Gen.Variant.Graftor.8297_6cd206861b – Adaware

Gen:Variant.Graftor.8297 (B) (Emsisoft), Gen:Variant.Graftor.8297 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, TrojanFlyStudio.YR (Lavasoft MAS)Behaviour: Trojan-PSW, Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 6cd206861b4db3a83667a7b14de4b58d

SHA1: ae18c729391d1744b705ec93f0160605477061c9

SHA256: c9e0f1c6c794a929f331dd5e7f6d4d5800766e73b14f129d8224d6c04949d6f9

SSDeep: 24576:3vPhP6i9K0wfkAUTZaqdiXSp0c02uFG6dAk3xMkR:/JP6Gw6TZaqdwk0c05HGil

Size: 1601536 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171

Company: no certificate found

Created at: 2014-07-05 13:26:32

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan-PSW. Trojan program intended for stealing users passwords.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):No processes have been created.The Trojan injects its code into the following process(es):

%original file name%.exe:2012

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:2012 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\style[1].css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tjrm_img011[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\hdv832[1].htm (684 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\news_footer[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\style[2].css (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\mlb[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\22110Gb5I[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ico[2].css (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ysxy_20140507[1].css (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\4399_14504425052[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\xml[1].xml (664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bdsstyle[1].css (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ucenter[1].js (19465 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\16100Q15406[1].jpg (4088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\mlc[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\mlt[1].jpg (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ico[1].png (5 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (540 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\m6[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\4399_14533870073[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (8868 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ysxy_20140507[2].css (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tjrm_img06[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\m12[1].jpg (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\jquery-1.2.1.pack[1].js (1740 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\a1-2[1].jpg (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\311622246152[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\crossdomain[1].xml (842 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\a7[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\4399[2].js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\backg[1].png (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\31160T42W2[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\zwsf2-3[1].gif (987 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@4399[1].txt (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\2014ysxy[1].js (3 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\s15.4399.com\seed4399Value.sxx (80 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\core[1].php (751 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#s15.4399.com\settings.sxx (199 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\tjrm_img08[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\unilogin_package[1].js (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\31155012a51[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\m9[1].jpg (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\4399_17564382760[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\80727[1].htm (2467 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\unilogin_package[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\save.api.4399[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bds_s_v2[1].js (1807 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CACLIJK5.php (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\131P03EP7[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\m2[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\click[1].js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\flash_ctrl_version[1].xml (530 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ico[1].css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\hdv832[1].swf (4269751 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ctrl_mo_v5[1].swf (70245 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\m8[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\shell_v2[1].js (1 bytes)
C:\SkinH_EL.dll (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\4399[1].js (902 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\a5[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\m10[1].jpg (1171 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.4399[1].txt (969 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\logo[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\3115344X010[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\icon_keys[1].gif (537 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.4399[2].txt (445 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\a6[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\uijs[1].htm (380 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\m11[1].jpg (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\m1[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\4399_17053265645[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\hottop[1].gif (857 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\m4[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\tjrm_img09[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\m13[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\btn[1].png (392 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (203 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b3[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\0Q443302F2[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAIF0DA3.htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\m5[1].jpg (1191 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\id=rHmkPWbznH6&gp=403&time=nHndn1nkPWcvns[1].jpg (2181 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\80727[2].htm (2400 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (198 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\nav2[1].png (3875 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\logger[1].js (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\lazy_iframe[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\baiduLoader_as3[1].swf (418 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\31153132L32[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\tjrm_img07[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\311629555O1[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\04150AJ2O[1].jpg (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\play_hs1202[2].js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\crossdomain[2].xml (603 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\141US92O1[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\c[1].php (1163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\4399_16460972266[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cb.baidu[1].txt (128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\crossdomain[1].xml (570 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ecom[1].xml (233 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\a1[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\chkDomain[1].js (554 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\311612435933[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\A4399dv_base[1].swf (5532 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\more[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\top_bar[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\b2[1].jpg (4850 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\141U0313620[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\crossdomain[1].xml (331 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\31154AH4T[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\m14[1].jpg (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\m3[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\play_hs1202[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b1[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\base[1].css (13565 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\2014ysxy[2].js (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\bdshare[1].js (182 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\linkImg[1].jpg (26432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery-1.2.1.pack[1].js (392 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\style[1].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ysxy_20140507[1].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\2014ysxy[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\80727[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.4399[2].txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\unilogin_package[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\4399[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ico[1].css (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.4399[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\save.api.4399[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225\index.dat (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#s15.4399.com\settings.sol (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery-1.2.1.pack[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\play_hs1202[1].js (0 bytes)

Registry activity

The process %original file name%.exe:2012 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014081720140818]
"CachePrefix" = ":2014081720140818:"
"CacheLimit" = "8192"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1024x768x32(BGR 0)" = "31,31,31,31"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014081720140818]
"CacheOptions" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1404555992"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014081720140818]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014081720140818\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 89 C3 D8 9D 30 F9 E3 F3 72 21 43 3A F8 F4 4E"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014081720140818]
"CacheRepair" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013030120130302]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021120130218]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021820130225]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5	File path
147127382e001f495d1842ee7a9e7912	c:\SkinH_EL.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\style[1].css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tjrm_img011[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\hdv832[1].htm (684 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\news_footer[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\style[2].css (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\mlb[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\22110Gb5I[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ico[2].css (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ysxy_20140507[1].css (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\4399_14504425052[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\xml[1].xml (664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bdsstyle[1].css (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ucenter[1].js (19465 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\16100Q15406[1].jpg (4088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\mlc[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\mlt[1].jpg (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ico[1].png (5 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (540 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\m6[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\4399_14533870073[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (8868 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ysxy_20140507[2].css (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tjrm_img06[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\m12[1].jpg (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\jquery-1.2.1.pack[1].js (1740 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\a1-2[1].jpg (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\311622246152[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\crossdomain[1].xml (842 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\a7[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\4399[2].js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\backg[1].png (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\31160T42W2[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\zwsf2-3[1].gif (987 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@4399[1].txt (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\2014ysxy[1].js (3 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\s15.4399.com\seed4399Value.sxx (80 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\core[1].php (751 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#s15.4399.com\settings.sxx (199 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\tjrm_img08[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\unilogin_package[1].js (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\31155012a51[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\m9[1].jpg (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\4399_17564382760[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\80727[1].htm (2467 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\unilogin_package[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\save.api.4399[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bds_s_v2[1].js (1807 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CACLIJK5.php (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\131P03EP7[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\m2[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\click[1].js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\flash_ctrl_version[1].xml (530 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ico[1].css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\hdv832[1].swf (4269751 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ctrl_mo_v5[1].swf (70245 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\m8[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\shell_v2[1].js (1 bytes)
C:\SkinH_EL.dll (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\4399[1].js (902 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\a5[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\m10[1].jpg (1171 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.4399[1].txt (969 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\logo[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\3115344X010[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\icon_keys[1].gif (537 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.4399[2].txt (445 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\a6[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\uijs[1].htm (380 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\m11[1].jpg (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\m1[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\4399_17053265645[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\hottop[1].gif (857 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\m4[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\tjrm_img09[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\m13[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\btn[1].png (392 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (203 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b3[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\0Q443302F2[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAIF0DA3.htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\m5[1].jpg (1191 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\id=rHmkPWbznH6&gp=403&time=nHndn1nkPWcvns[1].jpg (2181 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\80727[2].htm (2400 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (198 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\nav2[1].png (3875 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\logger[1].js (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\lazy_iframe[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\baiduLoader_as3[1].swf (418 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\31153132L32[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\tjrm_img07[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\311629555O1[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\04150AJ2O[1].jpg (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\play_hs1202[2].js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\crossdomain[2].xml (603 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\141US92O1[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\c[1].php (1163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\4399_16460972266[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cb.baidu[1].txt (128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\crossdomain[1].xml (570 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ecom[1].xml (233 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\a1[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\chkDomain[1].js (554 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\311612435933[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\A4399dv_base[1].swf (5532 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\more[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\top_bar[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\b2[1].jpg (4850 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\141U0313620[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\crossdomain[1].xml (331 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\31154AH4T[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\m14[1].jpg (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\m3[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\play_hs1202[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b1[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\base[1].css (13565 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\2014ysxy[2].js (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\bdshare[1].js (182 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\linkImg[1].jpg (26432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery-1.2.1.pack[1].js (392 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: English (United States)

Company Name: Product Name: ?????Product Version: 1.0.0.0Legal Copyright: ?????? ????????Legal Trademarks: Original Filename: Internal Name: File Version: 1.0.0.0File Description: ?????Comments: ??????????(http://www.eyuyan.com)Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	470447	471040	4.54404	84112665e3d73644f9136e52fe52e973
.rdata	475136	967030	970752	5.28926	2213235e3c8c52cff8d0b61dfffda90d
.data	1445888	184074	65536	3.45572	a803471009ef1b78c190f02824cc6ab6
.rsrc	1630208	87156	90112	2.27554	3a870711b3c73f57b527a56dad041452

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://115.182.52.104/flash_ctrl_version.xml?ran=65853.53179834783
hxxp://8.37.233.6/jss/2014ysxy.js
hxxp://4399stat.5054399.com/js/click.js	115.182.52.78
hxxp://e.xdwscache.glb0.lxdns.com/crossdomain.xml
hxxp://e.xdwscache.glb0.lxdns.com/control/zwsf2-3.gif?20120719
hxxp://e.xdwscache.glb0.lxdns.com/control/A4399dv_base.swf?20130625
hxxp://c.split.cnzz.com/c.php?id=30039538
hxxp://c.split.cnzz.com/core.php?web_id=30039538&t=q
hxxp://q7.cnzz.com/stat.htm?id=30039538&r=&lg=en-us&ntime=none&cnzz_eid=860316973-1408248746-&showp=1024x768&t=undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined...&h=1&rnd=1129475355
hxxp://pcookie.split.cnzz.com/9.gif?abc=1&rnd=1551506341
hxxp://pcookie.split.cnzz.com/app.gif?&cna=qxl3DGTX4jwCAbhrJiYA1Bqu
hxxp://static.n.shifen.com/v.gif?pid=307&type=3071&sc=980,3477,1024,740&desturl=&apitype=1&linkid=hyxk90eeqem&velo_load=1812&velo_cssload=953&velo_jsLoad=953&cite_uid=480925&cite_type=1&cite_mini=1
hxxp://115.182.52.104/xml.php?ran=30733.64836163819&gameid=100016523&url=http://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.htm
hxxp://cb.e.shifen.com/crossdomain.xml
hxxp://cb.e.shifen.com/ecom?di=62872&tm=BAIDU_CLB_XML&asp_url=4399.com&return_type=1&ran=2925.8037405088544
hxxp://cpro.e.shifen.com/cpro/ui/baiduLoader_as3.swf
hxxp://cpro.e.shifen.com/cpro/ui/uijs.php?at=6&fv=11&ch=129&ie=1&q=www4399com_tp_cpr&n=1&k=Ã©Â²Å“Ã¨Å Â±&f=Ã¨Â¿â€¡Ã¦Â»Â¤Ã¨Â¯Â1 Ã¨Â¿â€¡Ã¦Â»Â¤Ã¨Â¯Â2 Ã¨Â¿â€¡Ã¦Â»Â¤Ã¨Â¯Â3&u=4399.com&s=2&t=baiduxml_tiepian_400_300&w=940&h=580
hxxp://drmcmm.e.shifen.com/media/id=rHmkPWbznH6&gp=403&time=nHndn1nkPWcvns.jpg
hxxp://e.xdwscache.glb0.lxdns.com/control/ctrl_mo_v5.swf?20140327
hxxp://115.182.52.104/flashflowstatis/submitflowstatis.php?gameid=100016523&seedvalue=718567ba529daf641296ba5d763bf7b2&adid=-1&gamekey=asdf&nocache=1408230825122&os=Windows XP&lng=en&hosturl=hxxp://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.htm&scres=1024x768&playurl=hxxp://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.swf&fp=WIN 11,6,602,168&adLoadTime=0&adPlayTime=0&browser=Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)&ctrVer=5
hxxp://save.d.4399api.net/crossdomain.xml
hxxp://save.d.4399api.net/?ac=get_time&ran=688197.0977410674
hxxp://cpro.baidu.com/cpro/ui/uijs.php?at=6&fv=11&ch=129&ie=1&q=www4399com_tp_cpr&n=1&k=Ã©Â²Å“Ã¨Å Â±&f=Ã¨Â¿â€¡Ã¦Â»Â¤Ã¨Â¯Â1 Ã¨Â¿â€¡Ã¦Â»Â¤Ã¨Â¯Â2 Ã¨Â¿â€¡Ã¦Â»Â¤Ã¨Â¯Â3&u=4399.com&s=2&t=baiduxml_tiepian_400_300&w=940&h=580	123.125.70.108
hxxp://pcookie.cnzz.com/app.gif?&cna=qxl3DGTX4jwCAbhrJiYA1Bqu	42.120.219.171
hxxp://stat.api.4399.com/xml.php?ran=30733.64836163819&gameid=100016523&url=http://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.htm
hxxp://nsclick.baidu.com/v.gif?pid=307&type=3071&sc=980,3477,1024,740&desturl=&apitype=1&linkid=hyxk90eeqem&velo_load=1812&velo_cssload=953&velo_jsLoad=953&cite_uid=480925&cite_type=1&cite_mini=1	115.239.211.92
hxxp://cpro.baidu.com/cpro/ui/baiduLoader_as3.swf	123.125.70.108
hxxp://save.api.4399.com/?ac=get_time&ran=688197.0977410674	115.182.52.102
hxxp://cdn.comment.4399pk.com/control/A4399dv_base.swf?20130625	8.37.233.6
hxxp://drmcmm.baidu.com/media/id=rHmkPWbznH6&gp=403&time=nHndn1nkPWcvns.jpg	123.125.65.55
hxxp://cnzz.mmstat.com/9.gif?abc=1&rnd=1551506341	42.120.219.171
hxxp://cb.baidu.com/crossdomain.xml	123.125.115.99
hxxp://stat.api.4399.com/flash_ctrl_version.xml?ran=65853.53179834783
hxxp://save.api.4399.com/crossdomain.xml	115.182.52.102
hxxp://cb.baidu.com/ecom?di=62872&tm=BAIDU_CLB_XML&asp_url=4399.com&return_type=1&ran=2925.8037405088544	123.125.115.99
hxxp://c.cnzz.com/core.php?web_id=30039538&t=q	42.120.219.6
hxxp://cdn.comment.4399pk.com/crossdomain.xml	8.37.233.6
hxxp://cdn.comment.4399pk.com/control/zwsf2-3.gif?20120719	8.37.233.6
hxxp://w.cnzz.com/c.php?id=30039538	1.99.192.14
hxxp://www.4399.com/jss/2014ysxy.js
hxxp://hqs10.cnzz.com/stat.htm?id=30039538&r=&lg=en-us&ntime=none&cnzz_eid=860316973-1408248746-&showp=1024x768&t=undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined...&h=1&rnd=1129475355	42.156.140.139
hxxp://cdn.comment.4399pk.com/control/ctrl_mo_v5.swf?20140327	8.37.233.6
gprp.4399api.net	42.62.52.249

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

POST /?ac=get_time&ran=688197.0977410674 HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.swf

x-flash-version: 11,6,602,168

Content-Type: application/x-www-form-urlencoded

Content-Length: 21

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: save.api.4399.com

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: _4399stats_vid=140823078785628

gameid=100016523&uid=

HTTP/1.1 200 OK

Date: Sun, 17 Aug 2014 04:13:06 GMT

Server: Apache/2.4.7 (Unix)

Cache-Control: no-cache, must-revalidate

Expires: Sat, 26 Jul 1997 05:00:00 GMT

Content-Length: 30

Connection: close

Content-Type: text/html;charset=utf-8

{"time":"2014-08-17 12:13:06"}..

GET /media/id=rHmkPWbznH6&gp=403&time=nHndn1nkPWcvns.jpg HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://cpro.baidu.com/cpro/ui/baiduLoader_as3.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: drmcmm.baidu.com

Connection: Keep-Alive

Cookie: BAIDUID=0813F6F6D873A6FB1368C76E3EF141F3:FG=1

GET /media/id=rHmkPWbznH6&gp=403&time=nHndn1nkPWcvns.jpg HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://cpro.baidu.com/cpro/ui/baiduLoader_as3.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: drmcmm.baidu.com

Connection: Keep-Alive

Cookie: BAIDUID=0813F6F6D873A6FB1368C76E3EF141F3:FG=1

HTTP/1.1 200 OK

media: media

Cache-Control: max-age=31536000

Expires: Fri, 26 Oct 2012 12:24:13 GMT

Last-Modified: Sat, 25 Apr 2009 07:04:00 GMT

Content-Type: image/jpeg

Date: Sun, 17 Aug 2014 04:12:52 GMT

Server: apache

Content-Length: 19625

......Exif..II*.................Ducky.......<.....ohXXp://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:9AC6534D2232E21197278D32144D5421" xmpMM:DocumentID="xmp.did:D93AE388322711E2B782C4EF4C8536EF" xmpMM:InstanceID="xmp.iid:D93AE387322711E2B782C4EF4C8536EF" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:8524B6A02632E21197278D32144D5421" stRef:documentID="xmp.did:9AC6534D2232E21197278D32144D5421"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d.................................................................................................................................................,.........................................................................................!1.A.Q"..aq2.......BR#3..br.......Cs$45S.t6......................!.1A.Qaq"....2....B....Rb#3.r......Sc.............?......q..Z!...)..,w. ...K.6........Xn.r..ZA..V.J...I.;n.eHHA.J. .#C..X..........,wB.$!B. .4.&P%H..1.w..%.P........@.B...&.$.$........V..1.-.IR.!..J.@r4*H.!..%..T..X......g.@.X..B......*C...

<<< skipped >>>

GET /app.gif?&cna=qxl3DGTX4jwCAbhrJiYA1Bqu HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4399.com/flash/80727.htm

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Connection: Keep-Alive

Host: pcookie.cnzz.com

HTTP/1.1 200 OK

Server: Tengine

Date: Sun, 17 Aug 2014 04:12:28 GMT

Content-Type: image/gif

Content-Length: 43

Connection: keep-alive

P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"

Set-Cookie: cna=qxl3DGTX4jwCAbhrJiYA1Bqu; expires=Wed, 14-Aug-24 04:12:28 GMT; path=/; domain=.cnzz.com

Expires: Thu, 01 Jan 1970 00:00:01 GMT

Cache-Control: no-cache

Pragma: no-cache

GIF89a.............!.......,...........L..;..

GET /jss/2014ysxy.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4399.com/flash/80727.htm

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.4399.com

Connection: Keep-Alive

Cookie: cookie_hs=4399.com|||%u52C7%u58EB%u7684%u4FE1%u4EF0||80727||0; bdshare_firstime=1408230785700

HTTP/1.1 200 OK

Expires: Sat, 15 Nov 2014 01:50:43 GMT

Date: Sun, 17 Aug 2014 01:50:43 GMT

Server: nginx

Content-Type: application/x-javascript

Last-Modified: Mon, 12 May 2014 09:24:19 GMT

Transfer-Encoding: chunked

Cache-Control: max-age=7776000

Content-Encoding: gzip

Age: 1

X-Via: 1.1 hzsx166:8080 (Cdn Cache Server V2.0), 1.1 hx3:1 (Cdn Cache Server V2.0)

Connection: keep-alive

f2f.............Z................{g(i..W......].HUe.....z..].9..LJ.<D..G88..w.B .#\P....!U(R.Fi....wfv.k..]..5.l.......T[v.7.[y........G7n.r..rm.i...c.Z[/..Q.......o. ....5..8M.q.9.U.j.c~....L...Y......l.S.nYVZ....<.L,J...G....!...3.<.<....$..a.t(:....Sn5@;.b.,F_...S....4%...%ILLG0..d..c..m..8..Wv...q..l.8...~.5-c^0.....>.....\....V-....j:...A....2.3.cG..,.q.{Z.P.I...=.hx...}...~.ZB.)"..s..%.CC...b...}."(.....e`.......d.!!.O".f.I.V..:...;.xF.pMN....v.b.A..m3w........ZH..p...xu......M...-.....JA-YNy.../.Q..wA...8...d<...^.5.=....d.n.$.};R..{i... ...O ..K......A....g|.[b..C9...:..Jz.Q.........m..5.w.\.c.......u...axL...w..,Xa..W5...LMO...h#........`...S5]Vu...F.65...M.s..5bP[............i;1...L...Xy..c.~..N.}l.6p".!.=I..'1.g.*..R..M0...dE....BX8..Kw..HP...|(.r9G.&=......h.....1....m....fU..F1.rM....v....|%.v...;.K.....r......._.....}w...,=.3.6...Je..s\.g.X........\WdA..zf...7....6.4?........5,...z....7......7?;q.........] ...ww.....]...{....9.B.!..#..).b.At.eZLyTB...c..n.s[.<.l..4tnK]..e.5W.... ..N........w?XY\...g..n=8.|....N..t..o_~....3...X....[.... <:......,C.....gF...H><.F{.p"..;t....H.......Uu.S.;.i.C.h...Dd......"-..fC..........Z:....^.}y......yo......?.m...!..........,..[._"O...C.g.<.......w...ctK.%0.....I..0....0..n...k..W.^..._.>...&.....e.-.Yr........5...|v.Oe..:...PW....n...G..u.....K.~p....7.?.....{3/.x...........~.tme..........7."....X......... W.sjq.....K....Y.....n.....Ko.9{......o.].o..W.`:...v...5].t.......g...j.?a........pm.G.xQ..C.H.f...'.U.USl.........6-...

<<< skipped >>>

GET /c.php?id=30039538 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4399.com/flash/80727.htm

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: w.cnzz.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Tengine

Date: Sun, 17 Aug 2014 04:12:26 GMT

Content-Type: application/javascript

Transfer-Encoding: chunked

Connection: keep-alive

Last-Modified: Sun, 17 Aug 2014 04:12:26 GMT

Expires: Sun, 17 Aug 2014 05:42:26 GMT

1f7a..(function(){function l(){this.c="30039538";this.O="q";this.K="";this.H="";this.J="";this.o="1408248746";this.M="hqs10.cnzz.com";this.I="";this.q="CNZZDATA" this.c;this.p="_CNZZDbridge_" this.c;this.C="_cnzz_CV" this.c;this.s="1";this.v={};this.a={};this.ia()}function g(a,c){try{var b=[];b.push("siteid=30039538");.b.push("name=" f(a.name));b.push("msg=" f(a.message));b.push("r=" f(h.referrer));b.push("page=" f(d.location.href));b.push("agent=" f(d.navigator.userAgent));b.push("ex=" f(c));b.push("rnd=" Math.floor(2147483648*Math.random()));(new Image).src="hXXp://jserr.cnzz.com/log.php?" b.join("&")}catch(e){}}var h=document,d=window,f=encodeURIComponent,k=decodeURIComponent,p=unescape,q=escape;l.prototype={ia:function(){try{this.R(),this.G(),this.fa(),this.D(),this.l(),this.da(),this.ca(),this.ga(),this.i(),.this.ba(),this.ea(),this.ha(),this.$(),this.Y(),this.aa(),this.na(),d[this.p]=d[this.p]||{},this.Z("_cnzz_CV")}catch(a){g(a,"i failed")}},la:function(){try{var a=this;d._czc={push:function(){return a.w.apply(a,arguments)}}}catch(c){g(c,"oP failed")}},Y:function(){try{var a=d._czc;if("[object Array]"==={}.toString.call(a))for(var c=0;c<a.length;c ){var b=a[c];switch(b[0]){case "_setAccount":d._cz_account="[object String]"==={}.toString.call(b[1])?b[1]:String(b[1]);break;case "_setAutoPageview":"boolean"===.typeof b[1]&&(d._cz_autoPageview=b[1])}}}catch(e){g(e,"cS failed")}},na:function(){try{if("undefined"===typeof d._cz_account||d._cz_account===this.c){d._cz_account=this.c;if("[object Array]"==={}.

<<< skipped >>>

GET /v.gif?pid=307&type=3071&sc=980,3477,1024,740&desturl=&apitype=1&linkid=hyxk90eeqem&velo_load=1812&velo_cssload=953&velo_jsLoad=953&cite_uid=480925&cite_type=1&cite_mini=1 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4399.com/flash/80727.htm

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: nsclick.baidu.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Pragma: no-cache

Cache-Control: max-age=0

Content-Type: image/gif

ETag: "4280832337"

Accept-Ranges: bytes

Last-Modified: Fri, 23 Oct 2009 08:06:04 GMT

Expires: Sun, 17 Aug 2014 04:12:28 GMT

Content-Length: 0

Date: Sun, 17 Aug 2014 04:12:28 GMT

Server: BWS/1.0

Connection: Keep-Alive

HTTP/1.1 200 OK..Pragma: no-cache..Cache-Control: max-age=0..Content-Type: image/gif..ETag: "4280832337"..Accept-Ranges: bytes..Last-Modified: Fri, 23 Oct 2009 08:06:04 GMT..Expires: Sun, 17 Aug 2014 04:12:28 GMT..Content-Length: 0..Date: Sun, 17 Aug 2014 04:12:28 GMT..Server: BWS/1.0..Connection: Keep-Alive..

GET /crossdomain.xml HTTP/1.1

Accept: */*

Accept-Language: en-US

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cdn.comment.4399pk.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sat, 16 Aug 2014 23:41:37 GMT

Server: nginx/1.0.4

Content-Type: application/xml

Last-Modified: Wed, 17 Mar 2010 03:06:58 GMT

ETag: "5288176-14b-481f66842f880"

Accept-Ranges: bytes

Content-Length: 331

Age: 1

X-Via: 1.1 zjjhdx32:8104 (Cdn Cache Server V2.0), 1.1 hx4:6 (Cdn Cache Server V2.0)

Connection: keep-alive

GET /control/zwsf2-3.gif?20120719 HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cdn.comment.4399pk.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sat, 16 Aug 2014 23:41:37 GMT

Server: nginx/1.0.4

Content-Type: application/xml

Last-Modified: Wed, 17 Mar 2010 03:06:58 GMT

ETag: "5288176-14b-481f66842f880"

Accept-Ranges: bytes

Content-Length: 331

Age: 1

X-Via: 1.1 zjjhdx32:8104 (Cdn Cache Server V2.0), 1.1 hx4:6 (Cdn Cache Server V2.0)

Connection: keep-alive

<?xml version="1.0"?>..<!DOCTYPE cross-domain-policy SYSTEM 'hXXp://VVV.macromedia.com/xml/dtds/cross-domain-policy.dtd'>..<cross-domain-policy>.. <site-control permitted-cross-domain-policies="all" />.. <allow-access-from domain="*" />.. <allow-http-request-headers-from domain="*" headers="*"/>..</cross-domain-policy>..HTTP/1.1 200 OK..Expires: Fri, 14 Nov 2014 18:17:32 GMT..Date: Sat, 16 Aug 2014 18:17:32 GMT..Server: nginx/1.0.4..Content-Type: image/gif..Last-Modified: Wed, 07 Sep 2011 08:07:32 GMT..ETag: "5383f2e-2bc8-4ac556fa31900"..Accept-Ranges: bytes..Content-Length: 11208..Cache-Control: max-age=7776000..Age: 1..X-Via: 1.1 zjjhdx31:8080 (Cdn Cache Server V2.0), 1.1 hx3:7 (Cdn Cache Server V2.0)..Connection: keep-alive..GIF89a..P...........[#.Z".Z#AAC.......wH..........ee......... ...kkl......aab.........ZZ[.zz...............noq..X@@@....66qqq.JJ............PPQ............$$$............... ......===................l:.......... ...000......xxy...............................$$...EEF....["...............HHI.DD...............uvx..{..b...555....]&...}}~.b-TTU...uuu.....lrrtCCC999LLM.]]...eefnor...........r}~.BBD.f1.==.........zz{.............UU.PPFFH......KKL..v.mm...NNP....h5.............|P._(...stv............BAC.....~...WWX....... ....................................wwz......ggh.\$AAA......__`...{|~......................................................ccc~.....RRS....uu............................\#.Z".........GGI.........................["...SSU.Z

<<< skipped >>>

GET /control/ctrl_mo_v5.swf?20140327 HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cdn.comment.4399pk.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sun, 17 Aug 2014 04:12:04 GMT

Server: nginx/1.0.4

Content-Type: application/x-shockwave-flash

Last-Modified: Tue, 15 Jul 2014 03:20:47 GMT

ETag: "538c83d-62c6f-4fe32e4c861c0"

Accept-Ranges: bytes

Content-Length: 404591

Age: 1

X-Via: 1.1 zjjhdx41:8080 (Cdn Cache Server V2.0), 1.1 hx5:5 (Cdn Cache Server V2.0)

Connection: keep-alive

CWS.....x...uX.[...,...PP..(H7..Jw#.hX..S...0@P....ABJ.0..n.T.K...z...=.....w]..^s.9....s.......; ..;..! ..t...R..C..............K.|.dr.`..xx|}}.}.....<|...<..<..\@.....c......$..-(..l<..1.h7$...5..#........of....l..(n.. ...;..7/...P...DYa..zh...,V...b.....D.....y ......._.......I....q..q...........s...........M.Q. [ .....\.........x.@.?6.....h[G;......H............G]]y~i{atPv.Y.K.......B{{...:...QW......r.A]R...nGG[1EAa..".....r..||....r..rJ..".r".p..n...........i...`..M.Y..t.w.9.OV.......E.Dd.A... ....*......./..`.7.(OG....'....w O/...$.~u......s..n.._.................O.._M .......;.mm~.PwoO.x....A.....@.............#e....hc.5.......q...Aq.aW...........O...........E......PH>..&...~..........:..$...3FP........B.~O-.j....)A...w....> ..].....p!.<H...\H5..cL..mno.yq.5.<.:z.QI..c.z..i9j.."-.5J).b.a9..G.oJ:...^.....;.._..;......i...Lg70.9J,.7.LrR.NH..S..........0.]...bit.h}....[U..;N....4,..-...O..\..|:......k...GE...x'[^|<..W3Ul.EI.......E.........E3as....r..gg.....76|..E.NO?.=s..w.\$fc3%%e.......7.|v<.ei.^>........<...o......iin..q.....f..QQ.....:-JK..}...qq.....<|H...a.../955.....FN.L[ju...].....!W...e._....gvn...quU...y>k."z=....{Q......h..k;<F.&m&....../Wo..._.......^q..#HY.OEE%.-...8.y...(5...<.3.bU.....^^...w=...9..>..R...}...K|...............Zg..-f1/1.|R....o....9..[.])..R...F[dKX.................;..s.e.t[..._}..3..~J.........`c.9{&.|.......<Y 1....H.......G.......HLLLz...L%.?/..n.lO.}[...1.......,.\i.H.>....iVVV...g.........RC{;.......jK...v......xq.

<<< skipped >>>

GET /crossdomain.xml HTTP/1.1

Accept: */*

Accept-Language: en-US

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: save.api.4399.com

Connection: Keep-Alive

Cookie: _4399stats_vid=140823078785628

HTTP/1.1 200 OK

Date: Sun, 17 Aug 2014 04:13:05 GMT

Server: Apache/2.4.7 (Unix)

Last-Modified: Wed, 23 Jul 2014 01:28:29 GMT

ETag: "25b-4fed241e5a940"

Accept-Ranges: bytes

Content-Length: 603

Connection: close

Content-Type: application/xml

<?xml version="1.0"?>..<!DOCTYPE cross-domain-policy SYSTEM 'hXXp://VVV.macromedia.com/xml/dtds/cross-domain-policy.dtd'>..<cross-domain-policy>.. <allow-access-from domain="*.4399pk.com"/>.. <allow-access-from domain="*.4399.com"/>.. <allow-access-from domain="*.my4399.com"/>.. <allow-access-from domain="*.4399.net"/>.. <allow-access-from domain="4399pk.com"/>.. <allow-access-from domain="*.4399api.com"/>.. <allow-access-from domain="imga.4399.com"/>.. <allow-access-from domain="imga1.4399.com"/>...<allow-access-from domain="manage.5054399.com"/>..</cross-domain-policy>....

GET /9.gif?abc=1&rnd=1551506341 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4399.com/flash/80727.htm

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cnzz.mmstat.com

Connection: Keep-Alive

HTTP/1.1 302 Found

Server: Tengine

Date: Sun, 17 Aug 2014 04:12:27 GMT

Content-Type: image/gif

Content-Length: 43

Connection: keep-alive

P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"

Set-Cookie: cna=qxl3DGTX4jwCAbhrJiYA1Bqu; expires=Wed, 14-Aug-24 04:12:27 GMT; path=/; domain=.mmstat.com

Set-Cookie: sca=98630e66; path=/; domain=.cnzz.mmstat.com

Set-Cookie: atpsida=bed8d8f476f71146473f3227_1408248747; expires=Wed, 14-Aug-24 04:12:27 GMT; path=/; domain=.cnzz.mmstat.com

Location: hXXp://pcookie.cnzz.com/app.gif?&cna=qxl3DGTX4jwCAbhrJiYA1Bqu

Expires: Thu, 01 Jan 1970 00:00:01 GMT

Cache-Control: no-cache

Pragma: no-cache

GIF89a.............!.......,...........L..;..

GET /xml.php?ran=30733.64836163819&gameid=100016523&url=http://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.htm HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.swf/[[DYNAMIC]]/2

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: stat.api.4399.com

Connection: Keep-Alive

Cookie: _4399stats_vid=140823078785628

GET /xml.php?ran=30733.64836163819&gameid=100016523&url=http://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.htm HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.swf/[[DYNAMIC]]/2

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: stat.api.4399.com

Connection: Keep-Alive

Cookie: _4399stats_vid=140823078785628

HTTP/1.1 200 OK

Date: Sun, 17 Aug 2014 04:12:30 GMT

Server: Apache/2.2.17 (Unix)

Content-Length: 664

Connection: close

Content-Type: text/xml; charset=utf-8

<?xml version="1.0" encoding="UTF-8" ?>.<config><entry id="62872" category="brand" time2skip="12"><item src="hXXp://cb.baidu.com/ecom?di=62872&tm=BAIDU_CLB_XML&asp_url=4399.com&return_type=1" click_base="hXXp://stat.api.flashgame163.com/brand.php?url=" /></entry><entry id="999" category="baidu" time2skip="12" channel="129" pubid="www4399com_tp_cpr" /><entry id="999" category="google" time2skip="12" channel="0000000136,game136" pubid="ca-games-pub-9606551472994074" /><entry id="999" category="combrand" time2skip="12" width="640" height="640"><item src="hXXp://cdn.comment.4399pk.com/control/4399.swf" link="" bgcolor="0xb5e9f9" /></entry></config>..

GET /crossdomain.xml HTTP/1.1

Accept: */*

Accept-Language: en-US

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cb.baidu.com

Connection: Keep-Alive

GET /crossdomain.xml HTTP/1.1

Accept: */*

Accept-Language: en-US

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cb.baidu.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Sun, 17 Aug 2014 04:12:42 GMT

Content-Type: text/xml

Content-Length: 3710

Last-Modified: Wed, 12 Mar 2014 07:45:00 GMT

Connection: Keep-Alive

ETag: "5320107c-e7e"

Accept-Ranges: bytes

<?xml version="1.0"?>..<!DOCTYPE cross-domain-policy SYSTEM "hXXp://VVV.adobe.com/xml/dtds/cross-domain-policy.dtd">..<cross-domain-policy>.. <site-control permitted-cross-domain-policies="master-only"/> .. <allow-access-from domain="*.4399.com"/>.. <allow-http-request-headers-from domain="*.4399.com" headers="SOAPAction"/>.. <allow-access-from domain="*.4399.net"/>.. <allow-http-request-headers-from domain="*.4399.net" headers="SOAPAction"/>.. <allow-access-from domain="*.4399api.com"/>.. <allow-http-request-headers-from domain="*.4399api.com" headers="SOAPAction"/>.. <allow-access-from domain="*.4399pk.com"/>.. <allow-http-request-headers-from domain="*.4399pk.com" headers="SOAPAction"/>.. <allow-access-from domain="*.4399pk.net"/>.. <allow-http-request-headers-from domain="*.4399pk.net" headers="SOAPAction"/>.. <allow-access-from domain="*.5054399.com"/>.. <allow-http-request-headers-from domain="*.5054399.com" headers="SOAPAction"/>.. <allow-access-from domain="*.61.com"/>.. <allow-http-request-headers-from domain="*.61.com" headers="SOAPAction"/>.. <allow-access-from domain="*.app111.com"/>.. <allow-http-request-headers-from domain="*.app111.com" headers="SOAPAction"/>.. <allow-access-from domain="*.baidu.com"/>.. <allow-http-request-headers-from domain="*.baidu.com" headers="SOAPAction"/>.. <allow-access-from doma

<<< skipped >>>

GET /ecom?di=62872&tm=BAIDU_CLB_XML&asp_url=4399.com&return_type=1&ran=2925.8037405088544 HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.swf/[[DYNAMIC]]/2

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cb.baidu.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Sun, 17 Aug 2014 04:12:42 GMT

Content-Type: text/xml

Content-Length: 3710

Last-Modified: Wed, 12 Mar 2014 07:45:00 GMT

Connection: Keep-Alive

ETag: "5320107c-e7e"

Accept-Ranges: bytes

headers-from domain="*.baomihua.com" headers="SOAPAction"/>.. <allow-access-from domain="*.bokecc.com"/>.. <allow-http-request-headers-from domain="*.bokecc.com" headers="SOAPAction"/>.. <allow-access-from domain="*.boosj.com"/>.. <allow-http-request-headers-from domain="*.boosj.com" headers="SOAPAction"/>.. <allow-access-from domain="*.cztv.com"/>.. <allow-http-request-headers-from domain="*.cztv.com" headers="SOAPAction"/>.. <allow-access-from domain="*.forex.com.cn"/>.. <allow-http-request-headers-from domain="*.forex.com.cn" headers="SOAPAction"/>.. <allow-access-from domain="*.funshion.com"/>.. <allow-http-request-headers-from domain="*.funshion.com" headers="SOAPAction"/>.. <allow-access-from domain="*.ggxt.net"/>.. <allow-http-request-headers-from domain="*.ggxt.net" headers="SOAPAction"/>.. <allow-access-from domain="*.kumi.cn"/>.. <allow-http-request-headers-from domain="*.kumi.cn" headers="SOAPAction"/>.. <allow-access-from domain="*.letv.com"/>.. <allow-http-request-headers-from domain="*.letv.com" headers="SOAPAction"/>.. <allow-access-from domain="*.my4399.com"/>.. <allow-http-request-headers-from domain="*.my4399.com" headers="SOAPAction"/>.. <allow-access-from domain="*.mytv365.com"/>.. <allow-http-request-headers-from domain="*.mytv365.com" headers="SOAPAction"/>.. <allow-access-from domain="*.pipi.cn"/>..

<<< skipped >>>

GET /cpro/ui/baiduLoader_as3.swf HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.swf/[[DYNAMIC]]/2

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cpro.baidu.com

Connection: Keep-Alive

Cookie: BAIDUID=0813F6F6D873A6FB1368C76E3EF141F3:FG=1

<<< skipped >>>

GET /stat.htm?id=30039538&r=&lg=en-us&ntime=none&cnzz_eid=860316973-1408248746-&showp=1024x768&t=undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined...&h=1&rnd=1129475355 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4399.com/flash/80727.htm

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: hqs10.cnzz.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Tengine/1.4.1

Date: Sun, 17 Aug 2014 04:12:27 GMT

Content-Type: image/gif

Content-Length: 43

Last-Modified: Tue, 28 May 2013 02:57:17 GMT

Connection: close

Accept-Ranges: bytes

GIF89a.............!.......,...........D..;..

GET /core.php?web_id=30039538&t=q HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4399.com/flash/80727.htm

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: c.cnzz.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Tengine

Date: Sun, 17 Aug 2014 04:12:27 GMT

Content-Type: application/javascript

Transfer-Encoding: chunked

Connection: keep-alive

Last-Modified: Sun, 17 Aug 2014 04:12:27 GMT

Expires: Sun, 17 Aug 2014 04:27:27 GMT

2ef..!function(){var p,q,r,a=encodeURIComponent,b="30039538",c="",d="",e="online_v3.php",f="hqs10.cnzz.com",g="",h="text",i="q",j="全景统计",k=window["_CNZZDbridge_" b].bobject,l="http:",m="0",n=l "//online.cnzz.com/online/" e,o=[];o.push("id=" b),o.push("h=" f),o.push("on=" a(d)),o.push("s=" a(c)),n ="?" o.join("&"),"0"===m&&k.callRequest([l "//cnzz.mmstat.com/9.gif?abc=1"]),g&&(""!==d?k.createScriptIcon(n,"utf-8"):(q="z"==i?"hXXp://VVV.cnzz.com/stat/website.php?web_id=" b:"hXXp://quanjing.cnzz.com","pic"===h?(r=l "//icon.cnzz.com/img/" c ".gif",p="<a href='" q "' target=_blank title='" j "'><img border=0 hspace=0 vspace=0 src='" r "'></a>"):p="<a href='" q "' target=_blank title='" j "'>" j "</a>",k.createIcon([p])))}();..0..

GET /cpro/ui/uijs.php?at=6&fv=11&ch=129&ie=1&q=www4399com_tp_cpr&n=1&k=Ã©Â²Å“Ã¨Å Â±&f=Ã¨Â¿â€¡Ã¦Â»Â¤Ã¨Â¯Â1 Ã¨Â¿â€¡Ã¦Â»Â¤Ã¨Â¯Â2 Ã¨Â¿â€¡Ã¦Â»Â¤Ã¨Â¯Â3&u=4399.com&s=2&t=baiduxml_tiepian_400_300&w=940&h=580 HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://cpro.baidu.com/cpro/ui/baiduLoader_as3.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cpro.baidu.com

Connection: Keep-Alive

Cookie: BAIDUID=0813F6F6D873A6FB1368C76E3EF141F3:FG=1

HTTP/1.1 200 OK

Server: nginx

Date: Sun, 17 Aug 2014 04:12:48 GMT

Content-Type: text/html

Content-Length: 380

Connection: close

P3P: CP=" OTI DSP COR IVA OUR IND COM "

Set-Cookie: sequery=ÃÃŠÂ»Â¨:4399.com;path=/;domain=.cpro.baidu.com;HttpOnly

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Last-Modified: Sun Aug 17 12:12:48 2014

Cache-Control: post-check=0, pre-check=0

Pragma: no-cache

P3P: CP=" OTI DSP COR IVA OUR IND COM "

<?xml version="1.0" encoding="GBK"?>.<cpro>..<adnum>1</adnum>..<noad>7</noad>..<ads>...<ad>....<desc><![CDATA[hXXp://drmcmm.baidu.com/media/id=rHmkPWbznH6&gp=403&time=nHndn1nkPWcvns.jpg]]></desc>....<surl><![CDATA[love.baidu.com]]></surl>....<curl><![CDATA[hXXp://love.baidu.com/]]></curl>....<width>400</width>....<height>300</height>...</ad>..</ads>..<type>gongyi</type>.</cpro>..

GET /js/click.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4399.com/flash/80727.htm

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 4399stat.5054399.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Sun, 17 Aug 2014 04:12:26 GMT

Content-Type: application/x-javascript

Last-Modified: Wed, 15 Jan 2014 06:56:45 GMT

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

Expires: Sun, 17 Aug 2014 04:12:27 GMT

Cache-Control: max-age=1

Content-Encoding: gzip

41b............}U.o.6..v.....DT.*...K<-.)6....uOA`0.%3.(....I....EY...A......}p'.3..d..V....Zj..L.#M.<? {.[.hV...~........)......<..el.u.........2H@...T.e.eo...d..[. .A=#mo4..1..u.?t.(]..Dv.:.....@..S.*.q.........4=.Fq.....**....Fm%W....!.....5j`.....U..e. .2P..I~$.f...........Je.<b.F./(.V<.oQ.....b.I.E.^1..)z..0&...T0OU2n...)..} .....a.%...E.......F...-..%ka0>.v.VY.>..I..`.....-g..?....IB^.3.^\......XU...t.....JN......tr.-.t.J..`...H..V.fX.Z.".c.)./ 6......>..M....=.^....igrp.l.m.//.m..vV....=.Y...$A... ... ...7\F....zr?....Ts..G.v.....<\.0>.K..*.g:..0.[...g....Y....o.B.M!..ku..m.am.<=..<a....4r<.x2...&l.."av...............Ya.n(........7.......@.f.._2..U.vQ.z`f.?>~.....9.[n;...l.....=..^`..S..nvH.D.%...d.K...P:K)<V..S....P..=........v.....E.Oi'bKuX.'.Ejk.{pknyH.n.g.t..9......n.y...d..a$...-..z.........,.Z.....Yb..Ov...@^j..TC..a.i].........i.....v..."O.#.C..G...ln..D.........&.C......W.r *.o.......%1U..]..:X.jtD:.......R5"......W...CW9..V...........@.....t.......a..p@|{<...}...j.;....M..}...H...?k.yH...Unc..(Q..Fi.^..t.6..U ..^"...z.F{......0..

GET /flash_ctrl_version.xml?ran=65853.53179834783 HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: stat.api.4399.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.1

Date: Sun, 17 Aug 2014 04:12:24 GMT

Content-Type: text/xml

Content-Length: 530

Last-Modified: Thu, 27 Mar 2014 03:14:01 GMT

Connection: close

ETag: "53339779-212"

Accept-Ranges: bytes

<?xml version="1.0" encoding="utf-8"?>.<resInfos>..<info resName="zwsf">hXXp://cdn.comment.4399pk.com/control/zwsf2-3.gif?20120719</info>..<info resName="ctrl">hXXp://cdn.comment.4399pk.com/control/ctrl_mo_v4.swf?20140327</info>..<info resName="ads">hXXp://cdn.comment.4399pk.com/control/A4399dv_base.swf?20130625</info>..<info resName="ctrl_v5">hXXp://cdn.comment.4399pk.com/control/ctrl_mo_v5.swf?20140327</info>..<info resName="tools_as3">hXXp://cdn.comment.4399pk.com/control/open4399tools_AS3.swf?20130617</info>.</resInfos>...

GET /control/A4399dv_base.swf?20130625 HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cdn.comment.4399pk.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sun, 17 Aug 2014 04:10:04 GMT

Server: nginx/1.0.4

Content-Type: application/x-shockwave-flash

Last-Modified: Tue, 25 Jun 2013 08:05:23 GMT

ETag: "538199e-841e-4dff5fdb016c0"

Accept-Ranges: bytes

Content-Length: 33822

Age: 1

X-Via: 1.1 zjjhdx35:80 (Cdn Cache Server V2.0), 1.1 hx5:7 (Cdn Cache Server V2.0)

Connection: keep-alive

CWS.A...x....\SG.>~..&77.....5....h.."(*`...........R..}..]q..}.........X..V[k..............}..g...9sf....2....8NK..>j..".....*.E.p...=..Y...Z..YN......b...t.k.=O..0...(........u....\a.3.8..W..CU...1....ke.!...rC...(8.o...Cw......H.~8..6.5...,.Lk...S..j...6.S.aH7..*...w.?G.AxU}..b...Z-..T.[LN....cH7[3[T...e?U.}Mv..U.e..C.....[...<}Mk.#..L.....>..e..9-1...I.F...7.1....m.T...rX.$... .. .[6.........>*.q.E..j.)..hK_.........%U...9.w`B.._BF<..Xz>...T./....!p...*...K....A.t..$...:..suVq._~......#..4.q..8.g...}...!....qd......~.P....\..a.0.. ....p...m[{.........-.....4......?...k....>.?....\..:.H[. .93....>>.]..}........t....4i...[...\.Mw.k.I..........W$.A\....R..\.|....C5|'F..VD..p..*.|.".I...X.=s..MI.....5.W...8..K..*...:D...BU...k..S.J.J.$..V.R)..h..xi..HIZ.N[Q..PF..xh.^e* .....!W_..L.(....g.....z...?e.t......0.m..KV....C.>..8W.[.W.....T).5..&:.(..B.Q*...^!(U>..X.A..W.~e.."....Q-.S..6..W.L.....`..g......J8^.^.O...>5....h..(|.V..?...U:....Q.=....T.1..g.^.{........_o.m..ul..e...L.6wc."nZ\....#k.....5c..?.tL...l. .Z..'SF5...8.j.....N..U..o{.YQ...8T:.e./..Y.cI.UE....).n.43q..Kcz...V.J.....i.l..`..tN..].....9...[..~.!W.t{.G.X.'.-.Z4^w.a...;u{*d..U.y.....f.....i..57...s.x.....:...}... ..wI..6v.........n~v.....9....~...vM...:.O.-}.o........=w}..ql....n.lH..|....Sk.7]T..X.v.}...5y......?.0ql.G..].f.......fQV..Y.w.....M.(*...U..-k`,.{.Mka......=Rpf..?6...x..._<i..X.^... .l..b.q.if.....`}...;..m2...o...;e.6m..C...=.g...D7...3...^o?y.}.......G\...I/.~.tQ.G......-.. 7....?..<..o^Z..

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_2012:

.text

`.rdata

@.data

.rsrc

t$(SSh

~%UVW

u$SShe

kernel32.dll

SkinH_EL.dll

hXXp://VVV.4399.com/flash/80727.htm

DSound.dll

Winmm.dll

fJ.WM_

CX%xm

Ã•6m*

n.BjCw

%s;7*

0%x@w

%C^L:

%s T5

]E4%F(

.Funr

k%UPp

fg.VG

%C',@

>Ã™d

0'.Ll

[I(3/#N0.bd

j"%u=w

q%Xn`

@|H.NI

.wdd!

S|%u4

*.Ea]S

Q.CGo

fTpe

.LLbX

-.Mdl

\-A}=3K

Y:.akpS

$.Zcqn

.WE= T!N

#?%s(C(

u.Jck~

zx/%FN[

%s=\RI

}j%c%Y)

Rx.GR

4o#.dM

IeS`%C

[n 4\.UY

,4.qO,

gQ'.Io

%cLur?

s%DHB

]I%%X

5r.US

:mD].tB

f%fUZ

.fOuV12

*_.dC

&-N}

({?.cQm

.Cqx~c

.`.Qw

**.dU

!n]%x

%X,Cr

&.PFy{xh

.um ZZE7L

/^p%u$

I.NoQY

zu.ew

D/.nT

\SkinH_EL.dll

C$%cmb

.ppM|

aZ.mO

%-^

.hk;~

KERNEL32.DLL

COMCTL32.dll

GDI32.dll

MSIMG32.dll

MSVCRT.dll

MSVFW32.dll

USER32.dll

F%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

ole32.dll

__MSVCRT_HEAP_SELECT

user32.dll

iphlpapi.dll

SHLWAPI.dll

MPR.dll

WINMM.dll

WS2_32.dll

VERSION.dll

GetProcessHeap

WinExec

KERNEL32.dll

GetKeyState

RegisterHotKey

UnregisterHotKey

GetViewportOrgEx

WINSPOOL.DRV

RegCloseKey

RegOpenKeyExA

RegCreateKeyExA

ADVAPI32.dll

ShellExecuteA

SHELL32.dll

OLEAUT32.dll

oledlg.dll

DeleteUrlCacheEntry

FindNextUrlCacheEntryA

FindFirstUrlCacheEntryA

WININET.dll

GetCPInfo

CreateDialogIndirectParamA

UnhookWindowsHookEx

SetWindowsHookExA

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

comdlg32.dll

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.*)|*.*||

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

Kernel32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

out.prn

%d.%d

%d / %d

%d/%d

Bogus message code %d

(%d-%d):

%ld%c

%d%d%d

rundll32.exe shell32.dll,

(*.htm;*.html)|*.htm;*.html

its:%s::%s

index.dat

desktop.ini

.PAVCOleException@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

.PAVCOleDispatchException@@

zcÃ

c:\%original file name%.exe

#include "l.chs\afxres.rc" // Standard components

1, 0, 6, 6

(*.*)

1.0.0.0

(hXXp://VVV.eyuyan.com)

%original file name%.exe_2012_rwx_10001000_00039000:

L$(h%f

SSh0j

msctls_hotkey32

TVCLHotKey

THotKey

\skinh.she

}uo,x6l5k%x-l h

9p%s m)t4`#b

e"m?c&y1`Ã

SetViewportOrgEx

SetViewportExtEx

SetWindowsHookExA

UnhookWindowsHookEx

EnumThreadWindows

EnumChildWindows

`c%US.4/

!#$

.text

`.rdata

@.data

.rsrc

@.UPX0

`.UPX1

`.reloc