Gen.Variant.Graftor.2540_1c0f9025e8
HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Graftor.2540 (B) (Emsisoft), Gen:Variant.Graftor.2540 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 1c0f9025e87aae814eb87ab32e49bf4e
SHA1: 7ff4aef8e15cd33219ac41e78f4b90e847a6a597
SHA256: 11ce55c9af9384dc3ac15d2a33c1597b80efdd15876125707b9e7539a5a6807c
SSDeep: 49152:m6SodEuj8VwcZmOuEJgjF7ktFWezv20lK2AlppMRm1X1SQ0dynDS:JSouuj8eCmOuEJ6kqW2ZpL1leyDS
Size: 4104192 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PolyEnE001byLennartHedlund, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6
Company: no certificate found
Created at: 2014-08-11 10:27:40
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan-PSW. Trojan program intended for stealing users' passwords.
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:584
5336¼«¿ÃÂ.exe:1724
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:584 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Fonts\5336¼«¿ÃÂ.exe (17629 bytes)
%Documents and Settings%\%current user%\My Documents\SVCHOST.exe (3699 bytes)
The process 5336¼«¿ÃÂ.exe:1724 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Õâ¸ö.sys (18 bytes)
Registry activity
The process %original file name%.exe:584 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 52 41 EF 94 AF 14 15 EF ED FE 16 D4 98 63 B7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\My Documents]
"svchost.exe" = "易语言程序"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The process 5336¼«¿ÃÂ.exe:1724 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 D6 AD 1B D8 DC B5 47 07 EB 40 2A FE E9 8E 29"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.2345.com/?ktt659189"
[HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Î񵀮ô¶¯ÃÂî" = "%Documents and Settings%\Administrator\¡¸¿ªÊ¼¡¹²Ëµ¥\³ÌÃÂò\Æô¶¯\IEXPLORE.exe"
Dropped PE files
| MD5 | File path |
|---|---|
| 42b23743e20c12d6e101e513bf87097f | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Õâ¸ö.sys |
| 659c2355c7bfc03e20bf94cfc9d7db80 | c:\Documents and Settings\"%CurrentUserName%"\My Documents\SVCHOST.exe |
| 65236a140ef2f52fc8691148f74a2fd4 | c:\WINDOWS\Fonts\5336¼«¿Ã.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following kernel-mode hooks:
ZwQuerySystemInformation
ZwReadVirtualMemory
ZwWriteVirtualMemory
Propagation
VersionInfo
Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 433006 | 434176 | 4.54187 | dfcd456bcb66c166cb0bb21c298e969f |
| .rdata | 438272 | 3572982 | 3575808 | 4.95199 | 33c56e5cbea00b9379f44961a4c6ff18 |
| .data | 4014080 | 199722 | 61440 | 3.32314 | 4cac040f4174f6f8ea5d0f7b8dab95b6 |
| .rsrc | 4214784 | 26868 | 28672 | 3.66791 | 62ae8c11e5b2b5f2992eea32881ea50d |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://yy.com/ | |
| hxxp://cc00077.h.cnc.ccgslb.com.cn/js/plugins.js | |
| hxxp://cc00077.h.cnc.ccgslb.com.cn/img/loading.gif | |
| hxxp://cc00077.h.cnc.ccgslb.com.cn/js/webyy.js?v20.js | |
| hxxp://cc00077.h.cnc.ccgslb.com.cn/js/index.js?v15.0.js | |
| hxxp://cc00077.h.cnc.ccgslb.net/duowan.js | |
| hxxp://ylog.hiido.com/c.gif?act=web&zd=_2b1acc1@yy|_e3d75f1@yy|www@yy|&ui=0.15621836609516887&sp=0&fl=11&sl=0&ss=2&bs=6&mb=0&nw=0&fd=0&hiido=0&sn=0&ls=0&vr=15&ut=1415470029326&wd=0&passport=&sns=null | |
| hxxp://hm.e.shifen.com/h.js?34a908ea88275f6ef0a72588f9c0be86 | |
| hxxp://hm.e.shifen.com/hm.gif?cc=1&ck=1&cl=32-bit&ds=1276x846&et=0&fl=11.6&ja=1&ln=en-us&lo=0&nv=1&rnd=1182576063&si=34a908ea88275f6ef0a72588f9c0be86&st=1&v=1.0.68&lv=1&tt=频道 : 5336 | YY语音 | |
| hxxp://cc00077.h.cnc.ccgslb.com.cn/img/close.jpg | |
| hxxp://cc00077.h.cnc.ccgslb.com.cn/r/rc/main/main/1/43/main.swf | |
| hxxp://yy.com/crossdomain.xml | |
| hxxp://yy.com//get-data/5336?subSid=1705313832&type=main&_=39769061 | |
| hxxp://c3.web.yy.com/img/close.jpg | |
| hxxp://www.duowan.com/duowan.js | |
| hxxp://c2.web.yy.com/js/plugins.js | |
| hxxp://hm.baidu.com/hm.gif?cc=1&ck=1&cl=32-bit&ds=1276x846&et=0&fl=11.6&ja=1&ln=en-us&lo=0&nv=1&rnd=1182576063&si=34a908ea88275f6ef0a72588f9c0be86&st=1&v=1.0.68&lv=1&tt=频道 : 5336 | YY语音 | |
| hxxp://c3.web.yy.com/img/loading.gif | |
| hxxp://hm.baidu.com/h.js?34a908ea88275f6ef0a72588f9c0be86 | |
| hxxp://c1.web.yy.com/js/webyy.js?v20.js | |
| hxxp://c1.web.yy.com/js/index.js?v15.0.js | |
| hxxp://c1.web.yy.com/r/rc/main/main/1/43/main.swf | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY Outdated Windows Flash Version IE
Traffic
GET /js/plugins.js HTTP/1.1
Accept: */*
Referer: hXXp://yy.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c2.web.yy.com
Connection: Keep-Alive
Cookie: JSESSIONID=yf318d5bhhcj05o91xcm2ied6c6wa.yf3
HTTP/1.1 200 OK
Content-Type: application/x-javascript; charset=utf-8
Content-Encoding: gzip
Server: nginx
Date: Sat, 08 Nov 2014 15:48:23 GMT
Last-Modified: Thu, 28 Aug 2014 08:29:53 GMT
Expires: Sun, 09 Nov 2014 15:48:23 GMT
Cache-Control: max-age=86400
Age: 8284
Content-Length: 41729
Powered-By-ChinaCache: HIT from CNC-CC-b-3g7.3
GET /img/close.jpg HTTP/1.1
Accept: */*
Referer: hXXp://yy.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c3.web.yy.com
Connection: Keep-Alive
Cookie: JSESSIONID=yf318d5bhhcj05o91xcm2ied6c6wa.yf3; hiido_ui=0.15621836609516887; Hm_lvt_34a908ea88275f6ef0a72588f9c0be86=1415470045; Hm_lpvt_34a908ea88275f6ef0a72588f9c0be86=1415470045
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 08 Nov 2014 11:48:43 GMT
Content-Type: image/jpeg
Content-Length: 604
Last-Modified: Thu, 20 Feb 2014 07:37:14 GMT
Expires: Sun, 09 Nov 2014 11:48:43 GMT
Cache-Control: max-age=86400
Age: 22699
Powered-By-ChinaCache: HIT from CNC-DX-2-3g3.9
GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yy.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 08 Nov 2014 18:06:24 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: JSESSIONID=yf318d5bhhcj05o91xcm2ied6c6wa.yf3;Path=/
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Language: zh-CN
Content-Encoding: gzip
GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yy.com
Connection: Keep-Alive
Cookie: JSESSIONID=yf318d5bhhcj05o91xcm2ied6c6wa.yf3; hiido_ui=0.15621836609516887; Hm_lvt_34a908ea88275f6ef0a72588f9c0be86=1415470045; Hm_lpvt_34a908ea88275f6ef0a72588f9c0be86=1415470045
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 08 Nov 2014 18:07:14 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Thu, 20 Feb 2014 07:37:13 GMT
Content-Encoding: gzip
GET //get-data/5336?subSid=1705313832&type=main&_=39769061 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://c1.web.yy.com/r/rc/main/main/1/43/main.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yy.com
Connection: Keep-Alive
Cookie: JSESSIONID=yf318d5bhhcj05o91xcm2ied6c6wa.yf3; hiido_ui=0.15621836609516887; Hm_lvt_34a908ea88275f6ef0a72588f9c0be86=1415470045; Hm_lpvt_34a908ea88275f6ef0a72588f9c0be86=1415470045
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 08 Nov 2014 18:07:16 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 695
Connection: keep-alive
Set-Cookie: __wyy=d5707d6ff3d24401a7e02f7f2d1602fc;Path=/;Domain=.yy.com;Expires=Sun, 08-Nov-2015 18:07:16 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Accept-Charset: big5, big5-hkscs, compound_text, euc-jp, euc-kr, gb18030, gb2312, gbk, ibm-thai, ibm00858, ibm01140, ibm01141, ibm01142, ibm01143, ibm01144, ibm01145, ibm01146, ibm01147, ibm01148, ibm01149, ibm037, ibm1026, ibm1047, ibm273, ibm277, ibm278, ibm280, ibm284, ibm285, ibm297, ibm420, ibm424, ibm437, ibm500, ibm775, ibm850, ibm852, ibm855, ibm857, ibm860, ibm861, ibm862, ibm863, ibm864, ibm865, ibm866, ibm868, ibm869, ibm870, ibm871, ibm918, iso-2022-cn, iso-2022-jp, iso-2022-jp-2, iso-2022-kr, iso-8859-1, iso-8859-13, iso-8859-15, iso-8859-2, iso-8859-3, iso-8859-4, iso-8859-5, iso-8859-6, iso-8859-7, iso-8859-8, iso-8859-9, jis_x0201, jis_x0212-1990, koi8-r, koi8-u, shift_jis, tis-620, us-ascii, utf-16, utf-16be, utf-16le, utf-32, utf-32be, utf-32le, utf-8, windows-1250, windows-1251, windows-1252, windows-1253, windows-1254, windows-1255, windows-1256, windows-1257, windows-1258, windows-31j, x-big5-hkscs-2001, x-big5-solaris, x-euc-jp-linux, x-euc-tw, x-eucjp-open, x-ibm1006, x-ibm1025, x-ibm1046, x-ibm1097, x-ibm1098, x-ibm1112, x-ibm1122, x-ibm1123, x-ibm1124, x-ibm1364, x-ibm1381, x-ibm1383, x-ibm33722, x-ibm737, x-ibm833, x-ibm834, x-ibm856, x-ibm874, x-ibm875, x-ibm921, x-ibm922, x-ibm930, x-ibm933, x-ibm935, x-ibm937, x-ibm939, x-ibm942, x-ibm942c, x-ibm943, x-ibm943c, x-ibm948, x-ibm949, x-ibm949c, x-ibm950, x-ibm964, x-ibm970, x-iscii91, x-iso-2022-cn-cns, x-iso-2022-cn-gb, x-iso-8859-11, x-jis0208, x-jisautodetect, x-johab, x-macarabic, x-maccentraleurope, x-maccroatian, x-maccyrillic, x-macdingbat, x-macgreek, x-machebrew, x-maciceland, x-macroman, x-macromania, x-macsymbol, x-macthai, x-macturkish, x-macukraine, x-ms932_0213, x-ms950-hkscs, x-ms950-hkscs-xp, x-mswin-936, x-pck, x-sjis_0213, x-utf-16le-bom, x-utf-32be-bom, x-utf-32le-bom, x-windows-50220, x-windows-50221, x-windows-<<< skipped >>>
GET /img/loading.gif HTTP/1.1
Accept: */*
Referer: hXXp://yy.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c3.web.yy.com
Connection: Keep-Alive
Cookie: JSESSIONID=yf318d5bhhcj05o91xcm2ied6c6wa.yf3
HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 8543
Server: nginx
Date: Sat, 08 Nov 2014 09:24:13 GMT
Last-Modified: Thu, 20 Feb 2014 07:37:14 GMT
Expires: Sun, 09 Nov 2014 09:24:13 GMT
Cache-Control: max-age=86400
Age: 31337
Powered-By-ChinaCache: HIT from CNC-DX-2-3g3.8
GET /h.js?34a908ea88275f6ef0a72588f9c0be86 HTTP/1.1
Accept: */*
Referer: hXXp://yy.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: hm.baidu.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Set-Cookie: HMVT=34a908ea88275f6ef0a72588f9c0be86|1415470016|; Path=/; Domain=hm.baidu.com
Set-Cookie: HMACCOUNT=1030A188B5FEFB46; Path=/; Domain=hm.baidu.com; Expires=Sun, 18 Jan 2038 00:00:00 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Etag: 5b6992daf5016061c987b5d17dd4cf17
Cache-Control: max-age=0, must-revalidate
Content-Encoding: gzip
Content-Type: application/javascript
Connection: Keep-Alive
Content-Length: 6962
Date: Sat, 08 Nov 2014 18:06:56 GMT
Server: apache
GET /hm.gif?cc=1&ck=1&cl=32-bit&ds=1276x846&et=0&fl=11.6&ja=1&ln=en-us&lo=0&nv=1&rnd=1182576063&si=34a908ea88275f6ef0a72588f9c0be86&st=1&v=1.0.68&lv=1&tt=频道 : 5336 | YY语音 HTTP/1.1
Accept: */*
Referer: hXXp://yy.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: hm.baidu.com
Connection: Keep-Alive
Cookie: HMVT=34a908ea88275f6ef0a72588f9c0be86|1415470016|; HMACCOUNT=1030A188B5FEFB46
HTTP/1.1 200 OK
Cache-Control: private, max-age=0, no-cache
Pragma: no-cache
Content-Type: image/gif
X-Content-Type-Options: nosniff
Connection: Keep-Alive
Content-Length: 43
Date: Sat, 08 Nov 2014 18:07:02 GMT
Server: apache
GET /js/webyy.js?v20.js HTTP/1.1
Accept: */*
Referer: hXXp://yy.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c1.web.yy.com
Connection: Keep-Alive
Cookie: JSESSIONID=yf318d5bhhcj05o91xcm2ied6c6wa.yf3
HTTP/1.1 200 OK
Content-Type: application/x-javascript; charset=utf-8
Content-Encoding: gzip
Server: nginx
Date: Sat, 08 Nov 2014 17:08:27 GMT
Last-Modified: Thu, 28 Aug 2014 08:29:53 GMT
Expires: Sun, 09 Nov 2014 17:08:27 GMT
Cache-Control: max-age=86400
Age: 3492
Content-Length: 4645
Powered-By-ChinaCache: HIT from CNC-CC-b-3g8.1
GET /js/index.js?v15.0.js HTTP/1.1
Accept: */*
Referer: hXXp://yy.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c1.web.yy.com
Connection: Keep-Alive
Cookie: JSESSIONID=yf318d5bhhcj05o91xcm2ied6c6wa.yf3
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 08 Nov 2014 13:08:12 GMT
Content-Type: application/x-javascript; charset=utf-8
Last-Modified: Thu, 30 Oct 2014 09:19:08 GMT
Expires: Sun, 09 Nov 2014 13:08:12 GMT
Cache-Control: max-age=86400
Content-Encoding: gzip
Age: 17909
Content-Length: 1326
Powered-By-ChinaCache: HIT from CNC-CC-b-3g8.1
GET /duowan.js HTTP/1.1
Accept: */*
Referer: hXXp://yy.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.duowan.com
Connection: Keep-Alive
HTTP/1.0 200 OK
Content-Type: application/x-javascript; charset=utf-8
Vary: Accept-Encoding
Content-Encoding: gzip
Server: nginx
Date: Sat, 08 Nov 2014 18:05:12 GMT
Last-Modified: Tue, 04 Nov 2014 03:03:52 GMT
ETag: "54584218-27b2"
Expires: Sat, 08 Nov 2014 18:10:12 GMT
Cache-Control: max-age=300
X-UA-Compatible: IE=EmulateIE7
Age: 90
Content-Length: 4690
Powered-By-ChinaCache: HIT from CNC-LQ-h-3W7.11
Connection: keep-alive
GET /c.gif?act=web&zd=_2b1acc1@yy|_e3d75f1@yy|www@yy|&ui=0.15621836609516887&sp=0&fl=11&sl=0&ss=2&bs=6&mb=0&nw=0&fd=0&hiido=0&sn=0&ls=0&vr=15&ut=1415470029326&wd=0&passport=&sns=null HTTP/1.1
Accept: */*
Referer: hXXp://yy.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ylog.hiido.com
Connection: Keep-Alive
HTTP/1.1 200 OK
GET /r/rc/main/main/1/43/main.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://yy.com/
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c1.web.yy.com
Connection: Keep-Alive
Cookie: JSESSIONID=yf318d5bhhcj05o91xcm2ied6c6wa.yf3; hiido_ui=0.15621836609516887; Hm_lvt_34a908ea88275f6ef0a72588f9c0be86=1415470045; Hm_lpvt_34a908ea88275f6ef0a72588f9c0be86=1415470045
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 08 Nov 2014 09:09:47 GMT
Content-Type: application/x-shockwave-flash;charset=UTF-8
Content-Length: 10735
Last-Modified: Wed, 20 Nov 2013 02:27:55 GMT
Expires: Sun, 09 Nov 2014 09:09:47 GMT
Cache-Control: max-age=86400
Age: 32238
Powered-By-ChinaCache: HIT from CNC-CC-b-3g8.2
The Trojan connects to the servers at the following location(s):
.text
`.rdata
@.data
.rsrc
t$(SSh
~%UVW
u$SShe
MsgWaitForMultipleObjects
|$D.tm
KERNEL32.DLL
kernel32.dll
ntdll.dll
psapi.dll
GetAsyncKeyState
{E5000198-4471-40e2-92BC-D0BA075BDBB2}\rsr.ini
\EyLogin.dll
.upx0
.upx1
.reloc
@.rsrc
u[K^.tW
3.WL8^
.zf38
.lG;O
^%7s*j
.>%U$
=a6%u7
.Kb3|6
#;%C
_.jp[
CMD]z
k.wR:H2
Y>4s%C
U`.yX
-j}PM
xIC^6*%F
JgJ%F
-Km492:-B}a
[email protected]?:
5.PsWF<
.Vb<h
4.IJ:'
Hic.uF|)}
[I.NXRL
].zFb
9.Oq2K
ZNf%d
7a.QO!
AP.HO
&kÞ
4\Ï
#=-
h%u@8
W::%d
fn.mz
.lH))
.IPbD>)
\_Eß
.Kh$
w_o%F
".ol%
-ZKPf}
;.GO?q
.RC6)
%S!z
}oI.du
4%u8*
'.aG~{\.jNP'
IPHLPAPI.DLL
ADVAPI32.dll
CKERNEL32.dll
RegEnumKeyExW
ole32.dll
}..RfyK
%DH!U
{%dMMcbtMxY%S,D9@p,l
9%9SE
OLEAUT32.dll
.laWZNI
%USER32.dll
.li}\
.toSZZ]({LWLDAP32.dll
.KT\B
c.Muk
di[%D
[d!%dl
.JR'j
4.nr7=
;)
6S%S=
:.bwJ
w.qh)
Fy.Jsw Qg
.cZf{Kk.kGO
K^%s,
JjÂ
IL.JDb<IM
.KxkNGv
k.iA.
sc|eO%SN
8{.Vb8.Tef
3.mJ{;.Nq<>
*.wJa
{\%.UGU| S%UL'
[".iL
M3M!*#
g.xwM
.kFR*
1YK,M.LG
E647%C
".aO!
{.Pj7Pm!.CO
N.KI?8
>.ZgJ
%D&O[
d.zL#
Q2.rJ
^Q.rV
k.Rh<
g{Z%s5.jTt
.gERS
Q%XL?a
a.Uq@
q&.Pz
.rAuz0
7;J3$.NP@
Rj.Jf
Psr%UG7
%SUi2
r:.YC
fv\b.nff
%u]Q\=
: :$:(:,:0:4:8:<:|:
3,4044484<4
9™9C9U9
9 9$9(9,9094989
7%7S7p7
2 2$2(2,2
9-9}9
6!7?7]7{79 =1=7=@=1>8>
9':,:(;-;
=!>3>;?@?
3$3/363=3
2 3?3L3
9!: :0:?:
=%>*>5>>>
: :(:0:|:
0 0@0`0|0
0$0(0,0004080
1 1$1(1,181|4
d.hJq|
user32.dll
:.NA5
WS2_32.dll
GetCpuID
SetAppKey
UserLogin
UserLoginSingle
EyLogin.DLL
%x,3;<-R
9XVs8%u?
.Rewv
T.oc >
.KmrK
%SA{MT"H.Lc4u,L
L(#%f>I
%uf`[x
\fuwuw\trunk\EyLogin\Vs2008\EyLogin\EyLogin\Release\EyLogin.pdb
'%APPID%' = s 'EyLogin'
'EyLogin.DLL'
EyLogin.EyLoginSoft.1 = s 'EyLoginSoft Class'
CLSID = s '{C691BF80-87AF-43A7-AD56-28D5DA857FBD}'
EyLogin.EyLoginSoft = s 'EyLoginSoft Class'
CurVer = s 'EyLogin.EyLoginSoft.1'
ForceRemove {C691BF80-87AF-43A7-AD56-28D5DA857FBD} = s 'EyLoginSoft Class'
ProgID = s 'EyLogin.EyLoginSoft.1'
VersionIndependentProgID = s 'EyLogin.EyLoginSoft'
'TypeLib' = s '{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}'
stdole2.tlbWWW
O~EyLoginW
EyLoginSoftWd
IEyLoginSoftd
SetAppKeyWWW
appKeyWWd
UserLoginWWW
interfaceKeyd
9UserLoginSingleW
@LGetCpuIDd
keyWd
EyLogin 1.0
EyLoginSoft ClassW
IEyLoginSoft
Created by MIDL version 7.00.0500 at Tue May 20 12:58:25 2014
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
1.8.8
\EyLogin.dll"
EyLogin.EyLoginSoft
hXXp://VVV.2345.com/?ktt659189
DNF.exe
hXXp://yy.com/#9050/373700640
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CNotSupportedException
%*.*f
CCmdTarget
__MSVCRT_HEAP_SELECT
GetProcessHeap
WinExec
KERNEL32.dll
GetKeyState
USER32.dll
GetViewportOrgEx
GDI32.dll
WINMM.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
ShellExecuteA
SHELL32.dll
COMCTL32.dll
oledlg.dll
GetCPInfo
UnhookWindowsHookEx
SetWindowsHookExA
CreateDialogIndirectParamA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
RegCreateKeyExA
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
.PAVCException@@
%s:%d
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
(*.*)|*.*||
windows
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
%d / %d
%d/%d
out.prn
(*.prn)|*.prn|
%d.%d
.PAVCNotSupportedException@@
(%d-%d):
Bogus message code %d
(&07-034/)7 '
%ld%c
(*.htm;*.html)|*.htm;*.html
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCUserException@@
.PAVCArchiveException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCOleException@@
.PAVCOleDispatchException@@
zcÁ
#include "l.chs\afxres.rc" // Standard components
\IEXPLORE.exe
software\microsoft\windows\CurrentVersion\Run\
h.rdata
H.data
.vmp0
b.kjlkasj
".reloc
DNF.EXE
ntoskrnl.exe
HAL.dll
I:\!S
hXXp://VVV.2345.com/?kyy9050
shlwapi.dll
TenSafe.exe
QQDL.exe
TXPlatform.exe
QQLogin.exe
SOFTWARE\DNF\TerSafe.dll\
SOFTWARE\DNF\TerSafe.EXE\
taskkill /f /im DNF.exe.manifest
WINDOWS\svstem32\TesSafe.svs\
WINDOWS\svstem32\TesSafe.sys\
\DNF.cfg.spk
\BugTrace.ini
\BugTrace.log
\DNF.exe.manifest.spk
\start\BugTrace.cfg
\start\BugTrace.log
\start\BugTrace.dll.spk
\start\TenProtect\BugTrace.cfg
\start\TenProtect\BugTrace.ini
\start\TenProtect\BugTrace.dll.spk
\loginInfo.inf
\DNF_CHINA.cfg
\Tenio.ini
\TenioCs.ini
\TenioPath.ini
\TenioTS.ini
\version.inf
\DNF.cfg
\start\InstallPerformance.txt
\start\BugTrace.ini
\start\Tenio.ini
\start\UserSetting.ini
WChannelScript.pvf
\DNF.exe.manifest
\*.keyset
\start\TenProtect\*.dmp
\*.trc
\*.zip
Tensp.dll
2039389
1044950
1044980
dnf.exe
Super-EC
hXXp://VVV.super-ec.cn
hXXp://VVV.eyybc.com
/forum-17-1.html
/forum-12-1.html
/memcp.php
/ip.asp
/time.asp
/gonggao.txt
/ec-user6.php
/ec-bd.php
/ec-jh.php
hXXp://VVV.super-ec.cn
<input type="text" name="field_2new" size="25" value="" disabled class="txt" />
" class="txt" />
Function Getcpuid()
Set cpuSet = GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_Processor")
getcpuid=cpu.ProcessorId
\Device\\\.\
F%*.*f
MSWHEEL_ROLLMSG
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
GetWindowsDirectoryA
RegisterHotKey
UnregisterHotKey
RegCreateKeyA
WININET.dll
<tr><td bgcolor=buttonface>Y</td><td bgcolor=white>%d</td></tr>
<tr><td bgcolor=buttonface>X</td><td bgcolor=white>%d</td></tr>
<tr><td bgcolor=buttonface>Height</td><td bgcolor=white>%d</td></tr>
<tr><td bgcolor=buttonface>Width</td><td bgcolor=white>%d</td></tr>
<tr><td bgcolor=buttonface>RECT</td><td bgcolor=white>(%d, %d)-(%d, %d)</td></tr>
<tr><td bgcolor=buttonface>Styles</td><td bgcolor=white>0xX</td></tr>
<tr><td bgcolor=buttonface>Control ID</td><td bgcolor=white>%d</td></tr>
<tr><td bgcolor=buttonface>Handle</td><td bgcolor=white>0xX</td></tr>
.comment {color:green}burlywood
\winhlp32.exe
%d%d%d
rundll32.exe shell32.dll,
\SVCHOST.exe
u.hh{G
hXXp://yy.com/#5336/1705313832
YY.exe
hXXp://VVV.yy.com/go.html#5336
EnumWindows
VVV.dywt.com.cn
SVCHOST.EXE
AE814EB87AB32E49BF4E.EXE
c:\%original file name%.exe
&-.TXLpzs 2,
"* 15!'#
1, 0, 2, 2
EyLogin.dll
(*.*)
1.0.0.0
(hXXp://VVV.eyuyan.com)
\SystemRoot\system32\ntkrnlpa.exe
\SystemRoot\system32\ntoskrnl.exe
SVCHOST.exe_892:
.text
`.rdata
@.data
.rsrc
t$(SSh
~%UVW
u.hh{G
u$SShe
hXXp://yy.com/#5336/1705313832
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CNotSupportedException
%*.*f
CCmdTarget
ole32.dll
__MSVCRT_HEAP_SELECT
user32.dll
GetProcessHeap
WinExec
KERNEL32.dll
GetKeyState
USER32.dll
GetViewportOrgEx
GDI32.dll
WINMM.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
OLEAUT32.dll
COMCTL32.dll
oledlg.dll
WS2_32.dll
GetCPInfo
UnhookWindowsHookEx
SetWindowsHookExA
CreateDialogIndirectParamA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
RegCreateKeyExA
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
.PAVCException@@
%s:%d
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
(*.*)|*.*||
windows
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
%d / %d
%d/%d
out.prn
(*.prn)|*.prn|
%d.%d
.PAVCNotSupportedException@@
(%d-%d):
Bogus message code %d
(&07-034/)7 '
%ld%c
(*.htm;*.html)|*.htm;*.html
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCUserException@@
.PAVCArchiveException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCOleException@@
.PAVCOleDispatchException@@
zcÁ
%Documents and Settings%\%current user%\My Documents\SVCHOST.exe
#include "l.chs\afxres.rc" // Standard components
(*.*)
1.0.0.0
(hXXp://VVV.eyuyan.com)
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:584
5336¼«¿ÃÂ.exe:1724
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\Fonts\5336¼«¿ÃÂ.exe (17629 bytes)
%Documents and Settings%\%current user%\My Documents\SVCHOST.exe (3699 bytes)
%Documents and Settings%\%current user%\Application Data\Õâ¸ö.sys (18 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Î񵀮ô¶¯ÃÂî" = "%Documents and Settings%\Administrator\¡¸¿ªÊ¼¡¹²Ëµ¥\³ÌÃÂò\Æô¶¯\IEXPLORE.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
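The manual removal steps above, as a PowerShell host-triage script. This is an added example, not code from the Lavasoft report. It assumes: English profile folder names ("My Documents", "Application Data") or their Vista+ equivalents; that the Chinese characters in the file names and in the autorun value above are GBK text shown as Latin-1, so dropped files are matched by location and wildcard rather than by exact name; an HKCU Run check that the report did not mention, added as a precaution; and an elevated prompt. Without -Remove the script only reports what it finds.

```powershell
# Added triage script for the artifacts listed in the removal steps; not part of the report.
# Assumptions: English profile folder names, files matched by location + wildcard (the report's
# Chinese names are mojibake), HKCU Run checked in addition to the report's HKLM, elevated prompt.
param([switch]$Remove)

$win  = $env:SystemRoot
$prof = $env:USERPROFILE
$hits = New-Object System.Collections.ArrayList

function Add-Hit($type, $item) {
    [void]$hits.Add((New-Object PSObject -Property @{ Type = $type; Item = $item }))
}

# 1. Dropped files. None belong where the report found them: Windows keeps no .exe in Fonts,
#    the genuine svchost.exe lives in %SystemRoot%\system32, and an 18-byte ".sys" is a data
#    file, not a driver.
$fileGlobs = @(
    "$win\Fonts\5336*.exe",
    "$prof\My Documents\SVCHOST.exe",
    "$prof\Documents\SVCHOST.exe",
    "$prof\Application Data\*.sys",
    "$env:APPDATA\*.sys"
)
foreach ($g in $fileGlobs) {
    Get-ChildItem -Path $g -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object { Add-Hit 'File' $_.FullName }
}

# 2. Running copies of those files (the report saw PIDs 584 and 1724; PIDs differ per host).
Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path } | ForEach-Object {
    if ($_.Path -like "$win\Fonts\*.exe" -or
        $_.Path -like "$prof\*\SVCHOST.exe" -or
        $_.Name -like '5336*') {
        Add-Hit 'Process' "$($_.Id)|$($_.Path)"
    }
}

# 3. Autorun value. The report's Run value launches IEXPLORE.exe from the user's Startup folder;
#    the real browser lives under Program Files, so any Run value ending in \IEXPLORE.exe outside
#    Program Files is treated as this persistence entry regardless of the (mojibake) value name.
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')   # HKCU is an added precaution
foreach ($key in $runKeys) {
    $run = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $run) { continue }
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # PSPath, PSParentPath, ... are not values
        $data = [string]$p.Value
        if ($data -match '(?i)\\IEXPLORE\.exe"?\s*$' -and $data -notmatch '(?i)\\Program Files') {
            Add-Hit 'RunValue' "$key|$($p.Name)|$data"
        }
    }
}

# 4. Confirmation: ASCII strings the report lists from the dropped SVCHOST.exe. A match confirms
#    the file; no match does not clear it, because the packed dropper itself shows none of them.
$markers = @('yy.com/#5336', 'eyuyan.com', 'EyLogin', '2345.com/?k')
foreach ($h in @($hits | Where-Object { $_.Type -eq 'File' })) {
    $text  = [Text.Encoding]::ASCII.GetString([IO.File]::ReadAllBytes($h.Item))
    $found = $markers | Where-Object { $text.Contains($_) }
    $h | Add-Member -MemberType NoteProperty -Name Confirmed -Value ([bool]$found)
}

if ($hits.Count -eq 0) { Write-Host 'No artifacts from this report were found.'; return }
$hits | Format-Table -AutoSize

if ($Remove) {
    # Processes first so the files are not locked, then files, then the autorun value.
    foreach ($h in @($hits | Where-Object { $_.Type -eq 'Process' })) {
        Stop-Process -Id ([int]($h.Item -split '\|')[0]) -Force -ErrorAction SilentlyContinue
    }
    foreach ($h in @($hits | Where-Object { $_.Type -eq 'File' })) {
        Remove-Item -LiteralPath $h.Item -Force -ErrorAction SilentlyContinue
    }
    foreach ($h in @($hits | Where-Object { $_.Type -eq 'RunValue' })) {
        $parts = $h.Item -split '\|'
        Remove-ItemProperty -Path $parts[0] -Name $parts[1] -ErrorAction SilentlyContinue
    }
}
```

Run it once without -Remove and review the table, in particular the Confirmed column: a file that sits in one of the listed locations but contains none of the markers may still be the packed dropper, so decide on it by hash rather than by that column alone. Reboot after removal, as the steps above say, and re-run the script to confirm nothing was recreated.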