Trojan.Generic.11254560_d1bf0daf14

by malwarelabrobot on September 21st, 2014 in Malware Descriptions.

Trojan.Generic.11254560 (AdAware), Trojan-Banker.Win32.Banker.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.Iconomon.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericPhysicalDrive0.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, VirTool


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.



MD5: d1bf0daf141e99639e16c5ef7013914b
SHA1: b139df4aabedb0ac772cc4e7fc8fc50c032cab1e
SHA256: e47693010f6ce108168e0fe77839847ea4215bdf19445f9bba73bd1cf5364276
SSDeep: 98304:q/AWtxah7aSwIfeaG4u61Zje8tNJj669cERHEkN nCFKxmeVMj9nXT1x:ctwhOQe56188tUdkSCFKxmeV6nXTP
Size: 7562880 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: ASPackv212, UPolyXv05_v6
Company: AirInstaller
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1156

The Trojan injects its code into the following process(es):

¡¡%original file name%.exe:1824

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1156 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\¡¡%original file name%.exe (53149 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lb.txt (7868 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\lb.txt (0 bytes)

Registry activity

The process %original file name%.exe:1156 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B FA 8A F2 6B 47 D5 BF 49 BE FA CE E0 97 F9 73"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

The process ¡¡%original file name%.exe:1824 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF EE A3 CD 1E 72 4A 8B DA 7F 94 A3 E5 AE 9D B4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

Dropped PE files

MD5 File path
836a53fceadc0cc1ebbc9eb27f50f43b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\¡¡%original file name%.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
CODE 4096 557056 217600 5.54434 9197ec333d553ca5b84bfb2f83d2a53d
DATA 561152 8192 3584 5.38975 7623010a0e14ee92b8335bfbb09d150e
BSS 569344 8192 0 0 d41d8cd98f00b204e9800998ecf8427e
.idata 577536 12288 3584 5.4986 bf9d4621b3631703e4022bbb3b4b5c74
.tls 589824 4096 0 0 d41d8cd98f00b204e9800998ecf8427e
.rdata 593920 4096 512 0.114206 505004ed096572432803172c2e65f1ff
.reloc 598016 45056 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 643072 36864 11776 4.9395 ada09889014a5cc42bf27f497899538d
.aspack 679936 8192 7680 3.404 0c1ac3d9e0f49cc61d89e3735d4d97ab
.adata 688128 4096 0 0 d41d8cd98f00b204e9800998ecf8427e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://www.lieyingdlq.com/ly.txt 50.117.126.132


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /ly.txt HTTP/1.1
Content-Type: text/html
Host: VVV.lieyingdlq.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.1 200 OK
Content-Length: 2371
Content-Type: text/plain
Last-Modified: Thu, 19 Jun 2014 03:05:21 GMT
Accept-Ranges: bytes
ETag: "6cf46a4e6b8bcf1:39ca4"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 20 Sep 2014 04:14:04 GMT

<<< skipped >>>

The Trojan connects to the servers at the following location(s):



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1156

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\¡¡%original file name%.exe (53149 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\lb.txt (7868 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
