Gen.Variant.Symmi.57379_9a61377f7a

by malwarelabrobot on December 9th, 2016 in Malware Descriptions.

Gen:Variant.Symmi.57379 (B) (Emsisoft), Gen:Variant.Symmi.57379 (AdAware), Trojan.Win32.FlyStudio.FD, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.



MD5: 9a61377f7a267d0733acc68f3f3072cf
SHA1: 5e54992e3afc40333f0ddcf340790d48ad7e349f
SHA256: a4c9fcaad48bb22de6acd412eea7136e979c1c6617836f620fc62dbe2f26e20c
SSDeep: 49152:nGHQYGTwg AM HhgGibN4O9M3uLGgDekt3q wtw9JbtYDvPd3TR47jna/gRkVNOK:Gwt8wM HMvDH xl47za/D4GYEpuSh2e
Size: 4464640 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-05-03 21:14:58
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

regsvr32.exe:1780

The Trojan injects its code into the following process(es):

%original file name%.exe:2956

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process regsvr32.exe:1780 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ZCB_API.DLL (49 bytes)

The process %original file name%.exe:2956 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ZCB_API.DLL (1 bytes)

Registry activity

The process regsvr32.exe:1780 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}\TypeLib]
"(Default)" = "{D7111ECF-2415-46C6-AAD4-EE6802448456}"

[HKCR\Interface\{A5CF4797-7A19-403B-908C-E9F1CE93135E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}\ProgID]
"(Default)" = "REGCOM.Register.Api.1"

[HKCR\TypeLib\{D7111ECF-2415-46C6-AAD4-EE6802448456}\1.0\0\win32]
"(Default)" = "c:\ZCB_API.DLL"

[HKCR\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}]
"(Default)" = "ZCBApiPlug Class"

[HKCR\Interface\{A5CF4797-7A19-403B-908C-E9F1CE93135E}\TypeLib]
"(Default)" = "{D7111ECF-2415-46C6-AAD4-EE6802448456}"

[HKCR\TypeLib\{D7111ECF-2415-46C6-AAD4-EE6802448456}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{A5CF4797-7A19-403B-908C-E9F1CE93135E}\TypeLib]
"Version" = "1.0"

[HKCR\REGCOM.Register.Api\CurVer]
"(Default)" = "REGCOM.Register.Api.1"

[HKCR\TypeLib\{D7111ECF-2415-46C6-AAD4-EE6802448456}\1.0]
"(Default)" = "ZCB_APILib"

[HKCR\REGCOM.Register.Api.1\CLSID]
"(Default)" = "{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}"

[HKCR\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}\VersionIndependentProgID]
"(Default)" = "REGCOM.Register.Api"

[HKCR\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}\InprocServer32]
"(Default)" = "c:\ZCB_API.DLL"

[HKCR\REGCOM.Register.Api.1]
"(Default)" = "ZCBApiPlug Class"

[HKCR\Interface\{A5CF4797-7A19-403B-908C-E9F1CE93135E}]
"(Default)" = "IZCBApiPlug"

[HKCR\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{A5CF4797-7A19-403B-908C-E9F1CE93135E}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\REGCOM.Register.Api]
"(Default)" = "ZCBApiPlug Class"

[HKCR\TypeLib\{D7111ECF-2415-46C6-AAD4-EE6802448456}\1.0\HELPDIR]
"(Default)" = "c:"

The process %original file name%.exe:2956 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\9a61377f7a267d0733acc68f3f3072cf_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\9a61377f7a267d0733acc68f3f3072cf_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\9a61377f7a267d0733acc68f3f3072cf_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\9a61377f7a267d0733acc68f3f3072cf_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\9a61377f7a267d0733acc68f3f3072cf_RASMANCS]
"EnableFileTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5 File path
7925a1237adddf061c1ec4f9c0328597 c:\ZCB_API.DLL

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ??
Product Name: ????
Product Version: 1.0.0.0
Legal Copyright: ????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ????
Comments: ????
Language: Spanish (Spain, International Sort)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 999258 0 0 d41d8cd98f00b204e9800998ecf8427e
.rdata 1003520 3745736 0 0 d41d8cd98f00b204e9800998ecf8427e
.data 4751360 390730 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 5144576 85500 73728 1.14454 753f0c704956f034c5f6437deb7c865e
.vmp0 5230592 115152 0 0 d41d8cd98f00b204e9800998ecf8427e
.vmp1 5349376 4381495 4382720 5.44642 dcca07c29627637961a1f0efd028fbab
.reloc 9732096 52 4096 0.072668 3f22af9f5bc29be1d803560f5fb2037c

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://jdyou_152.proxy.kaopuyun.net/Open/V1_4/Soft/Upgrade
hxxp://c.84zcb.com/Open/V1_4/Soft/Upgrade 125.77.22.178


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET MALWARE User-Agent (Mozilla/4.0 (compatible))

Traffic

POST /Open/V1_4/Soft/Upgrade HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible)
Host: c.84zcb.com
Content-Length: 363
Cache-Control: no-cache

data=ZU/VMNyNxS1TnWRRj8GxQjWrbubxbK0I3z4lBE3kH1Lg0zx7Bm8NCL6F1dhzPiI3pLtLGO3rCd5V2DtXaBJo5sQ6HXo6eUWWiW cegStVRiwjeUVmrzou8S4yae3VVvMiUu3yRbPIdm1Ku8RJziEez//9TTQ5zmKRmAQQgmBI8iszeFbtvy4qONM0LFZeinZJbQVvlnxqWvlgwJYnCm/N6Mr3CVSYek/6osDNktRBY89J8tH7/VZBVvfiXpVcKfg5u JZAowUxbhQkiEuHHkjrmK5o/1Iw6ZVwBN8X0r1cBiBaWdZU/VMHEdcEWdhtEF&sign=9C296E0C2193E917A57032C94E3E6593
HTTP/1.1 200 OK
Date: Wed, 07 Dec 2016 22:25:26 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 728
Connection: keep-alive
Cache-Control: private
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 4.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: no-cache


The Trojan connects to the servers at the following location(s):

%original file name%.exe_2956:


%original file name%.exe_2956_rwx_0091A000_00002000:

GetViewportExtEx
WININET.dll
UnregisterHotKey
RegCloseKey
KERNEL32.dll
GetWindowsDirectoryA
InternetCrackUrlA
RegOpenKeyExA
Bv.SCv=kAv
u$B79%C

%original file name%.exe_2956_rwx_00CC1000_00001000:

SetViewportOrgEx
HttpQueryInfoA
CreateDialogIndirectParamA
SetWindowsHookExA

%original file name%.exe_2956_rwx_6B583000_00162000:


%original file name%.exe_2956_rwx_6B6EF000_00001000:

%.Dyy

%original file name%.exe_2956_rwx_6B846000_00001000:

VJ.wA E
ShellExecuteW


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    regsvr32.exe:1780

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\ZCB_API.DLL (49 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
