Gen.Variant.Barys.2621_50c967eef4

by malwarelabrobot on October 25th, 2014 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Barys.2621 (B) (Emsisoft), Gen:Variant.Barys.2621 (AdAware), Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericEmailWorm.YR, GenericInjector.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm, VirTool


This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: 50c967eef42832cb79c8740229bf6cab
SHA1: 4ddccd3c4734d67e0d56b94a913ea7999d433126
SHA256: e42c4e438e216699e7fbcf9717dfaeb90dfdde44059305b646484e9f302270eb
SSDeep: 196608:ixXCTGsYohPWR8/UOaMlxgDNOOgjIDlJ34F5IN:2XCijhRnIM4Pe8
Size: 7151616 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-10-01 15:53:48
Analyzed on: WindowsXPESX SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour: EmailWorm
Description: Worm can send e-mails.


Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:864

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:864 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\B4.tmp (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ip2city[1].htm (383 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B7.tmp (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B2.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B5.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B6.tmp (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B3.tmp (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hm3path.tmp (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hm2path.tmp (3 bytes)
%System%\DFkss.ini (34 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\B4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B7.tmp (0 bytes)
%System%\drivers\etc\hosts (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B3.tmp (0 bytes)

Registry activity

The process %original file name%.exe:864 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA D4 29 3A 11 1D F4 29 7A D4 37 75 07 B7 31 36"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE security-zone settings so that all local web nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             1666458       1667072   4.44563  05071716dc0b091118ba136d3772354c
.rdata  1671168          3662836       3665920   5.43853  71bac63b9cf15af6115cdd0183b0067f
.data   5337088          388721        110592    3.95719  90e53f1c8e2510c39f4642611594587a
.rsrc   5726208          26656         28672     2.88027  36f408cf13171154193caead28df0408
.vmp0   5754880          1559577       1560576   5.39927  5b26e85753f89140ea4544e42f962b9f
.vmp1   7315456          111304        114688    5.44117  1066013788bb0b7605865eed40da62b7

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://yd.ecoma.glb0.lxdns.com/ip2city.asp
hxxp://www.ip138.com/ip2city.asp 218.92.221.155
city.ip138.com 123.134.186.209


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0
ET POLICY Internal Host Getting External IP Address - ip2city.asp

Traffic

GET /ip2city.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: hXXp://VVV.ip138.com/ip2city.asp
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: VVV.ip138.com
Cache-Control: no-cache


HTTP/1.0 302 Moved Temporarily
Server: Cdn Cache Server V2.0
Date: Fri, 24 Oct 2014 03:44:42 GMT
Content-Length: 0
Location: hXXp://city.ip138.com/ip2city.asp


The Trojan connects to the servers at the following location(s):



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\B4.tmp (1425 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ip2city[1].htm (383 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B7.tmp (1425 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B2.tmp (4545 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B5.tmp (4545 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B6.tmp (3361 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B3.tmp (3361 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\hm3path.tmp (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\hm2path.tmp (3 bytes)
    %System%\DFkss.ini (34 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
