Detections: Trojan.Generic.11227277 (B) (Emsisoft), Trojan.Generic.11227277 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 8d6da1f878e2853eea459225a9fc10f0
SHA1: c84bf00b377b7fdd0147ac1f1367bddb50dcc1c3
SHA256: 82312f3a488a1e0b10cd91c3a7a894aa6ed2311ae81229eef1ad92afbf570221
SSDeep: 49152:xjnCOJd3fyg5GJ8TZaqdwk0c05HGiERRE:xjffyUvYqdwkLcHHEw
Size: 1769472 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-12-03 11:08:04
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
wuauclt.exe:1880
(wuauclt.exe is the Windows Update Automatic Updates client. The sandbox attributes it to the Trojan because it started during the run; the file activity recorded for it below is the client's own datastore maintenance.)
The Trojan injects its code into the following process(es):
%original file name%.exe:132 (its own process)
File activity
The process %original file name%.exe:132 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ANKBAVY5\Movie[1].swf (81913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ANKBAVY5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ANKBAVY5\count[1].htm (66 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\VCZV2W0V\enter[1].jpg (432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C9UB81QB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\VCZV2W0V\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6XC3GZ2P\chinahacker[1].htm (1265 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ANKBAVY5\topic[1].mid (24361 bytes)
C:\SkinH_EL.dll (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6XC3GZ2P\desktop.ini (67 bytes)
The process wuauclt.exe:1880 makes changes in the file system.
The following file(s) are created and/or written (these are the Windows Update client's ESE database, checkpoint and log files under SoftwareDistribution\DataStore, not files planted by the Trojan):
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2448 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
The Trojan deletes the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)
Registry activity
The process %original file name%.exe:132 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry. Most of them (the Internet Settings cache paths, Shell Folders, the ActiveMovie/devenum filter entries, DrawDib and the Cryptography RNG seed) are the values that WinINet, the shell and DirectShow write when a process that hosts an embedded browser or media control initialises them; they were recorded because the Trojan's process triggered them, and none of them is a persistence mechanism:
[HKCU\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device]
"DSGuid" = "{00000000-0000-0000-0000-000000000000}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device]
"FriendlyName" = "Default DirectSound Device"
[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1916x902x32(BGR 0)" = "31,31,31,31"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device]
"CLSID" = "{79376820-07D0-11CF-A24D-0020AFD79767}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device]
"CLSID" = "{07B65360-C445-11CE-AFDE-00AA006C14F4}"
"MidiOutId" = "4294967295"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device]
"FilterData" = "02 00 00 00 00 00 80 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 F3 4F C2 46 B8 87 E4 50 2A DF 9E A6 9B 89 A1"
[HKCU\Software\Microsoft\Multimedia\ActiveMovie\Filter Cache]
"0" = "E0 5A 00 00 65 68 63 66 00 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device]
"FilterData" = "02 00 00 00 00 00 80 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device]
"FriendlyName" = "Default MidiOut Device"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The following IE security-zone values are present. A value of 1 is the Windows XP default for each of the three ZoneMap entries, so their presence alone does not show that the Trojan tampered with zone mapping.
UNC paths are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Sites that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
Local hostnames without dots that are not assigned to any other zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Multimedia\ActiveMovie\Filter Cache]
"1"
Dropped PE files
MD5 | File path |
---|---|
147127382e001f495d1842ee7a9e7912 | c:\SkinH_EL.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
wuauclt.exe:1880 (the Windows Update client; ending it is harmless but does not remove the Trojan, whose own process is the original file listed above)
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ANKBAVY5\Movie[1].swf (81913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ANKBAVY5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ANKBAVY5\count[1].htm (66 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\VCZV2W0V\enter[1].jpg (432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C9UB81QB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\VCZV2W0V\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6XC3GZ2P\chinahacker[1].htm (1265 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ANKBAVY5\topic[1].mid (24361 bytes)
C:\SkinH_EL.dll (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6XC3GZ2P\desktop.ini (67 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2448 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
(The three SoftwareDistribution\DataStore files belong to the Windows Update client, which ran during the analysis; deleting them only forces Windows Update to rebuild its database and is not part of removing this Trojan.)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: ??????????
Product Name: ????????????
Product Version: 1.0.0.0
Legal Copyright: ????????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ????????????
Comments: ??????????
Language: Chinese (Simplified, PRC)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 621234 | 622592 | 5.1389 | 7762e84b73bd3a6c39ed866c408c2047 |
.rdata | 626688 | 1039398 | 1040384 | 5.36973 | c96e03ce80a13ce193b1a8b85850f70e |
.data | 1667072 | 281002 | 65536 | 4.34074 | 8285d322d54f9aadbcc29a08cc9f475b |
.rsrc | 1949696 | 34580 | 36864 | 3.80064 | a768d97d1833f03f4cd4ae65e31583b6 |
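The section table above gives a per-section entropy and MD5, and the summary calls the file "Packed" with a PEiD match for UPolyX. The following added example (written for this page, not Lavasoft's code or part of the report) recomputes those two figures from a PE image with only the standard library, so the table can be checked against the actual sample and the "packed" verdict judged per section. It assumes the report computes entropy and MD5 over each section's raw on-disk bytes (SizeOfRawData); the REPORTED_SECTIONS table is copied from the report, and build_test_pe constructs a minimal PE for running offline, not a real sample.

```python
import hashlib
import math
import struct

# Per-section entropy and MD5 as listed in the report's PE Sections table above.
REPORTED_SECTIONS = {
    ".text":  (5.13890, "7762e84b73bd3a6c39ed866c408c2047"),
    ".rdata": (5.36973, "c96e03ce80a13ce193b1a8b85850f70e"),
    ".data":  (4.34074, "8285d322d54f9aadbcc29a08cc9f475b"),
    ".rsrc":  (3.80064, "a768d97d1833f03f4cd4ae65e31583b6"),
}

def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

def parse_sections(pe):
    """Walk the section table of a PE image held in memory.
    Returns [(name, virtual_address, virtual_size, raw_size, raw_bytes)]."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER
    nsections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size              # first IMAGE_SECTION_HEADER
    out = []
    for i in range(nsections):
        hdr = pe[table + 40 * i: table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", hdr, 8)
        out.append((name, va, vsize, raw_size, pe[raw_ptr:raw_ptr + raw_size]))
    return out

def section_report(pe, packed_threshold=7.0):
    """Entropy and MD5 of every section's raw bytes, flagged as likely packed above
    the threshold and compared with the report's table by MD5."""
    rows = []
    for name, va, vsize, raw_size, raw in parse_sections(pe):
        ent = shannon_entropy(raw)
        md5 = hashlib.md5(raw).hexdigest()
        reported = REPORTED_SECTIONS.get(name)
        rows.append({
            "name": name, "va": va, "vsize": vsize, "raw_size": raw_size,
            "entropy": round(ent, 5), "md5": md5,
            "likely_packed": ent >= packed_threshold,
            "matches_report": reported is not None and reported[1] == md5,
        })
    return rows

def build_test_pe(sections):
    """Constructed minimal PE32 (real MZ/PE/COFF layout, zero-filled optional header)
    carrying the given (name, raw_bytes) sections; offline test input, not a real sample."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt = bytes(224)                                               # IMAGE_OPTIONAL_HEADER32
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    hdr_len = len(dos) + 4 + len(coff) + len(opt) + 40 * len(sections)
    raw_ptr = (hdr_len + 0x1FF) & ~0x1FF                           # 512-byte file alignment
    first_ptr, va, table, body = raw_ptr, 0x1000, b"", b""
    for name, raw in sections:
        table += (name.encode().ljust(8, b"\0")
                  + struct.pack("<IIII", len(raw), va, len(raw), raw_ptr) + bytes(16))
        body += raw
        raw_ptr += len(raw)
        va = (va + len(raw) + 0xFFF) & ~0xFFF                      # 4 KiB section alignment
    headers = dos + b"PE\0\0" + coff + opt + table
    return headers.ljust(first_ptr, b"\0") + body

if __name__ == "__main__":
    # Replace with open("sample.exe", "rb").read() to check a real file against the table.
    pe = build_test_pe([(".text", bytes(range(256)) * 4), (".data", bytes(1024))])
    for row in section_report(pe):
        print(row)
```

Run against the real sample, matches_report confirms the file is the one the table describes section by section, which a whole-file hash cannot do once any section is modified. Note that the report's own section entropies are all below 5.4, well under the 7+ that a compressed UPX/UPolyX-style section normally shows, so the "Entropy: Packed" verdict and the PEiD match deserve a second look rather than being taken as given.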
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://www.chinahacker.com/ | 222.76.217.48 |
hxxp://www.chinahacker.com/Movie.swf | 222.76.217.48 |
hxxp://www.chinahacker.com/mid/topic.mid | 222.76.217.48 |
hxxp://www.chinahacker.com/count/count.cgi?ID=chinahacker.com&SHOW=count | 222.76.217.48 |
hxxp://www.chinahacker.com/images/enter.jpg | 222.76.217.48 |
hxxp://data.chinahacker.com/count/count.cgi?ID=chinahacker.com&SHOW=count | 222.76.217.48 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.chinahacker.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 30 Apr 2014 09:46:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 3416
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSCCQADQQ=OJHPCCGAPPJIPOMPOHJFKIAA; path=/
Cache-control: private
<html>..<head>..<title>:::............::: VVV.ChinaHacker.com ........ China Hacker Union</title>..<meta http-equiv="Content-Type" content="text/html; charset=gb2312">..<STYLE type=text/css>BODY {...FONT-SIZE: 9pt; FONT-FAMILY: "...."..}..TD {...FONT-SIZE: 9pt; FONT-FAMILY: "...."..}..A {...COLOR: #000000; TEXT-DECORATION: none..}..A:hover {...COLOR: red; TEXT-DECORATION: underline..}..</STYLE>..<bgsound src="mid/topic.mid" loop="-1">..</head>..<body bgcolor="#000000" text="#FF0000" link="#FF0000" vlink="#FF0000">..<form method="POST" action="--WEBBOT-SELF--">.. <div align="center">.. <center>.. <table border="0" width="100%" height="527">.. <tr>.. <td width="100%" height="326">.. <p align="center"><object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="hXXp://download.macr
<<
<<< skipped >>>
GET /Movie.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://VVV.chinahacker.com/
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.chinahacker.com
Connection: Keep-Alive
Cookie: ASPSESSIONIDSCCQADQQ=OJHPCCGAPPJIPOMPOHJFKIAA
HTTP/1.1 200 OK
Content-Length: 214015
Content-Type: application/x-shockwave-flash
Last-Modified: Mon, 14 Mar 2011 16:00:00 GMT
Accept-Ranges: bytes
ETag: "5033adf60e2cb1:e6d"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 30 Apr 2014 09:46:45 GMT
FWS..C..x..........<.C....D.....?.>........C....................................................................C......................................................................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz.............................................................................%..........JFIF................1...."...................?...?.(...(.Q.....i]...}..D\...OA......}.I@.O.....9..=...bgt.g'.9..3. .t?.,...9...........7...r.]..k........u....T.9)5..../>...<}t)H..<....N....y.>....W.P.5.... v............._.....iq..............>.....}]............_....H.......?.O..........y..9.F......(.1.......\./.}.~..>..._F.{...zi....yy~:|.......t.....R...>........#.........@...C#...#..Z_../.}:./>.}...~..........}7..v..[...}...G..9....8..\......o.G....q....3......_.......\eE.............9...........].W......................W.....G.1.c..?..O.....8.q...j.u......v'.i.-..../..Z...........?.....C.F......5...!...<...iG.S.yc.?.t....?..w........(}.....;...//..l....#............?...}B<..y.._.`?:...........G..K..N.....{.t..Nae.........}ms......B}......`.:...._Q.. ..._....!Q?..9...._....W.2..........O>.G5O.^b.....z.*.D............)?............'.......Z..C..y......Z.1..
<<
<<< skipped >>>
GET /count/count.cgi?ID=chinahacker.com&SHOW=count HTTP/1.1
Accept: */*
Referer: hXXp://VVV.chinahacker.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: data.chinahacker.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 30 Apr 2014 09:46:47 GMT
Connection: close
document.write('........<font color=red>' 34529530 '</font>....');..
GET /mid/topic.mid HTTP/1.1
Accept: */*
Referer: hXXp://VVV.chinahacker.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.chinahacker.com
Connection: Keep-Alive
Cookie: ASPSESSIONIDSCCQADQQ=OJHPCCGAPPJIPOMPOHJFKIAA
HTTP/1.1 200 OK
Content-Length: 30594
Content-Type: audio/mid
Last-Modified: Mon, 14 Mar 2011 16:00:00 GMT
Accept-Ranges: bytes
ETag: "5033adf60e2cb1:e6d"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 30 Apr 2014 09:46:45 GMT
MThd.........xMTrk...u....untitled....GGT....A.B.@...A....A.B.@...Ug....A.B.@I".T....A.E....adm-music.com....X.......Y.....Q..'...Q..,.../.MTrk...2....x.... ...=...Y..$.][d..H}.H..Az.A..Cw.C..Hw.H..H..H..At.A..Cw.C..Hz.H..Hz.H.-Kz9K.{Ht.H..Ak.A..Ct.C..Hz.H..Hz.H..Az.A..Cw.C..H}.H..H}.H. Fz:F.zHz.H..Aw.A..Cw.C..Hw.H..H}.H..At.A..Cz.C..Hw.H..H}.H.-Kz8K.|H..H..Az.A..C}.C..H}.H..Ht.H..Az.A..Cw.C..Hq.H..Hz.H.,F}3F...H..H..Az.A..C}.C..H}.H..H}.H..A}.A..Cz.C..Hw.H..H}.H.-Kz9K.{H}.H..Az.A..Cn.C..Hw.H..Hz.H..At.A..Cw.C..Ht.H..Hz.H.*Fw6F.~H..H..Aw.A..Cw.C..Hw.H..H}.H..Aw.A..Cz.C..Ht.H..H..H.-Kz4K...H}.H..Az.A..Cw.C..Hn.H..H}.H..Aw.A..Ct.C..Hq.H..Hz.H.)Fw1F...?w.<w(<..?..>q.Ah.A..>..?z.CwTC..?..>w.At.A..>.M<q.?w8?..<..>k.AnIA..>..?z.Cw.C..?.G<z.Aw.,A..<.w<t.?z,?..<..>w.At.>..A..>z.At.A..>..<t.?z.=[.=.R?..<..?w.<w1<..?..>t
<<
<<< skipped >>>
GET /images/enter.jpg HTTP/1.1
Accept: */*
Referer: hXXp://VVV.chinahacker.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.chinahacker.com
Connection: Keep-Alive
Cookie: ASPSESSIONIDSCCQADQQ=OJHPCCGAPPJIPOMPOHJFKIAA
HTTP/1.1 200 OK
Content-Length: 3593
Content-Type: image/jpeg
Last-Modified: Mon, 14 Mar 2011 16:00:00 GMT
Accept-Ranges: bytes
ETag: "5033adf60e2cb1:e6d"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 30 Apr 2014 09:47:10 GMT
......JFIF..............Exif..II*...........................V...........^...(.......................i.......f.......H.......H.................0200....................0101....................@...........U...........ACD Systems Digital Imaging..........................................("..&...#/#&)*---.!141 4(,- ...........@ $ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@........................................................!1.AQ..a"2q.#.3B..$CRS................................................!1...a"2A......U.@.."...................?.........x....X.x.z.$.V..,..c..=v7. ......g8....;F6.`.Z`..bJng.Z.ii..m.6.d......`.u.k..z| .E..._...?......a.>.z.<...&>8.....a......./...xVF..<........F....c..T....Z[......@6.....S..O.Z0..e...xAX|.o....*f.[...... .......................2V....o.D.b...[..X..qO......{{(...%g...J>........|l/{biqk~N..j.?.m[o...1/.'..8.h.....o..S.g.%7Z..$...xw. ..d..Z..e.....T.....k&..R...k]]'[......_(&.....Z6..S.........K.A.......]>......]L..Y..7...j.z.hxr.s.p..\........^.A ........n...........\x>.#....s.i..2.....w....`. w...'n`...D...Y..?.l.....4......A.......u..d....$..... W..[..MO..M..2..v.....AK.&.Q.%.Y.u./a...t.t...<8.......Z.....T.m.1....?.Z.....f.....i.f...J..`DEU.^...;......" "&..."kh.....6..&^.`1.,.:..QS.....k..b.8.[1.....nq.....A...... .!^~..)..X!.J.L..&.. .fkZIh'...H)B.9. .z..._q!......?..J...X...2{........Mc})...#......l*\9.6g;o#..Z...%....8....j......F.,P.g......L..M.....z... .}S......\\.e#........d...f...].R..9.......L.[.X.mh....X...8....q.'.U.M7O?S.......N.r.....
<<
<<< skipped >>>
Strings from Dumps
The dump carries WinINet request imports (HttpOpenRequestA, HttpSendRequestA, HttpQueryInfoA) together with QQ/Qzone URLs and parameters: the ptlogin2.qq.com quick-login jump with clientuin and clientkey, the skey and g_tk session tokens, the Qzone status-publishing CGI (emotion_cgi_publish_v6) and the profile/space-name update CGI (cgi_apply_updateuserinfo_new). This is what the Trojan-PSW classification rests on. No traffic to any qq.com host was observed during this run; the capture above shows only the embedded chinahacker.com page and its Flash, MIDI and image resources.
%original file name%.exe_132:
.text
.rdata
@.data
.rsrc
xh.NV
t$(SSh
~%UVW
u$SShe
atl.dll
wininet.dll
user32.dll
kernel32.dll
SkinH_EL.dll
WinINet.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
MsgWaitForMultipleObjects
&keyindex=9&pt_aid=549000912&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone
&clientkey=
http://ptlogin2.qq.com/jump?clientuin=
http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone
skey
http://url.cn/9iIZQ9
#home&syn_tweet_verson=1&richtype=&richval=&special_url=&subrichtype=&who=1&con=qm
qzreferrer=http://user.qzone.qq.com/
http://taotao.qq.com/cgi-bin/emotion_cgi_publish_v6?g_tk=
qzreferrer=http://cnc.qzs.qq.com/qzone/v6/setting/profile/profile.html?tab=base&nickname=
http://w.qzone.qq.com/cgi-bin/user/cgi_apply_updateuserinfo_new?g_tk=
qzreferrer=http://cnc.qzs.qq.com/qzone/v6/setting/profile/profile.html?tab=space&spacename=
http://w.cnc.qzone.qq.com/cgi-bin/user/cgi_apply_updateuserinfo_new?g_tk=
&secverifykey=28Q12062209183668_2209183668