Trojan.Win32.Delphi_7c48316b23
Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 7c48316b2376ff78a962f4b728f16212
SHA1: d6d26c317091aefe0be78b11c07e431296553a47
SHA256: 9b4876f682a75e09cf7160af5e9c6a538a6478211c42528013c3dd349132872b
SSDeep: 12288:Yu3XomVNAOBa12Z0yq/Z0/QLDJ byYNEXdyedmyTbAneCtg5q:Yu3Xx1E1ht/ cDJyEXdy0ciq
Size: 753664 bytes
File type: PE32
Platform: WIN32
Entropy: Packed
PEID: ASPackv212, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:3380
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:3380 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\flvcd\flvcd_downrtmp.exe (82347 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\flvcd\flvjoin.exe (12112 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\flvcd\mp4join.exe (45240 bytes)
Registry activity
The process %original file name%.exe:3380 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
Dropped PE files
| MD5 | File path |
|---|---|
| ec9bc5d281dd20be5ea8d2eb87dbec12 | c:\Users\"%CurrentUserName%"\AppData\Roaming\flvcd\flvcd_downrtmp.exe |
| bb7730369cd4b1e3bb9046d8dd1a9320 | c:\Users\"%CurrentUserName%"\AppData\Roaming\flvcd\flvjoin.exe |
| 7d8f28cec81947d56070889224ec88d1 | c:\Users\"%CurrentUserName%"\AppData\Roaming\flvcd\mp4join.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: flvcd.com
Product Name: Nano
Product Version: 0.4.7
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 0.4.7.11
File Description: ??Nano??????
Comments:
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| CODE | 4096 | 1634304 | 543744 | 5.54484 | a7122871f9bd1744d2858dd3a7b996bc |
| DATA | 1638400 | 28672 | 17408 | 5.51076 | 669ad2bb905abd7421930f471492264e |
| BSS | 1667072 | 8192 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .idata | 1675264 | 16384 | 4608 | 5.47914 | 67b4d0cce9b337bc8aefa7bba17916b3 |
| .tls | 1691648 | 4096 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rdata | 1695744 | 4096 | 512 | 0.127644 | 59fce7c5a5f684438c8f5c77becce3a8 |
| .reloc | 1699840 | 102400 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 1802240 | 1007616 | 121856 | 5.49515 | 30f9ea3abf0c4f0a07e7f5bb4e655b99 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://download.flvcd.com/bigrats_update/flvcd_downrtmp.exe | |
| hxxp://download.flvcd.com/bigrats_update/flvjoin.exe | |
| hxxp://download.flvcd.com/bigrats_update/mp4join.exe | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY PE EXE or DLL Windows file download HTTP
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
Traffic
GET /bigrats_update/mp4join.exe HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101
Host: download.flvcd.com
HTTP/1.1 200 OK
Date: Tue, 31 Jan 2017 02:55:29 GMT
Server: Apache/2.2.27 (CentOS)
Last-Modified: Thu, 01 Dec 2016 16:26:41 GMT
ETag: "e21247-32400-5429b4960c49b"
Accept-Ranges: bytes
Content-Length: 205824
Connection: close
Content-Type: application/octet-stream
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........$...E...E..
.E..v.&..E...3 ..E...3...E...3..EE...=-..E...E...E...3...E...3#..E..Ri
ch.E..........PE..L.....?T.....................D...............0....@.
......................................@...............................
......,....................................2..........................
.....................................................text.... ........
..................`....rdata.......0......................@....data...
............................@....rsrc...............................@.
...reloc...........^..................@....aspack.. ..................
........`....adata...............$..............@.....................
......................................................................
......................................................................
......................................................................
............................................ .......<G.7.M...&....4
h.V...l.D....vi7H.#m..R...@yH"..5.m......^V...v..JYTVi.M.......e. ad.l
*R@c7.d$.=..o../{....f-......yo;.....y.6.....v.q...6.L.Zf.q2....Z.....
...r.W..U.A.r..n.......w...^...>y..<...}...?....1.*..LY=.o.....B
..12.XA.....v........!@.ir..".....#0 J..JM...@.n...o..,TB(*.(V.m$.b W.
:x...O..;..SP..c.....2...Wfy..U...5.$i%..T..;7.......y.6......bGp.]@..
Z..!H.#RYT..-K>..2.1..U.1....6Q...v.{..c....\..d.["<.rG.-....a&.
..7r.h..dj..>._.M.....m....qB|#H.k\W..b...#k.8...5.m^.-gu)...40<<< skipped >>>
GET /bigrats_update/flvjoin.exe HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101
Host: download.flvcd.com
HTTP/1.1 200 OK
Date: Tue, 31 Jan 2017 02:55:13 GMT
Server: Apache/2.2.27 (CentOS)
Last-Modified: Thu, 01 Dec 2016 16:26:33 GMT
ETag: "e21236-f200-5429b48db2d63"
Accept-Ranges: bytes
Content-Length: 61952
Connection: close
Content-Type: application/octet-stream
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.........z....L...L
...L...L...L...L,..L...L...L...L...L...L...L...L...L...L...LRich...L..
......PE..L....3>T.................N...v...............`....@......
....................@......~.....@.................................. .
.,....................................a...............................
................................................text....P.............
.............`....rdata...@...`......................@....data....@...
.......................@....rsrc...............................@....re
loc... ..........................@....aspack.. .......................
...`....adata.......0......................@..........................
......................................................................
......................................................................
......................................................................
............................................... .......3...4&....FP*J.
`...Hh..H..wf....6..NK.!... ..V}>.jw.s..[G.m.S...[-|,.<.....H ..
.`...c<...~h.ay.E...........?(^s..s....y.A.{vS.v>[!r..v......sAl
.V.l...oW6<.dZ..6.F.q.....{..y.8=............^.......f......`D..,l.
.=././........._^.....^......n....9.i"<.m..m.7..VnXw.:'B8.. .yF:].@
s(....u.Z} ..$..nJ.....&.W[A.I#.......-d..t...2.#..6.RV.s..&Y.......
..h...@..pc.z.#.(.]...d.G..A..DBX..c.S.JX..a..j...wpOI.Y.*......A.Y...
.......Q.\b.NC;f.W.......1...!?U..X...1YQ~...^.U.....T.M...L...o.`<<< skipped >>>
GET /bigrats_update/flvcd_downrtmp.exe HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101
Host: download.flvcd.com
HTTP/1.1 200 OK
Date: Tue, 31 Jan 2017 02:55:04 GMT
Server: Apache/2.2.27 (CentOS)
Last-Modified: Thu, 01 Dec 2016 16:26:38 GMT
ETag: "e2123e-74e34-5429b493088f3"
Accept-Ranges: bytes
Content-Length: 478772
Connection: close
Content-Type: application/octet-stream
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......PE..L......P
."..p............t.......2..`.............@...........................
......x......... ..............................@......................
.........................................`............................
...........................text....r.......t..................`.P`.dat
a...,!......."...x..............@.`..rdata...3.......4................
..@.`@.bss.....0............................`..idata.......@..........
............@.0..CRT.........P......................@.0..tls.... ....`
......................@.0./4...........p........................@B/19.
...................................B/35...............................
.....B/51.....>..............................B/63..................
..................B/77.....)..............................B/89........
...........................0B/102....-..............................B/
113....0............ .................B........U......HCF....f.U......
,CF....f.U..S..4...E...t..D$......D$.......$...........$..@..Dp.......
.........E..E......D$....D..D$...F...$..F..D$..E..D$...n....$F...uP..n
......D....N.............m.....D$....F..D$....F...$.........m....$..o.
.........$CF....D..D$..C...$..m....$F..D$..C0..$..m....$F..D$..CP..$..
m...i.......'....U.......$.......CF.........&....U.......$.......CF...
......&....U..S....E.....=....w;=....rK......D$.......$......m........
...........1....[]...=....tY=....t.=....u...=.....t&.tE=....u..D$.<<< skipped >>>
The Trojan connects to the servers at the following location(s):
.idata
.rdata
P.reloc
P.rsrc
.aspack
.adata
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
.Owner
EInvalidGraphicOperation
comctl32.dll
USER32.DLL
uxtheme.dll
UrlMon
%s%s%s%s%s%s%s%s%s%s
Proportional
MAPI32.DLL
TStatusBarh%D
vsReport
OnKeyDown
OnKeyPressh
OnKeyUp
TComboBoxExEnumerator
ole32.dll
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")JumpID("","%s")TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
imm32.dll
OnExecute
AutoHotkeys|
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreviewp
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
tcPW
TNT Internal Error: TWideComponentHelper.Create should never be encountered.
c:\hp\delphi7se\Lib\TntClasses.pas
c:\hp\delphi7se\Lib\TntActnList.pas
PasswordChar\ G
c:\hp\delphi7se\Lib\TntStdCtrls.pas
Internal Error: TntCombo_AutoCompleteKeyPress is only for csSimple and csDropDown style combo boxes.
c:\hp\delphi7se\Lib\TntMenus.pas
Internal Error: SyncHotKeyPosition Failed ("%s" <> "%s").c:\hp\delphi7se\Lib\TntControls.pas
Internal Error: SubClassUnicodeControl.Control is not Unicode.
.UnicodeClass
Uh.rI
TntUnicodeVcl.DestroyWindow
c:\hp\delphi7se\Lib\TntForms.pas
!"#$%&*;<=>@[]^_`{|}c:\hp\delphi7se\Lib\imgutil.pas
c:\hp\delphi7se\Lib\Winskinini.pas
%s_%s
ttntpanel.unicodeclass
ttntsilentpaintpanel.unicodeclass
xcFastReport
TWWKeyCombo=Combobox
TWWTempKeyCombo=combobox
TO32DBFLEXEDIT=Edit
5.60.03.29
BUTTON.RADIO
BUTTON.CHECKBOX
3333333
Progress.Chunk
Tab.Pane
Trackbar.ThumbHorz
Trackbar.ThumbVert
Trackbar.ThumbLeft
Trackbar.ThumbRight
Trackbar.ThumbUp
Trackbar.ThumbDown
UpDown.Horz
UpDown.Vert
user32.dll
DisableProcessWindowsGhosting
Internal Error: Control does not support ITntGlyphButton.
c:\hp\delphi7se\Lib\TntButtons.pas
c:\hp\delphi7se\Lib\TntComCtrls.pas
Internal Error in TTntListColumns.Create().
Internal Error in TTntCustomListView.Create().
Internal Error: OnCreateItemClass.ItemClass must inherit from TTntListItem.
Operation would block
Operation now in progress
Operation already in progress
Socket operation on non-socket
Protocol not supported
Socket type not supported
Operation not supported on socket
Protocol family not supported
Address family not supported by protocol family
WinSock DLL cannot support this application
wsock32.dll
Unable to load wsock32.dll -
Winsock startup error ws2_32.dll -
ws2_32.dll
Unable to load ws2_32.dll -
wship6.dll
Unable to load wship6.dll -
advapi32.dll
TIcsMsgMap
c:\hp\delphi7se\Lib\OverbyteIcsWndControl.pas
MsgLow not defined
Msg value out of bound
Msg not registered
windows-1250
windows-1251
windows-1252
windows-1253
windows-1254
windows-1255
windows-1256
windows-1257
windows-1258
gb2312 csgb2312 gbk cp936 ms936 windows-936
shift_jis ms_kanji csshiftjis
windows-874
us-ascii ascii us ansi_x3.4-1968 iso-ir-6 ansi_x3.4-1986 iso_646.irv:1991 iso646-us ibm367 cp367 csascii
IcsNtlmMsgs (c) 2004-2012 F. Piette V8.00
TNTLM_Msg2_Info
TIcsBufferHandler.Remove: Invalid Len
TIcsBufferHandler.Remove: nothing to remove
wsoTcpNoDelay
wsoNoHttp10Tunnel
THttpTunnelAuthType
THttpTunnelServerAuthTypes
THttpTunnelErrorEvent
TCustomHttpTunnelWSocket
Port
LocalPort
SocksPort
SocksPasswordx
HttpTunnelAuthType
HttpTunnelPassword
HttpTunnelPort
HttpTunnelServer
HttpTunnelUsercode$
OnHttpTunnelError
OnHttpTunnelConnectedT
0.0.0.0
Cannot change Port if not closed
Cannot change LocalPort if not closed
255.255.255.255
Winsock Resolve Port: Invalid Port.
Winsock Resolve Port: Invalid Proto.
Winsock Resolve Port: Cannot convert port '
GetPeerPort
c:\hp\delphi7se\Lib\OverbyteIcsWSocket.pas
setsockopt(IPPROTO_TCP, TCP_NODELAY)
Connect: No Port Specified
Connect (Invalid operation in OnChangeState)
listen: port not assigned
TCustomWSocket.Shutdown
SetSocketFamily: New API requires winsock 2.2 and Windows XP, property "SocketFamily" reset to "sfIPv4"
Multi-Status (WebDAV)
Unsupported Media Type
Unprocessable Entity (WebDAV)
Locked (WebDAV)
Failed Dependency (WebDAV)
Blocked by Windows Parental Controls
HTTP Version Not Supported
Insufficient Storage (WebDAV)
HTTP status code
Not a HTTP status code
Proxy server must support HTTP/1.1
Not a HTTP tunnel error
HTTP Proxy -
Can't change socks port if not closed
Can't use Socks when HTTP proxy is used as well
Listening is not supported thru socks server
TCP is the only protocol supported thru socks server
IPv6 not supported with current socks version
0.0.0.1
command not supported
address type not supported
TCP is the only protocol supported by HTTP proxies
HTTP/1.1
HTTP/1.
Listening is not supported thru HTTP proxy servers
Can't change HTTP proxy authentication if not closed
Can't change HTTP proxy password if not closed
Can't change HTTP proxy port if not closed
Can't change HTTP proxy if not closed
Can't use HTTP proxy when Socks is used as well
Can't change HTTP proxy usercode if not closed
THttpTunnelWSocket - DataAvailable error
Received header line too long. Increase HttpTunnelBufferSize.
THttpTunnelWSocket - Fatal: Invalid state in TriggerDataAvailable
THttpTunnelWSocket - Fatal: Internal error in WMHttpTunnelReconnect
TIcsURL (c) 1997-2012 F. Piette V8.00
http:
EHttpContentCodingException
THttpContentCoding
THttpCCodIdentity
THttpCCodStar
THttpContCodItem
THttpContCodHandler
%s;q=%s
%s, %s;q=%s
%s, %s
THttpCli (c) 1997-2014 F. Piette V8.10
EHttpException
THttpRequest
httpABORT
httpGET
httpPOST
httpPUT
httpHEAD
httpDELETE
httpCLOSE
httpPATCH
httpOPTIONS
httpTRACE
OverbyteIcsHttpProt
THttpAuthType
httpAuthNone
httpAuthBasic
httpAuthNtlm
httpAuthDigest
THttpBeforeAuthEvent
THttpRequestDone
THttpCliOption
httpoNoBasicAuth
httpoNoNTLMAuth
httpoBandwidthControl
httpoEnableContentCoding
httpoUseQuality
httpoNoDigestAuth
THttpCliOptions
THttpCli
OverbyteIcsHttpProtG
ProxyPort
Password
ProxyPassword
%2.2d %s %4.4d %2.2d:%2.2d:%2.2d
application/x-www-form-urlencoded
Mozilla/4.0
State = httpReady
State = httpNotConnected
State = httpConnected
State = httpDnsLookup
State = httpDnsLookupDone
State = httpWaitingHeader
State = httpWaitingBody
State = httpBodyReceived
State = httpWaitingProxyConnect
State = httpClosing
State = httpAborting
PrepareNTLMAuth begin, FStatusCode = %d FProxyAuthNTLMState=%d FAuthNTLMState=%d
PrepareNTLMAuth end, FStatusCode = %d FProxyAuthNTLMState=%d FAuthNTLMState=%d
Login
https
HTTP/
httpChunkDone, end of document
HTTP/1.0
hXXp://
hXXps://
HTTP component
HTTP component has nothing to post, put or patch
options.htm
document.htm
HTTP no status code (connection closed prematurely)
Insupported HTTP version
LeftPopup
olepro32.dll
IWebBrowser
IWebBrowserAppL
IWebBrowser2
TWebBrowserStatusTextChange
TWebBrowserProgressChange
TWebBrowserCommandStateChange
TWebBrowserTitleChange
TWebBrowserPropertyChange
TWebBrowserBeforeNavigate2
TWebBrowserNewWindow2
TWebBrowserNavigateComplete2
TWebBrowserDocumentComplete
TWebBrowserOnVisible
TWebBrowserOnToolBar
TWebBrowserOnMenuBar
TWebBrowserOnStatusBar
TWebBrowserOnFullScreen
TWebBrowserOnTheaterMode
TWebBrowser
1.2.5
TntEdit1KeyDown
\getset.bak
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101
hXXp://VVV.flvcd.com/diy/diy00
hXXp://VVV.flvcd.com/diy.php?id=
hXXp://VVV.flvcd.com/getset.php?url=
HttpOnly
</durl>
"url":"
</url>
<url>
'port':'
'key':'
"clipsURL":[
<metadata name="url">
"clipsURL":["
",port:
keyUrl=
Mozilla/5.0 (MSIE 9.0; Windows NT 6.1; Trident/5.0)
.html
.HTML
hXXp://data.vod.itc.cn/stream/
hXXp://data.vod.itc.cn/
?key=
&key1=
&keya=
&keyb=
port=
keya=
keyb=
tv.sohu.com
hXXp://pptv.soooner.com:19765/ppvaplaybyopen?url=
#EXT-X-KEY:METHOD=AES-128,URI="
hXXp://air.flvcd.com/51cto?key=
hXXp://VVV.flvcd.com/interface/getlink.php?url=
ssl/host.shtml
ssl/ssl.shtml?r=
media1.icourses.cn/
media2.icourses.cn/
hXXp://k.youku.com/player/getFlvPath/sid/
m3u8key:
flvcd.com
</key>
<key>
&vkey=
\flvcd\flvcd_downrtmp.exe
\flvcd\flvcd_downrtmp.exe" -r "
\flvcd\flvcd_downrtmp.exe" -r "
.mp4" --flv "
" --swfUrl "
" --pageUrl "
.mp4" --swfUrl "
VVV.flvcd.com
&type=web.fpp
regeturl_run=
flvcd_downrtmp.exe
InetURL:/1.0
\flvcd\minfo.exe
ProxyPort
.text
\flvcd\flvjoin.exe" "
\flvcd\mp4join.exe" "
\flvcd\nbing.bat
cmd /C "
\flvcd\nbing.bat"
ffmpeg.exe
\flvcd\ffmpeg.exe" -y -i
.mp4"
.avi"
\flvcd\ffmpeg.exe" -i
.flv"
\flvcd\ffmpeg.exe" -i
flvbind.exe
mp4box.exe
.mp4"
\flvcd\flvbind.exe" "
\flvcd\mp4box.exe"
grfKeyState
TComTargetExecEvent
CmdGroup
nCmdID
nCmdexecopt
hhctrl.ocx
URLMON.DLL
SHDOCLC.DLL
IWebBrowserApp
IWebBrowser28
TEWBWindowSetResizable
TEWBWindowSetLeft
TEWBWindowSetTop
TEWBWindowSetWidth
TEWBWindowSetHeight
bstrUrlContext
bstrUrl
OnWindowSetResizableh
OnWindowSetLeft
OnWindowSetTop
OnWindowSetWidth0
OnWindowSetHeightx
rcmDefault
rcmDebug
DontExecuteScripts
DontExecuteJava
DontExecuteActiveX
DisableUrlIfEncodingUTF8
EnableUrlIfEncodingUTF8
CheckFontSupportsCodePage
DisableSubmitUrlInUTF8
EnableSubmitUrlInUTF8
lpMsg
PMsg
pguidCmdGroup
TTranslateUrlEvent
pchURLIn
ppchURLOut
CmdID
pszUrl
pszUrlContext
szPassWord
ErrorUrl
OptionKeyPath
OverrideOptionKeyPath
OnTranslateUrl
OnCommandExec
'%s' is not supported.
WebocPopupManagement
ValidateNavigateUrl
HttpUsernamePasswordDisable
GetUrlDomFilePathUnencoded
XmlHttp
PTF://
AppEvents\Schemes\Apps\Explorer\Navigating\.Current
.Current
\ieframe.dll
\shdocvw.dll
\StringFileInfo\%0.4x%0.4x\%s
TMsgEvent
TKeyEventEx
Bypass
poPortrait
OnKeyDown0}V
0.750000
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)(
EmbeddedWB hXXp://bsalsa.com/
(bigrats web browser for nano 0.4.7.11r)
hXXp://v.t.sina.com.cn/share/share.php?url=
TntFormKeyDown
ListView1KeyDown
TntListView2KeyDown
TntListView3KeyDown
Nano v0.4.7.11
Bigrats Nano v0.4.7.11 release
\flvcd\nanoset.ini
FLVCDHotKey
\flvcd\mainlist.dxq
@@.flv@@.mp4@@.f4v@@.m4v@@.flx@@.hlv@@.rm@@.rmvb@@.3gp@@.wmv@@.fmv@@.flvx@@
@@.flx@@.flvx@@.hlv@@.fmv@@
\flvcd\baq.txt
Nano 0.4.7.11
\flvcd\nanolist\*.lt
hXXp://VVV.flvcd.com/diy/
\flvcd\mainlist_bak.dxq
C:\flvcd
hXXp://VVV.flvcd.com/interface/parsem-flvcd.php?id=
&url=
hXXp://video.baidu.com/v?&word=
hXXp://VVV.google.com.hk/search?q=
\flvcd\flvjoin.dll
\flvcd\mp4join.exe
\flvcd\flvjoin.exe
\flvcd\bing.exe
\convert.exe
\mencoder.exe
\ffmpeg.exe
{CAF49BBB-AC40-4FDE-8797-51D5AEB5FLVCD}\mainlist_bak.dxq
\mainlist.dxq
C:\flvcd\mainlist.dxq
C:\flvcd\mainlist_bak.dxq
!!""##$$%%&&''(())** ,,--..//0123456789:;<=>?
?456789:;<=
!"#$%&'()* ,-./0123
<4,$?7/'
(3-!0,1'8"5.*2$
inflate 1.2.5 Copyright 1995-2010 Mark Adler
hu`%C
iu2.iu
GetKeyboardType
RegOpenKeyExA
RegCloseKey
RegQueryInfoKeyA
RegFlushKey
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
WinExec
GetCPInfo
CreatePipe
version.dll
gdi32.dll
SetViewportOrgEx
GetViewportOrgEx
VkKeyScanW
UnregisterHotKey
UnhookWindowsHookEx
SetWindowsHookExW
SetWindowsHookExA
RegisterHotKey
MsgWaitForMultipleObjects
MapVirtualKeyW
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextW
GetKeyNameTextA
GetAsyncKeyState
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
shell32.dll
ShellExecuteW
SHFileOperationA
wininet.dll
InternetOpenUrlA
HttpQueryInfoA
UrlMkSetSessionOption
winmm.dll
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
KWindows
&OverbyteIcsUrl
TntWindows
.TntComCtrls
0OverbyteIcsHttpProt
'OverbyteIcsNtlmMsgs
OverbyteIcsHttpContCod
?HTTPApp
>WebConst
nano 0.4.7.11
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
KeyPreview
Picture.Data
Glyph.Data
0.4.7.11 Build 160425
}}~}}~}}~}}~}}~}}~}}~}}~~~
}}~}}~}}~}}~}}~}}~}}~}}~}}~}}~}}~~~
hXXp://weibo.com/flvcd
.LGBA)
'%D"8h
Items.Strings
Icon.Data
Skin3rd.Strings
#V.zTo
cK^.ShM
bNTPORTPU[^~
PrintOptions.Margins.Left
PrintOptions.Margins.Right
PrintOptions.Margins.Top
PrintOptions.Margins.Bottom
PrintOptions.HTMLHeader.Strings
PrintOptions.Orientation
C:\FDownload\
D:\FDownload\
E:\FDownload\
F:\FDownload\
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
urlmon.dll
version="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
Unspecified error (%d) from %s.
.flv.bc
.mp4.bc
.f4v.bc
.m4v.bc
hXXp://VVV.flvcd.com/nil
hXXp://VVV.flvcd.com/null2
\success.wav
lxdns.com/|503|
hXXp://VVV.flvcd.com/util/pptv_key.php
TOM.COM
.html.bc
hXXp://download.flvcd.com/bigrats_update/flvcd_downrtmp.exe
\minfo.exe
Explorer.exe
errorUrl
\bigratesupdate.ini
hXXp://download.flvcd.com/bigrats_update/bigratesupdate.ini
\touch.exe
\nano.exe
\shuffle.exe
\commence.exe
\upgrade.exe
: nano 0.4.7.11 build 160425
flvcd@126.com
\nano.exe.tmp
hXXp://VVV.flvcd.com
mainlist.dxq
mainlist.bak.dxq
hXXp://VVV.flvcd.com/start.htm
hXXp://VVV.flvcd.com/flvcdgame_5.htm
\flvjoin.exe
\mp4join.exe
hXXp://VVV.flvcd.com/flvcdgame_1.htm
hXXp://VVV.flvcd.com/flvcdgame_2.htm
hXXp://VVV.flvcd.com/flvcdgame_3.htm
\bing.exe
hXXp://VVV.flvcd.com/flvcdgame_6.htm
hXXp://download.flvcd.com/bigrats_update/flvjoin.exe
hXXp://download.flvcd.com/bigrats_update/mp4join.exe
hXXp://VVV.flvcd.com/convert/index.htm
\upgrade.exe.bc
hXXp://VVV.flvcd.com/bigrats_updata/upgrade.exe
\flvcd_downrtmp.exe
\lt.dxq
Thai (Windows)
Turkish (Windows)
Vietnamese (Windows)
Western European (Windows)"GetCoding must be overridden in %s"Invalid buffer size for decryption
JPEG error #%d
Cyrillic (Windows)
Greek (Windows)
Hebrew (Windows)
OLE control activation failed*Could not obtain OLE control window handle%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design modeNUnable to retrieve a pointer to a running object registered with OLE for %s/%s
Arabic (Windows)
Baltic (Windows)
Central European (Windows)
Invalid ownerE%d is an invalid PageIndex value. PageIndex must be between 0 and %d=This control requires version 4.70 or greater of COMCTL32.DLL
Date exceeds maximum of %s
Date is less than minimum of %s4You must be in ShowCheckbox mode to set to this date#Failed to set calendar date or timeúiled to set maximum selection range$Failed to set calendar min/max rangeúiled to set calendar selected range
No help keyword specified.
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
Failed to clear tab control Failed to delete tab at index %d"Failed to retrieve tab at index %d Failed to get object at index %d"Failed to set tab "%s" at index %d Failed to set object at index %d
Cannot open clipboard/Menu '%s' is already being used by another form
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Value must be between %d and %d
Invalid clipboard format Clipboard does not support Icons
$Parent given is not a parent of '%s'
%s property out of range
Scan line index out of range!Cannot change the size of an icon Invalid operation on TOleGraphic
Unsupported clipboard format
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)0Tab position incompatible with current tab style0Tab style incompatible with current tab position
Unable to write to %s
Invalid stream format$''%s'' is not a valid component name
Invalid property element: %s
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to create key %s
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Operation not supported
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
Invalid variant operation
Invalid NULL variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
!'%s' is not a valid integer value('%s' is not a valid floating point value'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time
I/O error %d
"FLVCD.COM"
0.4.7.11
0.4.7
%original file name%.exe_3380_rwx_006AE000_00002000:
kernel32.dll
user32.dll
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
advapi32.dll
oleaut32.dll
version.dll
gdi32.dll
ole32.dll
comctl32.dll
shell32.dll
wininet.dll
urlmon.dll
winmm.dll
GetKeyboardType
version="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
flvcd.com
0.4.7.11
0.4.7
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Roaming\flvcd\flvcd_downrtmp.exe (82347 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\flvcd\flvjoin.exe (12112 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\flvcd\mp4join.exe (45240 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.