Gen.Variant.Strictor.66973_a4347ea798

by malwarelabrobot on November 2nd, 2015 in Malware Descriptions.

Gen:Variant.Strictor.66973 (B) (Emsisoft), Gen:Variant.Strictor.66973 (AdAware), Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: a4347ea798e49f935160505f16d4ac65
SHA1: 7a10f3f8449197132203a84ecc08fe7d73b87312
SHA256: d0524f8eaabe7809f6489d8e8a589950f0da8a4e5e5b0e6cb75b41048b1c3827
SSDeep: 49152:wTisOkp7aIg/V4ghOIVHGadHbQTecD9waN:Sisnp7aICV4ghOIVmadHxIZ
Size: 1794048 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6
Company: no certificate found
Created at: 2014-09-11 08:45:46
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The Trojan creates the following process(es):

%original file name%.exe:1756

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:

ZonesLockedCacheCounterMutex
ZonesCounterMutex
ZonesCacheCounterMutex
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
ESPI_GMEM_MUTEX 1.0
RasPbFile
ShimCacheMutex

File activity

The process %original file name%.exe:1756 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89RXH4Q1\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MP3B50BV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZWQWT2P\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZWQWT2P\shorten[1].htm (601 bytes)
%WinDir%\empty.exe (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6GZ47IH4\desktop.ini (67 bytes)
C:\ESPI11.dll (122 bytes)
%System%\ESPI11.dll (601 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZWQWT2P\shorten[1].htm (0 bytes)
C:\ESPI11.dll (0 bytes)

Registry activity

The process %original file name%.exe:1756 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003]
"PackedCatalogItem" = "43 3A 5C 57 49 4E 44 4F 57 53 5C 73 79 73 74 65"

[HKLM\System\CurrentControlSet\Services\WinSock2\ESPI11]
"1002" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
"1003" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Services\WinSock2\ESPI11]
"1001" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\System\CurrentControlSet\Services\WinSock2\ESPI11]
"1004" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
"1005" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005]
"PackedCatalogItem" = "43 3A 5C 57 49 4E 44 4F 57 53 5C 73 79 73 74 65"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004]
"PackedCatalogItem" = "43 3A 5C 57 49 4E 44 4F 57 53 5C 73 79 73 74 65"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
"PackedCatalogItem" = "43 3A 5C 57 49 4E 44 4F 57 53 5C 73 79 73 74 65"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C 4E A6 49 7E AE BB 50 17 43 D0 3C E1 40 42 F7"

[HKLM\System\CurrentControlSet\Services\WinSock2\ESPI11]
"FileName" = "%System%\ESPI11.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002]
"PackedCatalogItem" = "43 3A 5C 57 49 4E 44 4F 57 53 5C 73 79 73 74 65"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
b4c2caaa15d4e505ad2858ab15eafb58 c:\WINDOWS\system32\ESPI11.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ????????
Product Name: ????????
Product Version: 1.0.0.2
Legal Copyright: ???????? ????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.2
File Description: ????????
Comments: ????????
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 1196690 1200128 4.4318 8c0a20710bf11389b9601b40cb74c9dc
.rdata 1204224 415204 417792 3.88417 1ae50e80ee33e61c16e7b8d23937b2f4
.data 1622016 515946 131072 4.11024 f1e46c6fbd35b8074e98ce770b9c0bed
.rsrc 2138112 39184 40960 3.84044 04374b1f55aba9d7ed1cff5f18c57c4c

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://XfPrCz6TBB77G2jVnVxIRK8jlGyIuwwt.waf.aliyun.com/v1/data/link_conv/rd_dispatcher.php?orig_link=
hxxp://www.waqiang.com/index.php/url/shorten 110.76.38.82
hxxp://www.rdcnzz.com/v1/data/link_conv/rd_dispatcher.php?orig_link= 140.205.155.57


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0

Traffic

POST /index.php/url/shorten HTTP/1.1
Referer: hXXp://VVV.waqiang.com/index.php/url/shorten
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: VVV.waqiang.com
Content-Length: 23
Cache-Control: no-cache

url=hXXp://52shuacf.com
HTTP/1.1 200 OK
Date: Sun, 01 Nov 2015 02:21:26 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Set-Cookie: PHPSESSID=ig3fcfjcqfhs52lbl672079de0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6568
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "htt
p://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xm
lns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-eq
uiv="Content-Type" content="text/html; charset=utf-8" />..<title
>..................................................................
............</title>..<meta name="description" content=".....
......................................................................
......................................................................
..............................................................140.....
........................." /> ..<meta name="keywords" content=".
................. ..................  ............  ..................
...... ........................ ............ .................. ......
.................." /> ..<link type="text/css" rel="stylesheet" 
href="/themes/url/style.css" />..<!--[if IE 6]>...<script 
type="text/javascript" src="/themes/url/DD_belatedPNG.js" ></scr
ipt>...<script type="text/javascript">...DD_belatedPNG.fix('#
footer');...</script>..<![endif]-->..</head>..<bo
dy>..<div class="logo"><a href="/index.php/url/index">.
....................</a></div><script type="text/javasc
ript">..    function checkform_shorten(){...var v = document.getEle
mentById('url').value;...if(v == '' || v == 'hXXp://') {....alert('...
..............................');....document.getElementById('url'
<<< skipped >>>


GET /v1/data/link_conv/rd_dispatcher.php?orig_link= HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.rdcnzz.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: Tengine/2.0.3
Date: Sun, 01 Nov 2015 02:21:25 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
Vary: Accept-Encoding
HTTP/1.1 200 OK..Server: Tengine/2.0.3..Date: Sun, 01 Nov 2015 02:21:2
5 GMT..Content-Type: text/html..Content-Length: 0..Connection: keep-al
ive..Vary: Accept-Encoding..

The Trojan connects to the servers at the folowing location(s):

%original file name%.exe_1756:

.text
`.rdata
@.data
.rsrc
t$(SSh
~%UVW
u$SShe
kernel32.dll
wininet.dll
user32.dll
gdiplus.dll
ws2_32.dll
gdi32.dll
shlwapi.dll
msimg32.dll
comctl32.dll
COMCTL32.DLL
GdiPlus.dll
ole32.dll
Gdiplus.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
MsgWaitForMultipleObjects
GdiplusShutdown
GdipSetPenLineJoin
GdipGetPenLineJoin
GdipSetStringFormatHotkeyPrefix
GdipGetStringFormatHotkeyPrefix
{B6F7542F-B8FE-46a8-9605-98856A687097}
crossfire.exe
\ESPI11.dll
.inidata
@.reloc
CNotSupportedException
CCmdTarget
commctrl_DragListMsg
__MSVCRT_HEAP_SELECT
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
WS2_32.dll
COMCTL32.dll
GetCPInfo
UnhookWindowsHookEx
SetWindowsHookExA
GetKeyState
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GDI32.dll
WINSPOOL.DRV
comdlg32.dll
SHELL32.dll
SWNPM.dll
.PAVCException@@
.PAVCArchiveException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
4"5(5,50545
8!8/878=8
3"32383|3"4
2 3=3Q3^3h3r3z3
4 41484[4}4
9$9(9,90989
<0=4=8=<=
2010057101
2010053601
2010044501
2010044601
2010037901
2010038001
2010042601
2010053701
2010042701
2010040701
2010049501
2010058801
2010024104
2010013804
2010013304
2010014304
2010009504
2010018404
2010014204
2010042204
2010010404
2010008504
2010014104
2010046301
2010046401
2010016303
2010016404
2010035303
2010012204
2010023004
2010015504
2010019202
2010015604
2010019402
2010019302
2010039701
2010039601
2010039401
2010039301
2010027102
2010027002
2010007104
2010012104
2010012803
2010012903
2010012703
2010013104
2010009904
2010010004
2010010104
2010006104
2010006204
2010006304
2010008404
1000001101
1000001301
1000001501
1000001201
2010028102
2010018904
2010037201
2010037101
2010014704
2010014401
2010018803
2010036001
1000003403
1000000901
1000001401
1000000501
1000000701
1000000804
1000001001
1000002001
1000002103
1000002201
1000002703
1000002903
1000003003
1000003103
1000003203
2010035504
2010008104
2010010704
2010007504
2010044804
2010037701
2010041801
2010011104
2010022602
2010056103
2010029504
2010044904
2010031004
2010028904
2010026704
2010042304
2010015404
2010009304
2010034304
2010047704
2010054304
2010054001
2010053901
2010054101
2010054604
2010029701
2010006004
2010051105
hXXp://52shuacf.com
/soft.txt
hXXp://VVV.rdcnzz.com/v1/data/link_conv/rd_dispatcher.php?orig_link=
<script>window.location
hXXp://VVV.waqiang.com/index.php/url/shorten
readonly="readonly" value="hXXp://t.cn/
hXXp://t.cn/
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
http=
https
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
HTTP/1.1
hXXps://
hXXp://
----546258
----125845
----404117
----080191
----397495
----767377
----599731
----103255
----223293
----139403
----514900
----448821
----543935
----544612
----944309
----821015
----424679
----802840
----977270
----542651
----455645
----784651
----487418
----184152
Adobe Photoshop CS5 Windows
2014:04:06 17:29:23
urlTEXT
MsgeTEXT
hXXp://ns.adobe.com/xap/1.0/
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:crs="hXXp://ns.adobe.com/camera-raw-settings/1.0/" xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:dc="hXXp://purl.org/dc/elements/1.1/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#" crs:AlreadyApplied="True" photoshop:ColorMode="3" xmp:CreateDate="2014-04-06T17:27:52 08:00" xmp:ModifyDate="2014-04-06T17:29:23 08:00" xmp:MetadataDate="2014-04-06T17:29:23 08:00" dc:format="image/jpeg" xmpMM:InstanceID="xmp.iid:34EA24EB6DBDE311A59BB4935657BAC0" xmpMM:DocumentID="xmp.did:32EA24EB6DBDE311A59BB4935657BAC0" xmpMM:OriginalDocumentID="xmp.did:34EA24EB6DBDE311A59BB4935657BAC0"> <xmpMM:History> <rdf:Seq> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:34EA24EB6DBDE311A59BB4935657BAC0" stEvt:when="2014-04-06T17:29:23 08:00" stEvt:softwareAgent="Adobe Photoshop CS5 Windows" stEvt:changed="/"/> </rdf:Seq> </xmpMM:History> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="w"?>
.yU,g
hXXp://f1.freep.cn/170_529394/new/
`hXXp://VVV.2345.com/?k83824709
127.0.0.1
@ping 127.0.0.1 -n
del Restart.bat
\Restart.bat
0.0.0.0
\empty.exe
`.data
could not empty working set for process #%d [%s]
could not empty working set for process #%d
USAGE: empty.exe {pid | task-name}
AdjustTokenPrivileges failed with %d
LookupPrivilegeValue failed with %d
OpenProcessToken failed with %d
empty.pdb
msvcrt.dll
CloseWindowStation
SetProcessWindowStation
OpenWindowStationA
GetProcessWindowStation
EnumWindows
EnumWindowStationsA
ntdll.dll
OLEAUT32.dll
?{B96B3CAF-0728-11D3-9D7B-0000F81EF32E}
=@{B96B3CAB-0728-11D3-9D7B-0000F81EF32E}
0008<=!"
$%'''000'''!"
0007<;387 0/& *& *& *#('!&%
453453$%#
2014:07:11 14:34:03
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:crs="hXXp://ns.adobe.com/camera-raw-settings/1.0/" xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:dc="hXXp://purl.org/dc/elements/1.1/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#" crs:AlreadyApplied="True" photoshop:ColorMode="3" xmp:CreateDate="2014-07-11T11:19:42 08:00" xmp:ModifyDate="2014-07-11T14:34:03 08:00" xmp:MetadataDate="2014-07-11T14:34:03 08:00" dc:format="image/jpeg" xmpMM:InstanceID="xmp.iid:8A2F9743C508E411826BA62B5A8B94C8" xmpMM:DocumentID="xmp.did:892F9743C508E411826BA62B5A8B94C8" xmpMM:OriginalDocumentID="xmp.did:892F9743C508E411826BA62B5A8B94C8"> <xmpMM:History> <rdf:Seq> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:892F9743C508E411826BA62B5A8B94C8" stEvt:when="2014-07-11T14:34:03 08:00" stEvt:softwareAgent="Adobe Photoshop CS5 Windows" stEvt:changed="/"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:8A2F9743C508E411826BA62B5A8B94C8" stEvt:when="2014-07-11T14:34:03 08:00" stEvt:softwareAgent="Adobe Photoshop CS5 Windows" stEvt:changed="/"/> </rdf:Seq> </xmpMM:History> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="w"?>
}4D%U
ckk.pc
g.Xc 
1.2.18
inflate 1.1.3 Copyright 1995-1998 Mark Adler
%*.*f
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
MSWHEEL_ROLLMSG
MSVFW32.dll
AVIFIL32.dll
RASAPI32.dll
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
VERSION.dll
GetProcessHeap
WinExec
EnumChildWindows
CreateDialogIndirectParamA
GetViewportOrgEx
GetViewportExtEx
MSIMG32.dll
RegCreateKeyA
RegDeleteKeyA
RegCreateKeyExA
RegEnumKeyA
RegOpenKeyA
ShellExecuteA
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
%s\ESPI%d.dll
hXXp://dywt.com.cn
[email protected]
 86(0411)88995834
 86(0411)88995831
Windows
(ESPINN.dll(NN
This is a runtime library file for EPL applications. The EPL is a software development environment. For details please visit VVV.dywt.com.cn/info
CallerInfoCopyCmd
SetIPPort
GetIPPort
"C:\Windows\System32\ESPI11.dll"
ProviderInstallCopyCmd
SockDataCopyCmd
SockAddrCopyCmd
enetintercept_fnSockAddrSetIPPort
enetintercept_fnSockAddrGetIPPort
enetintercept_fnInstallCopyCmd
enetintercept_fnSockDataCopyCmd
enetintercept_fnSockAddrCopyCmd
enetintercept_fnCallerInfoCopyCmd
hXXp://VVV.eyuyan.com
 86(0411)39895834
 86(0411)39895831
DelAllKeyValues
DelKeyValue
GetAllKeys
GetKeyValue
AddKeyValue
DSGetErrMsg
BiTreeGetCurNodeKey
ListGetCurNodeKey
ListUpdateNodeFromKey
ListRemoveNodeFromKey
edatastructure_fnMapDelAllKeyValues
edatastructure_fnMapDelKeyValue
edatastructure_fnMapGetAllKeys
edatastructure_fnMapGetKeyValue
edatastructure_fnMapAddKeyValue
edatastructure_fnBiTreeGetCurNodeKey
edatastructure_fnListGetCurNodeKey
edatastructure_fnListUpdateNodeFromKey
edatastructure_fnListRemoveNodeFromKey
(*.avi)|*.avi
WPFT532.CNV
WPFT632.CNV
EXCEL32.CNV
write32.wpc
Windows Write
mswrd632.wpc
Word for Windows 6.0
wword5.cnv
Word for Windows 5.0
mswrd832.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
html32.cnv
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
VVV.dywt.com.cn
.PAVCResourceException@@
.PAVCUserException@@
zcÁ
adonly="readonly" value="hXXp://t.cn/
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
(2004-2010)
5.2.3790.0 built by: dnsrv_dev(v-smgum)
empty.exe
Windows
Operating System
5.2.3790.0
(*.*)
1.0.0.2


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1756

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89RXH4Q1\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MP3B50BV\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZWQWT2P\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZWQWT2P\shorten[1].htm (601 bytes)
    %WinDir%\empty.exe (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6GZ47IH4\desktop.ini (67 bytes)
    C:\ESPI11.dll (122 bytes)
    %System%\ESPI11.dll (601 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now