Gen:Heur.PWSIME.2 (BitDefender), TrojanDownloader:Win32/Bulilit.A (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), VirTool.Win32.Obfuscator.XZ (v) (VIPRE), Trojan.DownLoader1.14994 (DrWeb), Gen:Heur.PWSIME.2 (B) (Emsisoft), Artemis!B424ADA5B95A (McAfee), Trojan-Downloader.Win32.Bulilit (Ikarus), Gen:Heur.PWSIME.2 (FSecure), Gen:Heur.PWSIME.2 (AdAware), GenericEmailWorm.YR, GenericInjector.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Worm, EmailWorm, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: b424ada5b95a26a68ae20111fafda4e3
SHA1: f4163bad2be514b7b1b66cf322932c4bdfe32c62
SHA256: 0b4592d12bc8cf17b02875d353e826767261a464b40a43d054008f6bccc35bc1
SSDeep: 49152:xQWWWWWWWWWWWWWWWWWWWWWWCWWWWWWWWWWWWWWWWWWWWWW4BEDXXzFAvE83W6Wd:uWWWWWWWWWWWWWWWWWWWWWWCWWWWWWWb
Size: 2252800 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-07-04 21:46:32
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:1660
File activity
The process %original file name%.exe:1660 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SPE38PAB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\c4869.tmp (3361 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (198 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\drivers\oOkqgAlNacFa.sys (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GXEROL6B\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\E_UIEngine\90afea1eeb37be7a93471c36152ab43a\90afea1eeb37be7a93471c36152ab43a.jpg.data (28 bytes)
%Program Files%\Common Files\ysz.ini (479 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\c4907.tmp (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NN05OJX8\desktop.ini (67 bytes)
%System%\time1.dll (192 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\c4694.tmp (4545 bytes)
%Documents and Settings%\%current user%\Application Data\E_UIEngine\90afea1eeb37be7a93471c36152ab43a\90afea1eeb37be7a93471c36152ab43a.jpg (676 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7TJDBR9R\desktop.ini (67 bytes)
%System%\drivers\etc\hosts (232 bytes)
%System%\time.ime (53 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\c4869.tmp (0 bytes)
%Program Files%\Common Files\ysz.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\c4694.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\c4907.tmp (0 bytes)
%System%\drivers\oOkqgAlNacFa.sys (0 bytes)
Registry activity
The process %original file name%.exe:1660 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E0200804]
"Layout File" = "kbdus.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E0200804]
"Ime File" = "TIME.IME"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1024x768x32(BGR 0)" = "31,31,31,31"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E0200804]
"Layout Text" = "Windows±êÃâ€â€Ãƒâ€šÃ‚¼ÃƒÅ ÃƒÂ¤ÃƒË†ÃƒÂ«Ã‚·Â¨Ã€Â©Ã•¹·þÎñ"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 13 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F FE C9 9A 05 F6 F7 54 76 F3 CE D4 9D 88 4D 19"
[HKCU\Software\Super-EC\½ûÖ¹ÖØ¸´Ãâ€ÂËÃÂÂÃÂÂ]
"(Default)" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Keyboard Layout\Preload]
"2" = "E0200804"
The Trojan modifies IE security zone settings so that all local web nodes without dots that are not otherwise assigned to a zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
b60da4e2e5aceba3ce3d87ee2cd872ee | c:\WINDOWS\system32\time.ime |
ec1f44ea0c4b88856d7ca9dbf8ed628f | c:\WINDOWS\system32\time1.dll |
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which maps host names to IP addresses. The modified file is 232 bytes in size. The following entries are added to the hosts file:
IP address | Host name |
---|---|
174.139.113.251 | qltea.com |
174.139.113.251 | www.qltea.com |
174.139.113.251 | cfwgw.org |
174.139.113.251 | www.cfwgw.org |
174.139.113.251 | cfwg520.com |
174.139.113.251 | www.cfwg520.com |
174.139.113.251 | 9369.org |
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SPE38PAB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\c4869.tmp (3361 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (198 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\drivers\oOkqgAlNacFa.sys (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GXEROL6B\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\E_UIEngine\90afea1eeb37be7a93471c36152ab43a\90afea1eeb37be7a93471c36152ab43a.jpg.data (28 bytes)
%Program Files%\Common Files\ysz.ini (479 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\c4907.tmp (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NN05OJX8\desktop.ini (67 bytes)
%System%\time1.dll (192 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\c4694.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7TJDBR9R\desktop.ini (67 bytes)
%System%\drivers\etc\hosts (232 bytes)
%System%\time.ime (53 bytes)
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 1037867 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 1044480 | 5931336 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.data | 6979584 | 319434 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 7299072 | 252032 | 237568 | 3.4753 | b6456c9192f6e018128b5e168620e143 |
.vmp0 | 7553024 | 201028 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.vmp1 | 7757824 | 2006227 | 2007040 | 5.48167 | 55ba30728472309e8891a9a9013510b2 |
.reloc | 9764864 | 140 | 4096 | 0.161251 | 114c09c2680124eb824d72995ea548c4 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_1660: