Trojan.Win32.FlyStudio_7ca92dfc2a

by malwarelabrobot on May 10th, 2014 in Malware Descriptions.

Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericInjector.YR, GenericPhysicalDrive0.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 7ca92dfc2a2bdf53e79c2dc53d46985b
SHA1: 6b1d18e146b51fdaeceaddc8bcc9d4947995c2e0
SHA256: 4bdd959c2212e91b976c22713f7976ad9ba8d720233b7cdc711ee0c3c8ebc851
SSDeep: 98304:E9BV5D6WD8pe80B8YNuWp7FXGLGMfLeKxmm4adMw7NRcHSQCPxjvLLLLLLLLLLL :IVEWQpr2F2L9L2ae8FPx
Size: 9486336 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: PolyEnE001byLennartHedlund, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6
Company: no certificate found
Created at: 2013-01-21 07:28:32
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour  Description
EmailWorm  Worm can send e-mails.


Process activity

The Trojan creates the following process(es):

WMIADAP.EXE:1568
GetOS.dll:1376

The Trojan injects its code into the following process(es):

%original file name%.exe:800

File activity

The process WMIADAP.EXE:1568 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\PerfStringBackup.INI (3361 bytes)
%System%\wbem\Performance\WmiApRpl_new.ini (10 bytes)
%System%\perfc009.dat (151 bytes)
%System%\perfh009.dat (3509 bytes)
%System%\PerfStringBackup.TMP (1471032 bytes)

The Trojan deletes the following file(s):

%System%\wbem\Performance\WmiApRpl.ini (0 bytes)
%System%\PerfStringBackup.TMP (0 bytes)

The process %original file name%.exe:800 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\4922a.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\492f7.tmp (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\49480.tmp (3361 bytes)
C:\GetOS.dll (226 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\492a8.tmp (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\49431.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\494bf.tmp (1425 bytes)
%System%\fayasys.sys (32 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\4922a.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\492f7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\49480.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\492a8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\49431.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\494bf.tmp (0 bytes)

Registry activity

The process WMIADAP.EXE:1568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\%System%\DRIVERS]
"ACPI.sys[ACPIMOFResource]" = "LowDateTime:904845312,HighDateTime:29924928***Binary mof compiled successfully"
"intelppm.sys[PROCESSORWMI]" = "LowDateTime:904845312,HighDateTime:29924928***Binary mof compiled successfully"

[HKLM\SOFTWARE\Microsoft\WBEM\PROVIDERS\Performance]
"Performance Refresh" = "0"

[HKLM\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\%System%\DRIVERS]
"HTTP.sys[UlMofResource]" = "LowDateTime:904845312,HighDateTime:29924928***Binary mof compiled successfully"

[HKLM\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\%System%]
"advapi32.dll[MofResourceName]" = "LowDateTime:904845312,HighDateTime:29924928***Binary mof compiled successfully"

[HKLM\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\%System%\DRIVERS]
"ipnat.sys[IPNATMofResource]" = "LowDateTime:904845312,HighDateTime:29924928***Binary mof compiled successfully"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib]
"Updating" = "WmiApRpl"

[HKLM\System\CurrentControlSet\Services\WmiApRpl\Performance]
"First Help" = "3675"
"Last Counter" = "3702"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib]
"Last Help" = "3673"

[HKLM\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\%System%\DRIVERS]
"mssmbios.sys[MofResource]" = "LowDateTime:904845312,HighDateTime:29924928***Binary mof compiled successfully"

[HKLM\SOFTWARE\Microsoft\WBEM\PROVIDERS\Performance]
"Performance Data" = "60 04 00 00 02 00 00 00 00 00 00 00 10 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib]
"Last Counter" = "3672"

[HKLM\System\CurrentControlSet\Services\WmiApRpl\Performance]
"Last Help" = "3703"
"First Counter" = "3674"
"Object List" = "3674 3680 3696"

[HKLM\SOFTWARE\Microsoft\WBEM\PROVIDERS\Performance]
"Performance Refreshed" = "1"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\WBEM\WDM\DREDGE]

The Trojan deletes the following value(s) in system registry:

[HKLM\System\CurrentControlSet\Services\WmiApRpl\Performance]
"Disable Performance Counters"
"Library Validation Code"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib]
"Updating"

[HKLM\System\CurrentControlSet\Services\WmiApRpl\Performance]
"First Help"
"Last Counter"
"Last Help"
"First Counter"
"Object List"

The process GetOS.dll:1376 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 6B DF 69 55 BA 5B DB 6F E2 0D 79 F0 D1 79 C9"

[HKLM]
"OS" = "XP"

The process %original file name%.exe:800 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 9E 0D F2 50 35 FF 31 02 AC 6B 9D FD 31 74 4A"

[HKLM]
"fb" = "fy"
"lujing" = "c:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

Dropped PE files

MD5                               File path
45b8b90724475331d294d2a44b4180fe  c:\GetOS.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "%System%\fayasys.sys" the Trojan controls creation and closing of processes by installing the process notifier.
The Trojan installs the following kernel-mode hooks:

ZwDeviceIoControlFile

Propagation

VersionInfo

Company Name:
Product Name:
Product Version: 1.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description:
Comments: ??????????(http://www.eyuyan.com)
Language: Language Neutral

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             1216290       1216512   4.45287  f47f649b866b87e2397e76f59d5fd4d2
.rdata  1220608          8129576       8130560   4.74923  d60df483b84923986bbf34a165621efe
.data   9351168          416106        90112     3.63693  5302b97a807367e52a10e1e0ef6cd359
.rsrc   9768960          41886         45056     3.53013  0f0dd4d56db4a299579f6a4c18590e5e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL                                                          IP
hxxp://feeds.qzone.qq.com/cgi-bin/cgi_rss_out?uin=150166555  58.250.135.157
hxxp://feeds.qzone.qq.com/cgi-bin/cgi_rss_out?uin=156839889  58.250.135.157
img8.ph.126.net                                              209.170.78.73


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /cgi-bin/cgi_rss_out?uin=150166555 HTTP/1.1
User-Agent: ObjGameData
Host: feeds.qzone.qq.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Connection: close
Server: QZHTTP-2.38.18
Date: Fri, 09 May 2014 14:55:25 GMT
Content-Type: text/xml; charset=utf-8
Content-Length: 590

<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type="text/xsl" href="hXXp://feeds.qzone.qq.com/rss.xsl" version="1.0"?>
<rss version="2.0" xmlns:qz="hXXp://qzone.qq.com">
<channel>
<title><![CDATA[150166555]]></title>
<description><![CDATA[150166555]]></description>
<link>hXXp://150166555.qzone.qq.com</link>
<lastBuildDate>Fri, 09 May 2014 14:55:25 GMT</lastBuildDate>
<generator>Qzone</generator>
<language>zh-cn</language>
<copyright>Copyright (C), 2005-2013, Tencent Tech. Co., Ltd.</copyright>
<pubDate>Fri, 09 May 2014 14:55:25 GMT</pubDate>
</channel>
</rss>


GET /cgi-bin/cgi_rss_out?uin=156839889 HTTP/1.1
User-Agent: ObjGameData
Host: feeds.qzone.qq.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Connection: close
Server: QZHTTP-2.38.18
Date: Fri, 09 May 2014 14:55:30 GMT
Content-Type: text/xml; charset=utf-8
Content-Length: 2828

<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type="text/xsl" href="hXXp://feeds.qzone.qq.com/rss.xsl" version="1.0"?>
<rss version="2.0" xmlns:qz="hXXp://qzone.qq.com">
<channel>
<title><![CDATA[Speed]]></title>
<description><![CDATA[Asm.........]]></description>
<link>hXXp://156839889.qzone.qq.com</link>
<lastBuildDate>Fri, 09 May 2014 14:55:30 GMT</lastBuildDate>
<generator>Qzone</generator>
<language>zh-cn</language>
<copyright>Copyright (C), 2005-2013, Tencent Tech. Co., Ltd.</copyright>
<pubDate>Fri, 25 Jan 2013 11:07:42 GMT</pubDate>
<item>
<title><![CDATA[......OK]]></title>
<link>hXXp://user.qzone.qq.com/156839889/blog/1359112062</link>
<description><![CDATA[******687474703A2F2F696D67382E70682E3132362E6E65742F776B4334574D4953794D56315F506B546F514E696F773D3D2F363539373730393638323432343333323336382E6A7067 ...]]></description>
<category><![CDATA[............]]></category>
<author><![CDATA[156839889@qq.com(Speed)]]></author>
<comments>hXXp://user.qzone.qq.com/156839889/blog/1359112062#comment</comments>
<qz:effect>8389120</qz:effect>
<pubDate>Fri, 25 Jan 2013 11:07:42 GMT</pubDate>
<guid>hXXp://user.qzone.qq.com/156839889/blog/1359112062</guid>
</item>
<item>
<title><![CDATA[123]]>

<<< skipped >>>

The Trojan connects to the servers at the following location(s):



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    WMIADAP.EXE:1568
    GetOS.dll:1376

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %System%\PerfStringBackup.INI (3361 bytes)
    %System%\wbem\Performance\WmiApRpl_new.ini (10 bytes)
    %System%\perfc009.dat (151 bytes)
    %System%\perfh009.dat (3509 bytes)
    %System%\PerfStringBackup.TMP (1471032 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\4922a.tmp (4545 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\492f7.tmp (1425 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\49480.tmp (3361 bytes)
    C:\GetOS.dll (226 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\492a8.tmp (3361 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\49431.tmp (4545 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\494bf.tmp (1425 bytes)
    %System%\fayasys.sys (32 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
