Trojan.Win32.FlyStudio_b424ada5b9

Dynamic Analysis

Payload

Behaviour	Description
EmailWorm	Worm can send e-mails.

Process activity

The Trojan creates the following process(es):No processes have been created.The Trojan injects its code into the following process(es):

%original file name%.exe:1660

File activity

The process %original file name%.exe:1660 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SPE38PAB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\c4869.tmp (3361 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (198 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\drivers\oOkqgAlNacFa.sys (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GXEROL6B\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\E_UIEngine\90afea1eeb37be7a93471c36152ab43a\90afea1eeb37be7a93471c36152ab43a.jpg.data (28 bytes)
%Program Files%\Common Files\ysz.ini (479 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\c4907.tmp (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NN05OJX8\desktop.ini (67 bytes)
%System%\time1.dll (192 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\c4694.tmp (4545 bytes)
%Documents and Settings%\%current user%\Application Data\E_UIEngine\90afea1eeb37be7a93471c36152ab43a\90afea1eeb37be7a93471c36152ab43a.jpg (676 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7TJDBR9R\desktop.ini (67 bytes)
%System%\drivers\etc\hosts (232 bytes)
%System%\time.ime (53 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\c4869.tmp (0 bytes)
%Program Files%\Common Files\ysz.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\c4694.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\c4907.tmp (0 bytes)
%System%\drivers\oOkqgAlNacFa.sys (0 bytes)

Registry activity

The process %original file name%.exe:1660 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E0200804]
"Layout File" = "kbdus.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E0200804]
"Ime File" = "TIME.IME"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1024x768x32(BGR 0)" = "31,31,31,31"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E0200804]
"Layout Text" = "Windows±ê×¼ÊäÈë·¨À©Õ¹·þÎñ"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 13 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F FE C9 9A 05 F6 F7 54 76 F3 CE D4 9D 88 4D 19"

[HKCU\Software\Super-EC\½ûÖ¹Öظ´ÔËÐÐ]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Keyboard Layout\Preload]
"2" = "E0200804"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5	File path
b60da4e2e5aceba3ce3d87ee2cd872ee	c:\WINDOWS\system32\time.ime
ec1f44ea0c4b88856d7ca9dbf8ed628f	c:\WINDOWS\system32\time1.dll

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 232 bytes in size. The following strings are added to the hosts file listed below:

174.139.113.251	qltea.com
174.139.113.251	www.qltea.com
174.139.113.251	cfwgw.org
174.139.113.251	www.cfwgw.org
174.139.113.251	cfwg520.com
174.139.113.251	www.cfwg520.com
174.139.113.251	9369.org

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:

   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SPE38PAB\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\c4869.tmp (3361 bytes)
   %Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (198 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %System%\drivers\oOkqgAlNacFa.sys (9 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GXEROL6B\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Application Data\E_UIEngine\90afea1eeb37be7a93471c36152ab43a\90afea1eeb37be7a93471c36152ab43a.jpg.data (28 bytes)
   %Program Files%\Common Files\ysz.ini (479 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\c4907.tmp (1425 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NN05OJX8\desktop.ini (67 bytes)
   %System%\time1.dll (192 bytes)
   %Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\c4694.tmp (4545 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7TJDBR9R\desktop.ini (67 bytes)
   %System%\drivers\etc\hosts (232 bytes)
   %System%\time.ime (53 bytes)

4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	1037867	0	0	d41d8cd98f00b204e9800998ecf8427e
.rdata	1044480	5931336	0	0	d41d8cd98f00b204e9800998ecf8427e
.data	6979584	319434	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	7299072	252032	237568	3.4753	b6456c9192f6e018128b5e168620e143
.vmp0	7553024	201028	0	0	d41d8cd98f00b204e9800998ecf8427e
.vmp1	7757824	2006227	2007040	5.48167	55ba30728472309e8891a9a9013510b2
.reloc	9764864	140	4096	0.161251	114c09c2680124eb824d72995ea548c4

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_1660:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.vmp0

@.vmp0

.vmp1

.vmp1

.reloc

.reloc

t$(SSh

t$(SSh

~%UVW

~%UVW

u$SShe

u$SShe

gdiplus.dll

gdiplus.dll

kernel32.dll

kernel32.dll

user32.dll

user32.dll

shlwapi.dll

shlwapi.dll

advapi32.dll

advapi32.dll

ntdll.dll

ntdll.dll

Shlwapi.dll

Shlwapi.dll

gdi32.dll

gdi32.dll

ole32.dll

ole32.dll

GdiPlus.dll

GdiPlus.dll

dwmapi.dll

dwmapi.dll

shell32.dll

shell32.dll

ShellExecuteA

ShellExecuteA

GetAsyncKeyState

GetAsyncKeyState

GetKeyState

GetKeyState

EnumWindows

EnumWindows

RegOpenKeyExA

RegOpenKeyExA

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

GetKeyboardLayout

GetKeyboardLayout

UnloadKeyboardLayout

UnloadKeyboardLayout

GetKeyboardLayoutList

GetKeyboardLayoutList

ActivateKeyboardLayout

ActivateKeyboardLayout

GetKeyboardLayoutNameA

GetKeyboardLayoutNameA

RegOpenKeyA

RegOpenKeyA

RegDeleteKeyA

RegDeleteKeyA

RegCloseKey

RegCloseKey

RegCreateKeyA

RegCreateKeyA

RegFlushKey

RegFlushKey

LoadKeyboardLayoutA

LoadKeyboardLayoutA

MapVirtualKeyExA

MapVirtualKeyExA

GdipSetImageAttributesColorKeys

GdipSetImageAttributesColorKeys

GdipSetPenLineJoin

GdipSetPenLineJoin

GdipGetPenLineJoin

GdipGetPenLineJoin

GdipSetStringFormatHotkeyPrefix

GdipSetStringFormatHotkeyPrefix

GdipGetStringFormatHotkeyPrefix

GdipGetStringFormatHotkeyPrefix

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\

$@.jpg

$@.jpg

.data

.data

{B96B3CAE-0728-11D3-9D7B-0000F81EF32E}

{B96B3CAE-0728-11D3-9D7B-0000F81EF32E}

@crossfire.exe

@crossfire.exe

C:\CFLog

C:\CFLog

%System%\TesSafe.sys

%System%\TesSafe.sys

\time.ime

\time.ime

\time1.dll

\time1.dll

.rdata

.rdata

.shoooo

.shoooo

22222222022

22222222022

13447756

13447756

FFGm@AB^777R$$%C

FFGm@AB^777R$$%C

2%c-r

2%c-r

g%UR_

g%UR_

.Un{"

.Un{"

:A.td

:A.td

/.FbH

/.FbH

x7Sql

x7Sql

h;.ptG.(

h;.ptG.(

R`&.UV

R`&.UV

6liR%C?s

6liR%C?s

;%S9!

;%S9!

SYD.ai

SYD.ai

%Documents and Settings%\Administrator\svchost.exe

%Documents and Settings%\Administrator\svchost.exe

software\microsoft\windows\CurrentVersion\Run\

software\microsoft\windows\CurrentVersion\Run\

.yM<=

.yM<=

o.OM -

o.OM -

*.mO]@-.

*.mO]@-.

@_ // >8

@_ // >8

.Ml/0

.Ml/0

>.mO> >

>.mO> >

.OMO?o//

.OMO?o//

`@@=^=- .

`@@=^=- .

->|.\/-/

->|.\/-/

"!@0>]-<</pre><pre>11`.?>?>.>?00</pre><pre>2000_/..?.</pre><pre>" 0@0@>@</pre><pre>0/ /0 ./ /</pre><pre>1 @ 00?/</pre><pre>www.9dcc.com</pre><pre>iexplore.exe</pre><pre>http://www.9dcc.com/po.txt</pre><pre>SOFTWARE\Microsoft\windows\currentversion\run</pre><pre>abcdabcdabcdabcdabcdhttp://zhu.wujidasaobi.com:9099/img.jpg</pre><pre>cdefcdefcdefcdefcdefhttp://qq.3tsf.com:9999/img.jpg</pre><pre>ghfighfighfighfighfiwww.fod.com</pre><pre>hellohellohellohellohttp://zhu.wujidasaobi.com:9099/t/count.asp</pre><pre>kennekennekennekennehttp://qq.3tsf.com:9999/t/count.asp</pre><pre>XXXXXX000000000000</pre><pre>%System%</pre><pre>%System%\xvhost.sb</pre><pre>{00000103-0000-0010-8000-00AA006D2EA4}</pre><pre>{00000101-0000-0010-8000-00AA006D2EA4}</pre><pre>?uid=%s&address=%s&p=%d&a=%d</pre><pre>NETAPI32.dll</pre><pre>MFC42.DLL</pre><pre>MSVCRT.dll</pre><pre>_acmdln</pre><pre>WinExec</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>ADVAPI32.dll</pre><pre>InternetOpenUrlA</pre><pre>WININET.dll</pre><pre>PSAPI.DLL</pre><pre>imm32.dll</pre><pre>%Documents and Settings%\Administrator\Local Settings\Temporary Internet Files\360.dat</pre><pre>.vmp0</pre><pre>`.vmp1</pre><pre>.vmp2</pre><pre>_x.OV</pre><pre>%u@;o</pre><pre>%DTn#</pre><pre>%u:oEc</pre><pre>G%uckm2</pre><pre>J.PQ9Q</pre><pre>The ordinal %u could not be located in the dynamic link library %s</pre><pre>:}zZB>.tp</pre><pre>2]X%u!</pre><pre>=.UND</pre><pre>|;/\%F</pre><pre>WINMM.dll</pre><pre>!.Psa</pre><pre>3(@Ej%f'IU</pre><pre>'7%d!*`</pre><pre>_.okn\^F</pre><pre>f .oi</pre><pre>'y.Go</pre><pre>PGl~Z%sF</pre><pre>k..yAjm=</pre><pre>?.vKh</pre><pre>g%~keY</pre><pre>Kftp6</pre><pre>.vsQ;T:GpOW</pre><pre>The procedure entry point %s could not be located in the dynamic link library %s</pre><pre>GDI32.dll</pre><pre>L.fUx</pre><pre>SHELL32.dll</pre><pre>COMCTL32.dll</pre><pre>@.reloc</pre><pre>^}•D</pre><pre>__MSVCRT_HEAP_SELECT</pre><pre>IMM32.dll</pre><pre>GetCPInfo</pre><pre>imehost.dll</pre><pre>ImeProcessKey</pre><pre>Windows</pre><pre>:):3:9:|:</pre><pre>= =$=(=,=0=4=8=</pre><pre>? ?$?(?,?</pre><pre>|Protected.Now</pre><pre>http://www.9dcc.com/shiguang1.html</pre><pre>174.139.113.251 qltea.com</pre><pre>174.139.113.251 www.qltea.com</pre><pre>174.139.113.251 cfwgw.org</pre><pre>174.139.113.251 www.cfwgw.org</pre><pre>174.139.113.251 cfwg520.com</pre><pre>174.139.113.251 www.cfwg520.com</pre><pre>174.139.113.251 9369.org</pre><pre>174.139.113.251 www.9369.org</pre><pre>http://hi.baidu.com/zhangsanysq/blog/item/1ae7324c39cc68c19d8204c7.html</pre><pre>www.9dcc.com</pre><pre>QQLogin.exe</pre><pre>CFSelWorld.exe</pre><pre>\1.jpg</pre><pre>smtp.163.com</pre><pre>cfjiuling@163.com</pre><pre>C$%cmb</pre><pre>.ppM|</pre><pre> aZ.mO</pre><pre>%-^</pre><pre>.hk;~</pre><pre>KERNEL32.DLL</pre><pre>MSIMG32.dll</pre><pre>MSVFW32.dll</pre><pre>SkinH_EL.dll</pre><pre>(7),01444</pre><pre>'9=82<.342</pre><pre>8e;S÷</pre><pre>urlTEXT</pre><pre>MsgeTEXT</pre><pre>2008:05:14 09:43:11</pre><pre>2008:05:14 09:43:57</pre><pre>2008:05:14 09:44:21</pre><pre>2008:05:14 09:44:39</pre><pre>2008:05:14 09:44:58</pre><pre>2008:05:14 09:46:15</pre><pre>2008:05:14 09:46:36</pre><pre>1=3487638</pre><pre>2=3487639</pre><pre>3=3487640</pre><pre>4=3422105</pre><pre>5=3422106</pre><pre>6=3422363</pre><pre>7=3356828</pre><pre>8=3356829</pre><pre>9=3356830</pre><pre>10=3291295</pre><pre>11=3291551</pre><pre>12=3291552</pre><pre>13=3291553</pre><pre>14=3291554</pre><pre>15=3226018</pre><pre>16=3226019</pre><pre>17=3226020</pre><pre>18=3226276</pre><pre>19=3226277</pre><pre>20=3160741</pre><pre>21=3160742</pre><pre>22=3160743</pre><pre>23=3160744</pre><pre>24=3095209</pre><pre>25=3095467</pre><pre>26=3029932</pre><pre>27=3030190</pre><pre>28=2964654</pre><pre>29=2964657</pre><pre>30=2899379</pre><pre>31=2833847</pre><pre>32=2768567</pre><pre>33=2703293</pre><pre>34=2637760</pre><pre>35=2507206</pre><pre>36=2310861</pre><pre>37=2114775</pre><pre>38=1918687</pre><pre>39=1787880</pre><pre>40=1526514%Program Files%\Common Files\ysz.ini</pre><pre>EAD_PORT</pre><pre>$1(14181</pre><pre>C:\Windows\System32\Drivers\etc\hostshttp://www.super-ec.cnhttp://wghai.com/echttp://qsyou.com/echttp://www.wghai.comhttp://bbs.wghai.com/forum-17-1.html/forum-12-1.html/memcp.php/ip.asp/time.asp/gonggao.txt/ec-user6.php/ec-bd.php/ec-jh.php</pre><pre>http://www.super-ec.cn</pre><pre><input type="text" name="field_2new" size="25" value="" disabled class="txt" />" class="txt" />Function Getcpuid()</pre><pre>Set cpuSet = GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_Processor")</pre><pre>getcpuid=cpu.ProcessorId</pre><pre>%S~-D</pre><pre>Kernel32.dll</pre><pre>cmd.exe /c del</pre><pre>\\.\PhysicalDrive</pre><pre>Keyboard Layout</pre><pre>Keyboard Layout\Preload</pre><pre>.frH^w</pre><pre>F#Y.Ai[</pre><pre>ZV0.FqT</pre><pre><*.zzd</pre><pre>,,**)))...###</pre><pre>@89899899:</pre><pre>89899899<</pre><pre>898998999</pre><pre>888888888</pre><pre>898998998</pre><pre>998998998</pre><pre>'''*'''%F</pre><pre>''**'***</pre><pre>''**'**'</pre><pre>''**''''</pre><pre>%#()-.00</pre><pre>%%xB0</pre><pre>cfshiguang@163.com )</pre><pre>http://www.9dcc.com</pre><pre>www.meitu.com</pre><pre>1111111</pre><pre>%*.*f</pre><pre>CNotSupportedException</pre><pre>commctrl_DragListMsg</pre><pre>Afx:%x:%x:%x:%x:%x</pre><pre>Afx:%x:%x</pre><pre>COMCTL32.DLL</pre><pre>CCmdTarget</pre><pre>JOIN</pre><pre>iphlpapi.dll</pre><pre>SHLWAPI.dll</pre><pre>MPR.dll</pre><pre>VERSION.dll</pre><pre>v%sms</pre><pre>WSOCK32.dll</pre><pre>%x.tmp</pre><pre>.PAVCException@@</pre><pre>.PAVCNotSupportedException@@</pre><pre>.PAVCFileException@@</pre><pre>(*.prn)|*.prn|</pre><pre>(*.*)|*.*||</pre><pre>Shell32.dll</pre><pre>Mpr.dll</pre><pre>Advapi32.dll</pre><pre>User32.dll</pre><pre>Gdi32.dll</pre><pre>(&07-034/)7 '</pre><pre>?? / %d]</pre><pre>%d / %d]</pre><pre>: %d]</pre><pre>(*.WAV;*.MID)|*.WAV;*.MID|WAV</pre><pre>(*.WAV)|*.WAV|MIDI</pre><pre>(*.MID)|*.MID|</pre><pre>(*.txt)|*.txt|</pre><pre>(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG</pre><pre>(*.JPG)|*.JPG|BMP</pre><pre>(*.BMP)|*.BMP|GIF</pre><pre>(*.GIF)|*.GIF|</pre><pre>(*.ICO)|*.ICO|</pre><pre>(*.CUR)|*.CUR|</pre><pre>%s:%d</pre><pre>windows</pre><pre>BDGetColSQLType</pre><pre>%Y-%m-%d %H:%M:%S</pre><pre>out.prn</pre><pre>%d.%d</pre><pre>%d / %d</pre><pre>%d/%d</pre><pre>Bogus message code %d</pre><pre>(%d-%d):</pre><pre>%ld%c</pre><pre>www.dywt.com.cn</pre><pre>USER32.DLL</pre><pre>(*.htm;*.html)|*.htm;*.html</pre><pre>Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)</pre><pre>HTTP/1.0</pre><pre>%s <%s></pre><pre>Reply-To: %s</pre><pre>From: %s</pre><pre>To: %s</pre><pre>Subject: %s</pre><pre>Date: %s</pre><pre>Cc: %s</pre><pre>%a, %d %b %Y %H:%M:%S</pre><pre>HELO %s</pre><pre>SMTP</pre><pre>AUTH LOGIN</pre><pre>LOGIN</pre><pre>AUTH=LOGIN</pre><pre>EHLO %s</pre><pre>Content-Type: application/octet-stream; name=%s</pre><pre>Content-Disposition: attachment; filename=%s</pre><pre>MAIL FROM:<%s></pre><pre>RCPT TO:<%s></pre><pre>ExecuteSql</pre><pre>.PAVCOleException@@</pre><pre>.PAVCObject@@</pre><pre>.PAVCSimpleException@@</pre><pre>.PAVCMemoryException@@</pre><pre>.?AVCNotSupportedException@@</pre><pre>.PAVCResourceException@@</pre><pre>.PAVCUserException@@</pre><pre>.?AVCCmdTarget@@</pre><pre>.?AVCCmdUI@@</pre><pre>.?AVCTestCmdUI@@</pre><pre>.PAVCArchiveException@@</pre><pre>.PAVCOleDispatchException@@</pre><pre>.PAVCDBException@@</pre><pre>zcÁ</pre><pre>a68ae20111fafda4e3.exe</pre><pre>wmiprvse.exe</pre><pre>c:\%original file name%.exe</pre><pre>#include "l.chs\afxres.rc" // Standard components</pre><pre>h].uP</pre><pre>WKERNEL32.dll</pre><pre>rWINSPOOL.DRV</pre><pre>.ADVAPI32.dll</pre><pre>umGDI32.dll</pre><pre>IAA</pre><pre>comdlg32.dll</pre><pre>InternetCanonicalizeUrlA</pre><pre>N-4.Me^0/</pre><pre>.GI-&</pre><pre>.op<'</pre><pre>'F.qz</pre><pre>?!o%s</pre><pre>{!.SR</pre><pre>.qPXD</pre><pre>p.ld)C</pre><pre>Q*.By</pre><pre>.Spuv}T)</pre><pre>süb[</pre><pre>.tZpX</pre><pre>j5.xw</pre><pre>-Yc}%</pre><pre>BRsql</pre><pre>I|GQ-brX}</pre><pre>mR#Yf.GW}3</pre><pre>X"BT%u</pre><pre>.oC=g</pre><pre>WS2_32.dll</pre><pre>Goledlg.dll</pre><pre>OLEAUT32.dll</pre><pre>B*-q}</pre><pre>.cY*S</pre><pre>y.kj!</pre><pre>U1.ZQ</pre><pre>R.qua</pre><pre>9$2.Zh</pre><pre>%d~Avsj</pre><pre>-T.lC</pre><pre>%9SAn</pre><pre>eRf.QjK</pre><pre>_h%u4</pre><pre>``T</pre><pre>h%x/ij-</pre><pre>aV%XVA[</pre><pre>.ACe{</pre><pre>[.Ny^w</pre><pre>.Hd-`</pre><pre>`c_y:%Sm</pre><pre>|s%cR$</pre><pre>y@%f"</pre><pre>.tQG,</pre><pre>*W!%Sg</pre><pre>ye].Ro</pre><pre>j%d{^G]</pre><pre>7W.xb]</pre><pre>31/- )'%8#</pre><pre>ÊT%</pre><pre>U%0XT</pre><pre>.PkTqh</pre><pre>@weBO</pre><pre>.iR=Y=g</pre><pre>c%FK|</pre><pre>)%FoX</pre><pre>.Lf(Z</pre><pre>'g.aJ</pre><pre>Z.lRA'</pre><pre>\^.JA</pre><pre>!k%Fg</pre><pre>)v.wz</pre><pre>sQ3.VBr"1</pre><pre>eN%u\</pre><pre>C.zGo</pre><pre>E!<\%F</pre><pre>,"RASAPI32.dll</pre><pre>.Kkl;</pre><pre>'WINMM.dll</pre><pre>ODBC32.dll</pre><pre>e.GZ(</pre><pre>{/.UH,</pre><pre>F,..Um</pre><pre>_*.Vsz?</pre><pre>#Tc.Yy</pre><pre>.mSFmby}</pre><pre>"%d|SaE</pre><pre>1, 0, 0, 1</pre><pre>gameupdate.EXE</pre><pre>imedllhost09.ime</pre><pre>1, 0, 6, 6</pre><pre>(*.*)</pre><b>%original file name%.exe_1660_rwx_005C3000_00007000:</b><pre>(7),01444</pre><pre>'9=82<.342</pre><pre>1=3487638</pre><pre>2=3487639</pre><pre>3=3487640</pre><pre>4=3422105</pre><pre>5=3422106</pre><pre>6=3422363</pre><pre>7=3356828</pre><pre>8=3356829</pre><pre>9=3356830</pre><pre>10=3291295</pre><pre>11=3291551</pre><pre>12=3291552</pre><pre>13=3291553</pre><pre>14=3291554</pre><pre>15=3226018</pre><pre>16=3226019</pre><pre>17=3226020</pre><pre>18=3226276</pre><pre>19=3226277</pre><pre>20=3160741</pre><pre>21=3160742</pre><pre>22=3160743</pre><pre>23=3160744</pre><pre>24=3095209</pre><pre>25=3095467</pre><pre>26=3029932</pre><pre>27=3030190</pre><pre>28=2964654</pre><pre>29=2964657</pre><pre>30=2899379</pre><pre>31=2833847</pre><pre>32=2768567</pre><pre>33=2703293</pre><pre>34=2637760</pre><pre>35=2507206</pre><pre>36=2310861</pre><pre>37=2114775</pre><pre>38=1918687</pre><pre>39=1787880</pre><b>%original file name%.exe_1660_rwx_00B34000_00032000:</b><pre>h].uP</pre><b>%original file name%.exe_1660_rwx_00B67000_00001000:</b><pre>rWINSPOOL.DRV</pre><b>%original file name%.exe_1660_rwx_10027000_00015000:</b><pre>msctls_hotkey32</pre><pre>TVCLHotKey</pre><pre>THotKey</pre><pre>\skinh.she</pre><pre>}uo,x6l5k%x-l h</pre><pre>9p%s m)t4`#b</pre><pre>e"m?c&y1`Ð<</pre><pre>SetViewportOrgEx</pre><pre>SetViewportExtEx</pre><pre>SetWindowsHookExA</pre><pre>UnhookWindowsHookEx</pre><pre>EnumThreadWindows</pre><pre>EnumChildWindows</pre><pre>`c%US.4/</pre><pre>!#$<#$#=</pre><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.rsrc</pre><pre>@.UPX0</pre><pre>`.UPX1</pre><pre>`.reloc</pre><pre>%-^</pre><pre>.hk;~</pre></pre></pre>