Gen.Variant.Strictor.113557_4a484393b1
Gen:Variant.Strictor.113557 (BitDefender), not-a-virus:RiskTool.Win32.IMEStartup.wpk (Kaspersky), Gen:Variant.Strictor.113557 (B) (Emsisoft), ML.Attribute.HighConfidence (Symantec), Gen:Variant.Strictor.113557 (FSecure), Gen:Variant.Strictor.113557 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 4a484393b122ba5ea5d1805514cae7a1
SHA1: 8d2243dd4cc58c4c534f803dc0821c0d79c2566a
SHA256: 6bdb2996688a63f96abe515695e598eca3f39cea050d699303b5545078fd2f6b
SSDeep: 24576:LTCYvdzvWSMfXnK2YT6cixAVrcbzocI2qgVS/939TRho10FXB7CgBxlCKDdi:PC2ZTTYKIzM2Ze31R 10nQKD8
Size: 1689600 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: ASPackv212, UPolyXv05_v6
Company: Essentware
Created at: 2017-03-10 19:56:10
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan-PSW. Trojan program intended for stealing users' passwords.
Dynamic Analysis
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es): No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:2880
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process %original file name%.exe:2880 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\tj[1].htm (339 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\navcancl[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ErrorPageTemplate[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\info_48[1] (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\httpErrorPagesScripts[1] (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017032920170330\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\bullet[1] (447 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\TA3DKYRR.txt (125 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\67ff8.tmp (7971 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\stat[1].js (1321 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\errorPageStrings[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\UW7Q6M8K.txt (135 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\navcancl[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\ErrorPageTemplate[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\errorPageStrings[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\background_gradient[1] (453 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\background_gradient[1] (453 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\bullet[1] (447 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\68018.tmp (5873 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\68029.tmp (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\info_48[1] (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\httpErrorPagesScripts[1] (5 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\info_48[1] (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101020161017 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\bullet[1] (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\background_gradient[1] (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\navcancl[1] (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016102820161029 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\68018.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\68029.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\ErrorPageTemplate[1] (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\67ff8.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\errorPageStrings[1] (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\httpErrorPagesScripts[1] (0 bytes)
Registry activity
The process %original file name%.exe:2880 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017032920170330]
"CachePrefix" = ":2017032920170330:"
"CacheLimit" = "8192"
[HKLM\SOFTWARE\Microsoft\Tracing\4a484393b122ba5ea5d1805514cae7a1_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\4a484393b122ba5ea5d1805514cae7a1_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\4a484393b122ba5ea5d1805514cae7a1_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{E549E976-C5F2-4E77-819D-55BC9B7C25BC}"
[HKLM\SOFTWARE\Microsoft\Tracing\4a484393b122ba5ea5d1805514cae7a1_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017032920170330]
"CacheRepair" = "0"
"CacheOptions" = "11"
[HKLM\SOFTWARE\Microsoft\Tracing\4a484393b122ba5ea5d1805514cae7a1_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\4a484393b122ba5ea5d1805514cae7a1_RASAPI32]
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 0C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\4a484393b122ba5ea5d1805514cae7a1_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\4a484393b122ba5ea5d1805514cae7a1_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017032920170330]
"CachePath" = "%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017032920170330"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\4a484393b122ba5ea5d1805514cae7a1_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\4a484393b122ba5ea5d1805514cae7a1_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101020161017]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016102820161029]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\tj[1].htm (339 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\navcancl[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ErrorPageTemplate[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\info_48[1] (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\httpErrorPagesScripts[1] (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017032920170330\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\bullet[1] (447 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\TA3DKYRR.txt (125 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\67ff8.tmp (7971 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\stat[1].js (1321 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\errorPageStrings[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\UW7Q6M8K.txt (135 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\navcancl[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\ErrorPageTemplate[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\errorPageStrings[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\background_gradient[1] (453 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\background_gradient[1] (453 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\bullet[1] (447 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\68018.tmp (5873 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\68029.tmp (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\info_48[1] (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\httpErrorPagesScripts[1] (5 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: ????????
Product Name: ????????
Product Version: 6.9.0.1
Legal Copyright: www.ucbug.com
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 6.9.0.1
File Description: www.ucbug.com ????????
Comments: www.ucbug.com ????????
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 1155072 | 377344 | 5.54477 | 44750dc3d7d55f6bc2ea59d40f798f24 |
| .rdata | 1159168 | 1851392 | 1270272 | 5.54489 | 2276e4dafe764542faeb433e6ebc482c |
| .data | 3010560 | 356352 | 25088 | 5.53681 | ba6aa45e09846f30d7371f19635b8759 |
| .rsrc | 3366912 | 24576 | 8192 | 4.38443 | e8b3824af427c19c862f93bbaa7ba64d |
| .asssjj | 3391488 | 8192 | 7680 | 3.80535 | 3c6ec7784d2b6ba0fc72e03d32c8354f |
| .adata | 3399680 | 4096 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
| URL | IP |
|---|---|
| hxxp://asssjjdata.sddata6.com//asjjdata/cs.txt | |
| hxxp://asssjjdata.sddata6.com//asjjdata/banben.txt | |
| hxxp://asssjjdata.sddata6.com//asjjdata/zdbanben.txt | |
| hxxp://asssjjdata.sddata6.com//asjjdata/tj.html?V6.9 | |
| hxxp://asssjjdata.sddata6.com//asjjdata/gxdz.txt | |
| hxxp://all.cnzz.com.danuoyi.tbcache.com/stat.php?id=1252900975&show=pic | |
| hxxp://s23.cnzz.com/stat.php?id=1252900975&show=pic | |
| dns.msftncsi.com | |
| my.4399.com | |
| c.cnzz.com | |
| asdata.ui10.net | |
| z5.cnzz.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET //asjjdata/cs.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: asssjjdata.sddata6.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Length: 1
Content-Type: text/plain
Last-Modified: Wed, 22 Feb 2017 18:53:54 GMT
Accept-Ranges: bytes
ETag: "a564d133d8dd21:17ec"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 29 Mar 2017 14:25:39 GMT
1
GET //asjjdata/banben.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: asssjjdata.sddata6.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Length: 4
Content-Type: text/plain
Last-Modified: Fri, 17 Mar 2017 14:29:08 GMT
Accept-Ranges: bytes
ETag: "9564d0d62a9fd21:17ec"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 29 Mar 2017 14:25:46 GMT
V7.0
GET //asjjdata/zdbanben.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: asssjjdata.sddata6.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Length: 4
Content-Type: text/plain
Last-Modified: Sat, 19 Jul 2014 17:54:04 GMT
Accept-Ranges: bytes
ETag: "c4cbe46d7aa3cf1:17ec"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 29 Mar 2017 14:25:46 GMT
V0.1
GET //asjjdata/tj.html?V6.9 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: asssjjdata.sddata6.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 339
Content-Type: text/html
Last-Modified: Sat, 19 Jul 2014 18:20:35 GMT
Accept-Ranges: bytes
ETag: "978397227ea3cf1:17ec"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 29 Mar 2017 14:25:46 GMT
<script type="text/javascript">var cnzz_protocol = (("https:" == document.location.protocol) ? " hXXps://" : " hXXp://");document.write(unescape("
GET //asjjdata/gxdz.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: asssjjdata.sddata6.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Length: 30
Content-Type: text/plain
Last-Modified: Fri, 17 Feb 2017 23:13:24 GMT
Accept-Ranges: bytes
ETag: "6dd8a707389d21:17ec"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 29 Mar 2017 14:26:07 GMT
hXXp://VVV.asssjj.com/?6.72|W|
GET /stat.php?id=1252900975&show=pic HTTP/1.1
Accept: */*
Referer: hXXp://asssjjdata.sddata6.com//asjjdata/tj.html?V6.9
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: s23.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 10990
Connection: keep-alive
Date: Wed, 29 Mar 2017 13:07:52 GMT
Last-Modified: Wed, 29 Mar 2017 13:07:51 GMT
Cache-Control: max-age=5400,s-maxage=5400
Via: cache20.l2et2-1[0,200-0,H], cache4.l2et2-1[6,0], kunlun4.cn74[0,200-0,H], kunlun5.cn74[0,0]
Age: 4707
X-Cache: HIT TCP_MEM_HIT dirn:11:32477764
X-Swift-SaveTime: Wed, 29 Mar 2017 13:43:01 GMT
X-Swift-CacheTime: 3291
Timing-Allow-Origin: *
EagleId: deba319e14907975798336642e
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_2880:
%s Date: %s Cc: %s Cc: %s %a, %d %b %Y %H:%M:%S %a, %d %b %Y %H:%M:%S SMTP SMTP (*.htm;*.html)|*.htm;*.html (*.htm;*.html)|*.htm;*.html its:%s::%s its:%s::%s ;3 #>6.& ;3 #>6.& '2, / 0&7!4-)1# '2, / 0&7!4-)1# .PAVCOleException@@ .PAVCOleException@@ .PAVCObject@@ .PAVCObject@@ .PAVCSimpleException@@ .PAVCSimpleException@@ .PAVCMemoryException@@ .PAVCMemoryException@@ .?AVCNotSupportedException@@ .?AVCNotSupportedException@@ .PAVCResourceException@@ .PAVCResourceException@@ .PAVCUserException@@ .PAVCUserException@@ .?AVCCmdTarget@@ .?AVCCmdTarget@@ .?AVCCmdUI@@ .?AVCCmdUI@@ .?AVCTestCmdUI@@ .?AVCTestCmdUI@@ .PAVCOleDispatchException@@ .PAVCOleDispatchException@@ .PAVCArchiveException@@ .PAVCArchiveException@@ zcÁ zcÁ hXXp://VVV.asssjj.com/?6.72|W| hXXp://VVV.asssjj.com/?6.72|W| c:\%original file name%.exe c:\%original file name%.exe #include "l.chs\afxres.rc" // Standard components #include "l.chs\afxres.rc" // Standard components The procedure entry point %s could not be located in the dynamic link library %s The procedure entry point %s could not be located in the dynamic link library %s The ordinal %u could not be located in the dynamic link library %s The ordinal %u could not be located in the dynamic link library %s winmm.dll winmm.dll rasapi32.dll rasapi32.dll winspool.drv winspool.drv shell32.dll shell32.dll oleaut32.dll oleaut32.dll comctl32.dll comctl32.dll 3, 1233, 0, 0 3, 1233, 0, 0 13456789 13456789 1, 0, 6, 6 1, 0, 6, 6 (*.*) (*.*) 6.9.0.1 6.9.0.1 VVV.ucbug.com VVV.ucbug.com %original file name%.exe_2880_rwx_0073C000_00003000:
kernel32.dll kernel32.dll user32.dll user32.dll The procedure entry point %s could not be located in the dynamic link library %s The procedure entry point %s could not be located in the dynamic link library %s The ordinal %u could not be located in the dynamic link library %s The ordinal %u could not be located in the dynamic link library %s winmm.dll winmm.dll ws2_32.dll ws2_32.dll rasapi32.dll rasapi32.dll gdi32.dll gdi32.dll winspool.drv winspool.drv advapi32.dll advapi32.dll shell32.dll shell32.dll ole32.dll ole32.dll oleaut32.dll oleaut32.dll comctl32.dll comctl32.dll oledlg.dll oledlg.dll wininet.dll wininet.dll comdlg32.dll comdlg32.dll RegOpenKeyExA RegOpenKeyExA ShellExecuteA ShellExecuteA InternetCanonicalizeUrlA InternetCanonicalizeUrlA 6.9.0.1 6.9.0.1 VVV.ucbug.com VVV.ucbug.com VVV.ucbug.com VVV.ucbug.com %original file name%.exe_2880_rwx_019F0000_0003D000:
`.rsrc `.rsrc L$(h%f L$(h%f SSh0j SSh0j msctls_hotkey32 msctls_hotkey32 TVCLHotKey TVCLHotKey THotKey THotKey \skinh.she \skinh.she }uo,x6l5k%x-l h }uo,x6l5k%x-l h 9p%s m)t4`#b 9p%s m)t4`#b e"m?c&y1`Ð
e"m?c&y1`Ð
SetViewportOrgEx SetViewportOrgEx SetViewportExtEx SetViewportExtEx SetWindowsHookExA SetWindowsHookExA UnhookWindowsHookEx UnhookWindowsHookEx EnumThreadWindows EnumThreadWindows EnumChildWindows EnumChildWindows `c%US.4/ `c%US.4/ !#$
!#$
.text .text `.rdata `.rdata @.data @.data .rsrc .rsrc @.UPX0 @.UPX0 `.UPX1 `.UPX1 `.reloc `.reloc f`c%US. f`c%US. KERNEL32.DLL KERNEL32.DLL COMCTL32.dll COMCTL32.dll GDI32.dll GDI32.dll MSIMG32.dll MSIMG32.dll MSVCRT.dll MSVCRT.dll MSVFW32.dll MSVFW32.dll USER32.dll USER32.dll SkinH_EL.dll SkinH_EL.dll 1, 0, 6, 6 1, 0, 6, 6
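The strings above are the raw evidence behind the Trojan-PSW and EmailWorm verdicts: RFC 822 header templates and the literal SMTP, keyboard-hook and hotkey APIs, QQ/Weibo/Weixin social-login URLs for the 4399 game portal, a WMI query for the CPU serial, and one string table recovered without separators in which the hosts-file path is fused with several update and statistics URLs. The following Python script is an added example and is not part of the Lavasoft output. It runs a small rule table over a constructed subset of the strings listed here, tags the capabilities they indicate, and refangs the report's hXXp:// and VVV. notation back into hostnames for an IOC list. The RULES table, tag names and hit thresholds are the editor's assumptions; a tag means the capability is present in the code's strings, not that the sandbox observed the action.

```python
"""Capability triage over a strings dump (added example, not report output)."""
import re

# Constructed sample: strings copied from the dump sections of this report.
# hXXp:// and VVV. are the report's own defanging of http:// and www.
SAMPLE_STRINGS = [
    "VVV.ucbug.com",
    "javascript:parent.window.UniLogin.toQzoneLogin(true)",
    "qq.com/cgi-bin/xlogin?appid=",
    "weibo.com/oauth2/authorize?forcelogin=",
    "weixin.qq.com/connect/qrconnect?appid=",
    # one string table recovered with no separators: hosts path fused with URLs
    r"C:\Windows\System32\Drivers\etc\hostshXXp://VVV.super-ec.cnhXXp://wghai.com/ec"
    r"hXXp://qsyou.com/echXXp://bbs.wghai.com/forum-17-1.html/forum-12-1.html/memcp.php"
    r"/ip.asp/time.asp/ec-user.php?string=hXXp://down.wghai.com/up/super-ec/",
    'Set cpuSet = GetObject("winmgmts:{impersonationLevel=impersonate}")'
    '.InstancesOf("Win32_Processor")',
    "hXXp://asssjjdata.sddata6.com/asjjdata/gonggao/zxgg.htmlP",
    "hXXp://extlogin.4399.com/weibo/redirectToAuthorize.do?params=postLoginHandler=default&redirectUrl=&appId=ssjj&gameId=news&cid=-1&aid=-3&ref=&autoLogin=false&v=1429304302642",
    "SetWindowsHookExA", "UnhookWindowsHookEx", "GetKeyState", "keybd_event",
    "RegCreateKeyExA", "WinExec", "ShellExecuteA", "rundll32.exe shell32.dll,",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)", "HTTP/1.0",
    "Reply-To: %s", "From: %s", "To: %s", "Subject: %s", "Date: %s", "Cc: %s",
    "%a, %d %b %Y %H:%M:%S", "SMTP",
    "hXXp://VVV.asssjj.com/?6.72|W|",
    "@.UPX0", "`.UPX1", "SkinH_EL.dll",
]

# Editor's rule table (assumption): tag -> regexes. A tag fires when at least
# MIN_HITS[tag] distinct regexes match (default 1); thresholds stop a lone
# generic string such as "From: %s" from tagging on its own.
RULES = {
    "smtp_mail_composition": [r"^(From|To|Subject|Reply-To|Cc|Date): %s$",
                              r"^SMTP$", r"^%a, %d %b %Y %H:%M:%S$"],
    "keyboard_hook_apis": [r"^SetWindowsHookExA$", r"^UnhookWindowsHookEx$",
                           r"^GetKeyState$", r"^keybd_event$", r"^VkKeyScanExA$"],
    "hosts_file_path": [r"\\Drivers\\etc\\hosts"],
    "social_login_oauth": [r"UniLogin\.to\w+Login", r"qq\.com/cgi-bin/xlogin",
                           r"weibo\.com/oauth2/authorize",
                           r"weixin\.qq\.com/connect/qrconnect", r"extlogin\.4399\.com"],
    "wmi_hardware_fingerprint": [r"winmgmts:", r"Win32_Processor"],
    "process_launch_apis": [r"^WinExec$", r"^ShellExecuteA$", r"^rundll32\.exe"],
    "registry_write_api": [r"^RegCreateKey(Ex)?A$"],
    "upx_section_names": [r"\.UPX[01]$"],
    "http_client_strings": [r"^Mozilla/4\.0 \(compatible; MSIE", r"^HTTP/1\.0$"],
}
MIN_HITS = {"smtp_mail_composition": 3, "keyboard_hook_apis": 2, "social_login_oauth": 2}


def triage(strings):
    """Return {tag: [matching strings]} for every tag whose rules fired."""
    report = {}
    for tag, patterns in RULES.items():
        hits, evidence = set(), []
        for pat in patterns:
            rx = re.compile(pat)
            for s in strings:
                if rx.search(s):
                    hits.add(pat)
                    if s not in evidence:
                        evidence.append(s)
        if len(hits) >= MIN_HITS.get(tag, 1):
            report[tag] = evidence
    return report


DEFANGED_SCHEME = re.compile(r"hXXp://")
HOST = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*[A-Za-z0-9]")
BARE_WWW = re.compile(r"\bVVV\.[A-Za-z0-9.-]*[A-Za-z0-9]")


def refang(host):
    """Turn the report's VVV. prefix back into www. (hXXp is already stripped)."""
    return re.sub(r"^VVV\.", "www.", host)


def extract_hosts(strings):
    """Sorted, refanged hostnames from hXXp:// URLs and bare VVV. tokens.

    Splitting on the defanged scheme first is what separates the fused
    entries ("...super-ec.cnhXXp://wghai.com...") into distinct hosts.
    """
    hosts = set()
    for s in strings:
        parts = DEFANGED_SCHEME.split(s)
        for part in parts[1:]:          # text right after each hXXp://
            m = HOST.match(part)
            if m:
                hosts.add(refang(m.group(0)))
        for part in parts:              # bare VVV.host tokens anywhere
            for m in BARE_WWW.finditer(part):
                hosts.add(refang(m.group(0)))
    return sorted(hosts)


if __name__ == "__main__":
    for tag, evidence in triage(SAMPLE_STRINGS).items():
        print(f"{tag}: {len(evidence)} string(s), e.g. {evidence[0]!r}")
    print("hosts:", ", ".join(extract_hosts(SAMPLE_STRINGS)))
```

Scheme-less fragments such as qq.com/cgi-bin/xlogin?appid= are deliberately left to the social_login_oauth tag rather than the host list, since on their own they are URL suffixes the code concatenates at runtime, not hosts the sample is known to contact.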