MD5: b03464cb3b39f6eef19436344224d9bc
SHA1: 82227729be2dbfb22a283b1793717102acd30b7d
SHA256: 8a6ac87aef1b02ab59e037254e28ec8963bb5d46f384f619f56c8786ef4563d5
SSDeep: 49152:wwPcDMe0FNDMTTwr92yjAdxD uYRUAiuoaGGn5sQXi:fP8Me0fMv0UyjAdxD nqSDsQXi
Size: 2678784 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2017-01-15 22:22:06
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Dropped creates the following process(es):

CDM.exe:3436

The Dropped injects its code into the following process(es):

%original file name%.exe:2180

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2180 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

C:\%original file name%.exe (18248 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\error[1].htm (2704 bytes)
C:\CDM.exe (1810 bytes)

The process CDM.exe:3436 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\dlldy[1].htm (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\gengxin[1].htm (232 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\dlldy[1].htm (17 bytes)
C:\Proxy.dll (326 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\UVH22G43.txt (109 bytes)

Registry activity

The process %original file name%.exe:2180 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\b03464cb3b39f6eef19436344224d9bc_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\b03464cb3b39f6eef19436344224d9bc_RASMANCS]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\b03464cb3b39f6eef19436344224d9bc_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\b03464cb3b39f6eef19436344224d9bc_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\b03464cb3b39f6eef19436344224d9bc_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\b03464cb3b39f6eef19436344224d9bc_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\b03464cb3b39f6eef19436344224d9bc_RASAPI32]
"EnableFileTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Dropped deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process CDM.exe:3436 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\CDM_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\CDM_RASMANCS]
"ConsoleTracingMask" = "4294901760"

"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\CDM_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\CDM_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\CDM_RASMANCS]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To automatically run itself each time Windows is booted, the Dropped adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ÎÒµÄÆô¶¯Ïî" = "C:\CDM.exe"

The Dropped deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.dywt.com.cn)
Language: Chinese (Simplified, PRC)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://rj.xie6.cn/gengxin.asp?id=845&bs=MAYI&_r=31114	162.159.211.13
hxxp://120.24.185.26/yixiuge/xxl.txt
hxxp://rj.xie6.cn/dlldy.asp?cz=hqfwq&bs=MAYI	162.159.211.13
hxxp://rj.xie6.cn/dlldy.asp?cz=hqzjip	162.159.211.13
hxxp://im2.n.shifen.com/search/error.html
hxxp://hi.baidu.com/aegifjftrggluze/item/be185dc989cae4f4984aa0df	123.125.114.169
hxxp://im.baidu.com/search/error.html	123.125.114.169

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0

Traffic

GET /search/error.html HTTP/1.1

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0

Host: im.baidu.com

Cache-Control: no-cache

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Mon, 15 May 2017 16:10:51 GMT

Server: Apache

Last-Modified: Mon, 07 Dec 2015 10:58:51 GMT

ETag: "a92"

Accept-Ranges: bytes

Content-Length: 2706

Connection: Keep-Alive

Content-Type: text/html
<html>.<head>..<title>....--..............</title
>..<META http-equiv=content-type content="text/html; charset=gb2
312">.<META content="MSHTML 6.00.2462.0" name=GENERATOR></
HEAD>.</head>.<style type="text/css">..p1 {..FONT-SIZE:
 14px; LINE-HEIGHT: 24px; FONT-FAMILY: "....".}...f12 {..FONT-SIZE: 12
px; LINE-HEIGHT: 20px.}..p2 {..FONT-SIZE: 14px; LINE-HEIGHT: 24px; col
or: #333333.}.</style>.<body text=#000000 vLink=#0033cc aLink
=#800080 link=#0033cc bgColor=#ffffff .topMargin=0>.<center>.
<table width=650 border=0 align="center">.  <tr height=60>
.    <td width=139 valign="top" height="66"><a href="hXXps://
VVV.baidu.com"><img src="img/logo.gif" border="0"></a>&
lt;/td>.    <td valign="bottom" width="100%">.      <table
 width="100%" border="0" cellpadding="0" cellspacing="0">.        &
lt;tr bgcolor="#e5ecf9">.          <td height="24"> <
b class="p1">..............</b></td>.          <td h
eight="24" class="p2">.            <div align="right"><a  
href="hXXps://VVV.baidu.com">........</a>   </div>
</td>.        </tr>.        <tr>.          <td he
ight="20" class="p2" colspan="2"></td>.        </tr>.  
  </table></td>.  </tr>.</table>.<br>.&l
t;table width=650 border=0 align="center" cellpadding=8 cellspacing=0&
gt;.  <tr> .    <td  align=center><div align="left"
<<< skipped >>>

GET /gengxin.asp?id=845&bs=MAYI&_r=31114 HTTP/1.1

Accept: */*

Accept-Language: zh-cn

Content-Type: application/x-www-form-urlencoded

Cache-Control: no-cache

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)

Host: rj.xie6.cn

HTTP/1.1 200 OK

Date: Mon, 15 May 2017 16:10:48 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: __cfduid=def4c611713752abe0eabf8024a3df3121494864647; expires=Tue, 15-May-18 16:10:47 GMT; path=/; domain=.xie6.cn; HttpOnly

Cache-Control: private

Vary: Accept-Encoding

Set-Cookie: ASPSESSIONIDACRBABCB=AJNNEIOAKOHEHOMEHOLIDDEG; path=/

X-Powered-By: ASP.NET

Server: yunjiasu-nginx

CF-RAY: 35f75e9056a64e2a-DME
e8..416B1BD09594E42FB1E8ADF1280D5C2B5AB6E09F50956C14DC636013AF636312D2
5D5BEE288489943286E61CDC686615DD646611D9116367D8166613DC116364DD686718
DC656217D8156712DC156367DD686718DC616660DC616718D8166619DD116411DD6267
67DD686618D8156710DD636611..0..HTTP/1.1 200 OK..Date: Mon, 15 May 2017
 16:10:48 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Co
nnection: keep-alive..Set-Cookie: __cfduid=def4c611713752abe0eabf8024a
3df3121494864647; expires=Tue, 15-May-18 16:10:47 GMT; path=/; domain=
.xie6.cn; HttpOnly..Cache-Control: private..Vary: Accept-Encoding..Set
-Cookie: ASPSESSIONIDACRBABCB=AJNNEIOAKOHEHOMEHOLIDDEG; path=/..X-Powe
red-By: ASP.NET..Server: yunjiasu-nginx..CF-RAY: 35f75e9056a64e2a-DME.
.e8..416B1BD09594E42FB1E8ADF1280D5C2B5AB6E09F50956C14DC636013AF636312D
25D5BEE288489943286E61CDC686615DD646611D9116367D8166613DC116364DD68671
8DC656217D8156712DC156367DD686718DC616660DC616718D8166619DD116411DD626
767DD686618D8156710DD636611..0......


GET /dlldy.asp?cz=hqfwq&bs=MAYI HTTP/1.1

Accept: */*

Accept-Language: zh-cn

Content-Type: application/x-www-form-urlencoded

Cache-Control: no-cache

User-Agent: 30098

Host: rj.xie6.cn

Cookie: __cfduid=def4c611713752abe0eabf8024a3df3121494864647; ASPSESSIONIDACRBABCB=AJNNEIOAKOHEHOMEHOLIDDEG

HTTP/1.1 200 OK

Date: Mon, 15 May 2017 16:10:50 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Cache-Control: private

Vary: Accept-Encoding

Set-Cookie: ASPSESSIONIDAQCCBCDD=HBBGIMLABLFLAMCBHJOBEMBL; path=/

X-Powered-By: ASP.NET

Server: yunjiasu-nginx

CF-RAY: 35f75ea0a6554e2a-DME
2b..ok:222.186.56.243:5600|222.186.56.243:5500|..0......


GET /dlldy.asp?cz=hqzjip HTTP/1.1

Accept: */*

Accept-Language: zh-cn

Content-Type: application/x-www-form-urlencoded

Cache-Control: no-cache

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Host: rj.xie6.cn

Cookie: __cfduid=def4c611713752abe0eabf8024a3df3121494864647; ASPSESSIONIDACRBABCB=AJNNEIOAKOHEHOMEHOLIDDEG; ASPSESSIONIDAQCCBCDD=HBBGIMLABLFLAMCBHJOBEMBL

HTTP/1.1 200 OK

Date: Mon, 15 May 2017 16:10:51 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Cache-Control: private

Vary: Accept-Encoding

X-Powered-By: ASP.NET

Server: yunjiasu-nginx

CF-RAY: 35f75ea4d23b4e2a-DME
11..ip:194.242.96.218..0..HTTP/1.1 200 OK..Date: Mon, 15 May 2017 16:1
0:51 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connect
ion: keep-alive..Cache-Control: private..Vary: Accept-Encoding..X-Powe
red-By: ASP.NET..Server: yunjiasu-nginx..CF-RAY: 35f75ea4d23b4e2a-DME.
.11..ip:194.242.96.218..0..

GET /yixiuge/xxl.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: 120.24.185.26

Cache-Control: no-cache

HTTP/1.1 404 Not Found

Server: nginx

Date: Mon, 15 May 2017 16:11:03 GMT

Content-Type: text/html

Content-Length: 564

Connection: keep-alive

Vary: Accept-Encoding
<html>..<head><title>404 Not Found</title><
/head>..<body bgcolor="white">..<center><h1>404 N
ot Found</h1></center>..<hr><center>nginx</
center>..</body>..</html>..<!-- a padding to disable
 MSIE and Chrome friendly error page -->..<!-- a padding to disa
ble MSIE and Chrome friendly error page -->..<!-- a padding to d
isable MSIE and Chrome friendly error page -->..<!-- a padding t
o disable MSIE and Chrome friendly error page -->..<!-- a paddin
g to disable MSIE and Chrome friendly error page -->..<!-- a pad
ding to disable MSIE and Chrome friendly error page -->..HTTP/1.1 4
04 Not Found..Server: nginx..Date: Mon, 15 May 2017 16:11:03 GMT..Cont
ent-Type: text/html..Content-Length: 564..Connection: keep-alive..Vary
: Accept-Encoding..<html>..<head><title>404 Not Foun
d</title></head>..<body bgcolor="white">..<center
><h1>404 Not Found</h1></center>..<hr><c
enter>nginx</center>..</body>..</html>..<!-- a
 padding to disable MSIE and Chrome friendly error page -->..<!-
- a padding to disable MSIE and Chrome friendly error page -->..<
;!-- a padding to disable MSIE and Chrome friendly error page -->..
<!-- a padding to disable MSIE and Chrome friendly error page -->
;..<!-- a padding to disable MSIE and Chrome friendly error page --
>..<!-- a padding to disable MSIE and Chrome friendly error 
<<< skipped >>>

GET /aegifjftrggluze/item/be185dc989cae4f4984aa0df HTTP/1.1

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0

Host: hi.baidu.com

Cache-Control: no-cache

HTTP/1.1 302 Found

Date: Mon, 15 May 2017 16:10:48 GMT

Server: Apache

Location: hXXp://im.baidu.com/search/error.html

Content-Length: 221

Connection: Keep-Alive

Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>302 Found</title>.</head><body
>.<h1>Found</h1>.<p>The document has moved <a 
href="hXXp://im.baidu.com/search/error.html">here</a>.</p&
gt;.</body></html>.HTTP/1.1 302 Found..Date: Mon, 15 May 2
017 16:10:48 GMT..Server: Apache..Location: hXXp://im.baidu.com/search
/error.html..Content-Length: 221..Connection: Keep-Alive..Content-Type
: text/html; charset=iso-8859-1..<!DOCTYPE HTML PUBLIC "-//IETF//DT
D HTML 2.0//EN">.<html><head>.<title>302 Found<
;/title>.</head><body>.<h1>Found</h1>.<p
>The document has moved <a href="hXXp://im.baidu.com/search/erro
r.html">here</a>.</p>.</body></html>...

The Dropped connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

@.bak

t$(SSh

~%UVW

u$SShe

iu2.iu

K(.wS

user32.dll

gdiplus.dll

{A068799B-7551-46b9-8CA8-EEF8357AFEA4}

hXXp://120.24.185.26/yixiuge/xxl.txt

Proxy.dll

Kernel32.dll

kernel32.dll

\CDM.exe

software\microsoft\windows\CurrentVersion\Run\

\Proxy.dll

@.reloc

f9z.vk

__MSVCRT_HEAP_SELECT

CreateIoCompletionPort

GetProcessHeap

KERNEL32.dll

MsgWaitForMultipleObjects

USER32.dll

GDI32.dll

ADVAPI32.dll

ole32.dll

WS2_32.dll

SHLWAPI.dll

HttpOpenRequestA

HttpSendRequestA

HttpQueryInfoA

WININET.dll

OLEAUT32.dll

WINMM.dll

GetCPInfo

proxy_AA555.dll

8@HNetCfg.FwMgr

hXXps://

hXXp://

https

http:

Client: VVV.xie6.cn

https:

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

/gengxin.asp?id=

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)

@/dlldy.asp?cz=hqfwq&bs=MAYI

/dlldy.asp?cz=hqzjip

4@0.0.0.0

<@WinINet.dll

ws2_32.dll

urlmon

URLDownloadToFileA

program internal error number is %d.

%s%x.tmp

:"%s"

:"%s".

zcÁ

7!8 808:8

0#0 040=0

5$5(5,5054585<5@5

$0004080

%d&&'

123456789

00003333

deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly

inflate 1.1.3 Copyright 1995-1998 Mark Adler

%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

Broken pipe

Inappropriate I/O control operation

Operation not permitted

RASAPI32.dll

WinExec

GetKeyState

GetViewportOrgEx

WINSPOOL.DRV

RegCloseKey

RegOpenKeyExA

RegCreateKeyA

ShellExecuteA

SHELL32.dll

COMCTL32.dll

CreateDialogIndirectParamA

UnhookWindowsHookEx

SetWindowsHookExA

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

comdlg32.dll

RegCreateKeyExA

.PAVCException@@

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

.PAVCFileException@@

: %d]

(*.*)|*.*||

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|PNG

(*.PNG)|*.PNG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

.PAVCNotSupportedException@@

out.prn

(*.prn)|*.prn|

%d.%d

%d/%d

1.6.9

unsupported zlib version

png_read_image: unsupported transformation

%d / %d

Bogus message code %d

libpng error: %s

libpng warning: %s

1.1.3

bad keyword

libpng does not support gamma background rgb_to_gray

Palette is NULL in indexed image

(%d-%d):

%ld%c

;3 #>6.&

'2, / 0&7!4-)1#

%s <%s>

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

#include "l.chs\afxres.rc" // Standard components

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADC:\CDM.exe

VVV.168guaji.com

1.2.18

F%*.*f

MSWHEEL_ROLLMSG

MSVFW32.dll

AVIFIL32.dll

InternetCrackUrlA

InternetCanonicalizeUrlA

(*.avi)|*.avi

WPFT532.CNV

WPFT632.CNV

EXCEL32.CNV

write32.wpc

Windows Write

mswrd632.wpc

Word for Windows 6.0

wword5.cnv

Word for Windows 5.0

mswrd832.cnv

mswrd632.cnv

Word 6.0/95 for Windows & Macintosh

html32.cnv

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

c:\%original file name%.exe

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

%S'vSG$wL"'vHN0rH&<

F.VnQ2

f.La1}ONz.

,vPK85\K82EV$rME5jMI:1\K8%U

aqt%v(1!gjezjf|9.sa%n{r4v{~;-jy!o~:-o~=4rb}<ase<m|>-o~*$?"?l.8>

.yyh"

z$5."$%X{}zGx%}//v~

&.dUz;,D`:?S;(%Fr

".dUz;-D/{8

9.dUz; D/{.

8<(&8=):

.vcH~

:j%c;n

.Sz~XGy

!H}~JJ:$GMldAN:$/.adACe~/-bsGC{%

%uPZW

%uN|-

O:J%S2

qvyB4>~b.pr]i.6

tT.zc

&nfY.}wA.qx

d.eMD

mdS%sfG

`{LxE%s

..skt

ZzY[.UQ

z_[.UQ

.PIZ(

AUrl/ 

Up0%xs

8U.Ix

.GiD}DF

%.bqA@D}[GNp

UúS

$H;%f

m.XQs,L

c.jK%Q

c/qC%s0Dxw>

4k{5#$q>;%s41ct;0~`61fg 3%{%3g=33;*d2i iois4bl&hn>s0fntQ

>httpu

hTTP/h

hXXp://hi.baidu.com/aegifjftrggluze/item/be185dc989cae4f4984aa0df

baidu.com

1.6.2.1

(*.*)

1.0.0.0

(hXXp://VVV.dywt.com.cn)

%original file name%.exe_2180_rwx_006CB000_00002000:

>httpu

hTTP/h

hXXp://hi.baidu.com/aegifjftrggluze/item/be185dc989cae4f4984aa0df

baidu.com

CDM.exe_3436:

.text

`.rdata

@.data

.rsrc

t$(SSh

~%UVW

u$SShe

iu2.iu

K(.wS

Proxy.dll

Kernel32.dll

kernel32.dll

user32.dll

gdiplus.dll

{A068799B-7551-46b9-8CA8-EEF8357AFEA4}

\CDM.exe

software\microsoft\windows\CurrentVersion\Run\

\Proxy.dll

@.reloc

f9z.vk

__MSVCRT_HEAP_SELECT

CreateIoCompletionPort

GetProcessHeap

KERNEL32.dll

MsgWaitForMultipleObjects

USER32.dll

GDI32.dll

ADVAPI32.dll

ole32.dll

WS2_32.dll

SHLWAPI.dll

HttpOpenRequestA

HttpSendRequestA

HttpQueryInfoA

WININET.dll

OLEAUT32.dll

WINMM.dll

GetCPInfo

proxy_AA555.dll

8@HNetCfg.FwMgr

hXXps://

hXXp://

https

http:

Client: VVV.xie6.cn

https:

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

/gengxin.asp?id=

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)

@/dlldy.asp?cz=hqfwq&bs=MAYI

/dlldy.asp?cz=hqzjip

4@0.0.0.0

<@WinINet.dll

ws2_32.dll

urlmon

URLDownloadToFileA

program internal error number is %d.

%s%x.tmp

:"%s"

:"%s".

zcÁ

7!8 808:8

0#0 040=0

5$5(5,5054585<5@5

$0004080

%d&&'

123456789

00003333

deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly

inflate 1.1.3 Copyright 1995-1998 Mark Adler

%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

Broken pipe

Inappropriate I/O control operation

Operation not permitted

RASAPI32.dll

WinExec

GetKeyState

GetViewportOrgEx

WINSPOOL.DRV

RegCloseKey

RegOpenKeyExA

RegCreateKeyA

ShellExecuteA

SHELL32.dll

COMCTL32.dll

CreateDialogIndirectParamA

UnhookWindowsHookEx

SetWindowsHookExA

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

comdlg32.dll

RegCreateKeyExA

.PAVCException@@

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

.PAVCFileException@@

: %d]

(*.*)|*.*||

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|PNG

(*.PNG)|*.PNG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

.PAVCNotSupportedException@@

out.prn

(*.prn)|*.prn|

%d.%d

%d/%d

1.6.9

unsupported zlib version

png_read_image: unsupported transformation

%d / %d

Bogus message code %d

libpng error: %s

libpng warning: %s

1.1.3

bad keyword

libpng does not support gamma background rgb_to_gray

Palette is NULL in indexed image

(%d-%d):

%ld%c

;3 #>6.&

'2, / 0&7!4-)1#

%s <%s>

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

C:\CDM.exe

#include "l.chs\afxres.rc" // Standard components

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

1.6.2.1

(*.*)

1.0.0.0

(hXXp://VVV.dywt.com.cn)

%original file name%.exe_2180_rwx_01580000_00002000:

>httpu

hTTP/h

hXXp://hi.baidu.com/aegifjftrggluze/item/be185dc989cae4f4984aa0df

baidu.com

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   CDM.exe:3436

2. Delete the original Dropped file.
   
3. Delete or disinfect the following files created/modified by the Dropped:
   

   C:\%original file name%.exe (18248 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\error[1].htm (2704 bytes)
   C:\CDM.exe (1810 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\dlldy[1].htm (43 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\gengxin[1].htm (232 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\dlldy[1].htm (17 bytes)
   C:\Proxy.dll (326 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\UVH22G43.txt (109 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "ÎÒµÄÆô¶¯Ïî" = "C:\CDM.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.