307&type=3071&sc=980,3477,1024,740&desturl=&apitype=1&linkid=hyxk90eeqem&velo_load=1812&velo_cssload=953&velo_jsLoad=953&cite_uid=480925&cite_type=1&cite_mini=1 | 115.239.211.92 |
hxxp://cpro.baidu.com/cpro/ui/baiduLoader_as3.swf | 123.125.70.108 |
hxxp://save.api.4399.com/?ac=get_time&ran=688197.0977410674 | 115.182.52.102 |
hxxp://cdn.comment.4399pk.com/control/A4399dv_base.swf?20130625 | 8.37.233.6 |
hxxp://drmcmm.baidu.com/media/id=rHmkPWbznH6&gp=403&time=nHndn1nkPWcvns.jpg | 123.125.65.55 |
hxxp://cnzz.mmstat.com/9.gif?abc=1&rnd=1551506341 | 42.120.219.171 |
hxxp://cb.baidu.com/crossdomain.xml | 123.125.115.99 |
hxxp://stat.api.4399.com/flash_ctrl_version.xml?ran=65853.53179834783 | |
hxxp://save.api.4399.com/crossdomain.xml | 115.182.52.102 |
hxxp://cb.baidu.com/ecom?di=62872&tm=BAIDU_CLB_XML&asp_url=4399.com&return_type=1&ran=2925.8037405088544 | 123.125.115.99 |
hxxp://c.cnzz.com/core.php?web_id=30039538&t=q | 42.120.219.6 |
hxxp://cdn.comment.4399pk.com/crossdomain.xml | 8.37.233.6 |
hxxp://cdn.comment.4399pk.com/control/zwsf2-3.gif?20120719 | 8.37.233.6 |
hxxp://w.cnzz.com/c.php?id=30039538 | 1.99.192.14 |
hxxp://www.4399.com/jss/2014ysxy.js | |
hxxp://hqs10.cnzz.com/stat.htm?id=30039538&r=&lg=en-us&ntime=none&cnzz_eid=860316973-1408248746-&showp=1024x768&t=undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined...&h=1&rnd=1129475355 | 42.156.140.139 |
hxxp://cdn.comment.4399pk.com/control/ctrl_mo_v5.swf?20140327 | 8.37.233.6 |
gprp.4399api.net | 42.62.52.249 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST /?ac=get_time&ran=688197.0977410674 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.swf
x-flash-version: 11,6,602,168
Content-Type: application/x-www-form-urlencoded
Content-Length: 21
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: save.api.4399.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: _4399stats_vid=140823078785628
gameid=100016523&uid=
HTTP/1.1 200 OK
Date: Sun, 17 Aug 2014 04:13:06 GMT
Server: Apache/2.4.7 (Unix)
Cache-Control: no-cache, must-revalidate
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Content-Length: 30
Connection: close
Content-Type: text/html;charset=utf-8
{"time":"2014-08-17 12:13:06"}
GET /media/id=rHmkPWbznH6&gp=403&time=nHndn1nkPWcvns.jpg HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://cpro.baidu.com/cpro/ui/baiduLoader_as3.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: drmcmm.baidu.com
Connection: Keep-Alive
Cookie: BAIDUID=0813F6F6D873A6FB1368C76E3EF141F3:FG=1
HTTP/1.1 200 OK
media: media
Cache-Control: max-age=31536000
Expires: Fri, 26 Oct 2012 12:24:13 GMT
Last-Modified: Sat, 25 Apr 2009 07:04:00 GMT
Content-Type: image/jpeg
Date: Sun, 17 Aug 2014 04:12:52 GMT
Server: apache
Content-Length: 19625
GET /app.gif?&cna=qxl3DGTX4jwCAbhrJiYA1Bqu HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4399.com/flash/80727.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: pcookie.cnzz.com
HTTP/1.1 200 OK
Server: Tengine
Date: Sun, 17 Aug 2014 04:12:28 GMT
Content-Type: image/gif
Content-Length: 43
Connection: keep-alive
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: cna=qxl3DGTX4jwCAbhrJiYA1Bqu; expires=Wed, 14-Aug-24 04:12:28 GMT; path=/; domain=.cnzz.com
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache
GET /jss/2014ysxy.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4399.com/flash/80727.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.4399.com
Connection: Keep-Alive
Cookie: cookie_hs=4399.com|||%u52C7%u58EB%u7684%u4FE1%u4EF0||80727||0; bdshare_firstime=1408230785700
HTTP/1.1 200 OK
Expires: Sat, 15 Nov 2014 01:50:43 GMT
Date: Sun, 17 Aug 2014 01:50:43 GMT
Server: nginx
Content-Type: application/x-javascript
Last-Modified: Mon, 12 May 2014 09:24:19 GMT
Transfer-Encoding: chunked
Cache-Control: max-age=7776000
Content-Encoding: gzip
Age: 1
X-Via: 1.1 hzsx166:8080 (Cdn Cache Server V2.0), 1.1 hx3:1 (Cdn Cache Server V2.0)
Connection: keep-alive
GET /c.php?id=30039538 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4399.com/flash/80727.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: w.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Date: Sun, 17 Aug 2014 04:12:26 GMT
Content-Type: application/javascript
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Sun, 17 Aug 2014 04:12:26 GMT
Expires: Sun, 17 Aug 2014 05:42:26 GMT
GET /v.gif?pid=307&type=3071&sc=980,3477,1024,740&desturl=&apitype=1&linkid=hyxk90eeqem&velo_load=1812&velo_cssload=953&velo_jsLoad=953&cite_uid=480925&cite_type=1&cite_mini=1 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4399.com/flash/80727.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: nsclick.baidu.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: max-age=0
Content-Type: image/gif
ETag: "4280832337"
Accept-Ranges: bytes
Last-Modified: Fri, 23 Oct 2009 08:06:04 GMT
Expires: Sun, 17 Aug 2014 04:12:28 GMT
Content-Length: 0
Date: Sun, 17 Aug 2014 04:12:28 GMT
Server: BWS/1.0
Connection: Keep-Alive
GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.comment.4399pk.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 16 Aug 2014 23:41:37 GMT
Server: nginx/1.0.4
Content-Type: application/xml
Last-Modified: Wed, 17 Mar 2010 03:06:58 GMT
ETag: "5288176-14b-481f66842f880"
Accept-Ranges: bytes
Content-Length: 331
Age: 1
X-Via: 1.1 zjjhdx32:8104 (Cdn Cache Server V2.0), 1.1 hx4:6 (Cdn Cache Server V2.0)
Connection: keep-alive
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM 'hXXp://VVV.macromedia.com/xml/dtds/cross-domain-policy.dtd'>
<cross-domain-policy>
 <site-control permitted-cross-domain-policies="all" />
 <allow-access-from domain="*" />
 <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
GET /control/zwsf2-3.gif?20120719 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.comment.4399pk.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 16 Aug 2014 23:41:37 GMT
Server: nginx/1.0.4
Content-Type: application/xml
Last-Modified: Wed, 17 Mar 2010 03:06:58 GMT
ETag: "5288176-14b-481f66842f880"
Accept-Ranges: bytes
Content-Length: 331
Age: 1
X-Via: 1.1 zjjhdx32:8104 (Cdn Cache Server V2.0), 1.1 hx4:6 (Cdn Cache Server V2.0)
Connection: keep-alive
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM 'hXXp://VVV.macromedia.com/xml/dtds/cross-domain-policy.dtd'>
<cross-domain-policy>
 <site-control permitted-cross-domain-policies="all" />
 <allow-access-from domain="*" />
 <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
HTTP/1.1 200 OK
Expires: Fri, 14 Nov 2014 18:17:32 GMT
Date: Sat, 16 Aug 2014 18:17:32 GMT
Server: nginx/1.0.4
Content-Type: image/gif
Last-Modified: Wed, 07 Sep 2011 08:07:32 GMT
ETag: "5383f2e-2bc8-4ac556fa31900"
Accept-Ranges: bytes
Content-Length: 11208
Cache-Control: max-age=7776000
Age: 1
X-Via: 1.1 zjjhdx31:8080 (Cdn Cache Server V2.0), 1.1 hx3:7 (Cdn Cache Server V2.0)
Connection: keep-alive
GET /control/ctrl_mo_v5.swf?20140327 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.comment.4399pk.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 17 Aug 2014 04:12:04 GMT
Server: nginx/1.0.4
Content-Type: application/x-shockwave-flash
Last-Modified: Tue, 15 Jul 2014 03:20:47 GMT
ETag: "538c83d-62c6f-4fe32e4c861c0"
Accept-Ranges: bytes
Content-Length: 404591
Age: 1
X-Via: 1.1 zjjhdx41:8080 (Cdn Cache Server V2.0), 1.1 hx5:5 (Cdn Cache Server V2.0)
Connection: keep-alive
GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: save.api.4399.com
Connection: Keep-Alive
Cookie: _4399stats_vid=140823078785628
HTTP/1.1 200 OK
Date: Sun, 17 Aug 2014 04:13:05 GMT
Server: Apache/2.4.7 (Unix)
Last-Modified: Wed, 23 Jul 2014 01:28:29 GMT
ETag: "25b-4fed241e5a940"
Accept-Ranges: bytes
Content-Length: 603
Connection: close
Content-Type: application/xml
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM 'hXXp://VVV.macromedia.com/xml/dtds/cross-domain-policy.dtd'>
<cross-domain-policy>
 <allow-access-from domain="*.4399pk.com"/>
 <allow-access-from domain="*.4399.com"/>
 <allow-access-from domain="*.my4399.com"/>
 <allow-access-from domain="*.4399.net"/>
 <allow-access-from domain="4399pk.com"/>
 <allow-access-from domain="*.4399api.com"/>
 <allow-access-from domain="imga.4399.com"/>
 <allow-access-from domain="imga1.4399.com"/>
 <allow-access-from domain="manage.5054399.com"/>
</cross-domain-policy>
GET /9.gif?abc=1&rnd=1551506341 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4399.com/flash/80727.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cnzz.mmstat.com
Connection: Keep-Alive
HTTP/1.1 302 Found
Server: Tengine
Date: Sun, 17 Aug 2014 04:12:27 GMT
Content-Type: image/gif
Content-Length: 43
Connection: keep-alive
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: cna=qxl3DGTX4jwCAbhrJiYA1Bqu; expires=Wed, 14-Aug-24 04:12:27 GMT; path=/; domain=.mmstat.com
Set-Cookie: sca=98630e66; path=/; domain=.cnzz.mmstat.com
Set-Cookie: atpsida=bed8d8f476f71146473f3227_1408248747; expires=Wed, 14-Aug-24 04:12:27 GMT; path=/; domain=.cnzz.mmstat.com
Location: hXXp://pcookie.cnzz.com/app.gif?&cna=qxl3DGTX4jwCAbhrJiYA1Bqu
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache
GIF89a.............!.......,...........L..;..
GET /xml.php?ran=30733.64836163819&gameid=100016523&url=http://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.htm HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.swf/[[DYNAMIC]]/2
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: stat.api.4399.com
Connection: Keep-Alive
Cookie: _4399stats_vid=140823078785628
GET /xml.php?ran=30733.64836163819&gameid=100016523&url=http://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.htm HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.swf/[[DYNAMIC]]/2
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: stat.api.4399.com
Connection: Keep-Alive
Cookie: _4399stats_vid=140823078785628
HTTP/1.1 200 OK
Date: Sun, 17 Aug 2014 04:12:30 GMT
Server: Apache/2.2.17 (Unix)
Content-Length: 664
Connection: close
Content-Type: text/xml; charset=utf-8
<?xml version="1.0" encoding="UTF-8" ?>.<config><entry id="62872" category="brand" time2skip="12"><item src="hXXp://cb.baidu.com/ecom?di=62872&tm=BAIDU_CLB_XML&asp_url=4399.com&return_type=1" click_base="hXXp://stat.api.flashgame163.com/brand.php?url=" /></entry><entry id="999" category="baidu" time2skip="12" channel="129" pubid="www4399com_tp_cpr" /><entry id="999" category="google" time2skip="12" channel="0000000136,game136" pubid="ca-games-pub-9606551472994074" /><entry id="999" category="combrand" time2skip="12" width="640" height="640"><item src="hXXp://cdn.comment.4399pk.com/control/4399.swf" link="" bgcolor="0xb5e9f9" /></entry></config>..
GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cb.baidu.com
Connection: Keep-Alive
GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cb.baidu.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 17 Aug 2014 04:12:42 GMT
Content-Type: text/xml
Content-Length: 3710
Last-Modified: Wed, 12 Mar 2014 07:45:00 GMT
Connection: Keep-Alive
ETag: "5320107c-e7e"
Accept-Ranges: bytes
<?xml version="1.0"?>..<!DOCTYPE cross-domain-policy SYSTEM "hXXp://VVV.adobe.com/xml/dtds/cross-domain-policy.dtd">..<cross-domain-policy>.. <site-control permitted-cross-domain-policies="master-only"/> .. <allow-access-from domain="*.4399.com"/>.. <allow-http-request-headers-from domain="*.4399.com" headers="SOAPAction"/>.. <allow-access-from domain="*.4399.net"/>.. <allow-http-request-headers-from domain="*.4399.net" headers="SOAPAction"/>.. <allow-access-from domain="*.4399api.com"/>.. <allow-http-request-headers-from domain="*.4399api.com" headers="SOAPAction"/>.. <allow-access-from domain="*.4399pk.com"/>.. <allow-http-request-headers-from domain="*.4399pk.com" headers="SOAPAction"/>.. <allow-access-from domain="*.4399pk.net"/>.. <allow-http-request-headers-from domain="*.4399pk.net" headers="SOAPAction"/>.. <allow-access-from domain="*.5054399.com"/>.. <allow-http-request-headers-from domain="*.5054399.com" headers="SOAPAction"/>.. <allow-access-from domain="*.61.com"/>.. <allow-http-request-headers-from domain="*.61.com" headers="SOAPAction"/>.. <allow-access-from domain="*.app111.com"/>.. <allow-http-request-headers-from domain="*.app111.com" headers="SOAPAction"/>.. <allow-access-from domain="*.baidu.com"/>.. <allow-http-request-headers-from domain="*.baidu.com" headers="SOAPAction"/>.. <allow-access-from doma
<<< skipped >>>
GET /ecom?di=62872&tm=BAIDU_CLB_XML&asp_url=4399.com&return_type=1&ran=2925.8037405088544 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.swf/[[DYNAMIC]]/2
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cb.baidu.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 17 Aug 2014 04:12:42 GMT
Content-Type: text/xml
Content-Length: 3710
Last-Modified: Wed, 12 Mar 2014 07:45:00 GMT
Connection: Keep-Alive
ETag: "5320107c-e7e"
Accept-Ranges: bytes
headers-from domain="*.baomihua.com" headers="SOAPAction"/>.. <allow-access-from domain="*.bokecc.com"/>.. <allow-http-request-headers-from domain="*.bokecc.com" headers="SOAPAction"/>.. <allow-access-from domain="*.boosj.com"/>.. <allow-http-request-headers-from domain="*.boosj.com" headers="SOAPAction"/>.. <allow-access-from domain="*.cztv.com"/>.. <allow-http-request-headers-from domain="*.cztv.com" headers="SOAPAction"/>.. <allow-access-from domain="*.forex.com.cn"/>.. <allow-http-request-headers-from domain="*.forex.com.cn" headers="SOAPAction"/>.. <allow-access-from domain="*.funshion.com"/>.. <allow-http-request-headers-from domain="*.funshion.com" headers="SOAPAction"/>.. <allow-access-from domain="*.ggxt.net"/>.. <allow-http-request-headers-from domain="*.ggxt.net" headers="SOAPAction"/>.. <allow-access-from domain="*.kumi.cn"/>.. <allow-http-request-headers-from domain="*.kumi.cn" headers="SOAPAction"/>.. <allow-access-from domain="*.letv.com"/>.. <allow-http-request-headers-from domain="*.letv.com" headers="SOAPAction"/>.. <allow-access-from domain="*.my4399.com"/>.. <allow-http-request-headers-from domain="*.my4399.com" headers="SOAPAction"/>.. <allow-access-from domain="*.mytv365.com"/>.. <allow-http-request-headers-from domain="*.mytv365.com" headers="SOAPAction"/>.. <allow-access-from domain="*.pipi.cn"/>..
<<< skipped >>>
GET /cpro/ui/baiduLoader_as3.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.swf/[[DYNAMIC]]/2
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cpro.baidu.com
Connection: Keep-Alive
Cookie: BAIDUID=0813F6F6D873A6FB1368C76E3EF141F3:FG=1
<<< skipped >>>
GET /stat.htm?id=30039538&r=&lg=en-us&ntime=none&cnzz_eid=860316973-1408248746-&showp=1024x768&t=undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined...&h=1&rnd=1129475355 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4399.com/flash/80727.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: hqs10.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine/1.4.1
Date: Sun, 17 Aug 2014 04:12:27 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Tue, 28 May 2013 02:57:17 GMT
Connection: close
Accept-Ranges: bytes
GIF89a.............!.......,...........D..;..
GET /core.php?web_id=30039538&t=q HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4399.com/flash/80727.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Date: Sun, 17 Aug 2014 04:12:27 GMT
Content-Type: application/javascript
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Sun, 17 Aug 2014 04:12:27 GMT
Expires: Sun, 17 Aug 2014 04:27:27 GMT
2ef..!function(){var p,q,r,a=encodeURIComponent,b="30039538",c="",d="",e="online_v3.php",f="hqs10.cnzz.com",g="",h="text",i="q",j="全景统计",k=window["_CNZZDbridge_"+b].bobject,l="http:",m="0",n=l+"//online.cnzz.com/online/"+e,o=[];o.push("id="+b),o.push("h="+f),o.push("on="+a(d)),o.push("s="+a(c)),n+="?"+o.join("&"),"0"===m&&k.callRequest([l+"//cnzz.mmstat.com/9.gif?abc=1"]),g&&(""!==d?k.createScriptIcon(n,"utf-8"):(q="z"==i?"hXXp://VVV.cnzz.com/stat/website.php?web_id="+b:"hXXp://quanjing.cnzz.com","pic"===h?(r=l+"//icon.cnzz.com/img/"+c+".gif",p="<a href='"+q+"' target=_blank title='"+j+"'><img border=0 hspace=0 vspace=0 src='"+r+"'></a>"):p="<a href='"+q+"' target=_blank title='"+j+"'>"+j+"</a>",k.createIcon([p])))}();..0..
GET /cpro/ui/uijs.php?at=6&fv=11&ch=129&ie=1&q=www4399com_tp_cpr&n=1&k=鲜花&f=过滤词1 过滤词2 过滤词3&u=4399.com&s=2&t=baiduxml_tiepian_400_300&w=940&h=580 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://cpro.baidu.com/cpro/ui/baiduLoader_as3.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cpro.baidu.com
Connection: Keep-Alive
Cookie: BAIDUID=0813F6F6D873A6FB1368C76E3EF141F3:FG=1
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 17 Aug 2014 04:12:48 GMT
Content-Type: text/html
Content-Length: 380
Connection: close
P3P: CP=" OTI DSP COR IVA OUR IND COM "
Set-Cookie: sequery=ÃÊ»¨:4399.com;path=/;domain=.cpro.baidu.com;HttpOnly
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sun Aug 17 12:12:48 2014
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
P3P: CP=" OTI DSP COR IVA OUR IND COM "
<?xml version="1.0" encoding="GBK"?>.<cpro>..<adnum>1</adnum>..<noad>7</noad>..<ads>...<ad>....<desc><![CDATA[hXXp://drmcmm.baidu.com/media/id=rHmkPWbznH6&gp=403&time=nHndn1nkPWcvns.jpg]]></desc>....<surl><![CDATA[love.baidu.com]]></surl>....<curl><![CDATA[hXXp://love.baidu.com/]]></curl>....<width>400</width>....<height>300</height>...</ad>..</ads>..<type>gongyi</type>.</cpro>..
GET /js/click.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4399.com/flash/80727.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 4399stat.5054399.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 17 Aug 2014 04:12:26 GMT
Content-Type: application/x-javascript
Last-Modified: Wed, 15 Jan 2014 06:56:45 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Expires: Sun, 17 Aug 2014 04:12:27 GMT
Cache-Control: max-age=1
Content-Encoding: gzip
41b............}U.o.6..v.....DT.*...K<-.)6....uOA`0.%3.(....I....EY...A......}p'.3..d..V....Zj..L.#M.<? {.[.hV...~........)......<..el.u.........2H@...T.e.eo...d..[. .A=#mo4..1..u.?t.(]..Dv.:.....@..S.*.q.........4=.Fq.....**....Fm%W....!.....5j`.....U..e. .2P..I~$.f...........Je.<b.F./(.V<.oQ.....b.I.E.^1..)z..0&...T0OU2n...)..} .....a.%...E.......F...-..%ka0>.v.VY.>..I..`.....-g..?....IB^.3.^\......XU...t.....JN......tr.-.t.J..`...H..V.fX.Z.".c.)./ 6......>..M....=.^....igrp.l.m.//.m..vV....=.Y...$A... ... ...7\F....zr?....Ts..G.v.....<\.0>.K..*.g:..0.[...g....Y....o.B.M!..ku..m.am.<=..<a....4r<.x2...&l.."av...............Ya.n(........7.......@.f.._2..U.vQ.z`f.?>~.....9.[n;...l.....=..^`..S..nvH.D.%...d.K...P:K)<V..S....P..=........v.....E.Oi'bKuX.'.Ejk.{pknyH.n.g.t..9......n.y...d..a$...-..z.........,.Z.....Yb..Ov...@^j..TC..a.i].........i.....v..."O.#.C..G...ln..D.........&.C......W.r *.o.......%1U..]..:X.jtD:.......R5"......W...CW9..V...........@.....t.......a..p@|{<...}...j.;....M..}...H...?k.yH...Unc..(Q..Fi.^..t.6..U ..^"...z.F{......0..
GET /flash_ctrl_version.xml?ran=65853.53179834783 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: stat.api.4399.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Sun, 17 Aug 2014 04:12:24 GMT
Content-Type: text/xml
Content-Length: 530
Last-Modified: Thu, 27 Mar 2014 03:14:01 GMT
Connection: close
ETag: "53339779-212"
Accept-Ranges: bytes
<?xml version="1.0" encoding="utf-8"?>.<resInfos>..<info resName="zwsf">hXXp://cdn.comment.4399pk.com/control/zwsf2-3.gif?20120719</info>..<info resName="ctrl">hXXp://cdn.comment.4399pk.com/control/ctrl_mo_v4.swf?20140327</info>..<info resName="ads">hXXp://cdn.comment.4399pk.com/control/A4399dv_base.swf?20130625</info>..<info resName="ctrl_v5">hXXp://cdn.comment.4399pk.com/control/ctrl_mo_v5.swf?20140327</info>..<info resName="tools_as3">hXXp://cdn.comment.4399pk.com/control/open4399tools_AS3.swf?20130617</info>.</resInfos>...
GET /control/A4399dv_base.swf?20130625 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.comment.4399pk.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 17 Aug 2014 04:10:04 GMT
Server: nginx/1.0.4
Content-Type: application/x-shockwave-flash
Last-Modified: Tue, 25 Jun 2013 08:05:23 GMT
ETag: "538199e-841e-4dff5fdb016c0"
Accept-Ranges: bytes
Content-Length: 33822
Age: 1
X-Via: 1.1 zjjhdx35:80 (Cdn Cache Server V2.0), 1.1 hx5:7 (Cdn Cache Server V2.0)
Connection: keep-alive
CWS.A...x....\SG.>~..&77.....5....h.."(*`...........R..}..]q..}.........X..V[k..............}..g...9sf....2....8NK..>j..".....*.E.p...=..Y...Z..YN......b...t.k.=O..0...(........u....\a.3.8..W..CU...1....ke.!...rC...(8.o...Cw......H.~8..6.5...,.Lk...S..j...6.S.aH7..*...w.?G.AxU}..b...Z-..T.[LN....cH7[3[T...e?U.}Mv..U.e..C.....[...<}Mk.#..L.....>..e..9-1...I.F...7.1....m.T...rX.$... .. .[6.........>*.q.E..j.)..hK_.........%U...9.w`B.._BF<..Xz>...T./....!p...*...K....A.t..$...:..suVq._~......#..4.q..8.g...}...!....qd......~.P....\..a.0.. ....p...m[{.........-.....4......?...k....>.?....\..:.H[. .93....>>.]..}........t....4i...[...\.Mw.k.I..........W$.A\....R..\.|....C5|'F..VD..p..*.|.".I...X.=s..MI.....5.W...8..K..*...:D...BU...k..S.J.J.$..V.R)..h..xi..HIZ.N[Q..PF..xh.^e* .....!W_..L.(....g.....z...?e.t......0.m..KV....C.>..8W.[.W.....T).5..&:.(..B.Q*...^!(U>..X.A..W.~e.."....Q-.S..6..W.L.....`..g......J8^.^.O...>5....h..(|.V..?...U:....Q.=....T.1..g.^.{........_o.m..ul..e...L.6wc."nZ\....#k.....5c..?.tL...l. .Z..'SF5...8.j.....N..U..o{.YQ...8T:.e./..Y.cI.UE....).n.43q..Kcz...V.J.....i.l..`..tN..].....9...[..~.!W.t{.G.X.'.-.Z4^w.a...;u{*d..U.y.....f.....i..57...s.x.....:...}... ..wI..6v.........n~v.....9....~...vM...:.O.-}.o........=w}..ql....n.lH..|....Sk.7]T..X.v.}...5y......?.0ql.G..].f.......fQV..Y.w.....M.(*...U..-k`,.{.Mka......=Rpf..?6...x..._<i..X.^... .l..b.q.if.....`}...;..m2...o...;e.6m..C...=.g...D7...3...^o?y.}.......G\...I/.~.tQ.G......-.. 7....?..<..o^Z..
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_2012:
.text
`.rdata
@.data
.rsrc
t$(SSh
~%UVW
u$SShe
kernel32.dll
SkinH_EL.dll
hXXp://VVV.4399.com/flash/80727.htm
DSound.dll
Winmm.dll
fJ.WM_
CX%xm
Õ6m*
n.BjCw
%s;7*
0%x@w
%C^L:
%s T5
]E4%F(
.Funr
k%UPp
fg.VG
%C',@
>Ùd
0'.Ll
[I(3/#N0.bd
j"%u=w
q%Xn`
@|H.NI
.wdd!
S|%u4
*.Ea]S
Q.CGo
fTpe
.LLbX
-.Mdl
\-A}=3K
Y:.akpS
$.Zcqn
.WE= T!N
#?%s(C(
u.Jck~
zx/%FN[
%s=\RI
}j%c%Y)
Rx.GR
4o#.dM
IeS`%C
[n 4\.UY
,4.qO,
gQ'.Io
%cLur?
s%DHB
]I%%X
5r.US
:mD].tB
f%fUZ
.fOuV12
*_.dC
&-N}
({?.cQm
.Cqx~c
.`.Qw
**.dU
!n]%x
%X,Cr
&.PFy{xh
.um ZZE7L
/^p%u$
I.NoQY
zu.ew
D/.nT
\SkinH_EL.dll
C$%cmb
.ppM|
aZ.mO
%-^
.hk;~
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
ole32.dll
__MSVCRT_HEAP_SELECT
user32.dll
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
GetProcessHeap
WinExec
KERNEL32.dll
GetKeyState
RegisterHotKey
UnregisterHotKey
GetViewportOrgEx
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
OLEAUT32.dll
oledlg.dll
DeleteUrlCacheEntry
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
WININET.dll
GetCPInfo
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
%d%d%d
rundll32.exe shell32.dll,
(*.htm;*.html)|*.htm;*.html
its:%s::%s
index.dat
desktop.ini
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
.PAVCOleDispatchException@@
zcÃ
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
1, 0, 6, 6
(*.*)
1.0.0.0
(hXXp://VVV.eyuyan.com)
%original file name%.exe_2012_rwx_10001000_00039000:
L$(h%f
SSh0j
msctls_hotkey32
TVCLHotKey
THotKey
\skinh.she
}uo,x6l5k%x-l h
9p%s m)t4`#b
e"m?c&y1`Ã
SetViewportOrgEx
SetViewportExtEx
SetWindowsHookExA
UnhookWindowsHookEx
EnumThreadWindows
EnumChildWindows
`c%US.4/
!#$
.text
`.rdata
@.data
.rsrc
@.UPX0
`.UPX1
`.reloc