Gen.Variant.Strictor.82164_04433c711b
Gen:Variant.Strictor.82164 (B) (Emsisoft), Gen:Variant.Strictor.82164 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 04433c711b07a7fc83768d83f6d3d411
SHA1: 54572ec82018615df8f0769591630f10295ab0bd
SHA256: 9db245dd87f6c8443a3a05fd083965b03584f29ec09b2928c85001e76487ebd0
SSDeep: 12288:VAEmE5Up8075qqjaMyFuZCdScdgwEuoJYx:V7mE6yxqjlSuZCdXjOY
Size: 456192 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-04 15:35:59
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan-PSW: a Trojan program intended for stealing users' passwords.
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:464
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:464 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1276922814[1].htm (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
Registry activity
The process %original file name%.exe:464 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current]
"(Default)" = "%SystemRoot%\media\Windows XP Start.wav1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C F1 B7 D8 21 27 11 6B 86 5E 8F 9C CC 0E C1 55"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"%original file name%.exe" = "c:\%original file name%.exe"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name: Window ?????
Product Version: 1.0.0.0
Legal Copyright: Window ?????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: Window ?????
Comments: Window ?????
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 884736 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 888832 | 360448 | 357376 | 5.49289 | c70572046fb957009de474d2b6538f41 |
| .rsrc | 1249280 | 12288 | 8704 | 3.53421 | cfd5092d88323c9f3dca2a9e57643d28 |
| .rmnet | 1261568 | 90112 | 89088 | 1.14228 | 97651fa9d4cf70a70bbb109b9247f597 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://m.yy.com/zone/1276922814 | |
| hxxp://m.yy.com/zone/1276922814/ | |
| lgn.yy.com | |
| aq.yy.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /zone/1276922814 HTTP/1.1
Referer: hXXp://m.yy.com/zone/1276922814
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: m.yy.com
Cache-Control: no-cache
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 19 Jun 2015 23:11:48 GMT
Content-Type: text/html
Content-Length: 154
Connection: keep-alive
Location: hXXp://m.yy.com/zone/1276922814/
<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>......
GET /zone/1276922814/ HTTP/1.1
Referer: hXXp://m.yy.com/zone/1276922814
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: m.yy.com
Cache-Control: no-cache
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 19 Jun 2015 23:12:02 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Fri, 19 Jun 2015 23:12:02 GMT
1f11..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/199..
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1276922814[1].htm (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"%original file name%.exe" = "c:\%original file name%.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.