Trojan.Generic.14489098_789eee9815
Trojan.Generic.14489098 (B) (Emsisoft), Trojan.Generic.14489098 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, mzpefinder_pcap_file.YR, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 789eee98159c0032e03dcb7b6902d1a2
SHA1: 9d8723cff877153e632c3bbc6fcc0b83f0b69f6f
SHA256: 89c72134e46441fe2db0a421c0165bdd7497838a75fb7267f0b99d9bcf2a4f6f
SSDeep: 49152:Fq0Iz5k30VZ Ht1nUqgvkjBB1JvEj6FWYO:YJ5k30n HfnpgvktFWN
Size: 4677632 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2015-05-06 14:01:02
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Analyst notes, drawn only from the data in this report: the FlyStudio detection names, the "E.App" assembly name in the embedded manifest, the eapi.fne and exui.dll references and the build path E:\e5\dev\e\static_link\... point to a FlyStudio ("E language") executable with statically linked MFC; the PEiD matches for UPolyX and Armadillo sit next to section entropies of roughly 4.0 to 4.5 and a "Not Packed" verdict, so they are best read as signature false positives. The manifest requests requestedExecutionLevel="requireAdministrator". In this run the sample fetched an update manifest (soft/nwzf/update.txt, 204 bytes, the same size as the AdrjRtbAja.ini written to %Temp% and then deleted) over plain HTTP, took a download URL from it and pulled a 7,593,984-byte executable from down.chaojiz.com to c:\nwzf1.51.exe; nothing in the exchange authenticates the manifest or the binary. The strings also hold a RAS phonebook template (WAN Miniport (PPTP), PhoneNumber=182.92.171.116), rasdial command lines and SMTP header format strings (From:, To:, Subject:), which account for the EmailWorm verdict; no PPTP or SMTP traffic appears in the capture.
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1864
The Trojan injects its code into the following process(es):
No code injection into other processes has been detected.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1864 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\AdrjRtbAja.ini (204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\gx[1].htm (1 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\AdrjRtbAja.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014041520140416 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014041520140416\index.dat (0 bytes)
Registry activity
The process %original file name%.exe:1864 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015060520150606]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012015060520150606\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015060520150606]
"CacheLimit" = "8192"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015060520150606]
"CacheOptions" = "11"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 F3 4F 42 42 57 41 8D 91 81 B3 96 54 0D 27 6A"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015060520150606]
"CacheRepair" = "0"
"CachePrefix" = ":2015060520150606:"
The Trojan modifies IE security-zone settings so that UNC paths are treated as Intranet Zone sites:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that sites that bypass the proxy are treated as Intranet Zone sites:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that local (dotless, single-label) host names not assigned to another zone are treated as Intranet Zone sites:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Note: these three ZoneMap values, together with the Cache\Paths, Shell Folders, MountPoints2 and RNG Seed entries above, are what WinInet and the shell write when a process first uses them, and they match IE's defaults on this Windows XP image; on their own they are weak evidence of deliberate tampering.
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014041520140416]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
| MD5 | File path |
|---|---|
| e5ce7ed8a90e3a60126909442736d473 | c:\nwzf1.51.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: ChaoJiZ.Com
Product Name: ??Z???????
Product Version: 1.0.0.0
Legal Copyright: ChaoJiZ.Com ????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ??Z???????
Comments: ??Z???????
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 781219 | 782336 | 4.54209 | 1e9117f228953da24e842a4bd10ebf13 |
| .rdata | 786432 | 3678920 | 3682304 | 4.45233 | b3b5f66e6624c757be18bb0fd4c2afcf |
| .data | 4468736 | 423307 | 114688 | 3.956 | 01d12614b1fab22313e8d8ccde3d0587 |
| .rsrc | 4894720 | 94004 | 94208 | 4.0946 | f14ed20bf71ce120527dbe09c65ff31c |
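As an added example (not part of the Lavasoft report and not the analysis system's code), the following Python reproduces the PE Sections table for any file: it walks the section table, hashes each section's raw bytes and computes its entropy, then diffs the result against the values in the table above. It assumes the report's Section MD5 is the MD5 of the section's raw on-disk bytes, which is the usual definition; build_demo_pe constructs a synthetic image so the code runs offline without the sample.

```python
import hashlib
import math
import struct
from typing import Dict, List, NamedTuple, Tuple

# Per-section values from the PE Sections table above:
# name -> (Virtual Address, Virtual Size, Raw Size, Section MD5).
REPORT_SECTIONS: Dict[str, Tuple[int, int, int, str]] = {
    ".text":  (4096,    781219,  782336,  "1e9117f228953da24e842a4bd10ebf13"),
    ".rdata": (786432,  3678920, 3682304, "b3b5f66e6624c757be18bb0fd4c2afcf"),
    ".data":  (4468736, 423307,  114688,  "01d12614b1fab22313e8d8ccde3d0587"),
    ".rsrc":  (4894720, 94004,   94208,   "f14ed20bf71ce120527dbe09c65ff31c"),
}

class Section(NamedTuple):
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    entropy: float
    md5: str

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_sections(image: bytes) -> List[Section]:
    """DOS header -> e_lfanew -> COFF header -> section table; hash each section's raw bytes."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4                                      # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size                             # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rsize, rptr, _, _, _, _, _ = struct.unpack_from(
            "<8sIIIIIIHHI", image, table + 40 * i)
        raw = image[rptr:rptr + rsize] if rsize else b""
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vaddr, vsize, rsize,
                                round(shannon_entropy(raw), 5),
                                hashlib.md5(raw).hexdigest()))
    return sections

def compare_with_report(sections: List[Section], report=REPORT_SECTIONS) -> List[str]:
    """Differences between a parsed file and the report's table; an empty list means same layout and bytes."""
    diffs, seen = [], set()
    for s in sections:
        seen.add(s.name)
        if s.name not in report:
            diffs.append(f"{s.name}: not in report")
            continue
        vaddr, vsize, rsize, md5 = report[s.name]
        if (s.virtual_address, s.virtual_size, s.raw_size) != (vaddr, vsize, rsize):
            diffs.append(f"{s.name}: layout differs")
        if s.md5 != md5:
            diffs.append(f"{s.name}: md5 differs")
    diffs.extend(f"{name}: missing from file" for name in report if name not in seen)
    return diffs

def build_demo_pe(payloads: Dict[str, bytes]) -> bytes:
    """Constructed, minimal 32-bit PE image (headers plus the given sections); not a runnable program."""
    opt_size, file_align = 224, 0x200
    def align(x: int) -> int:
        return (x + file_align - 1) // file_align * file_align
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(payloads), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)               # PE32 magic, rest zeroed
    headers_end = align(len(dos) + len(coff) + len(opt) + 40 * len(payloads))
    table, body, rptr, vaddr = b"", b"", headers_end, 0x1000
    for name, data in payloads.items():
        rsize = align(len(data))
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), vaddr, rsize, rptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(rsize, b"\0")
        rptr += rsize
        vaddr += (max(len(data), 1) + 0xFFF) // 0x1000 * 0x1000
    return (dos + coff + opt + table).ljust(headers_end, b"\0") + body

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        build_demo_pe({".text": bytes(range(256)) * 2, ".data": b"\0" * 512})
    for s in parse_sections(data):
        print(f"{s.name:8} va={s.virtual_address:#x} vsize={s.virtual_size} "
              f"raw={s.raw_size} entropy={s.entropy} md5={s.md5}")
    print(compare_with_report(parse_sections(data)) or "matches the report")
```

Run it against a suspected copy of the sample with the file path as the only argument; an empty diff means the section bytes are identical to the analysed file, and a section whose entropy sits near 7 to 8 bits per byte is the practical packer test behind the "Not Packed" verdict above.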
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://b9llivez6jyo3zs6m2nxj8ces1wjxrio.waf.aliyun.com/soft/nwzf/update.txt | |
| hxxp://b9llivez6jyo3zs6m2nxj8ces1wjxrio.waf.aliyun.com/ | |
| hxxp://b9llivez6jyo3zs6m2nxj8ces1wjxrio.waf.aliyun.com/soft/nwzf/gx.htm | |
| hxxp://down.chaojiz.com/nwzf1.51.exe | |
| hxxp://www.chaojiz.com/ | |
| hxxp://www.chaojiz.com/soft/nwzf/update.txt | |
| hxxp://www.chaojiz.com/soft/nwzf/gx.htm | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
Traffic
GET /nwzf1.51.exe HTTP/1.1
Host: down.chaojiz.com
Accept: */*
Referer: hXXp://down.chaojiz.com
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Pragma: no-cache
Cache-Control: no-cache
Connection: close
HTTP/1.1 200 OK
Content-Length: 7593984
Content-Type: application/octet-stream
Last-Modified: Thu, 04 Jun 2015 12:47:04 GMT
Accept-Ranges: bytes
ETag: "7d52448fc49ed01:298"
Server: Microsoft-IIS/6.0
Date: Fri, 05 Jun 2015 07:27:36 GMT
Connection: close
MZ......................@................................... .........
..!..L.!This program cannot be run in DOS mode....$.......O...........
....p.......d.......d.......]...&...............'...=...............i.
......=...q...............%...................Rich....................
........PE..L....HpU.................P ...H.....4.(......` ...@.......
...................`y...............................................h.
D.....w..p............................................................
...............` .t............................text...GD ......P .....
............ ..`.rdata..H.<..` ...<..` .............@[email protected]...
[email protected]......`r.............@.
<<< skipped >>>
GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.chaojiz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Fri, 05 Jun 2015 07:27:28 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Content-Location: hXXp://VVV.chaojiz.com/index.html
Last-Modified: Tue, 05 May 2015 08:08:35 GMT
Content-Encoding: gzip
<<< skipped >>>
GET /soft/nwzf/update.txt HTTP/1.1
Accept: Accept text/html, application/xhtml+xml, */*
Accept-Language: zh-CN
Referer: hXXp://VVV.chaojiz.com/soft/nwzf/update.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: VVV.chaojiz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Fri, 05 Jun 2015 07:27:34 GMT
Content-Type: text/plain
Content-Length: 204
Connection: keep-alive
Vary: Accept-Encoding
Last-Modified: Thu, 04 Jun 2015 11:50:01 GMT
Accept-Ranges: bytes
ETag: "f7a0a996bc9ed01:298"
[........]........=1.51..........=hXXp://down.chaojiz.com/nwzf1.51.exe..........=....Z........ V1.51 ..................=hXXp://VVV.chaojiz.com/nwzf.html..........=hXXp://VVV.chaojiz.com/soft/nwzf/gx.htm
(the section and key names of this 204-byte INI-style manifest are non-ASCII and are rendered as dots)
GET /soft/nwzf/gx.htm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.chaojiz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Fri, 05 Jun 2015 07:27:36 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Last-Modified: Thu, 04 Jun 2015 11:40:24 GMT
Content-Encoding: gzip
<<< skipped >>>
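The requests above, as an added example that is not part of the report: a small triage pass that parses raw request headers and flags what the two ET POLICY alerts and a manual read of the capture surface, namely the IE 5 / Windows 98 User-Agent, an .exe fetched over plain HTTP, a Referer that merely repeats the requested URL or host, and three different User-Agent strings from one process in one session. The sample requests are retyped from the capture with defanging undone (www for VVV, http for hXXp) and lightly shortened Accept headers; the finding names are my own.

```python
import re
from typing import Dict, List

# Constructed sample input: the four requests from the capture above as raw
# HTTP/1.1 request headers. Bodies and responses are not needed for these checks.
SAMPLE_REQUESTS = [
    "GET /nwzf1.51.exe HTTP/1.1\r\n"
    "Host: down.chaojiz.com\r\n"
    "Accept: */*\r\n"
    "Referer: http://down.chaojiz.com\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)\r\n"
    "Pragma: no-cache\r\n"
    "Cache-Control: no-cache\r\n"
    "Connection: close\r\n",
    "GET / HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en-us\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; "
    ".NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)\r\n"
    "Host: www.chaojiz.com\r\n"
    "Connection: Keep-Alive\r\n",
    "GET /soft/nwzf/update.txt HTTP/1.1\r\n"
    "Accept: Accept text/html, application/xhtml+xml, */*\r\n"
    "Accept-Language: zh-CN\r\n"
    "Referer: http://www.chaojiz.com/soft/nwzf/update.txt\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)\r\n"
    "Host: www.chaojiz.com\r\n"
    "Connection: Keep-Alive\r\n",
    "GET /soft/nwzf/gx.htm HTTP/1.1\r\n"
    "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*\r\n"
    "Accept-Language: en-us\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; "
    ".NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)\r\n"
    "Host: www.chaojiz.com\r\n"
    "Connection: Keep-Alive\r\n",
]

# User-Agent tokens the two ET POLICY alerts above key on: an IE 5.x version
# string and a Windows 98 platform token, both out of place on an XP SP3 host.
LEGACY_UA = re.compile(r"MSIE [1-5]\.|Windows 98", re.IGNORECASE)

def parse_request(raw: str) -> Dict[str, str]:
    """Split a raw request into method, path and lower-cased header names."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split()
    req = {"method": method, "path": path}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        req[name.strip().lower()] = value.strip()
    return req

def triage_request(req: Dict[str, str]) -> List[str]:
    """Per-request findings, in a fixed order."""
    findings = []
    if LEGACY_UA.search(req.get("user-agent", "")):
        findings.append("legacy-ua")
    if req["path"].lower().endswith(".exe"):
        findings.append("exe-over-http")
    referer = req.get("referer", "").rstrip("/")
    host = req.get("host", "")
    # A Referer equal to the request's own URL or to the bare host is not
    # something a browser produces; it is a hand-built header.
    own_url = f"http://{host}{req['path']}".rstrip("/")
    if referer and referer in (f"http://{host}", own_url):
        findings.append("self-referer")
    return findings

def triage_session(raw_requests: List[str]) -> Dict[str, object]:
    """Findings per request plus session-level ones (User-Agent rotation)."""
    reqs = [parse_request(r) for r in raw_requests]
    user_agents = sorted({r.get("user-agent", "") for r in reqs})
    session = [f"ua-rotation:{len(user_agents)}"] if len(user_agents) > 1 else []
    return {
        "requests": [(r["host"] + r["path"], triage_request(r)) for r in reqs],
        "user_agents": user_agents,
        "session": session,
    }

if __name__ == "__main__":
    result = triage_session(SAMPLE_REQUESTS)
    for url, findings in result["requests"]:
        print(f"{url}: {', '.join(findings) or 'no findings'}")
    print("session:", ", ".join(result["session"]) or "nothing")
```

The same checks apply unchanged to proxy logs or a Zeek http.log once the fields are mapped, and the User-Agent set per client process is the cheapest of the four signals to keep as a hunting query.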
The Trojan connects to the servers at the following location(s): see the URLs table above.
Strings
Printable strings extracted from the sample:
.text
`.rdata
@.data
.rsrc
t$(SSh
~%UVW
u$SShe
Kernel32.dll
shlwapi.dll
dbghelp.dll
kernel32.dll
ole32.dll
Comdlg32.dll
GetProcessHeap
|*.exe
(*.*)|*.*
hXXp://VVV.qym2.com/soft/nwzf/update.txt
hXXp://VVV.chaojiz.com/soft/nwzf/update.txt
/Nw_Config.ini
\data\setsoft.ini
hXXp://VVV.chaojiz.com
hXXp://VVV.chaojiz.com
_ChaoJiZ.exe
t%SVh
user32.dll
advapi32.dll
MsgWaitForMultipleObjects
RegCreateKeyA
RegOpenKeyA
RegEnumKeyA
RegCloseKey
RegFlushKey
RegOpenKeyExA
RegCreateKeyExA
RegDeleteKeyA
{84A90340-1CE7-4C96-8FFC-FB0124DE9AD7}.ChaoJiZ
b6OjAvc1uo2i8unkFXdAvt6G8a5xuLevDPvwwv0472658500aiaQHGi9Gf5g0mAx6GKo1kXqOz37f5dQIuLlUZhSoiDvWkJ42HFtZu03QzkyQb51StxaeHcjChaojiZ.ComHNlRiTaCmka9
VVV.chaojiz.com
c:\chaojiz.com.pbk
\ChaoJiZ.Log
c:\log.txt
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\Parameters
window.baidu_time(
P1kAlMiG2Kb7FzP5tM1QBI6DSS92c31Apgjk9lVK7dmpdonxRWChaojiZ.Com
VVV.chaojiz.com
VVV.chaojiz.com_QQ472658500
PreferredPort=VPN3-0
PreferredDevice=WAN Miniport (PPTP)
CustomAuthKey=0
IpAddress=0.0.0.0
IpDnsAddress=0.0.0.0
IpDns2Address=0.0.0.0
IpWinsAddress=0.0.0.0
IpWins2Address=0.0.0.0
IpAssign=1
TcpWindowSize=0
PreSharedKey=
Port=VPN3-0
Device=WAN Miniport (PPTP)
PhoneNumber=182.92.171.116
>c:\log.txt
cmd.exe /c rasdial
|cmd.exe /c rasdial
Shell.Application
/disconnect>c:\log.txt
cmd.exe /c rasdial ChaoJiZ_Com /disconnect>c:\log1.txt
c:\log1.txt
<4,$?7/'
(3-!0,1'8"5.*2$
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
application/x-www-form-urlencoded
WinHttp.WinHttpRequest.5.1
SetClientCertificate
hXXp://
keye
pz?F%F
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
CCmdTarget
CNotSupportedException
commctrl_DragListMsg
COMCTL32.DLL
__MSVCRT_HEAP_SELECT
EnumChildWindows
EnumWindows
USER32.dll
GDI32.dll
KERNEL32.dll
gdiplus.dll
IMM32.dll
ShellExecuteA
SHELL32.dll
comdlg32.dll
WINSPOOL.DRV
ADVAPI32.dll
COMCTL32.dll
SHLWAPI.dll
WINMM.dll
SetWindowsHookExA
GetKeyState
UnhookWindowsHookEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetCPInfo
exui.dll
exui_yuansukeyouziji_kuozhanjiekou
%*.*f
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
Broken pipe
Inappropriate I/O control operation
Operation not permitted
gdi32.dll
imm32.dll
shell32.dll
winspool.drv
comctl32.dll
winmm.dll
RASAPI32.dll
iphlpapi.dll
MPR.dll
WS2_32.dll
VERSION.dll
WinExec
GetWindowsDirectoryA
CreateDialogIndirectParamA
GetViewportOrgEx
GetViewportExtEx
OLEAUT32.dll
oledlg.dll
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
eapi.fne
(link.ini)
extra_args=/NODEFAULTLIB:"LIBC.LIB"
extra_args=/NODEFAULTLIB:"EAPI_STATIC.LIB"
extra_args=/NODEFAULTLIB:"mysql_static.lib"
2:33544711
VVV.exui.cc
bbs.exui.cc =====
(e-mail address, obfuscated by the hosting page)
2014. 08.30.1
\lib\ex_ui\AttributeEditorexui.dll
.pi]\L}L
/.rE*L)k
ex_ui keye
msimg32.dll
.pK>NG`
P>f%S9e
.qn{\.mkBT
.qc]b
diTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:DDD122E7A584E2118FF1FE0FC3DAB2B7" xmpMM:DocumentID="xmp.did:A0B65855870011E2AFB69C04A7201614" xmpMM:InstanceID="xmp.iid:A0B65854870011E2AFB69C04A7201614" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:22F24EC22D86E211815A8FDDD6268239" stRef:documentID="xmp.did:DDD122E7A584E2118FF1FE0FC3DAB2B7"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
11/15/11
VVV.meitu.com
[m.tT
4@{B96B3CAF-0728-11D3-9D7B-0000F81EF32E}" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:8D7CB70293206811822AD538802860B2" xmpMM:DocumentID="xmp.did:C81E1B0B7A6711E28A59F49ABC758CF6" xmpMM:InstanceID="xmp.iid:C81E1B0A7A6711E28A59F49ABC758CF6" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:9EA5B885657AE211B696CBD6FE121BFB" stRef:documentID="xmp.did:8D7CB70293206811822AD538802860B2"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>w
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:8D7CB70293206811822AD538802860B2" xmpMM:DocumentID="xmp.did:C81E1B0F7A6711E28A59F49ABC758CF6" xmpMM:InstanceID="xmp.iid:C81E1B0E7A6711E28A59F49ABC758CF6" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:9EA5B885657AE211B696CBD6FE121BFB" stRef:documentID="xmp.did:8D7CB70293206811822AD538802860B2"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:8D7CB70293206811822AD538802860B2" xmpMM:DocumentID="xmp.did:C86695B87A6711E28A59F49ABC758CF6" xmpMM:InstanceID="xmp.iid:C86695B77A6711E28A59F49ABC758CF6" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:9EA5B885657AE211B696CBD6FE121BFB" stRef:documentID="xmp.did:8D7CB70293206811822AD538802860B2"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>p
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:8D7CB70293206811822AD538802860B2" xmpMM:DocumentID="xmp.did:C86695BC7A6711E28A59F49ABC758CF6" xmpMM:InstanceID="xmp.iid:C86695BB7A6711E28A59F49ABC758CF6" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:9EA5B885657AE211B696CBD6FE121BFB" stRef:documentID="xmp.did:8D7CB70293206811822AD538802860B2"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:8D7CB70293206811822AD538802860B2" xmpMM:DocumentID="xmp.did:C86695C07A6711E28A59F49ABC758CF6" xmpMM:InstanceID="xmp.iid:C86695BF7A6711E28A59F49ABC758CF6" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:9EA5B885657AE211B696CBD6FE121BFB" stRef:documentID="xmp.did:8D7CB70293206811822AD538802860B2"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>G
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:8D7CB70293206811822AD538802860B2" xmpMM:DocumentID="xmp.did:C8A76F497A6711E28A59F49ABC758CF6" xmpMM:InstanceID="xmp.iid:C8A76F487A6711E28A59F49ABC758CF6" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:9EA5B885657AE211B696CBD6FE121BFB" stRef:documentID="xmp.did:8D7CB70293206811822AD538802860B2"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>]
{6AEDBD6D-3FB5-418A-83A6-7F45229DC872}N.trB
.cqn$
lib\ex_ui\AttributeEditorexui.dll
Ole32.dll
GdiPlus.dll
GetAsyncKeyState
program internal error number is %d.
%s%x.tmp
:"%s"
:"%s".
.?AVCCmdTarget@@
.?AVCCmdUI@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCTestCmdUI@@
zcÁ
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
(*.htm;*.html)|*.htm;*.html
.PAVCResourceException@@
.PAVCUserException@@
.PAVCArchiveException@@
right-curly-bracket
left-curly-bracket
#include "l.chs\afxres.rc" // Standard components
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> </requestedPrivileges> </security></trustInfo></assembly>
PAPADDINGXXPADDINGPADDINGXXPADDING (linker padding, repeated)
2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,
/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
hXXps://VVV.verisign.com/rpa0
hXXp://ocsp.verisign.com0;
/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0
_ChaoJiZ.exe
Www.ChaoJiz.Com
@ping 127.0.0.1 -n
del Restart.bat
\Restart.bat
(e-mail address, obfuscated by the hosting page)
.exe|.rar|.zip|.gif|.jpg|.mp3|.rm
VBScript.RegExp
1.1 - ChaoJiZ.Com
hXXp://VVV.chaojiz.com/forum.php?mod=viewthread&tid=6
1.2.18
@%*.*f
MSWHEEL_ROLLMSG
MSVFW32.dll
AVIFIL32.dll
(*.avi)|*.avi
WPFT532.CNV
WPFT632.CNV
EXCEL32.CNV
write32.wpc
Windows Write
mswrd632.wpc
Word for Windows 6.0
wword5.cnv
Word for Windows 5.0
mswrd832.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
html32.cnv
VVV.dywt.com.cn
USER32.DLL
[%s:%d]
Range: bytes=%s-
[%s:%d]
PASS %s
PASS ******
USER %s
E:\e5\dev\e\static_link\static_libs\source\downlib\mystrlib.cpp
SIZE %s
PORT
User-Agent: %s
Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Referer: %s
Host: %s
GET %s HTTP/1.1
HTTP/1.1
Cookie: %s
%d, %s
\\192.168.0.129\TCP\1037
NSPlayer/9.0.0.2980; {%s}; Host: %srmff_fix_header: assuming data.size=%i
rmff_fix_header: assuming data.num_packets=%i
rmff_fix_header: assuming prop.num_packets=%i
rmff_fix_header: setting prop.data_offset from %i to %i
rmff_fix_header: correcting prop.num_streams from %i to %i
rmff_fix_header: correcting prop.size from %i to %i
%s %s %s
Session: %s
Cseq: %u
%*s %s
%*s %u
CSeq: %u
rtsp://%s:%i
rtsp://%s:%i/%s
ClientID: Linux_2.4_6.0.9.1235_play32_RN01_EN_586
GUID: 00000000-0000-0000-0000-000000000000
[%s:%d]
User-Agent: RealMedia Player Version 6.0.9.1235 (linux-2.0-libc6-i386-gcc2.95)
Range: npt=%s-
%s/streamid=1
%s/streamid=0
Transport: x-pn-tng/tcp;mode=play,rtp/avp/tcp;unicast;mode=play
If-Match: %s
RealChallenge2: %s, sd=%s
Title: %s
Copyright: %s
Author: %s
real: Content-length for description too big (> %uMB)!
Require: com.real.retain-entity-for-setup
SupportsMaximumASMBandwidth: 1
Bandwidth: %u
Challenge1: %s
hash output: %x %x %x %x
hash input: %x %x %x %x
stream=%u;rule=%u,
Illegal character '%c' in input.
.PAVCOleException@@
.PAVCOleDispatchException@@
GET /nwzf1.51.exe HTTP/1.1
Host: down.chaojiz.com
Referer: hXXp://down.chaojiz.com
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
c:\%original file name%.exe
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> </requestedPrivileges> </security></trustInfo></assembly>
PAPADDINGXXPADDINGPADDINGXXPADDING (linker padding, repeated)
(*.*)
1.1.0.0
ChaoJiZ.Com
ChaoJiZ.Com
1.0.0.0
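The .pbk template and rasdial strings above, as an added example that is not part of the report: a check for rogue RAS phonebook entries, since a dial-up or VPN entry is a persistence and tunnelling mechanism that file and registry listings rarely surface. The phonebook text is constructed: the ChaoJiZ_Com entry is assembled from the template fields in the strings and takes its name from the rasdial command line (an assumption; the report does not show the file the sample actually writes), and Corp-VPN is an invented benign baseline.

```python
import configparser
import ipaddress
from typing import List, NamedTuple, Set

# Constructed sample phonebook. Real phonebooks live under
# %APPDATA%\Microsoft\Network\Connections\Pbk\rasphone.pbk and the All Users
# equivalent; this sample's strings additionally name c:\chaojiz.com.pbk.
SAMPLE_PBK = """[Corp-VPN]
Encoding=1
Type=2
PreferredDevice=WAN Miniport (IKEv2)
PhoneNumber=vpn.example.com
IpAssign=1

[ChaoJiZ_Com]
Encoding=1
Type=2
PreferredPort=VPN3-0
PreferredDevice=WAN Miniport (PPTP)
CustomAuthKey=0
IpAddress=0.0.0.0
IpDnsAddress=0.0.0.0
IpDns2Address=0.0.0.0
IpWinsAddress=0.0.0.0
IpWins2Address=0.0.0.0
IpAssign=1
TcpWindowSize=0
PreSharedKey=
MEDIA=rastapi
Port=VPN3-0
Device=WAN Miniport (PPTP)
PhoneNumber=182.92.171.116
"""

class Finding(NamedTuple):
    entry: str
    device: str
    endpoint: str
    reasons: List[str]

def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def audit_phonebook(text: str, approved_endpoints: Set[str]) -> List[Finding]:
    """Flag phonebook entries a defender would want to look at, with the reasons."""
    # .pbk files are INI-style; repeated keys inside an entry are normal, so
    # strict=False keeps the last value instead of raising DuplicateOptionError.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    findings = []
    for entry in cp.sections():
        sec = cp[entry]
        device = sec.get("Device", sec.get("PreferredDevice", ""))
        endpoint = sec.get("PhoneNumber", "")
        reasons = []
        if "PPTP" in device.upper():
            reasons.append("pptp-device")         # MS-CHAPv2 / MPPE: broken, and rare in managed fleets
        if _is_ip(endpoint) and not ipaddress.ip_address(endpoint).is_private:
            reasons.append("literal-public-ip")   # no DNS name, typical of hard-coded tunnel endpoints
        if endpoint and endpoint not in approved_endpoints:
            reasons.append("unapproved-endpoint")
        if reasons:
            findings.append(Finding(entry, device, endpoint, reasons))
    return findings

def disconnect_commands(findings: List[Finding]) -> List[str]:
    """The rasdial invocation that tears down each flagged entry (the verb the sample's own strings use)."""
    return [f'rasdial "{f.entry}" /disconnect' for f in findings]

if __name__ == "__main__":
    for f in audit_phonebook(SAMPLE_PBK, {"vpn.example.com"}):
        print(f"{f.entry}: {f.device} -> {f.endpoint} [{', '.join(f.reasons)}]")
    print("\n".join(disconnect_commands(audit_phonebook(SAMPLE_PBK, {"vpn.example.com"}))))
```

On a live host, feed the function the contents of every rasphone.pbk plus any stray .pbk found by a file search; an entry that is flagged and also shows up in a rasdial command line in process-creation logs is the combination that turns the strings above into observed behaviour.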
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1864
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\AdrjRtbAja.ini (204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\gx[1].htm (1 bytes)
c:\nwzf1.51.exe (dropped PE, MD5 e5ce7ed8a90e3a60126909442736d473)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- If present, remove the RAS phonebook c:\chaojiz.com.pbk and the dial-up entry it defines (run rasdial <entry name> /disconnect first), and delete c:\log.txt and c:\log1.txt; these paths appear in the sample's strings, but their creation was not observed in this run.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.