MD5: 08624f039c8b6f3292f3b80c87c854e6
SHA1: 3a9df87ff8a3316fce0de9a8d317729a32090cd5
SHA256: cf9e69037fdcb03fd3ca802b21a6c2ca25c9fba4a93e06708d7d32157a76262b
SSDeep: 49152:d w20/0so8x5TGyTB/w0IpdFKxcyMEQCb:gw280D8lt/qpdsxEEN
Size: 2269184 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: Accounting Active
Created at: 2014-10-25 23:00:23
Analyzed on: WindowsXPESX SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:212

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:212 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\B4.tmp (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@163[1].txt (169 bytes)
%System%\drivers\etc\hosts (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B2.tmp (4545 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (1060 bytes)
C:\%original file name%.exe{E1FDD738-726C-43dc-B235-A9DBFB466F98} (15506 bytes)
C:\RCXB6.tmp (295602 bytes)
C:\%original file name%.exe (15506 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B3.tmp (3361 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\B2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B4.tmp (0 bytes)
C:\%original file name%.exe{E1FDD738-726C-43dc-B235-A9DBFB466F98} (0 bytes)
%System%\drivers\etc\hosts (0 bytes)

Registry activity

The process %original file name%.exe:212 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F 62 BA 86 3D A0 F9 44 37 70 21 57 B7 03 39 29"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\[email protected],"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 3143 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://blog.163.com/blog/static/217955126201481611851233/
hxxp://cfyuanji.blog.163.com/blog/static/217955126201481611851233/	115.238.126.133

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0

Traffic

GET /blog/static/217955126201481611851233/ HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: cfyuanji.blog.163.com

Cache-Control: no-cache

GET /blog/static/217955126201481611851233/ HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: cfyuanji.blog.163.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 02 Jan 2015 18:06:50 GMT

Content-Type: text/html;charset=GBK

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-Frame-Options: SAMEORIGIN

Set-Cookie: NTESBLOGSI=91041E2A2A847E1E094724B5E7276C9B.blog110-8010; Domain=.blog.163.com; Path=/

Set-Cookie: usertrack=c 5 hVSm3jqdz1 iSZMxAg==; expires=Sat, 02-Jan-16 18:06:50 GMT; domain=.163.com; path=/

P3P: policyref="/w3c/p3p.xml", CP="CUR ADM OUR NOR STA NID"
4ff..  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "ht
tp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..  <html xmlns
="hXXp://VVV.w3.org/1999/xhtml" xml:lang="zh" lang="zh">..  <hea
d>..    <meta http-equiv="X-UA-Compatible" content="IE=7" />.
.    <meta http-equiv="content-type" content="text/html;charset=gbk
"/>..    <meta http-equiv="content-style-type" content="text/css
"/>..    <meta http-equiv="content-script-type" content="text/ja
vascript"/>..    <meta name="version" content="neblog-1.0"/>.
.    <script type="text/javascript">..      ..      ..      docu
ment.uniqueID!=document.uniqueID&&!!location.hash&&(location.hash=loca
tion.hash); ..      document.domain = location.hostname.replace(/^.*\.
([\w] \.[\w] )$/,'$1');..      window.focus();..      window.getMusicT
imeStamp=function(){return 'b56f1e1b945d2e948588c7c8a4eda915';};..    
</script>..<title>........ - cfyuanji...... - ........<
/title>..<meta name="author" content="cfyuanji,cfyuanji"/>..&
lt;meta name="keywords" content="........,....,cfyuanji,cfyuanji......
,........,....,blog"/>..<meta name="description" content="......
..,cfyuanji..........,........,"/>..<meta name="robots" content=
"noindex">..  <script type="text/javascript">..    (function(
){..     var R=24,C=11,a=[];..     for(var i=0;i<C;i  ..5a8..)for(v
ar j=0;j<R;a.push('.icn0-' i j '{background-position:' (i>0?('-'
 i*40 'px'):'0') ' ' (j>0?('-' j*20 'px'):'0') ';}'),j  );..   
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

t$(SSh

|$D.tm

~%UVW

u$SShe

kernel32.dll

advapi32.dll

ntdll.dll

Kernel32.dll

user32.dll

Shlwapi.dll

Psapi.dll

RegOpenKeyExA

MsgWaitForMultipleObjects

00000000

gdi32.dll

Client.exe

tcls\Client.exe

BugTrap.dll

@.reloc

tGHt.Ht&

message.txt

MAPI32.DLL

PSAPI.DLL

IMPORTANT

d/d/d d:d:d

%s.bmp

%s%d.bmp

FLT_INVALID_OPERATION

FLT_DENORMAL_OPERAND

EAX=X EBX=X ECX=X EDX=X

ESI=X EDI=X FLG=X

EBP=X ESP=X EIP=X

CS=X DS=X SS=X ES=X FS=X GS=X

Windows NT 3.51

Windows 95

Windows NT 4.0

Windows 98

Windows Me

Windows 2000

Windows XP

Windows Server 2003

Windows Vista

Windows 7

OS Version: %s %s

Build Number: %s

%s_ddd-ddd.%s

error_report

line %s

line %s %s byte(s)

%s() %s byte(s)

cmdline

usermsg

report

This %s was automatically generated

by BugTrap for Win32-x86 on %s

error report

Operating System:

KERNEL32.DLL

crashdump.dmp

errorlog.%s

UxTheme.dll

reports

\StringFileInfo\xx\ProductVersion

\StringFileInfo\xx\ProductName

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_CONFIG

x,

hex(x):

dword:x

; Error: cannot open registry key [

Windows Registry Editor Version 5.00

BT01Error Report

"%s" Error Report

wininet.dll

BugTrap-1.3.3661.37713.dmp

DBGHELP.DLL

--BUGTRAP-7A1D6378-1294-491B-996C-37D4FF91D184--

Content-Type: multipart/form-data; boundary=BUGTRAP-7A1D6378-1294-491B-996C-37D4FF91D184

--BUGTRAP-7A1D6378-1294-491B-996C-37D4FF91D184

Content-Disposition: form-data; name="reportData"; filename="report.dat"

Content-Disposition: form-data; name="reportFileExtension"

hXXp://

%s\TEMP%lu

Unuspported URL scheme

Invalid URL

zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

1.2.3

deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

GetProcessWindowStation

USER32.DLL

d:\1.

_ERS\BugTrapSrc\BugTrap\Win32\Bin\BugTrap.pdb

WS2_32.dll

COMCTL32.dll

PathCreateFromUrlA

UrlIsA

PathIsURLA

SHLWAPI.dll

VERSION.dll

HttpEndRequestA

HttpSendRequestExA

HttpOpenRequestA

InternetCrackUrlA

WININET.dll

GetConsoleOutputCP

KERNEL32.dll

USER32.dll

SetViewportOrgEx

GDI32.dll

RegCloseKey

RegEnumKeyExA

ADVAPI32.dll

SHELL32.dll

ole32.dll

OLEAUT32.dll

GetCPInfo

GetProcessHeap

BT_ExportRegistryKey

BT_GetReportFilePath

BT_GetReportFormat

BT_GetSupportEMail

BT_GetSupportHost

BT_GetSupportPort

BT_GetSupportURL

BT_SetReportFilePath

BT_SetReportFormat

BT_SetSupportEMail

BT_SetSupportHost

BT_SetSupportPort

BT_SetSupportServer

BT_SetSupportURL

zcÁ

check.avi Video #1

[,|46~=_

O$%C)*>*.?,(6&*8'#2!

$KÜB

)J'1G.JUEFC?WQRQOOOOOOOONNNKKKHHHEEECCC???:::444///   '''$$$

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

161@1`1~1

6'747 :5:?:`:

:.;4;8;<;@;

2*3034383<3

'6\~%System%\drivers\etc\hosts

127.0.0.1 cfluoye.cc

127.0.0.1 cfluoye.net

127.0.0.1 cfluoye.com

127.0.0.1 cfluoye.cn

127.0.0.1 cfluoye.tk

127.0.0.1 cfwudao.cc

127.0.0.1 cfwudao.net

127.0.0.1 cfwudao.com

127.0.0.1 cfwudao.cn

127.0.0.1 cfwudao.tk

127.0.0.1 cfmogu.cc

127.0.0.1 cfmogu.net

127.0.0.1 cfmogu.com

127.0.0.1 cfmogu.cn

127.0.0.1 cfmogu.tk

127.0.0.1 cfty.cc

127.0.0.1 cfty.net

127.0.0.1 cfty.com

127.0.0.1 cfty.cn

127.0.0.1 cfty.tk

127.0.0.1 cftianyue.cc

127.0.0.1 cftianyue.net

127.0.0.1 cftianyue.com

127.0.0.1 cftianyue.cn

127.0.0.1 cftianyue.tk

127.0.0.1 cfbingyue.cc

127.0.0.1 cfbingyue.net

127.0.0.1 cfbingyue.com

127.0.0.1 cfbingyue.cn

127.0.0.1 cfbingyue.tk

127.0.0.1 cfpanguan.cc

127.0.0.1 cfpanguan.net

127.0.0.1 cfpanguan.com

127.0.0.1 cfpanguan.cn

127.0.0.1 cfpanguan.tk

127.0.0.1 cflingyu.cc

127.0.0.1 cflingyu.net

127.0.0.1 cflingyu.com

127.0.0.1 cflingyu.cn

127.0.0.1 cflingyu.tk

127.0.0.1 cfmaidang.cc

127.0.0.1 cfmaidang.net

127.0.0.1 cfmaidang.com

127.0.0.1 cfmaidang.cn

127.0.0.1 cfmaidang.tk

127.0.0.1 cfxingyu.cc

127.0.0.1 cfxingyu.net

127.0.0.1 cfxingyu.com

127.0.0.1 cfxingyu.cn

127.0.0.1 cfxingyu.tk

127.0.0.1 cfhongchen.cc

127.0.0.1 cfhongchen.net

127.0.0.1 cfhongchen.com

127.0.0.1 cfhongchen.cn

127.0.0.1 cfhongchen.tk

127.0.0.1 cfyalan.cc

127.0.0.1 cfyalan.net

127.0.0.1 cfyalan.com

127.0.0.1 cfyalan.cn

127.0.0.1 cfyalan.tk

127.0.0.1 VVV.cfwudao.cc

127.0.0.1 VVV.cfwudao.net

127.0.0.1 VVV.cfwudao.com

127.0.0.1 VVV.cfwudao.cn

127.0.0.1 VVV.cfwudao.tk

127.0.0.1 VVV.cfmogu.cc

127.0.0.1 VVV.cfmogu.net

127.0.0.1 VVV.cfmogu.com

127.0.0.1 VVV.cfmogu.cn

127.0.0.1 VVV.cfmogu.tk

127.0.0.1 VVV.cfty.cc

127.0.0.1 VVV.cfty.net

127.0.0.1 VVV.cfty.com

127.0.0.1 VVV.cfty.cn

127.0.0.1 VVV.cfty.tk

127.0.0.1 VVV.cftianyue.cc

127.0.0.1 VVV.cftianyue.net

127.0.0.1 VVV.cftianyue.com

127.0.0.1 VVV.cftianyue.cn

127.0.0.1 VVV.cftianyue.tk

127.0.0.1 VVV.cfbingyue.cc

127.0.0.1 VVV.cfbingyue.net

127.0.0.1 VVV.cfbingyue.com

127.0.0.1 VVV.cfbingyue.cn

127.0.0.1 VVV.cfbingyue.tk

127.0.0.1 VVV.cfpanguan.cc

127.0.0.1 VVV.cfpanguan.net

127.0.0.1 VVV.cfpanguan.com

127.0.0.1 VVV.cfpanguan.cn

127.0.0.1 VVV.cfpanguan.tk

127.0.0.1 VVV.cflingyu.cc

127.0.0.1 VVV.cflingyu.net

127.0.0.1 VVV.cflingyu.com

127.0.0.1 VVV.cflingyu.cn

127.0.0.1 VVV.cflingyu.tk

127.0.0.1 VVV.cfmaidang.cc

127.0.0.1 VVV.cfmaidang.net

127.0.0.1 VVV.cfmaidang.com

127.0.0.1 VVV.cfmaidang.cn

127.0.0.1 VVV.cfmaidang.tk

127.0.0.1 VVV.cfxingyu.cc

127.0.0.1 VVV.cfxingyu.net

127.0.0.1 VVV.cfxingyu.com

127.0.0.1 VVV.cfxingyu.cn

127.0.0.1 VVV.cfxingyu.tk

127.0.0.1 VVV.cfhongchen.cc

127.0.0.1 VVV.cfhongchen.net

127.0.0.1 VVV.cfhongchen.com

127.0.0.1 VVV.cfhongchen.cn

127.0.0.1 VVV.cfhongchen.tk

127.0.0.1 VVV.cfyalan.cc

127.0.0.1 VVV.cfyalan.net

127.0.0.1 VVV.cfyalan.com

127.0.0.1 VVV.cfyalan.cn

127.0.0.1 VVV.cfyalan.tk

127.0.0.1 VVV.cfluoye.cc

127.0.0.1 VVV.cfluoye.net

127.0.0.1 VVV.cfluoye.com

127.0.0.1 VVV.cfluoye.cn

127.0.0.1 VVV.cfluoye.tk

127.0.0.1 yy.cfyalan.cc

127.0.0.1 yy.cfyalan.net

127.0.0.1 yy.cfyalan.com

127.0.0.1 yy.cfyalan.cn

127.0.0.1 yy.cfyalan.tk

winmm.dll

GetAsyncKeyState

1026072572

(v1.0).txt

ZwReadVirtualMemorykernel32.dll

-1957298293

crossfire.exe

Super-EChXXp://VVV.super-ec.cnhXXp://VVV.eyybc.com/forum-17-1.html/forum-12-1.html/memcp.php/ip.asp/time.asp/gonggao.txt/ec-user6.php/ec-bd.php/ec-jh.php

hXXp://VVV.super-ec.cn

<input type="text" name="field_2new" size="25" value="" disabled class="txt" />" class="txt" />Function Getcpuid()

Set cpuSet = GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_Processor")

getcpuid=cpu.ProcessorId

ws2_32.dll

psapi.dll

shlwapi.dll

ifTp

x,-l}x

keYV7

?%XiS

.jiee

~.xnO

xl.mN

.XL}.Z

.CB<1

C:\]_

>%xB_

F%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

__MSVCRT_HEAP_SELECT

iphlpapi.dll

MPR.dll

WINMM.dll

WinExec

GetKeyState

GetViewportOrgEx

WINSPOOL.DRV

RegCreateKeyA

RegCreateKeyExA

ShellExecuteA

CreateDialogIndirectParamA

UnhookWindowsHookEx

SetWindowsHookExA

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

comdlg32.dll

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.*)|*.*||

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

out.prn

%d.%d

%d / %d

%d/%d

Bogus message code %d

(%d-%d):

%ld%c

1.1.3

;3 #>6.&

'2, / 0&7!4-)1#

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

1"262=2}2

-03090?0

: ;$;(;,;0;

1%1S1\1i1{1

>!? ?0?:?

3 3$3(3,3034383

5 5$5(5,5

4*5a6U7

01Q1~1

Adobe Photoshop CS3 Windows

2014:10:12 17:58:49

urlTEXT

MsgeTEXT

hXXp://ns.adobe.com/xap/1.0/

" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 4.1-c036 46.276720, Mon Feb 19 2007 22:40:08 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xap="hXXp://ns.adobe.com/xap/1.0/" xmlns:dc="hXXp://purl.org/dc/elements/1.1/" xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/" xmlns:xapMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:tiff="hXXp://ns.adobe.com/tiff/1.0/" xmlns:exif="hXXp://ns.adobe.com/exif/1.0/" xap:CreateDate="2014-10-12T17:55:10 08:00" xap:ModifyDate="2014-10-12T17:58:49 08:00" xap:MetadataDate="2014-10-12T17:58:49 08:00" xap:CreatorTool="Adobe Photoshop CS3 Windows" dc:format="image/jpeg" photoshop:ColorMode="3" photoshop:History="" xapMM:InstanceID="uuid:CF772E16F651E4118F20C69095130466" tiff:Orientation="1" tiff:XResolution="960000/10000" tiff:YResolution="960000/10000" tiff:ResolutionUnit="2" tiff:NativeDigest="256,257,258,259,262,274,277,284,530,531,282,283,296,301,318,319,529,532,306,270,271,272,305,315,33432;0AEF806470E7FAF8AB026717B2FA68C3" exif:PixelXDimension="190" exif:PixelYDimension="44" exif:ColorSpace="-1" exif:NativeDigest="36864,40960,40961,37121,37122,40962,40963,37510,40964,36867,36868,33434,33437,34850,34852,34855,34856,37377,37378,37379,37380,37381,37382,37383,37384,37385,37386,37396,41483,41484,41486,41487,41488,41492,41493,41495,41728,41729,41730,41985,41986,41987,41988,41989,41990,41991,41992,41993,41994,41995,41996,42016,0,2,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,20,22,23,24,25,26,27,28,30;A7A55819FF2931235B313E10F9CADC5C"/> </rdf:RDF> </x:xmpmeta> <?xpacket end="w"?>

.llSu,

.owIo

%u}5K

it.nl

#.Soe0

RASAPI32.dll

WSOCK32.dll

HttpQueryInfoA

HttpSendRequestA

InternetCanonicalizeUrlA

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

%s <%s>

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

4e6.exe

c:\%original file name%.exe

{8F34BBF3-889B-4cbc-ADF2-5D3650F73CE7}PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING

mscoree.dll

Um den entwicklungsprozess zu unterst?zen wird dieses programm alle n?igen informationen ?er den absturz sammeln. Diese daten k?nen dann an den produktsupport ?ertragen, oder gespeichert werden.

Produktsupport:

To help the development process, this program will try and gather the information about the crash, and the state of your machine at the time of the crash. This data can then be submitted to product support or saved to a file.

Product support site:

hXXp://VVV.intellesoft.net

BugTrap - software error reporting tool

Operating System

Vorschau der Reportdateien

Preview Report Files

Report senden...

Sending error report

Vorschau der reportdateien.,Fehlerinformationen in eine datei speichern. Eine email an den produktsupport versenden.EEinen automatisch generierten report an den produktsupport versenden..Informationen ?er das betriebssystem anzeigen.6Alle laufenden prozesse und geladenen module anzeigen.

BugTrap"Terminate interrupted application.!Preview contents of report files.(Save detailed error information to file..Send custom e-mail message to product support.;Send automatically generated bug report to product support. Display information about operating system.*List running processes and loaded modules.

Neowiz Games"Terminate interrupted application.!Preview contents of report files.(Save detailed error information to file..Send custom e-mail message to product support.;Send automatically generated bug report to product support. Display information about operating system.*List running processes and loaded modules.

Fehlerbericht fertig.7Fehler: konnte den report nicht an den server versenden

Error report complete.,Error: can't send error report to the server

Bild einpassen

1.3.3661.37713

(*.*)

20141012175509

%original file name%.exe_212_rwx_0049B000_00006000:

00000000

ntdll.dll

user32.dll

gdi32.dll

Client.exe

tcls\Client.exe

BugTrap.dll

.text

`.rdata

@.data

.rsrc

@.reloc

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Local Settings\Temp\B4.tmp (1425 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Cookies\Current_User@163[1].txt (169 bytes)
   %System%\drivers\etc\hosts (3 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\B2.tmp (4545 bytes)
   %Documents and Settings%\%current user%\Cookies\index.dat (1060 bytes)
   C:\%original file name%.exe{E1FDD738-726C-43dc-B235-A9DBFB466F98} (15506 bytes)
   C:\RCXB6.tmp (295602 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\B3.tmp (3361 bytes)

4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.