Trojan.NSIS.StartPage_6159d40a10

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

shandian.exe:648
shandian.exe:1724

The Trojan injects its code into the following process(es):

sdad.exe:668
%original file name%.exe:1912

File activity

The process shandian.exe:648 makes changes in the file system.

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~DF292B.tmp (0 bytes)

The process shandian.exe:1724 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\DD_belatedPNG_0.0.8a-min[2].js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\edKzjJ6oPX1140[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@123.sogou[2].txt (1876 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\setting_icon[1].gif (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\DD_belatedPNG_0.0.8a-min[1].js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\skin3[1].gif (818 bytes)
%Program Files%\shandian\bin\twcache.ini (696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\20130531144119_126[1].png (3811 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\titlebg[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\ufo2[1].js (19130 bytes)
%Program Files%\shandian\bin\ImgCache\123.sogou.com_favicon.ico (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\fbg_about[1].png (634 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\hotdata[1].js (478 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\selogo_111207[1].png (2510 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\main[1].js (7906 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\rec[1].do (377 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VGX3.tmp (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\20140508103513_537[1].gif (7686 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\20140520134931_810[1].jpg (3964 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\setskinbg[1].gif (397 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\20130830161205_609[1].gif (3061 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\ufo2[2].js (19815 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@123.sogou[1].txt (1394 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\hotdata[2].js (1368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\selogo_111207[1].png (2891 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\_ads_2[2].js (706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\skin2_0[1].gif (592 bytes)
%Program Files%\shandian\bin\shandian.ini.tmp (244 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[1].txt (454 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\v53_123n[1].js (2100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\20130820165531_481[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\new-erweima2[1].png (4281 bytes)
%Program Files%\shandian\bin\theworld.ac (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\123.sogou[1] (13337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\img-video-2[1].gif (225 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\v33_sugg_ajaj_v40_3[2].js (940 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\newioage[1].css (715 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\20140526163043_207[1].jpg (815 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\20140526151005_195[1].jpg (3523 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\v53_2icos[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\welcome_cn[1].htm (1469 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\start_button[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\v53_bicos[1].gif (826 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\skin_[1].css (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\guide_top[1].jpg (2102 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\texture[1].gif (2268 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\subnav_v41[1].png (634 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\v53_123n[2].js (3723 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@wan.sogou[1].txt (193 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\cloudy[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\main[2].js (6187 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\20140526170756_638[1].jpg (985 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\citydata[2].js (7819 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\favicon[1].ico (681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\zd7uDX2EkK0904[1].jpg (506 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[2].txt (320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\citydata[1].js (8401 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\get_tj[1].php (2445 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\img-news[1].gif (225 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\fine[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\20140526163242_997[1].jpg (1366 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\guide_tip[1].png (3015 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\logo_1112293[1].gif (1266 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\search_arrow[1].gif (447 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\get_123_v53[1].php (17411 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\v53_arrow_h[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\i-ico-2b[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\20140526163446_912[1].jpg (1434 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\icon4[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\_ads_2[1].js (678 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\selogo_111207[2].png (3362 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (9640 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\123.sogou[1].htm (13090 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\foot_slider[1].jpg (322 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\v33_sugg_ajaj_v40_3[1].js (1701 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\new-ico[1].png (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\skin_tips_n1[1].gif (173 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\guide_tip[2].png (2319 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\guide_tip[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\main[1].js (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@123.sogou[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\DD_belatedPNG_0.0.8a-min[1].js (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@123.sogou[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\_ads_2[1].js (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\v53_123n[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\hotdata[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\ufo2[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\citydata[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\v33_sugg_ajaj_v40_3[1].js (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[2].txt (0 bytes)
%Program Files%\shandian\bin\shandian.ini (0 bytes)

The process sdad.exe:668 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\aaa3[1].jpg (26282 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\b17[2].jpg (16588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\aaa7[1].jpg (5996 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\aaa10[1].jpg (3601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\aaa9[1].jpg (3981 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\id=nHRLPjm3nWRY&gp=401&time=nHnLPjmzrHckPs[1].jpg (1315 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\aaa2[2].jpg (13333 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\b18[1].jpg (10441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\shehui_509_366[1].htm (1451 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\nvxing_509_366[1].htm (3581 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\0[1].swf (15268 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\meinv[1].htm (1450 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[2].txt (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\normal_bg[1].png (14333 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\stylemini[1].css (6889 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\cpc_img[1].htm (442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\aaa2[1].jpg (17873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\aaa3[2].jpg (19465 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\b16[1].jpg (19594 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\core[1].php (798 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\style[1].css (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\b15[1].jpg (14929 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\aaa5[1].jpg (29542 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\ico_new2[1].png (23485 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\cpc_swf[1].asp (2111 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\b14[1].jpg (17993 bytes)
%Program Files%\shandian\bin\update\PopWinParam.xml (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\b18[1].jpg (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\meinv[1].htm (2043 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\shehui_509_366[1].htm (2349 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\b17[1].jpg (11713 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@70e[1].txt (513 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (20336 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\aaa1[1].jpg (14594 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\core[1].php (798 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\aaa6[1].jpg (13013 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\aaa4[2].jpg (14870 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\aaa1[1].jpg (17405 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\cpc_img[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\xinwen[1].htm (3498 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\min[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\aaa4[1].jpg (24510 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\Untitled-1[1].gif (7361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\aaa6[1].jpg (15594 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\Untitled-2[1].gif (7761 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\aaa9[1].jpg (9562 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\cpv1[1].htm (1117 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\lieqi_509_366[1].htm (4048 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\stat[1].php (2463 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\aaa10[1].jpg (9462 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\aaa8[1].jpg (9622 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@70e[2].txt (269 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\b19[1].jpg (8201 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@565882[1].txt (139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\cpc_ztyw[1].css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\Close[1].gif (348 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\b13[1].jpg (18733 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[2].txt (410 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (615 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.mdtxw[2].txt (692 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\jquery-1.7.2.min[1].js (59725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\b15[1].jpg (17013 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\2012_swf[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\jiankang_509_366[1].htm (2088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\close[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\id=nHRLPjm3nWRY&gp=401&time=nHnLPjmzrHckPs[1].jpg (1963 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\jiankang_509_366[1].htm (3105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\aaa8[2].jpg (2820 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[2].txt (330 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\lieqi_509_366[1].htm (3906 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\xinwen[1].htm (2418 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\aaa7[1].jpg (10441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\stat[2].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\nvxing_509_366[1].htm (3525 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\aaa5[1].jpg (23041 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\tj[1].js (279 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\b13[1].jpg (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\Untitled-3[1].jpg (11612 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\b16[1].jpg (19073 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (330 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\miniindex[1].htm (4033 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\jquery-1.7.2.min[1].js (8326 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\b19[1].jpg (9181 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\b14[1].jpg (16894 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.mdtxw[1].txt (1011 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\aaa3[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@70e[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\cpc_swf[1].asp (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\core[1].php (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\aaa10[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\b18[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\aaa7[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\meinv[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\style[1].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\b19[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\aaa8[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@70e[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\shehui_509_366[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\aaa1[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\nvxing_509_366[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\xinwen[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\b13[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\aaa4[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\aaa2[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.mdtxw[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\b15[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\lieqi_509_366[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\b16[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\b17[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\aaa6[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\aaa9[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\style[1].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\id=nHRLPjm3nWRY&gp=401&time=nHnLPjmzrHckPs[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\jiankang_509_366[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\aaa5[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\b14[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.mdtxw[1].txt (0 bytes)

The process %original file name%.exe:1912 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\shandian\ico\360.ico (32 bytes)
%Documents and Settings%\%current user%\Desktop\Internet Explorer.lnk (1 bytes)
%Program Files%\shandian\bin\shandian.ini (74 bytes)
%Program Files%\shandian\home.bat (691 bytes)
%Program Files%\shandian\bin\shandian.exe (28332 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp\xID.dll (10 bytes)
%Program Files%\shandian\ico\ie.ico (700 bytes)
































































&gp&time






























































&gp&time

&<&&

<<

<<<>>>

&cna

&cna

<><><><><><><><><>><&<<>

<<

<<<>>>

&gp&time

&&D.TdE..t6..U.e.....u..F&>><<

<<

<<<>>>

<<

<<<>>>

<><><><><><><><><><>

<<

<<<>>>

<><><><><><><><>

<<

<<<>>>

<><><><><><><><><><><>

<<

<<<>>>

<><><><><><><><><><>

<<

<<<>>>

<><><><><><><><>

<<

<<<>>>

<><><><><><><><><><><>

<<

<<<>>>

&b.....HmkBF........................................................................&>>&><<&><>><<

<<

<<<>>>

&&D.TdE..t6..U.e.....u..F&>>>>>>&

<<

<<<>>>

<>>>>&><><<&<<>><<

<<&>&&V>>>

<<

<<<>>>

&&D.TdE..t6..U.e.....u..F&<<<>

<<

<<<>>>

>&&D.TdE..t6..U.e.....u..F&<<<>>&V...fc.

<<

<<<>>>

&&D.TdE..t6..U.e.....u..F&>&&&O.W..._........C..T.........gJ..X..<<

<<

<<<>>>

&&D.TdE..t6..U.e.....u..F&<&v.a.Ay......>>>

<<

<<<>>>

<<

<<<>>>

<><><><><><><><><><><><><><><><><><><><>

&rnd

&cna

&cna

&rnd

&cna

&cna

<<><><><><><><><><>><<<

<<

<<<>>>

<><><><><><><><><><><><><><><><><>

<<

<<<>>>

<<><><><><><><><><>><<

<<

<<<>>>

&mainver&popver&xmlver

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

<<

<<<>>>

<><><><><><><><>

&gp&time

&&D.TdE..t6..U.e.....u..F&>><<&&<

<<

<<<>>>

<<><<&>><<>&>><>&&v....m....02<<<<

<<

<<<>>>

&&<<<>>><>>><><><&<

<<

<<<>>>

<>&<&>&&&><

<<

<<<>>>

<<><><><

<<

<<<>>>

<<<&L.>&<&<<<

<<

<<<>>>

&><<&S....<<<<<>>>&&&<<<&&&KM.M..RM..

<<

<<<>>>

&&>&<><>>>>&

<<

<<<>>>

&&<<&&&>&<<><<

<<

<<<>>>

<<><><><><><><><><><&><&<>&>

<<

<<<>>>

&ver&gfg&city&pid&c&method&cbf

北京多云北风级晴微风多云微风多云微风多云微风多云转阴微风阴微风四月廿九

<<

<<<>>>

&&&b...D..<<&s8..&<&

<<

<<<>>>

&r&lg&ntime&repeatip&rtime&cnzz_eid&showp&st&sin&t&rnd

>>><<<<&L...>><&

<<

<<<>>>

&P......sBIT.....O.....PLTE...

&

&&D.TdE..t6..U.e.....u..F&>>&>>>&>>&&<

<<

<<<>>>

&&D.TdE..t6..U.e.....u..F&<&v.a.Ay......>>>

<<

<<<>>>

<<

<<<>>>

&rdk&img&pars&suid&sduv&ckid&m&apid&sgtp&refer&page&pageUrl&loc&hp&pid&ptype&pcode&yyid&skin&ver&sys&ser&sev&time

&ufoid&ptype&pcode&rdk&refer&page&pageUrl&img&vcode

&r&lg&ntime&repeatip&rtime&cnzz_eid&showp&st&sin&t&rnd

&t

站长统计&&&n.callRequest&&<><><><><>站长统计&&&n.callRequest&&

<<

<<<>>>

&name&mac&md5

&><<&S....<<<<<>>>&&&<<<&&&KM.M..RM..

<<

<<<>>>

&u2.....pHYs................OiCCPPhotoshop&><<&S....<<<<<>>>&&&<<<&&&KM.M..RM..

<<

<<<>>>

>&<&W.>><><&&>&>&><>

<<

<<<>>>

&r&lg&ntime&repeatip&rtime&cnzz_eid&showp&st&sin&t&rnd

<&><>&&<>&V.&&><<<<<

<<

<<<>>>

><<<<<<<&YD.&>>&k.r<&&&<

<<

<<<>>>

&<<>&<

<<

<<<>>>

<<&n.-&j..a...91>>><&K..hhA....U.T.J....-.<>>>>&I...&>>

<<

<<<>>>

&mainver&popver&xmlver

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

<<

<<<>>>

<><><><><><><><><><><><><><>

<><><><><><><><><><><><><><><><><><><><><><><><><><><><>

&><<&S....<<<<<>>>&&&<<<&&&KM.M..RM..

<<

<<<>>>

<><><><><><><><><>>

<<

<<<>>>

<&><><>><>>&<&>><

<<

<<<>>>

<<<>>&>&

<<

<<<>>>

&>&g......u....yv.nz......9..><>>&:>&<&wl.Wp...R.....gu<<>&s..<<<<

<<

<<<>>>

&<<<&

<<

<<<>>>

&ids

<<

<<<>>>

&guid&lastver

<><><><><><><><><><> <><><><><><><><><><><><><><><><><><><><><><><><> <><><><><><><><><><> <><><><><><>

<<

<<<>>>

&guid&lastver

&guid&lastver

&<<>&<&&&&&<

<<

<<<>>>

&guid&lastver

&><>>&<<&&&>>><<&&

<<

<<<>>>

&><<&S....<<<<<>>>&&&<<<&&&KM.M..RM..

<<

<<<>>>

<&&<&&

<><><><><><><><><><><><><><

<<

<<<>>>

<><><><><><>&&<&&&&l

<<

<<<>>>

<><><><><><><><>

<<

<<<>>>

<><><><><><><><>

<<

<<<>>>

<><><><><><><><>

<<

<<<>>>

<><><><><><><><>

<<

<<<>>>

<><><><><><><><>

<<

<<<>>>

<><><><><><><><>

<<

<<<>>>

&<><>>><&<&i.><<&&<

<<

<<<>>>

&&>>>&>&<<<<&&&T....2Q

<<

<<<>>>

<<

>><>>>&bc1l...h..DQ..m..D...4f...b.......1x<><&>&

<<

<<<>>>

<<

<<<>>>

&&D.TdE..t6..U.e.....u..F&>>&>>>&>>&&<

<<

<<<>>>

&&D.TdE..t6..U.e.....u..F&<>>&<>

<<

<<<>>>

&&D.TdE..t6..U.e.....u..F&<>><

<<

<<<>>>

&&D.TdE..t6..U.e.....u..F&<&>>&&

<<

<<<>>>

&&D.TdE..t6..U.e.....u..F&><<&&><<

<<

<<<>>>

&&D.TdE..t6..U.e.....u..F&>>>>><&

<<

<<<>>>

&&D.TdE..t6..U.e.....u..F&<><>><

<<

<<<>>>

&&D.TdE..t6..U.e.....u..F&<&><&&<<&&>>

<<

<<<>>>

&&D.TdE..t6..U.e.....u..F&>&><

<<

<<<>>>

&&D.TdE..t6..U.e.....u..F&>><>&><

<<

<<<>>>

<<

<<<>>>

&X<&X<

<<

<<<>>>

&&<<>><>&&<>><><<<>

<<

<<<>>>

><>&>>><>&&<<<&<

<<

<<<>>>

<><><><><><><><><><><><><><

<<

<<<>>>

&t

站长统计&&&n.callRequest&&<><><><><>站长统计&&&n.callRequest&&

<<

<<<>>>

&ac&name&mac&md5

<<

<<<>>>

&&y.5..<<<>&&p........x...r....>

<<

<<<>>>

&&&&<<>&C.r..N.......<<&<&

<<

<<<>>>

&&D.TdE..t6..U.e.....u..F&&&>>

<<

<<<>>>

&&D.TdE..t6..U.e.....u..F&><&&<<&>

<<

<<<>>>

&&D.TdE..t6..U.e.....u..F&<><>>>

<<

<<<>>>

&&D.TdE..t6..U.e.....u..F&<<<>

<<

<<<>>>

>&&D.TdE..t6..U.e.....u..F&<<<>>&V...fc.

<<

<<<>>>

&&D.TdE..t6..U.e.....u..F&>&&&O.W..._........C..T.........gJ..X..<<

<<

<<<>>>

&&D.TdE..t6..U.e.....u..F&<>>&<>

<<

<<<>>>

&&D.TdE..t6..U.e.....u..F&<>><

<<

<<<>>>

&&D.TdE..t6..U.e.....u..F&<&>>&&

<<

<<<>>>

&&D.TdE..t6..U.e.....u..F&><<&&><<

<<

<<<>>>

&&D.TdE..t6..U.e.....u..F&><&&<<&>

<<

<<<>>>

&&D.TdE..t6..U.e.....u..F&>&><

<<

<<<>>>

&&D.TdE..t6..U.e.....u..F&<><>

<<

<<<>>>

&ufoid&ptype&pcode&rdk&img&sourcelist&titlelist

&r&lg&ntime&repeatip&rtime&cnzz_eid&showp&st&sin&t&rnd

&r&lg&ntime&repeatip&rtime&cnzz_eid&showp&st&sin&t&rnd

<<><><><><><><><><><&><&<>&>

<<

<<<>>>

&ac&name&mac&md5

<<

<<<>>>

&z..Hv......L...&&&&LLN.T>><

&&<<><&<<&><<<<<<&&&

<<

<<<>>>

><&O........<&&>&&F...m...9.h..0..&<>><

<<

<<<>>>

>>

&>>>&&l...>>&&><>><&B><>><&

<<

<<<>>>

&rnd

&cna

&cna

&rnd

&cna

&cna

&rnd

&cna

&cna

&&D.TdE..t6..U.e.....u..F&&&>>

<<

<<<>>>

&&D.TdE..t6..U.e.....u..F&>>>>><&

<<

<<<>>>

&&D.TdE..t6..U.e.....u..F&<><>><

<<

<<<>>>

&&D.TdE..t6..U.e.....u..F&<&><&&<<&&>>

<<

<<<>>>

&cna

&cna

&cna

><

&n..>><&&><&<&&><<><

<<

<<<>>>

&guid&lastver

>>&><>>&&<

<<

<<<>>>

&jsonp&t&_stamp

<>>>>>&<><><><><

<<

<<<>>>

<>"

<>"

""

""

""

""

""

""

   <""""><>

   <""""><>

"

"

""

""

""

""

<""""""><""""><""""""""><><><><><""""""""""""><><><""><><><""""><><><><""><><""><""><><><>

<""""""><""""><""""""""><><><><><""""""""""""><><><""><><><""""><><><><""><><""><""><><><>

"""""

"""""

""""""

""""""

"

"

""""""

""""""

""

""

"""

"""

""""""

""""""

&&&

&&&

&&&&

&&&&

&&&&

&&&&

&&&

&&&

&"

&"