Gen.Variant.Symmi.45196_e32030bbec
HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Symmi.45196 (B) (Emsisoft), Gen:Variant.Symmi.45196 (AdAware), Trojan-Banker.Win32.Banker.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.Iconomon.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD (Lavasoft MAS)
Behaviour: Banker, Trojan, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: e32030bbecb8939847befd6e0832f074
SHA1: 68a4e0e18b7d26ccb3cce076cda7bbf6282107e9
SHA256: b5cd57687c41a81f84b4fe2e08fcb70e190f22dba560f2fdbefffc98932add12
SSDeep: 49152:3oHN0huFrxCh8ZmNAd3ricALqKh1XCfomNIRcoPEG53dMW5dUlgat:3oHvruNAd3riFqyX6oGIk 3dulx
Size: 2380256 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: ASPackv212, UPolyXv05_v6
Company: no certificate found
Created at: 2016-03-13 22:59:08
Analyzed on: WindowsXP SP3 32-bit
Summary:
Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:1276
Mutexes
The following mutexes were created/opened:
HGFSMUTEX
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
ShimCacheMutex
File activity
The process %original file name%.exe:1276 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\drivers\vdJzKrEN.sys (45 bytes)
%System%\drivers\etc\hosts (412 bytes)
The Trojan deletes the following file(s):
%System%\drivers\etcAB1MQ (0 bytes)
%System%\drivers\etc\hosts (0 bytes)
Registry activity
The process %original file name%.exe:1276 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E 5F 49 8C 9F D3 09 83 15 7A BF 5F A6 E9 AF 70"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
Dropped PE files
MD5 | File path |
---|---|
21fee2ef64bffc782988cf87031e8434 | c:\WINDOWS\system32\drivers\vdJzKrEN.sys |
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which maps host names to IP addresses and is consulted before any DNS lookup.
The modified file is 412 bytes in size. The following entries are added to the hosts file:
IP | Host name |
---|---|
162.212.181.233 | www.zhaowoool.com |
162.212.181.233 | zhaowoool.com |
162.212.181.233 | iiwoool.com |
162.212.181.233 | www.iiwoool.net |
162.212.181.233 | www.999cssf.net |
162.212.181.233 | 999cssf.net |
162.212.181.233 | www.qqqcssf.net |
162.212.181.233 | qqqcssf.net |
162.212.181.233 | woool578.com |
162.212.181.233 | www.woool578.com |
162.212.181.233 | wooolsf.com |
162.212.181.233 | www.wooolsf.com |
162.212.181.233 | www.917woool.com |
Rootkit activity
Using the driver "UNKNOWN", the Trojan monitors system registry operations by installing a registry notification callback.
Using the driver ROOTKITPATH, the Trojan replaces the IRP handlers of the NTFS file system driver to intercept the following file operations:
MJ_CREATE
MJ_SET_INFORMATION
Using the driver ROOTKITPATH, the Trojan replaces the IRP handlers of the FastFAT file system driver to intercept the following file operations:
MJ_CREATE
MJ_SET_INFORMATION
Propagation
VersionInfo
Company Name: ?????
Product Name: ?????
Product Version: Phoenixer
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.1.0.0
File Description: ??????????
Comments: ?????????
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 1196032 | 443392 | 5.54485 | 05049501b2fd372f9a407661c01a4e59 |
.itext | 1200128 | 8192 | 2560 | 5.49395 | d2ff3c9605797a41db277ebb706c83cf |
.data | 1208320 | 32768 | 14848 | 5.50368 | 5eeb1e77aacbdedf305d4bd217b4e92c |
.bss | 1241088 | 48776 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 1290240 | 16384 | 4608 | 5.48644 | ce631f41b1b1fe66645e61f65c1dd964 |
.tls | 1306624 | 60 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 1310720 | 4096 | 512 | 0.135766 | 90338cfe398fc208fc88340f478d06f8 |
.vmp0 | 1314816 | 65536 | 57856 | 5.5388 | 39750e2e023bd37c011e56175f66a5a1 |
.reloc | 1380352 | 81920 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 1462272 | 1822720 | 1554432 | 5.54407 | 766a6302041361ede92a5ba60a78d7e2 |
.aspack | 3284992 | 12288 | 10752 | 4.41809 | 62c923780e65434e0f77048b39b1b484 |
.adata | 3297280 | 4096 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
URL | IP |
---|---|
hxxp://a.fhdlq.com/Remote.txt | |
hxxp://pTK.fhdlq.com/Remote.txt | |
hxxp://c.fhdlq.com/Remote.txt | |
hxxp://b.fhdlq.com/Remote.txt | |
ptk.fhdlq.com | |
h.bbyyjy.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /Remote.txt HTTP/1.1
Host: pTK.fhdlq.com
Accept: text/html, */*
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)
HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Mon, 11 Apr 2016 12:28:20 GMT
Connection: close
Content-Length: 39

<h1>Bad Request (Invalid Hostname)</h1>
GET /Remote.txt HTTP/1.1
Host: b.fhdlq.com
Accept: text/html, */*
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)
HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Mon, 11 Apr 2016 12:28:15 GMT
Connection: close
Content-Length: 39

<h1>Bad Request (Invalid Hostname)</h1>
GET /Remote.txt HTTP/1.1
Host: c.fhdlq.com
Accept: text/html, */*
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)
HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Mon, 11 Apr 2016 12:28:17 GMT
Connection: close
Content-Length: 39

<h1>Bad Request (Invalid Hostname)</h1>
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%System%\drivers\vdJzKrEN.sys (45 bytes)
%System%\drivers\etc\hosts (412 bytes)
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.