Gen.Variant.Zusy.123384_2e4f489427
Gen:Variant.Zusy.123384 (B) (Emsisoft), Gen:Variant.Zusy.123384 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericPhysicalDrive0.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 2e4f4894272d6140620fe8929bdc909f
SHA1: 78e6eecaf7e501f89750670bb41cd55131299fdc
SHA256: cbbf3115a335eb41df51f676e54ca44c488d21e33e66de0784675f0d45292074
SSDeep: 24576:ljKgI4op5LEBmbTpWW7uRIKhrbmhTZaqdiXSp0c02uFG6dAk3CM5uIG3z95:lTmbD03hOhTZaqdwk0c05HGi5uIe5
Size: 2080768 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: ??? ??????????
Created at: 2015-04-25 16:38:19
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan-PSW. Trojan program intended for stealing users' passwords.
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:464
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:464 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\logo2[1].gif (390 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
C:\SkinH_EL.dll (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\waplogin[1].htm (2 bytes)
Registry activity
The process %original file name%.exe:464 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1429969099"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 BB 83 0D E0 26 65 91 25 56 F4 44 E9 B2 3D B6"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"
The Trojan modifies IE security zone settings so that all local web nodes whose names contain no dots and that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
| MD5 | File path |
|---|---|
| 147127382e001f495d1842ee7a9e7912 | c:\SkinH_EL.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: ?????
Product Name: 58????????
Product Version: 6.1.0.0
Legal Copyright: ???????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 6.1.0.0
File Description: 58???????
Comments: QQ:1076080880
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 879318 | 880640 | 4.46773 | d0581a2460b6b2a788b5498b64c0c587 |
| .rdata | 884736 | 1000370 | 1003520 | 5.33148 | 528ec81e81892499d244dd5596736cca |
| .data | 1888256 | 375466 | 98304 | 3.77968 | bcca99e2d83cbc4d72ae2250df548f50 |
| .rsrc | 2265088 | 93888 | 94208 | 2.4393 | 043538e2426f1b2e5888f1699059fdf6 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://passport.58.com/pso/waplogin | |
| hxxp://yunpan.cn/cAGw8vFbtpPbZ | |
| hxxp://l-bjcc.yunpan.cn/lk/cAGw8vFbtpPbZ | |
| hxxp://wuba.xdwscache.glb0.lxdns.com/wap/logo2.gif | |
| hxxp://3843a4.l12.yunpan.cn/lk/cAGw8vFbtpPbZ | |
| img.58cdn.com.cn | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /pso/waplogin HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: passport.58.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Tue, 23 Jun 2015 13:53:30 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
P3P: CP='CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR'
Content-Encoding: gzip
Vary: Accept-Encoding
4e2
<<< skipped >>>
GET /lk/cAGw8vFbtpPbZ HTTP/1.1
Referer: hXXp://yunpan.cn/cAGw8vFbtpPbZ
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Connection: Keep-Alive
Host: 3843a4.l12.yunpan.cn
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Tue, 23 Jun 2015 13:53:34 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-control: private
1c33
<!DOCTYPE html>
<html >
<head>
<meta charset="utf-8">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="renderer" content="webkit">
<link rel="icon" href="/favicon-16.ico" sizes="16x16">
<link rel="icon" href="/favicon-32.ico" sizes="32x32">
<meta name="Keywords" content="...... ...fastcatzq,5250520zz,zhu@qaz@123,seemefly,cc520,may67702730,yw15821119785,yang752238...,............,............,...............,............,............,360......,360......">
<meta name="Description" content="...... ...fastcatzq,5250520zz,zhu@qaz@123,seemefly,cc520,may67702730,yw15821119785,yang752238.........................................................................................................360......................................................">
<title>.................. - 360......</title>
<script>var G_start_time = new Date;</script>
<!--[if (lt IE 8.0)]><link type="text/css" rel="stylesheet" href="hXXp://s7.qhimg.com/static/1334fbb3cb4b3f9a/link/share-extract.css"><![endif]--><!--[if (!IE)|(gte IE 8.0)]><!-->
<link type="text/css" rel="stylesheet" href="hXXp://s6.qhimg.com/static/109aeacdfd137f48/link/share-extract_datauri.css"><!--<![endif]-->
<script type="text/javascript" src="hXXp://s6.qhimg.com/static/b33bb71cd5f0896e/components/1141.js" ></script>
<!--[if lt IE 9]>
<script type="text/javascript">(funct<<< skipped >>>
GET /cAGw8vFbtpPbZ HTTP/1.1
Referer: hXXp://yunpan.cn/cAGw8vFbtpPbZ
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
Host: yunpan.cn
Connection: Keep-Alive
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.6.2
Date: Tue, 23 Jun 2015 13:53:32 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Location: hXXp://3843a4.l12.yunpan.cn/lk/cAGw8vFbtpPbZ
0
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.6.2
Date: Tue, 23 Jun 2015 13:53:32 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Location: hXXp://3843a4.l12.yunpan.cn/lk/cAGw8vFbtpPbZ
0
The Trojan connects to the servers at the following location(s):
.text
`.rdata
@.data
.rsrc
t%SVh
t$(SSh
~%UVW
t.It It
u$SShe
SkinH_EL.dll
ole32.dll
wininet.dll
user32.dll
kernel32.dll
advapi32.dll
shlwapi.dll
OLEACC.DLL
gdiplus.dll
gdi32.dll
ExitWindowsEx
EnumWindows
SetWindowsHookExA
MsgWaitForMultipleObjects
GdiplusShutdown
RegCreateKeyA
RegOpenKeyA
RegEnumKeyA
RegCloseKey
RegFlushKey
RegOpenKeyExA
RegCreateKeyExA
RegDeleteKeyA
STR_UINTIP=1;STR_QLOGIN_VERSION_ERR=2;STR_NO_UIN=3;STR_NO_PWD=4;STR_NO_VCODE=5;STR_INV_UIN=6;STR_INV_VCODE=7;STR_UIN=8;STR_PWD=9;STR_VCODE=10;STR_VCODE_TIP=11;STR_CHANGE_VCODE=12;STR_REMEMBER_PWD=13;STR_1_DAY=14;STR_1_WEEK=15;STR_1_MONTH=16;STR_HALF_YEAR=17;STR_1_YEAR=18;STR_FORGET_PWD=19;STR_LOGIN=20;STR_RESET=21;STR_SWITCH_QLOGIN=22;STR_LOGIN_TITLE=23;STR_QLOGIN_INTRO=24;STR_QLOGINING=25;STR_QLOGIN_HELP=26;STR_SWITCH_NORMAL=27;STR_QLOGIN=28;STR_QLOGIN_BUSY=29;STR_QLOGIN_OFFLINE=30;STR_QLOGIN_OTHER_ERR=31;STR_BACK=32;STR_RETRY=33;function ptui_str(A){A-=1;if(A>=0&&A<g_strArray.length){return g_strArray[A]}return""}function ptui_mapStr(B){for(i=0;i<B.length;i ){var A=document.getElementById(B[i][1]);if(A!=null){if("A"==A.nodeName||"U"==A.nodeName||"OPTION"==A.nodeName){if(A.innerHTML==""){A.innerHTML=ptui_str(B[i][0])}}else{if("INPUT"==A.nodeName){if(A.value==""){A.value=ptui_str(B[i][0])}}else{if("IMG"==A.nodeName){A.alt=ptui_str(B[i][0])}}}}}}function ptui_onUserFocus(C,A){var B=document.getElementById(C);if(ptui_str(STR_UINTIP)==B.value){B.value=""}B.style.color=A}function ptui_onUserBlue(C,A){var B=document.getElementById(C);if(""==B.value){B.value=ptui_str(STR_UINTIP);B.style.color=A}}var g_speedArray=new Array();function ptui_setSpeed(B){if(B<=0){return }var A=g_speedArray.length;g_speedArray[A]=new Array(B,new Date())}function ptui_reportSpeed(B){if(Math.random()>0.1){return }url="hXXp://isdspeed.qq.com/cgi-bin/r.cgi?flag1=6000&flag2=1&flag3=1";for(var A=0;A<g_speedArray.length;A ){url=url "&" g_speedArray[A][0] "=" (g_speedArray[A][1]-B)}imgSendTimePoint=new Image();imgSendTimePoint.src=url}function ptui_showDiv(A,B){var C=document.getElementById(A);if(null==C){return }if(B){C.style.display="block"}else{C.style.display="none"}}function 
ptui_notifySize(B){try{obj=document.getElementById(B);if(obj){if(parent.ptlogin2_onResize){width=1;height=1;if(obj.offsetWidth>0){width=obj.offsetWidth}if(obj.offsetHeight>0){height=obj.offsetHeight}parent.ptlogin2_onResize(width,height)}}}catch(A){}}function ptui_notifyClose(){try{if(parent.ptlogin2_onClose){parent.ptlogin2_onClose()}else{if(top==this){window.close()}}}catch(A){window.close()}}function ptui_setUinColor(D,B,A){var C=document.getElementById(D);if(ptui_str(STR_UINTIP)==C.value){C.style.color=A}else{C.style.color=B}}function ptui_onEnableLLogin(B){var A=B.low_login_enable;var C=B.low_login_hour;if(A!=null&&C!=null){C.disabled=!A.checked}}function ptui_changeImgEx(D,C,F,E){var A=document.getElementById("imgVerify");if(A!=null){A.src=E "?aid=" C "&" Math.random();var B=document.getElementById("verifycode");if(B!=null&&B.disabled==false&&F){B.focus();B.select()}}}function ptui_changeImg(B,A,C){ptui_changeImgEx(B,A,C,"hXXp://ptlogin2." B "/getimage")}function ptui_changeImgHttps(B,A,C){ptui_changeImgEx(B,A,C,"./getimage")}function ptui_checkQQUin(qquin){if(qquin.length==0){return false}if(!(new RegExp(/^\w ((-\w )|(\.\w ))*\@[A-Za-z0-9] ((\.|-)[A-Za-z0-9] )*\.[A-Za-z0-9] $/).test(qquin))){if(qquin.length<5||qquin.length>12||parseInt(qquin)<1000){return false}var exp=eval("/^[0-9]*$/");return exp.test(qquin)}return true}function ptui_checkPwdOnInput(){if(document.getElementById("p").value.length>=16){return false}return true}function ptui_onLogin(A){try{if(parent.ptlogin2_onLogin){if(!parent.ptlogin2_onLogin()){return false}}if(parent.ptlogin2_onLoginEx){var D=A.u.value;var B=A.verifycode.value;if(ptui_str(STR_UINTIP)==D){D=""}if(!parent.ptlogin2_onLoginEx(D,B)){return false}}}catch(C){}return ptui_checkValidate(A)}function ptui_onLoginEx(B,C){if(ptui_onLogin(B)){var A=new Date();A.setHours(A.getHours() 24*30);setCookie("ptui_loginuin",B.u.value,A,"/","ui.ptlogin2." 
C);return true}return false}function ptui_setDefUin(B,A){if(A==""||A==null){A=getCookie("ptui_loginuin")}if(A!=""&&A!=null){B.u.value=A}}function ptui_onReset(A){try{if(parent.ptlogin2_onReset){if(!parent.ptlogin2_onReset()){return false}}}catch(B){}return true}function ptui_initFocus(B){try{var A=B.u;var D=B.p;var E=B.verifycode;if(A.value==""||ptui_str(STR_UINTIP)==A.value){A.focus();return }if(D.value==""){D.focus();return }if(E.value==""){E.focus()}}catch(C){}}function ptui_checkValidate(B){var A=B.u;var C=B.p;var D=B.verifycode;if(A.value==""||ptui_str(STR_UINTIP)==A.value){alert(ptui_str(STR_NO_UIN));A.focus();return false}if(C.value==""){alert(ptui_str(STR_NO_PWD));C.focus();return false}if(D.value==""){alert(ptui_str(STR_NO_VCODE));D.focus();return false}if(!ptui_checkQQUin(A.value)){alert(ptui_str(STR_INV_UIN));A.focus();A.select();return false}if(D.value.length!=4){alert(ptui_str(STR_INV_VCODE));D.focus();D.select();return false}C.setAttribute("maxlength","32");preprocess(B);return true}function getCookieVal(B){var A=document.cookie.indexOf(";",B);if(A==-1){A=document.cookie.length}return unescape(document.cookie.substring(B,A))}function getCookie(D){var B=D "=";var F=B.length;var A=document.cookie.length;var E=0;while(E<A){var C=E F;if(document.cookie.substring(E,C)==B){return getCookieVal(C)}E=document.cookie.indexOf(" ",E) 1;if(E==0){break}}return null}function setCookie(C,E){var A=setCookie.arguments;var H=setCookie.arguments.length;var B=(2<H)?A[2]:null;var G=(3<H)?A[3]:null;var D=(4<H)?A[4]:null;var F=(5<H)?A[5]:null;document.cookie=C "=" escape(E) ((B==null)?" ":(";expires =" B.toGMTString())) ((G==null)?" ":(";path = " G)) ((D==null)?" 
":(";domain =" D)) ((F==true)?";secure":" ")}var hexcase=1;var b64pad="";var chrsz=8;var mode=32;function preprocess(A){var B="";B =A.verifycode.value;B=B.toUpperCase();A.p.value=md5(md5_3(A.p.value) B);return true}function md5_3(B){var A=new Array;A=core_md5(str2binl(B),B.length*chrsz);A=core_md5(A,16*chrsz);A=core_md5(A,16*chrsz);return binl2hex(A)}function md5(A){return hex_md5(A)}function hex_md5(A){return binl2hex(core_md5(str2binl(A),A.length*chrsz))}function b64_md5(A){return binl2b64(core_md5(str2binl(A),A.length*chrsz))}function str_md5(A){return binl2str(core_md5(str2binl(A),A.length*chrsz))}function hex_hmac_md5(A,B){return binl2hex(core_hmac_md5(A,B))}function b64_hmac_md5(A,B){return binl2b64(core_hmac_md5(A,B))}function str_hmac_md5(A,B){return binl2str(core_hmac_md5(A,B))}function md5_vm_test(){return hex_md5("abc")=="900150983cd24fb0d6963f7d28e17f72"}function core_md5(K,F){K[F>>5]|=128<<((F)2);K[(((F 64)>>>9)<<4) 14]=F;var J=1732584193;var I=-271733879;var H=-1732584194;var G=271733878;for(var C=0;C<K.length;C =16){var E=J;var D=I;var B=H;var A=G;J=md5_ff(J,I,H,G,K[C 0],7,-680876936);G=md5_ff(G,J,I,H,K[C 1],12,-389564586);H=md5_ff(H,G,J,I,K[C 2],17,606105819);I=md5_ff(I,H,G,J,K[C 3],22,-1044525330);J=md5_ff(J,I,H,G,K[C 4],7,-176418897);G=md5_ff(G,J,I,H,K[C 5],12,1200080426);H=md5_ff(H,G,J,I,K[C 6],17,-1473231341);I=md5_ff(I,H,G,J,K[C 7],22,-45705983);J=md5_ff(J,I,H,G,K[C 8],7,1770035416);G=md5_ff(G,J,I,H,K[C 9],12,-1958414417);H=md5_ff(H,G,J,I,K[C 10],17,-42063);I=md5_ff(I,H,G,J,K[C 11],22,-1990404162);J=md5_ff(J,I,H,G,K[C 12],7,1804603682);G=md5_ff(G,J,I,H,K[C 13],12,-40341101);H=md5_ff(H,G,J,I,K[C 14],17,-1502002290);I=md5_ff(I,H,G,J,K[C 15],22,1236535329);J=md5_gg(J,I,H,G,K[C 1],5,-165796510);G=md5_gg(G,J,I,H,K[C 6],9,-1069501632);H=md5_gg(H,G,J,I,K[C 11],14,643717713);I=md5_gg(I,H,G,J,K[C 0],20,-373897302);J=md5_gg(J,I,H,G,K[C 5],5,-701558691);G=md5_gg(G,J,I,H,K[C 10],9,38016083);H=md5_gg(H,G,J,I,K[C 15],14,-660478335);I=md5_gg(I,H,G,J,K[C 
4],20,-405537848);J=md5_gg(J,I,H,G,K[C 9],5,568446438);G=md5_gg(G,J,I,H,K[C 14],9,-1019803690);H=md5_gg(H,G,J,I,K[C 3],14,-187363961);I=md5_gg(I,H,G,J,K[C 8],20,1163531501);J=md5_gg(J,I,H,G,K[C 13],5,-1444681467);G=md5_gg(G,J,I,H,K[C 2],9,-51403784);H=md5_gg(H,G,J,I,K[C 7],14,1735328473);I=md5_gg(I,H,G,J,K[C 12],20,-1926607734);J=md5_hh(J,I,H,G,K[C 5],4,-378558);G=md5_hh(G,J,I,H,K[C 8],11,-2022574463);H=md5_hh(H,G,J,I,K[C 11],16,1839030562);I=md5_hh(I,H,G,J,K[C 14],23,-35309556);J=md5_hh(J,I,H,G,K[C 1],4,-1530992060);G=md5_hh(G,J,I,H,K[C 4],11,1272893353);H=md5_hh(H,G,J,I,K[C 7],16,-155497632);I=md5_hh(I,H,G,J,K[C 10],23,-1094730640);J=md5_hh(J,I,H,G,K[C 13],4,681279174);G=md5_hh(G,J,I,H,K[C 0],11,-358537222);H=md5_hh(H,G,J,I,K[C 3],16,-722521979);I=md5_hh(I,H,G,J,K[C 6],23,76029189);J=md5_hh(J,I,H,G,K[C 9],4,-640364487);G=md5_hh(G,J,I,H,K[C 12],11,-421815835);H=md5_hh(H,G,J,I,K[C 15],16,530742520);I=md5_hh(I,H,G,J,K[C 2],23,-995338651);J=md5_ii(J,I,H,G,K[C 0],6,-198630844);G=md5_ii(G,J,I,H,K[C 7],10,1126891415);H=md5_ii(H,G,J,I,K[C 14],15,-1416354905);I=md5_ii(I,H,G,J,K[C 5],21,-57434055);J=md5_ii(J,I,H,G,K[C 12],6,1700485571);G=md5_ii(G,J,I,H,K[C 3],10,-1894986606);H=md5_ii(H,G,J,I,K[C 10],15,-1051523);I=md5_ii(I,H,G,J,K[C 1],21,-2054922799);J=md5_ii(J,I,H,G,K[C 8],6,1873313359);G=md5_ii(G,J,I,H,K[C 15],10,-30611744);H=md5_ii(H,G,J,I,K[C 6],15,-1560198380);I=md5_ii(I,H,G,J,K[C 13],21,1309151649);J=md5_ii(J,I,H,G,K[C 4],6,-145523070);G=md5_ii(G,J,I,H,K[C 11],10,-1120210379);H=md5_ii(H,G,J,I,K[C 2],15,718787259);I=md5_ii(I,H,G,J,K[C 9],21,-343485551);J=safe_add(J,E);I=safe_add(I,D);H=safe_add(H,B);G=safe_add(G,A)}if(mode==16){return Array(I,H)}else{return Array(J,I,H,G)}}function md5_cmn(F,C,B,A,E,D){return safe_add(bit_rol(safe_add(safe_add(C,F),safe_add(A,D)),E),B)}function md5_ff(C,B,G,F,A,E,D){return md5_cmn((B&G)|((~B)&F),C,B,A,E,D)}function md5_gg(C,B,G,F,A,E,D){return md5_cmn((B&F)|(G&(~F)),C,B,A,E,D)}function md5_hh(C,B,G,F,A,E,D){return 
md5_cmn(B^G^F,C,B,A,E,D)}function md5_ii(C,B,G,F,A,E,D){return md5_cmn(G^(B|(~F)),C,B,A,E,D)}function core_hmac_md5(C,F){var E=str2binl(C);if(E.length>16){E=core_md5(E,C.length*chrsz)}var A=Array(16),D=Array(16);for(var B=0;B<16;B ){A[B]=E[B]^909522486;D[B]=E[B]^1549556828}var G=core_md5(A.concat(str2binl(F)),512 F.length*chrsz);return core_md5(D.concat(G),512 128)}function safe_add(A,D){var C=(A&65535) (D&65535);var B=(A>>16) (D>>16) (C>>16);return(B<<16)|(C&65535)}function bit_rol(A,B){return(A<<B)|(A>>>(32-B))}function str2binl(D){var C=Array();var A=(1<<chrsz)-1;for(var B=0;B<D.length*chrsz;B =chrsz){C[B>>5]|=(D.charCodeAt(B/chrsz)&A)<<(B2)}return C}function binl2str(C){var D="";var A=(1<<chrsz)-1;for(var B=0;B<C.length*32;B =chrsz){D =String.fromCharCode((C[B>>5]>>>(B2))&A)}return D}function binl2hex(C){var B=hexcase?"0123456789ABCDEF":"0123456789abcdef";var D="";for(var A=0;A<C.length*4;A ){D =B.charAt((C[A>>2]>>((A%4)*8 4))&15) B.charAt((C[A>>2]>>((A%4)*8))&15)}return D}function binl2b64(D){var C="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /";var F="";for(var B=0;B<D.length*4;B =3){var E=(((D[B>>2]>>8*(B%4))&255)<<16)|(((D[B 1>>2]>>8*((B 1)%4))&255)<<8)|((D[B 2>>2]>>8*((B 2)%4))&255);for(var A=0;A<4;A ){if(B*8 A*6>D.length*32){F =b64pad}else{F =C.charAt((E>>6*(3-A))&63)}}}return F};/* |xGv00|ccbfd68b5fceb62707a9e4ce87b8c813 */1076080880
hXXp://yunpan.cn/cAGw8vFbtpPbZ
<meta name="Keywords" content="
86265112
fJ.WM_
CX%xm
Õ6m*
n.BjCw
%s;7*
0%x@w
%C^L:
%s T5
]E4%F(
.Funr
k%UPp
fg.VG
%C',@
>Ùd
0'.Ll
[I(3/#N0.bd
j"%u=w
q%Xn`
@|H.NI
.wdd!
S|%u4
*.Ea]S
Q.CGo
fTpe
.LLbX
-.Mdl
\-A}=3K
Y:.akpS
$.Zcqn
.WE= T!N
#?%s(C(
u.Jck~
zx/%FN[
%s=\RI
}j%c%Y)
Rx.GR
4o#.dM
IeS`%C
[n 4\.UY
,4.qO,
gQ'.Io
%cLur?
s%DHB
]I%%X
5r.US
:mD].tB
f%fUZ
.fOuV12
*_.dC
&-N}<
({?.cQm.Cqx~c
.`.Qw
**.dU
!n]%x
%X,Cr
&.PFy{xh.um ZZE7L
/^p%u$
I.NoQY
zu.ew
D/.nT
b\SkinH_EL.dll
C$%cmb
.ppM|
aZ.mO
%-^
.hk;~
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
WinHttp.WinHttpRequest.5.1
MSXML2.ServerXMLHTTP.6.0
MSXML2.ServerXMLHTTP.5.0
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
hXXp://
hXXps://
Adodb.Stream
hXXp://open.baidu.com/special/time/
window.baidu_time(
PRTG Enterprise Console.exe
HttpAnalyzerStdV7.exe
WSExplorer1.3.exe
WinPcap_4_1_3.exe
Wireshark.exe
IceSword.exe
Ollydbg.exe
loaddll.exe
hXXp://m.m.58.com/infoall/?path=/infoall/
<a href="hXXp://m.58.com/(.*?)/(.*?)" key=
&password=
hXXps://passport.58.com/pso/domclientunionlogin
hXXp://my.58.com/xinxiguanli
&LV=
&UN=
<=
&SK=
&PPT=
&PPK=
&PPU=UID=
hXXp://m.webapp.58.com/refresh/step1?
hXXp://m.webapp.58.com/refresh/step2?
72709396
1005----
1016----
1029----
1039----
1057----
1067----
1078----
1086----
1096----
1734----
2015----
2032----
2036----
2038----
2039----
2040----
2041----
2042----
2043----
2044----
2045----
2046----
2047----
2049----
2050----
2051----
2052----
2053----
2054----
2055----
2192----
2247----
2236----
2258----
2284----
2292----
2296----
2299----
2302----
2303----
2307----
2315----
2319----
2323----
2325----
2328----
2329----
2335----
2336----
2340----
2342----
2344----
2346----
2347----
2350----
2354----
2360----
2363----
2364----
2361----
2362----
2368----
2380----
2381----
2389----
2390----
2392----
2393----
2394----
2395----
2397----
2398----
2404----
2408----
2421----
2422----
2429----
2501----
3157----
3163----
3177----
3184----
3198----
3209----
3222----
3236----
3251----
3266----
3279----
3306----
3328----
3350----
3359----
3434----
3445----
3453----
3470----
3479----
3369----
5632----
5633----
5653----
5669----
5695----
5709----
5722----
5733----
5756----
5772----
5845----
5853----
5898----
5918----
5928----
5942----
6700----
6718----
6729----
6745----
6752----
6760----
6770----
6776----
6788----
6793----
6803----
6921----
6964----
7112----
7133----
7154----
7289----
7303----
7428----
7452----
7453----
7458----
7624----
7923----
7969----
8408----
8467----
8470----
8531----
8556----
8572----
8658----
8672----
8684----
8694----
8738----
8832----
8951----
9026----
9039----
9101----
9124----
9179----
9303----
9311----
9329----
9342----
9336----
9364----
9384----
9394----
9407----
9417----
9422----
9429----
9441----
9452----
9455----
9464----
9465----
9475----
9366----
9510----
9527----
9533----
9539----
9545----
9556----
9563----
9564----
9578----
9587----
9597----
9616----
9625----
9630----
9635----
9636----
9655----
9676----
9686----
9695----
9702----
9704----
9715----
9723----
9751----
9760----
9765----
9799----
9808----
9814----
9829----
9836----
9846----
9851----
9858----
9869----
9875----
9886----
9894----
9896----
9905----
9921----
9934----
9940----
9936----
9949----
9959----
9967----
9983----
9998----
10012----
10035----
10063----
10078----
10083----
10093----
10102----
10111----
10116----
10138----
10157----
10167----
10177----
10193----
10214----
10224----
10254----
10260----
10279----
10285----
10307----
10320----
10336----
10356----
10381----
10419----
10430----
10441----
10443----
10449----
10456----
10462----
10470----
10500----
10506----
10510----
10514----
10530----
10541----
10549----
10553----
10567----
10736----
10868----
10884----
11053----
11176----
11201----
11238----
11254----
11271----
11313----
12221----
df365ed","apn":"WIFI","lat":""}&shoujishipai=
c-b128-4c25-b24f-bee0
","X-Wap-Proxy-Cookie":"none","uuid":"89418d
"channelid":"3","version":"5.7.3.0","productorid":"1","ua":"GT-N
","PPU":"UID=
","cid":"
","maptype":"
","platform":"android","os":"android","lon":"","locationstate":"0","location":",,","osv":"2.3.4","imei":"
&category=%E4%BA%8C%E6%89%8B%E6%89%8B%E6%9C%BA&ObjectType=%E8%8B%B9%E6%9E%9C&xinghao=iPhone5s&shoujineicun=16GB&formatsource=mypublish&headerData={"uid":"&IM=1076080880&gobquzhi=Content=
hXXp://p.webapp.58.com/
","13941
%Documents and Settings%\Administrator\Local Settings\Temporary Internet Files
Referer: hXXp://pic2.58.com/ui7/post/PictureUpload_zip_s1.swf
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; EmbeddedWB 14.52 from: hXXp://VVV.bsalsa.com/ EmbeddedWB 14.52; .NET CLR 2.0.50727)
Host: pic.kuche.com
hXXp://pic.kuche.com/postpic/upload?flash=1/
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\cookies
\*.txt
hXXp://passport.58.com/pso/waplogin
hXXp://m.m.58.com/infoall/?path=/infoall
hXXps://passport.58.com/reg/
@163.com
&cpassword=
&mobile=&mobilecode=&password=
&nickName=
hXXps://passport.58.com/doregister
*.txt
|*.txt
]]></instruction><photo_url></photo_url><fb_validate_type></fb_validate_type><code><![CDATA[]]></code></sendinfo>
<?xml version="1.0" encoding="UTF-8"?><sendinfo><operate>basicresume</operate><enttrade></enttrade><enttype></enttype><entsize></entsize><entname><![CDATA[
Referer: hXXp://qy.webapp.58.com/addenterprise?s5&t=1&topcate=job&id=9224&currentcate=job&localid=2&location=&geotype=baidu&geoia=undefined&formatsource=home&os=android
User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.4; zh-cn; GT-N7000 Build/GRJ22) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
hXXp://qy.webapp.58.com/ajax/addenterprise
hXXp://verifycode.58.com/img/get?num=
]]></instruction><photo_url></photo_url><fb_validate_type>1</fb_validate_type><code><![CDATA[
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
function time(){return Math.random()}hXXp://qy.m.58.com/m_company
58.com
.58.com/
hXXp://qy.58.com/(.*?)/
hXXp://qy.58.com/
VBScript.RegExp
javascript:document.onsdragstart=document.onselectstart=document.oncontextmenu=function(){return true}javascript:document.onselectstart = document.oncontextmenu = document.onmousedown = document.onkeydown = function(){return true;};window.location.reload()
var jie = document.createStyleSheet();jie.addRule('html','overflow:hidden;');text|password|file
comdlg32.dll
{557CF400-1A04-11D3-9A73-0000F81EF32E}{557CF401-1A04-11D3-9A73-0000F81EF32E}{557CF402-1A04-11D3-9A73-0000F81EF32E}{557CF405-1A04-11D3-9A73-0000F81EF32E}{557CF406-1A04-11D3-9A73-0000F81EF32E}WarnOnHTTPSToHTTPRedirect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
09408590
[email protected]
192.168.1.1
1076080880
hXXp://mltv.taobao.com
1.2.18
inflate 1.1.3 Copyright 1995-1998 Mark Adler
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
MSWHEEL_ROLLMSG
__MSVCRT_HEAP_SELECT
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
AVIFIL32.dll
RASAPI32.dll
GetProcessHeap
WinExec
GetCPInfo
KERNEL32.dll
GetKeyState
CreateDialogIndirectParamA
UnhookWindowsHookEx
GetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
WINSPOOL.DRV
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
OLEAUT32.dll
oledlg.dll
WSOCK32.dll
DeleteUrlCacheEntry
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
\\.\Scsi0:
\\.\PhysicalDrive0
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
(*.htm;*.html)|*.htm;*.html
VVV.dywt.com.cn
index.dat
desktop.ini
x86 Family %s Model %s Stepping %s
X-X-X-X
(*.avi)|*.avi
RICHED32.DLL
RICHED20.DLL
WPFT532.CNV
WPFT632.CNV
EXCEL32.CNV
write32.wpc
Windows Write
mswrd632.wpc
Word for Windows 6.0
wword5.cnv
Word for Windows 5.0
mswrd832.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
html32.cnv
operator
keywords
glViewport
glTexEnvfv
glTexEnvf
\glu32.dll
\Opengl32.dll
glPassThrough
msscript.ocx
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
zcÁ
yunpan.cn
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
1, 0, 6, 6
(*.*)
6.1.0.0
%original file name%.exe_464_rwx_10001000_00039000:
L$(h%f
SSh0j
msctls_hotkey32
TVCLHotKey
THotKey
\skinh.she
}uo,x6l5k%x-l h
9p%s m)t4`#b
e"m?c&y1`Ð<
SetViewportOrgEx
SetViewportExtEx
SetWindowsHookExA
UnhookWindowsHookEx
EnumThreadWindows
EnumChildWindows
`c%US.4/
!#$<#$#=
.text
`.rdata
@.data
.rsrc
@.UPX0
`.UPX1
`.reloc
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\logo2[1].gif (390 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
C:\SkinH_EL.dll (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\waplogin[1].htm (2 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.