Gen.Variant.Zusy.97797_88b64b50f8

by malwarelabrobot on November 30th, 2014 in Malware Descriptions.

UDS:DangerousObject.Multi.Generic (Kaspersky), Gen:Variant.Zusy.97797 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericInjector.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 88b64b50f8cd2c8d4cca3576af96b18f
SHA1: f79e4ed08c0848d6577ac77d355ee0b802035102
SHA256: 0654efc1d48f92c7ed559738714e7125a6d8ef4302fcf1f562128a73af09d359
SSDeep: 49152:K3yZofCH6JJ7A4A7lDhTzPORV/tPnY/4c:2yZH6J9LAphTzPARtPCv
Size: 2363392 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC50, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, Armadillov171, UPolyXv05_v6
Company: no certificate found
Created at: 2014-11-04 18:37:56
Analyzed on: WindowsXPESX SP3 32-bit


Summary:

Trojan-PSW. Trojan program intended for stealing users passwords.

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The Trojan creates the following process(es):

mscorsvw.exe:1912

The Trojan injects its code into the following process(es):

%original file name%.exe:1320

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1320 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\logger[1].js (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\core[1].php (748 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YniCc.dll (3716 bytes)
%System%\BackInC.sys (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\bds_s_v2[1].js (378 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\yni[1].htm (899 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (161 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (165 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\getnum[1]._getShare&type=load&t=1417253630007 (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (418 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\bdsstyle[1].css (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\is[1].png (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\shell_v2[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\myrar.exe (148 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (196 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (5880 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\sc[1].png (579 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[1].php (1074 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041720130418 (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%System%\BackInC.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041720130418\index.dat (0 bytes)

Registry activity

The process mscorsvw.exe:1912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "2340000"

The process %original file name%.exe:1320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014112920141130]
"CacheLimit" = "8192"
"CacheRepair" = "0"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014112920141130]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014112920141130\"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014112920141130]
"CachePrefix" = ":2014112920141130:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D5 BB AA 1B D1 AA D5 F5 D6 D2 F5 46 1E 3F FC 86"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014112920141130]
"CacheOptions" = "11"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013041720130418]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
523276b0dae10cc57c08737029682c3b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\YniCc.dll
95668cbcb37a29e1554c5e3472bf9188 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\myrar.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 732887 733184 4.46952 38feab9ef898399b2cd1af2e8ffb929d
.rdata 737280 1529236 1531904 4.81032 981033196f1b0a9af25e77019d824189
.data 2269184 267306 65536 3.51456 9c1d794defd9257d4cfd4cfc4bea4cd1
.vmp0 2539520 2616 4096 4.08184 3f2cba4134905abcd4317a20fd68557e
.rsrc 2543616 23796 24576 3.44479 ea066d14470af9b1be5f5645e48965b8

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://www.yni.cc/yni.txt 58.218.211.239
hxxp://www.yni.cc/?admin 58.218.211.239
hxxp://www.yni.cc/images/bt_in.jpg 58.218.211.239
hxxp://bae.jomodns.com/static/js/shell_v2.js?cdnversion=11
hxxp://all.cnzz.com.danuoyi.tbcache.com/stat.php?id=5903035&web_id=5903035
hxxp://bae.jomodns.com/static/js/logger.js?cdnversion=393682
hxxp://bae.jomodns.com/static/js/bds_s_v2.js?cdnversion=393682
hxxp://bae.jomodns.com/static/css/bdsstyle.css?cdnversion=20131219
hxxp://api.share.n.shifen.com/getnum?url=http://www.yni.cc/?admin&callback=bdShare.fn._getShare&type=load&t=1417253630007
hxxp://bae.jomodns.com/static/images/is.png?cdnversion=20131219
hxxp://z6.cnzz.com/stat.htm?id=5903035&r=&lg=en-us&ntime=none&cnzz_eid=1893028559-1417272088-&showp=1024x768&t=undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined...&h=1&rnd=1953223682 42.156.140.19
hxxp://bae.jomodns.com/static/images/sc.png?cdnversion=20120720
hxxp://all.cnzz.com.danuoyi.tbcache.com/core.php?web_id=5903035&t=z
hxxp://cnzz.mmstat.com/9.gif?abc=1&rnd=250415370 42.120.219.171
hxxp://cnzz.mmstat.com/app.gif?&cna=HckADfcAVj4CAbhrJiYkNkni 42.120.219.171
hxxp://static.n.shifen.com/v.gif?pid=307&type=3071&sc=80,48,1024,740&desturl=&apitype=1&linkid=i32s7vmxc4i&velo_load=1531&velo_cssload=703&velo_jsLoad=984&cite_uid=771984&cite_type=1&cite_mini=0
hxxp://bdimg.share.baidu.com/static/js/shell_v2.js?cdnversion=11 211.90.25.48
hxxp://pcookie.cnzz.com/app.gif?&cna=HckADfcAVj4CAbhrJiYkNkni 42.120.219.171
hxxp://bdimg.share.baidu.com/static/css/bdsstyle.css?cdnversion=20131219 211.90.25.48
hxxp://bdimg.share.baidu.com/static/js/bds_s_v2.js?cdnversion=393682 211.90.25.48
hxxp://v1.cnzz.com/stat.php?id=5903035&web_id=5903035 1.99.192.15
hxxp://bdimg.share.baidu.com/static/js/logger.js?cdnversion=393682 211.90.25.48
hxxp://bdimg.share.baidu.com/static/images/sc.png?cdnversion=20120720 211.90.25.48
hxxp://bdimg.share.baidu.com/static/images/is.png?cdnversion=20131219 211.90.25.48
hxxp://api.share.baidu.com/getnum?url=http://www.yni.cc/?admin&callback=bdShare.fn._getShare&type=load&t=1417253630007 61.135.162.115
hxxp://nsclick.baidu.com/v.gif?pid=307&type=3071&sc=80,48,1024,740&desturl=&apitype=1&linkid=i32s7vmxc4i&velo_load=1531&velo_cssload=703&velo_jsLoad=984&cite_uid=771984&cite_type=1&cite_mini=0 115.239.211.92
hxxp://c.cnzz.com/core.php?web_id=5903035&t=z 66.102.255.55


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0

Traffic

GET /v.gif?pid=307&type=3071&sc=80,48,1024,740&desturl=&apitype=1&linkid=i32s7vmxc4i&velo_load=1531&velo_cssload=703&velo_jsLoad=984&cite_uid=771984&cite_type=1&cite_mini=0 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yni.cc/?admin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: nsclick.baidu.com
Connection: Keep-Alive
Cookie: BAIDUID=AE58B413FC36C05AA33E2F1482B73605:FG=1


HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: max-age=0
Content-Type: image/gif
ETag: "4280832337"
Accept-Ranges: bytes
Last-Modified: Fri, 23 Oct 2009 08:06:04 GMT
Expires: Sat, 29 Nov 2014 14:41:35 GMT
Content-Length: 0
Date: Sat, 29 Nov 2014 14:41:35 GMT
Server: BWS/1.0
Connection: Keep-Alive
HTTP/1.1 200 OK..Pragma: no-cache..Cache-Control: max-age=0..Content-T
ype: image/gif..ETag: "4280832337"..Accept-Ranges: bytes..Last-Modifie
d: Fri, 23 Oct 2009 08:06:04 GMT..Expires: Sat, 29 Nov 2014 14:41:35 G
MT..Content-Length: 0..Date: Sat, 29 Nov 2014 14:41:35 GMT..Server: BW
S/1.0..Connection: Keep-Alive..



GET /static/js/logger.js?cdnversion=393682 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yni.cc/?admin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: bdimg.share.baidu.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: JSP3/2.0.4
Date: Sat, 29 Nov 2014 14:41:29 GMT
Content-Type: text/javascript
Content-Length: 2404
Connection: close
ETag: "1772769857"
Last-Modified: Wed, 26 Nov 2014 05:56:07 GMT
Expires: Sat, 29 Nov 2014 15:10:16 GMT
Age: 73
Cache-Control: max-age=1800
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
...........X.o.8.. .Q.....d.......{..E.6...1.E.l52..('...~....;mq(....
9.o..zjp.|^{J...(v...;..'..I....E.X.v.e.}.7. .."....DZ.... ...t..u./..
0Q...A$..!..!.I8....Eg...d84.....5&.Y{......T(.`):.J'...%l....&... Z*.
s%....D."CB.N..........he.\8.. ..Mg.....hT. ..r...B9........#y......r.
....1.r..-..-.zC;.n{........mwd.....1v.u3.V..-K:k.q._...*.....b...~1.;
.a.>..4lB.......|1a......g.\.b...../Y.P..R...,..n8."._`.......eMH.V
uJ}..3..2[G..H.!bGfw..}.o..z*....BG.....M ...)e...,Z.....1?.0.....^.`u
.Aw..W.F$........%...Z...F3.5..L#...d....;...6........^.yF...g...Ar...
.GS...../vwe...w...?&...Jn.t3.&..-....A...".{Z.......(.j.?kO....;.....
...yV......W...(.. m.. .../..d..~~1...N...V.N../...r..YF..?...;.M.8...
3r......{.Y.p....[&}.oj..._bq .^V0E..-......"...M|.|[email protected]
I....kY..1d..O.wh..C.^.ca$2....J`...X2....U...z8.c....kj..`..<....D
..J%..Y.......9...fs.?.p..mN..tU.....Qs....k$.U.F@...^QT...........%..
.P.....c!....QA..q .F.ub..|sE.../)...g .P..5b..X..c.kk.......,eA.p..jE
.E.$..Y. _G..D0. .k....5dV..#. ...0......p.iq..ZdN(........A.*^.rd....
..L.....2!..y..>%...H.TH.c.e,a9u. .N.SI....x..H...kt{[.."...... .-.
.......i.!\............r.J.'......C.>..)=ys...%..&n..E.c...........
.$J.c8....(.aH#.....1.\l......~%0.{..;D*.FU....!Tz.h...... .p..8..z*.c
.:........[..3..^..-...1z....0.....J6b.6..Ob..>u.M....S7Gh...Ai...N
d,.?.M..........y....#..|.....n...............j.......s........k}R....
?.3.@....'........`UW.3X,.dv...!...U.|b.......L.k..g._."..&G.|..f...$.
...P. I/.#6..0$...............~...O6.....}.Zx... x...}.h.B.').y}..
<<< skipped >>>


GET /yni.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.yni.cc
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Length: 7
Content-Type: text/plain
Last-Modified: Sun, 10 Aug 2014 16:26:42 GMT
Accept-Ranges: bytes
ETag: "c126bdeb7b4cf1:8a8"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 29 Nov 2014 14:42:27 GMT
v0808.1....


GET /?admin HTTP/1.1


Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.yni.cc
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 5684
Content-Type: text/html
Content-Location: hXXp://VVV.yni.cc/index.htm
Last-Modified: Tue, 18 Nov 2014 15:35:09 GMT
Accept-Ranges: bytes
ETag: "7c15a43c453d01:8a8"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 29 Nov 2014 14:42:29 GMT
<style type="text/css">..<!--..body {...background-color: #00
0000;..}...STYLE3 {color: #FF3300; }...STYLE4 {...color: #FF3300;...fo
nt-size: 12px;..}...STYLE5 {...color: #FF0000;...font-size: 12px;...fo
nt-weight: bold;..}...STYLE6 {color: #FFFFFF}...STYLE88 {...color: #00
FF66;...font-size: 12px;...font-weight: bold;..}...STYLE89 {color: #CC
CCCC; font-size: 12px; }...STYLE90 {font-size: 12px}...STYLE91 {color:
 #FFFFFF; font-size: 12px; }...STYLE93 {font-weight: bold; font-family
: "...."; color: #ffffff;}...STYLE98 {color: #CCCCCC}...STYLE100 {colo
r: #FF0000}...STYLE99 {color: #00FF66}...STYLE115 {color: #99FF33; fon
t-size: 20px; font-weight: bold; }...STYLE116 {color: #FF6633}..body,t
d,th {...color: #FFFFFF;..}...STYLE117 {color: #FF0066; font-size: 20p
x; font-weight: bold; }...STYLE118 {color: #9900CC}..-->..</styl
e><title>CF........,CF....,CF........,CF..........Www.Yni.Cc&
lt;/title>..<div align="center">..  <p class="STYLE115">
;CF..................Www.Yni.Cc</p>..  <p class="STYLE117">
;<a href="hXXp://VVV.yni.cc/tz.htm" class="STYLE118">319CF......
..QQ..122319319</a></p>..  <meta name="keywords" conten
t="CF........,CF....,CF........,CF........" />..<meta name="desc
ription" content="CF........,CF....,CF........,CF........" />....&l
t;br />..</div>..<div align="center">..  <table widt
h="385" height="205" border="1" bordercolor="#CCFF99">..    <tbo
dy>..      <tr>..        <td bgcolor="#000000" height=
<<< skipped >>>

GET /images/bt_in.jpg HTTP/1.1


Accept: */*
Referer: hXXp://VVV.yni.cc/?admin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.yni.cc
Connection: Keep-Alive


HTTP/1.1 404 Not Found
Content-Length: 1308
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 29 Nov 2014 14:42:30 GMT
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "hXXp://VVV.w3.or
g/TR/html4/strict.dtd">..<HTML><HEAD><TITLE>.....
.......</TITLE>..<META HTTP-EQUIV="Content-Type" Content="tex
t/html; charset=GB2312">..<STYLE type="text/css">..  BODY { f
ont: 9pt/12pt .... }..  H1 { font: 12pt/15pt .... }..  H2 { font: 9pt/
12pt .... }..  A:link { color: red }..  A:visited { color: maroon }..&
lt;/STYLE>..</HEAD><BODY><TABLE width=500 border=0 c
ellspacing=10><TR><TD>..<h1>............</h1&g
t;....................................................<hr>..<
p>................</p>..<ul>..<li>...............
.........................................</li>..<li>......
......................................................................
......</li>..<li>....<a href="javascript:history.back(1
)">....</a>....................</li>..</ul>..<
h2>HTTP .... 404 - ..................<br>Internet ........ (I
IS)</h2>..<hr>..<p>..............................<
;/p>..<ul>..<li>.... <a href="hXXp://go.microsoft.co
m/fwlink/?linkid=8180">Microsoft ............</a>..........&l
dquo;HTTP”..“404”........</li>..<li>....
“IIS ....”...... IIS ...... (inetmgr) ....................
....“........”..“............”..“.......
...........”........</li>..</ul>..</TD><
<<< skipped >>>


GET /core.php?web_id=5903035&t=z HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yni.cc/?admin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 748
Connection: keep-alive
Date: Sat, 29 Nov 2014 14:41:33 GMT
Last-Modified: Sat, 29 Nov 2014 14:41:33 GMT
Expires: Sat, 29 Nov 2014 14:56:33 GMT
Via: cache23.l2de1[1787,200-0,M], cache54.l2de1[1788,0], cache2.us1[1939,200-0,M], cache2.us1[1940,0]
X-Cache: MISS TCP_REFRESH_MISS dirn:7:682641498
X-Swift-SaveTime: Sat, 29 Nov 2014 14:41:33 GMT
X-Swift-CacheTime: 900
!function(){var p,q,r,a=encodeURIComponent,b="5903035",c="",d="",e="on
line_v3.php",f="z6.cnzz.com",g="1",h="text",i="z",j="站长&
#32479;计",k=window["_CNZZDbridge_" b].bobject,l="http:",m="0",n
=l "//online.cnzz.com/online/" e,o=[];o.push("id=" b),o.push("h=" f),o
.push("on=" a(d)),o.push("s=" a(c)),n ="?" o.join("&"),"0"===m&&k.call
Request([l "//cnzz.mmstat.com/9.gif?abc=1"]),g&&(""!==d?k.createScript
Icon(n,"utf-8"):(q="z"==i?"hXXp://VVV.cnzz.com/stat/website.php?web_id
=" b:"hXXp://quanjing.cnzz.com","pic"===h?(r=l "//icon.cnzz.com/img/" 
c ".gif",p="<a href='" q "' target=_blank title='" j "'><img 
border=0 hspace=0 vspace=0 src='" r "'></a>"):p="<a href='
" q "' target=_blank title='" j "'>" j "</a>",k.createIcon([p
])))}();)..



GET /static/images/is.png?cdnversion=20131219 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yni.cc/?admin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: bdimg.share.baidu.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: JSP3/2.0.4
Date: Sat, 29 Nov 2014 14:41:30 GMT
Content-Type: image/png
Content-Length: 12294
Connection: close
ETag: "1643694967"
Last-Modified: Thu, 20 Nov 2014 04:28:35 GMT
Expires: Sun, 30 Nov 2014 16:04:55 GMT
Age: 238539
Cache-Control: max-age=604800
Accept-Ranges: bytes
.PNG........IHDR.......<.......5*....tEXtSoftware.Adobe ImageReadyq
.e<...$iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0M
pCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmp
tk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27        ">
; <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"&
gt; <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xa
p/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="htt
p://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Ph
otoshop CS6 (Macintosh)" xmpMM:InstanceID="xmp.iid:FB2478DF60B711E38EB
0C15A38F52D2D" xmpMM:DocumentID="xmp.did:FB2478E060B711E38EB0C15A38F52
D2D"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:FB2478DD60B71
1E38EB0C15A38F52D2D" stRef:documentID="xmp.did:FB2478DE60B711E38EB0C15
A38F52D2D"/> </rdf:Description> </rdf:RDF> </x:xmpme
ta> <?xpacket end="r"?>.Yl.....PLTE......."..j0..o...........
.hm.. ..N......k.1...P.dW.G/....D2....e..xV..0..........{..u.%y.......
.......LlG...-0\....!v............C.....q.f.....667...#..6y.Kl.....p.X
...............OM.30..........Y............oo."......q..........T5....
......Ug..... .....4d.......Z.?.WW-..4.L7..B........Y..J.1.....ii.....
....87...c...Z.....ts2..E..T..n.i .....N._.../1.H......OM.9T.wv..&..".
..v..!..K....J.........U........B...U..................*B....E........
..........]__K........A..........Q#Y...G.......n.R..Y......R..........
.....t..W..5[.........j...........}.r..U....}......y....3r...h2p.5
<<< skipped >>>


GET /getnum?url=http://VVV.yni.cc/?admin&callback=bdShare.fn._getShare&type=load&t=1417253630007 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yni.cc/?admin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: api.share.baidu.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Set-Cookie: BAIDUID=AE58B413FC36C05AA33E2F1482B73605:FG=1; max-age=31536000; expires=Sun, 29-Nov-15 14:41:30 GMT; domain=.baidu.com; path=/; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
Content-Type: application/javascript
Content-Length: 50
Date: Sat, 29 Nov 2014 14:41:30 GMT
Server: apache
bdShare.fn._getShare({"errno":0,"num":[24,"24"]})...



GET /stat.php?id=5903035&web_id=5903035 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yni.cc/?admin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: v1.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Transfer-Encoding: chunked
Connection: keep-alive
Date: Sat, 29 Nov 2014 14:41:28 GMT
Last-Modified: Sat, 29 Nov 2014 14:41:28 GMT
Cache-Control: max-age=5400,s-maxage=5400
Via: cache29.l2hk1[208,200-0,M], cache15.l2hk1[210,0], cache4.us1[547,200-0,M], cache5.us1[549,0]
X-Cache: MISS TCP_REFRESH_MISS dirn:7:510277739
X-Swift-SaveTime: Sat, 29 Nov 2014 14:41:29 GMT
X-Swift-CacheTime: 5399
5a2..(function(){function k(){this.c="5903035";this.R="z";this.N="";th
is.K="";this.M="";this.r="1417272088";this.P="z6.cnzz.com";this.L="";t
his.u="CNZZDATA" this.c;this.t="_CNZZDbridge_" this.c;this.F="_cnzz_CV
" this.c;this.G="CZ_UUID" this.c;this.v="0";this.A={};this.a={};this.l
a()}function g(a,b){try{var c=.[];c.push("siteid=5903035");c.push("nam
e=" f(a.name));c.push("msg=" f(a.message));c.push("r=" f(h.referrer));
c.push("page=" f(e.location.href));c.push("agent=" f(e.navigator.userA
gent));c.push("ex=" f(b));c.push("rnd=" Math.floor(2147483648*Math.ran
dom()));(new Image).src="hXXp://jserr.cnzz.com/log.php?" c.join("&")}c
atch(d){}}var h=document,e=window,f=encodeURIComponent,l=decodeURIComp
onent,n=unescape,p=escape;k.prototype={la:function(){try{this.U(),this
.J(),this.ia(),this.H(),this.o(),.this.ga(),this.fa(),this.ja(),this.j
(),this.ea(),this.ha(),this.ka(),this.ca(),this.aa(),this.da(),this.qa
(),e[this.t]=e[this.t]||{},this.ba("_cnzz_CV")}catch(a){g(a,"i failed"
)}},oa:function(){try{var a=this;e._czc={push:function(){return a.B.ap
ply(a,arguments)}}}catch(b){g(b,"oP failed")}},aa:function(){try{var a
=e._czc;if("[object Array]"==={}.toString.call(a))for(var b=0;b<a.l
ength;b  ){var c=a[b];switch(c[0]){case "_setAccount":e._cz_account="[
object String]"==={}.toString.call(c[1])?c[1]:String(c[1]);.break;case
 "_setAutoPageview":"boolean"===typeof c[1]&&(e._cz_autoPageview=c[1])
}}}catch(d){g(d,"cS failed")}},qa:function(){try{i..b50..f("undefined"
===typeof e._cz_account||e._cz_account===this.c){e._cz_account=thi
<<< skipped >>>


GET /app.gif?&cna=HckADfcAVj4CAbhrJiYkNkni HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yni.cc/?admin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: pcookie.cnzz.com


HTTP/1.1 200 OK
Server: Tengine
Date: Sat, 29 Nov 2014 14:41:34 GMT
Content-Type: image/gif
Content-Length: 43
Connection: keep-alive
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: cna=HckADfcAVj4CAbhrJiYkNkni; expires=Tue, 26-Nov-24 14:41:34 GMT; path=/; domain=.cnzz.com
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache
GIF89a.............!.......,...........L..;..



GET /static/js/shell_v2.js?cdnversion=11 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yni.cc/?admin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: bdimg.share.baidu.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: JSP3/2.0.4
Date: Sat, 29 Nov 2014 14:41:28 GMT
Content-Type: text/javascript
Content-Length: 571
Connection: close
ETag: "3685372755"
Last-Modified: Wed, 26 Nov 2014 05:56:07 GMT
Expires: Wed, 30 Jul 2014 21:06:50 GMT
Cache-Control: max-age=1800
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
...........SQk.0.. ...D..n...3...A..Z.RJQ..."[F.x...}..7i;..........s 
.d..J. ;..].........I...........n..%.d......|.SVn*.1.k.H[5.......{....
..%e=..]H..P....k..jpl..]#[email protected].#.=....7.....B."..l-B6...6L..^&`.".
....!.....j59.A...VVm..w.Yc(1.F.z)P...u.p.........R..(..R..0;..~..P...
.B..?%..#.aDY...2;!@...[9...`...........}[email protected].. ,]p.d.|...
..K........(nE..B..G...5.Z.\4..*/.Qt1.1l..c]O..w.k..{..7a..`..... ....
...0R..aL[4...k[..........H...U.}.^..6<....i.<.........>[email protected].
.Xr....=e.....a...V..7E.J.VO...(.....'..~.?&}....|.._._.1._...H....i&l
t;N.uP......`.o...;o...HTTP/1.1 200 OK..Server: JSP3/2.0.4..Date: Sat,
 29 Nov 2014 14:41:28 GMT..Content-Type: text/javascript..Content-Leng
th: 571..Connection: close..ETag: "3685372755"..Last-Modified: Wed, 26
 Nov 2014 05:56:07 GMT..Expires: Wed, 30 Jul 2014 21:06:50 GMT..Cache-
Control: max-age=1800..Accept-Ranges: bytes..Vary: Accept-Encoding..Co
ntent-Encoding: gzip.............SQk.0.. ...D..n...3...A..Z.RJQ..."[F.
x...}..7i;..........s .d..J. ;..].........I...........n..%.d......|.SV
n*.1.k.H[5.......{......%e=..]H..P....k..jpl..]#[email protected].#.=....7.....
B."..l-B6...6L..^&`.".....!.....j59.A...VVm..w.Yc(1.F.z)P...u.p.......
..R..(..R..0;..~..P....B..?%..#.aDY...2;!@...[9...`...........}..=vPc4
[email protected].. ,]p.d.|.....K........(nE..B..G...5.Z.\4..*/.Qt1.1l..c]O..w
.k..{..7a..`..... .......0R..aL[4...k[..........H...U.}.^..6<....i.
<.........>[email protected]....=e.....a...V..7E.J.VO...(.....'..~.?&}...
.|.._._.1._...H....i<N.uP......`.o...;o...HTTP/1.1 200 OK..Serv
<<< skipped >>>


GET /stat.htm?id=5903035&r=&lg=en-us&ntime=none&cnzz_eid=1893028559-1417272088-&showp=1024x768&t=undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined...&h=1&rnd=1953223682 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yni.cc/?admin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: z6.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine/1.4.1
Date: Sat, 29 Nov 2014 14:41:30 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Tue, 28 May 2013 02:57:17 GMT
Connection: close
Accept-Ranges: bytes
GIF89a.............!.......,...........D..;..



GET /static/js/bds_s_v2.js?cdnversion=393682 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yni.cc/?admin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: bdimg.share.baidu.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: JSP3/2.0.4
Date: Sat, 29 Nov 2014 14:41:29 GMT
Content-Type: text/javascript
Content-Length: 9992
Connection: close
ETag: "1764475539"
Last-Modified: Wed, 26 Nov 2014 05:56:07 GMT
Expires: Sat, 29 Nov 2014 14:46:10 GMT
Age: 1519
Cache-Control: max-age=1800
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
...........|.r.......;liQ.7.`d..2x.._.Mw..!@[email protected]>ab.i
>g..gLfU......9...RUVUVVVV.J..{0..Nt.P...f.`....5.(...".W....QZ?@..
.m<.4t..%...[.....z..........G.#.....jn.>..~.....|....i.......wU
..K..M.2.D...{,...[..Qx....H..#.gx7..I.}.5. ..........{..yp...2....?..
.....3..=.#.{.w..........p}{[.....z .P.Y.V....K..b.H./..=..`\oa...... 
(..L..U..-g.#.7....R.'.1V..?....;..;{.z..w..o.....cAI..0.....@8....?..
....j.C.C..K..c..E.......q,.=....Os....h..h..h;..2'.eND.......;....a.,
...'...Da.....a?X-U..Iw.-....[.o......>@w5..;..F.Vs.6...m^Uj.3(z...
[email protected]@........1..d.xP.....K[..5..: ..{.SC..s.@ .'...<........
.K[...O.............{9......fS`..Z...q.5Z2.j......L6.[s!.....m..he..D?
.CD.-:.L.......{.M.ax..q.......S.&8.@\..4..g{d.5.]......s...`..pIM....
...F0?.b'.ts.....|..a..{../B.4....fX./.........KooW....K|M."..........
U..=.....2.....|o....H-.*..yc"...6......]..{..[...N....$.... .A.2R..[]
...8k..)a..v.........!..d..M...L[.>...........:.T>....8.......T.
....f..h^..]...g.7...0.....5......H\...\...Z.. ..>N..?....xXa...<
;..s.:$X.@3.|2.B.H.....xX.c...X..X......p.c-.....S.UGe.......#F#g5.qV.
.)bsj.#.....d.t<-...4*$..M..&..H..H.qq.....J-..p.(..vvQi`G...".m..s
>...H8y.EgM....a......v..T._...p...2a.8...t..W*..i...e. 2....:....^
....#.oY....C..8f............H.......2aK.b.XN.....~....8..8%..?..U.|^.
(...i..d....8.Q.!}....!.s....~.s$C.<.N.g.2....L......."..l...N ..Ri
Pd.DX.TZ...P*...3.-....H......].S...\[email protected]..}.s..\..G...".I."
..i.(...V.....q.........:..a.........j.X.R.._...8....A............
<<< skipped >>>


GET /9.gif?abc=1&rnd=250415370 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yni.cc/?admin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cnzz.mmstat.com
Connection: Keep-Alive


HTTP/1.1 302 Found
Server: Tengine
Date: Sat, 29 Nov 2014 14:41:33 GMT
Content-Type: image/gif
Content-Length: 43
Connection: keep-alive
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: cna=HckADfcAVj4CAbhrJiYkNkni; expires=Tue, 26-Nov-24 14:41:33 GMT; path=/; domain=.mmstat.com
Set-Cookie: sca=3f406078; path=/; domain=.cnzz.mmstat.com
Set-Cookie: atpsida=89409adb1a04822d96666676_1417272093; expires=Tue, 26-Nov-24 14:41:33 GMT; path=/; domain=.cnzz.mmstat.com
Location: hXXp://pcookie.cnzz.com/app.gif?&cna=HckADfcAVj4CAbhrJiYkNkni
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache
GIF89a.............!.......,...........L..;..



GET /static/css/bdsstyle.css?cdnversion=20131219 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yni.cc/?admin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: bdimg.share.baidu.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: JSP3/2.0.4
Date: Sat, 29 Nov 2014 14:41:29 GMT
Content-Type: text/css
Content-Length: 2021
Connection: close
ETag: "2645184860"
Last-Modified: Wed, 26 Nov 2014 05:56:04 GMT
Expires: Sat, 29 Nov 2014 15:09:43 GMT
Age: 61
Cache-Control: max-age=1800
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
...........Z.....~.5.E...../..6...w.A...EY.H...3.1........m.....ER.x..
 ...L.....U..........|..........].699P.X<[email protected].|...vF.Y
,9..i..})hT...%9.Y.9qM..U....R.-.....?..(giJ...fUJO........-/#.>...
....Fn........qKO.M......ae..-.....a.z.ET......}R....2^.8v.C..Q.Y....U
.K....P.m?x..Bl......d...h..3V.]#R.9.f..v.|..a....C*V9...~.RU-_..Y....
8.;*#7.O.=A............{"....".e..3e...V.....-.#W.6.`...K.5N.&S.....8!
............RM9..........j.~...Vv..L.H....wy#D.#...x;...i...NKlol...04
:C...`...)k...DI.w...rD........0._.!w..C....O...l......3`O_^....X.Q..Z
{p..I...|a......I.Z..V.9.].s..`... ..kyA...b..V&.^3rl....R.a......*8..
7{]..y..4D........(zG.lf........gL.B.y..l..#.K}..*O.6......C..b...dO..
.Y...o........z......`U.>...v<U.<e...r.......3B..`2zQ..u.{.4.
...5F7S..8P...-.4B..[.. >.b,.8...V..>..P.'[email protected]...]\fJ4j
..E...p......m....B8;iQ.K...BpZ......_..o)>a..-pV.BIST.x.|KO^j_.V..
.......:h..4..19.8.u...ug!..-.,3<.sV..x. ........l.....&.z...p. .e.
7:.....B.F.t%. ,...T{.(..5j'.W.".j....I67Z.../OC....B.'.....o79...r?..
]..q.,..[......?.#.UFl.....D.........i.<;..qv_..h.....=x. .x|p.....
.[.w....lwg...;`...;..P....Z..m.........G).....].y!.E.z.t.<#% ^....
.;0R.*{....s.U.0..!k.&.2._4........no'...p..c5.... ..lv_7$`...".E!4..u
..v........`55S9..^...^p?.].P....Zo*}.j..~....P......P....?*.=.M...c.p
..x.v..O.&U.............tX.I3.^hM.Wg....^..j......2%.X.:.On.34;.q..(p.
.qJ.....I8.. ....a..E:$..3aGq...j=......h...^zm.....v _.9........oPE.}
0h.|.<O..........]A..-.-b.!.N.....M... 3..7?.Q_....KW`.5 b.].~.
<<< skipped >>>


GET /static/images/sc.png?cdnversion=20120720 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yni.cc/?admin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: bdimg.share.baidu.com
Connection: Keep-Alive
Cookie: BAIDUID=AE58B413FC36C05AA33E2F1482B73605:FG=1


HTTP/1.1 200 OK
Server: JSP3/2.0.4
Date: Sat, 29 Nov 2014 14:41:31 GMT
Content-Type: image/png
Content-Length: 579
Connection: close
ETag: "2645188378"
Last-Modified: Wed, 26 Nov 2014 05:56:06 GMT
Expires: Fri, 05 Dec 2014 07:41:56 GMT
Age: 111575
Cache-Control: max-age=604800
Accept-Ranges: bytes
.PNG........IHDR...`...\[email protected] ImageReadyq.e&
lt;...*PLTE.............................................;....tRNS.....
.........E.......IDATx....n.0..a.MI....n.C.....@........l........y....
~..,.........p.J.$P...j.w.(.......P9....#..7.........p.....`m...1f.A .
..0.s....3.^x..W.g.TH..g.P..d....w....n W.:........c.q)....E*]......A.
(....L.6.........,...F._.s>......s.:..G........h..>;...H/...3E& 
..A.?.q]^..(@...!.X......v.........]m..&..:@]...)..........A.a.....r..
..........o.....o..s.?.F<.......@g...*R.EH....o......{....n0.8.@...
...y9||..`.tm>.........IEND.B`.HTTP/1.1 200 OK..Server: JSP3/2.0.4.
.Date: Sat, 29 Nov 2014 14:41:31 GMT..Content-Type: image/png..Content
-Length: 579..Connection: close..ETag: "2645188378"..Last-Modified: We
d, 26 Nov 2014 05:56:06 GMT..Expires: Fri, 05 Dec 2014 07:41:56 GMT..A
ge: 111575..Cache-Control: max-age=604800..Accept-Ranges: bytes...PNG.
.......IHDR...`...\[email protected] ImageReadyq.e<..
.*PLTE.............................................;....tRNS..........
[email protected]....~..,.
........p.J.$P...j.w.(.......P9....#..7.........p.....`m...1f.A ...0.s
....3.^x..W.g.TH..g.P..d....w....n W.:........c.q)....E*]......A.(....
L.6.........,...F._.s>......s.:..G........h..>;...H/...3E& ..A.?
.q]^..(@...!.X......v.........]m..&..:@]...)..........A.a.....r.......
.....o.....o..s.?.F<.......@g...*R.EH....o......{[email protected]
||..`.tm>.........IEND.B`.HTTP/1.1 200 OK..Server: JSP3/2.0.4..
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

%original file name%.exe_1320:

.text
`.rdata
@.data
.vmp0
`.rsrc
t%SVh
t$(SSh
~%UVW
u$SShe
kernel32.dll
shlwapi.dll
wininet.dll
user32.dll
KERNEL32.DLL
imm32.dll
helpsrf.ime
ntdll.dll
gdiplus.dll
GdiPlus.dll
Kernel32.dll
Ole32.dll
gdi32.dll
Gdiplus.dll
User32.dll
Gdi32.dll
dwmapi.dll
ole32.dll
MsgWaitForMultipleObjects
CreatePipe
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
ShellExecuteA
UnloadKeyboardLayout
GetKeyboardLayoutList
EnumThreadWindows
GetKeyboardLayout
ActivateKeyboardLayout
GetKeyboardLayoutNameA
GdipGetStringFormatHotkeyPrefix
GdipSetStringFormatHotkeyPrefix
#in_password
Client.exe
BaiduAn.Setup.youqian.3.0.0.3971_1000118039.exe
hXXp://dlsw.br.baidu.com/ditui/zujian/BaiduAn.Setup.youqian.3.0.0.3971_1000118039.exe
lssdjt_10033-0.rar
hXXp://down.lssdjt.org/down/lssdjt_10033-0.rar
lssdjt_10033-0.exe
cmd.exe /c
command.exe /c
mylist.lst
myrar.exe
?hXXp://w.x.baidu.com/go/mini/2/30077
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
http=
https
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
hXXp://
hXXp://VVV.yni.cc/?admin
hXXp://VVV.yni.cc/yni.txt
hXXp://VVV.yni.cc/?gxing
\YniCc.dll
`.reloc
@.rsrc
winmm.dll
GetAsyncKeyState
127.0.0.1
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
GetProcessHeap
WinExec
KERNEL32.dll
GetKeyState
USER32.dll
GetViewportOrgEx
GDI32.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
COMCTL32.dll
oledlg.dll
WININET.dll
GetCPInfo
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
mogui.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
(*.htm;*.html)|*.htm;*.html
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
=0=4=8=<=
6$7(7,7074787<7@7 8=8
1%2S5g5
9%9S:g:
> >$>(>,>0>4>8>
3<3h3x3~3
:$:(:,:0:4:8:<:@:
:/;:;@;^;
2!2F2[2n2
6-6U6i6}6
6 6$6(6,6064686<6`6
=$=(=,=0=4=8=<=
#include "l.chs\afxres.rc" // Standard components
hXXp://VVV.wz123.com/?shge
hXXp://VVV.yni.cc/?js
Keyboard Layout\Preload\
SYSTEM\CurrentControlSet\Control\Keyboard Layouts\
S-1-5-21-1060284298-606747145-682003330-500\Keyboard Layout\Preload
crossfire.exe
calc.exe
.idata
.rdata
P.reloc
P.rsrc
Assertion "%s" failed in file "%s" at line %d
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; Kew;)
Winlogon.exe
1.1.4
GetKeyboardType
advapi32.dll
oleaut32.dll
wsock32.dll
:!:%:):-:1:5:9:
MZ.nR
-.Tqz
?Mi.Bp
L.JÓ
KWindows
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADnotepad.exe
.rsrc
!"#$%&'()* ,-./012345
l.ccUTF-8
USER32.DLLw.
X-
Yo/.pdb
re.LtdJALL RIGHTS
hXXp://w
CTCPCliJ
MSVCRTd
?QGET %s HTTP/1.1
*gzip,.fl
uRlp
n%c$Eo!y
.OVWc
.DCQ_(
p%u7V
. .UT
2%ScG
%u;)C&>
G6C.kwFt
v#%I%f
PF.gc g
PMsg
v%*.*
>X-
b.do5p
.np|@
`.Rb_
a,&.xml
ucmdn0epy
mtrp.cb85
p.Dl7;d
aTUrlMk*
=iM.Mj(
v.Vnsg1
4?..cB
urlmon{
$;(;,;0;4
= =$=(=,={=
$ÕX
vOJ%C
MEK%C
3MHL.TX
.kIIlzx
Q{.UPC
`.INC`*K@4F
5.Sw,5
6%F;%2
T.Zfl
Z.wiK.
Z7i.ct
%^&*()_ 
=xzgWEBe 
.Sa3X
.toLowe
O1.rwdns
d.xB;
zwsp.fQ
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
NETAPI32.dll
PSAPI.DLL
xxx.exe
eee.exe
@.reloc
IMM32.dll
imehost.dll
ImeProcessKey
:):3:9:|:
= =$=(=,=0=4=8=
? ?$?(?,?
9 9$9(9,90949@9
.RP0)
.yy(,
[email protected]#
9Ak%D
>3.dd
u*%u$
]P.KG;
%x:u2
y8%U;
6I.fdf5
.bFt 
4b{%f
=E.If#w
.*s(%d)V
mpÜMT|
%Xs5E
!"#$%&'(
m/%d/%yA, ·x[
~7\*V%s
.gegk
`P.iyJ
ADVAPI32.DLL
SHELL32.DLL
USER32.DLL
10/05/12
\.YVV
Ï[H
L <
\BackInC.sys
h.rdata
H.data
B.reloc
d:\work\envoy\backin\curr2\backinc\objfre_wlh_x86\i386\BackInC.pdb
ntoskrnl.exe
HAL.dll
keybd_event
MapVirtualKeyW
BackInDll.dll
AppKbVkSendKeyAndStatus2String
KeyDown
KeyPress
KeyUp
VKSendAkeysAsync_KB
VKSendAkeysSeq_KB
VKSendAkeysSingle_KB
VKSendAkeysSync_KB
VKSendKeyAction_MU
VKSendKeyEx_KB
VKSendKeyEx_MU
VKSendMsVirtualKeyAsync_KB
VKSendMsVirtualKeySingle_KB
VKSendMsVirtualKeySync_KB
7"8(8,80848
<,<4<:<@<
*0004080<0
0 3$3(3,3034383<3
09/27/12
{6AEDBD6D-3FB5-418A-83A6-7F45229DC872}
Ex_DirectUI_MsgBox
RASAPI32.dll
GetWindowsDirectoryA
RegCreateKeyA
RegDeleteKeyA
WSOCK32.dll
InternetCrackUrlA
InternetCanonicalizeUrlA
VVV.dywt.com.cn
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCOleException@@
.PAVCOleDispatchException@@
8d4cca3576af96b18f.exe
c:\%original file name%.exe
(*.*)
1.0.0.0
1, 0, 0, 0
hXXp://blog.163.com/envoy_0769@yeah/
1.0.0.1 built by: WinDDK
BackInC.sys
1.0.0.1
Unknown key: x
!"#$%&'()* ,
\\.\BackInC_Device
Right Windows
Windows
1, 0, 0, 1
BackInDll.Dll
(hXXp://VVV.eyuyan.com)


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    mscorsvw.exe:1912

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\logger[1].js (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\stat[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\core[1].php (748 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\YniCc.dll (3716 bytes)
    %System%\BackInC.sys (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\bds_s_v2[1].js (378 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\yni[1].htm (899 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (161 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (165 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\getnum[1]._getShare&type=load&t=1417253630007 (50 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (170 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][2].txt (418 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\bdsstyle[1].css (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (205 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\is[1].png (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\shell_v2[1].js (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\myrar.exe (148 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (196 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (5880 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\sc[1].png (579 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[1].php (1074 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now