MD5: f81b2062b52c9b0cc6a42affae58a3d9
SHA1: 75ef32c46aff5708dfa09efe0ecfa181a110eca0
SHA256: 21e80617284aa0a84d4e56fcdc92235f0ea9b8551387f1fa0da34f7012906570
SSDeep: 24576:Rm3eDvhc4uhJ9ZWn8oAQ NyMzJe3VTS0sBmokFPwdvNOTTYHMtHL:Rnhc4uXWCRN5zJITtPws
Size: 1486848 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualBasicv50v60
Company: no certificate found
Created at: 2011-01-13 10:39:11
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):

%original file name%.exe:912

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:

ZonesLockedCacheCounterMutex
ZonesCounterMutex
ZonesCacheCounterMutex
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
RasPbFile
ShimCacheMutex

File activity

The process %original file name%.exe:912 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\web7b\data.dll (3 bytes)
%Program Files%\web7b\update.exe (9098 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\Á÷Á¿Ææ±ø.lnk (539 bytes)
%Program Files%\web7b\web7b.ini (145 bytes)

Registry activity

The process %original file name%.exe:912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 9A 5A BC CE 8D 39 59 25 83 5B 03 37 16 AD 59"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: www.web7b.cn
Product Name: ????
Product Version: 2.2.6.8
Legal Copyright: www.web7b.cn ????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2.2.6.8
File Description: ????
Comments: [email protected]
Language: Language Neutral

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

@.jflrkmf

t%SVh

t$(SSh

~%UVW

<.up3

<8%u=

.FGy 

.tTPV

FTPjK

FtPj;

F.PjRWj

u.WWj

u.VVj

u$SShe

kernel32.dll

KERNEL32.DLL

ntdll.dll

WinINet.dll

user32.dll

Wininet.dll

MsgWaitForMultipleObjects

HttpOpenRequestA

HttpSendRequestA

HttpQueryInfoA

FindFirstUrlCacheEntryA

FindNextUrlCacheEntryA

FindCloseUrlCache

DeleteUrlCacheEntryA

{E5D631FE-E3C9-4eb3-A687-C89598FE6691}

Sqlite3

{B6F7542F-B8FE-46a8-9605-98856A687097}

{EB5A8679-6C96-4465-A329-7911418F2582}

WebBrowser

Sqlite

SqliteDB

SqliteDataset

" target="_blank">web7b</a>

<a href="hXXp://

web7b

ieframe.dll

web7b.ini

\web7b

&password=

hXXp://VVV.web7b.cn/soft/login.asp

http=

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

Content-Type: application/x-www-form-urlencoded

hXXp://

hXXp://VVV.web7b.cn/list.asp?cz=wen

\Program Files\web7b\

update.exe

Shell.Explorer.2

DSound.dll

Winmm.dll

\data.dll

select * from MAIN.[url] where id=

password

adslpassword

hXXp://VVV.web7b.cn/soft/offline.asp?username=

hXXp://VVV.web7b.cn/soft/rw.asp?ml=close&username=

hXXp://VVV.web7b.cn

hXXp://VVV.web7b.cn/soft/rw.asp?ml=hqrw&username=

hXXp://VVV.web7b.cn/soft/data2.asp?id=

data.dll

update url set url='

insert into url(id,url,ref,zb,djl) values('

select id from MAIN.[url] where id in(

hXXp://VVV.web7b.cn/down/

hXXp://VVV.web7b.cn/reg.asp

Y@hXXp://VVV.web7b.cn/shipin/fd.htm

2.2.6.8

hXXp://VVV.web7b.cn/banben.asp?banben=

[web7b]

adslpassword=

password=

SQLite format 3

atableurlurl

CREATE TABLE "url"(

[id] int PRIMARY KEY

,[url] nvarchar

indexsqlite_autoindex_url_1url

hXXp://VVV.web7b.cn/index.asp?cz=down

hXXp://VVV.web7b.cn/gonggao.txt

hXXp://VVV.web7b.cn/soft/online.asp?username=

hXXp://VVV.web7b.cn/soft/news.asp?id=1

hXXp://VVV.web7b.cn/soft/edit.asp

hXXp://VVV.web7b.cn/soft/tx.asp

hXXp://VVV.web7b.cn/soft/tuiguang.asp?username=

hXXp://VVV.web7b.cn/soft/news.asp?id=0

hXXp://VVV.web7b.cn/soft/about.asp

127.0.0.1

[email protected]

.exe|.rar|.zip|.gif|.jpg|.mp3|.rm

3.6.11

CREATE TABLE sqlite_master(

sql text

CREATE TEMP TABLE sqlite_temp_master(

REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLYFcpD

Q%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

MSH_SCROLL_LINES_MSG

MSWHEEL_ROLLMSG

ole32.dll

__MSVCRT_HEAP_SELECT

portuguese-brazilian

RASAPI32.dll

iphlpapi.dll

SHLWAPI.dll

MPR.dll

WINMM.dll

WS2_32.dll

VERSION.dll

GetProcessHeap

WinExec

KERNEL32.dll

GetKeyState

SetWindowsHookExA

UnhookWindowsHookEx

EnumChildWindows

RegisterHotKey

UnregisterHotKey

USER32.dll

GetViewportOrgEx

GDI32.dll

MSIMG32.dll

WINSPOOL.DRV

RegCloseKey

RegOpenKeyExA

RegOpenKeyA

RegCreateKeyExA

ADVAPI32.dll

ShellExecuteA

SHELL32.dll

OLEAUT32.dll

COMCTL32.dll

oledlg.dll

InternetCrackUrlA

InternetCanonicalizeUrlA

WININET.dll

ATL.DLL

GetCPInfo

CreateDialogIndirectParamA

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

comdlg32.dll

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.*)|*.*||

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

Kernel32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

out.prn

%d.%d

%d / %d

%d/%d

Bogus message code %d

(%d-%d):

%ld%c

HTTP/1.0

%s <%s>

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

sqlite_version

sqlite_attach

sqlite_detach

RowKey

d-d-d d:d:d

d:d:d

d-d-d

%s\etilqs_

OsError 0x%x (%u)

%s-mjX

922337203685477580

%s(%d)

keyinfo(%d

database table is locked: %s

SELECT name, rootpage, sql FROM '%q'.%s WHERE %s

sqlite_master

sqlite_temp_master

cannot commit transaction - SQL statements in progress

cannot rollback transaction - SQL statements in progress

cannot %s savepoint - SQL statements in progress

no such savepoint: %s

cannot open savepoint - SQL statements in progress

Outstanding page count goes from %d to %d during this analysis

Pointer map page %d is referenced

Page %d is never used

Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)

Failed to read ptrmap key=%d

failed to get page %d

%d of %d pages missing from overflow list starting at %d

freelist leaf count too big on page %d

2nd reference to page %d

invalid page number %d

Fragmented space is %d byte reported as %d on page %d

Multiple uses for byte %d of page %d

Corruption detected in cell %d on page %d

Corruption detected in header on page %d

On page %d at right child:

On tree page %d cell %d:

sqlite3BtreeInitPage() returns error code %d

unable to get the page. error code=%d

Page %d:

cannot open value of type %s

cannot open indexed column for writing

no such column: "%s"

cannot open view: %s

cannot open virtual table: %s

SELECT idx, stat FROM %Q.sqlite_stat1

sqlite_stat1

unable to open database: %s

database %s is already in use

too many attached databases - max %d

database %s is locked

cannot detach database %s

no such database: %s

%s: %s

%s: %s.%s

error during initialization: %s

no entry point [%s] in shared library [%s]

unable to open shared library [%s]

sqlite3_extension_init

%s - %s

malformed database schema (%s)

SELECT name, rootpage, sql FROM '%q'.%s

unsupported file format

database schema is locked: %s

sqlite3_get_table() called with two or more incompatible queries

INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';

SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'

SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'

SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0

PRAGMA vacuum_db.synchronous=OFF

no such module: %s

vtable constructor failed: %s

vtable constructor did not declare schema: %s

Expression tree is too large (maximum depth %d)

too many SQL variables

variable number must be between ?1 and ?%d

too many columns in %s

there is already another table or index with this name: %s

UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;

UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q

sqlite_sequence

UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

view %s may not be altered

table %s may not be altered

sqlite_

%s OR name=%Q

UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q

Cannot add a PRIMARY KEY column

sqlite_altertab_%s

DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q

CREATE TABLE %Q.sqlite_stat1(tbl,idx,stat)

not authorized to use function: %s

%s: %s.%s.%s

misuse of aliased aggregate %s

%r %s BY term out of range - should be between 1 and %d

too many terms in %s BY clause

access to %s.%s.%s is prohibited

access to %s.%s is prohibited

illegal return value (%d) from the authorization function - should be SQLITE_OK, SQLITE_IGNORE, or SQLITE_DENY

object name reserved for internal use: %s

there is already an index named %s

duplicate column name: %s

too many columns on %s

default value of column [%s] is not constant

AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY

table "%s" has more than one primary key

CREATE TABLE %Q.sqlite_sequence(name,seq)

UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d

CREATE %s %.*s

%s %T cannot reference objects in database %s

view %s is circularly defined

DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'

DELETE FROM %s.sqlite_sequence WHERE name=%Q

use DROP VIEW to delete view %s

use DROP TABLE to delete table %s

table %s may not be dropped

UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d

unknown column "%s" in foreign key definition

number of columns in foreign key does not match the number of columns in the referenced table

foreign key on %s should reference only one column of table %T

INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);

CREATE%s INDEX %.*s

table %s has no column named %s

sqlite_autoindex_%s_%d

index %s already exists

there is already a table named %s

virtual tables may not be indexed

views may not be indexed

table %s may not be indexed

indexed columns are not unique

DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q

DELETE FROM %Q.%s WHERE name=%Q

index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped

no such index: %S

unable to identify the object to be reindexed

no such collation sequence: %s

cannot modify %s because it is a view

table %s may not be modified

table %S has no column named %s

%d values for %d columns

table %S has %d columns but %d values were supplied

PRIMARY KEY must be unique

%s.%s may not be NULL

*** in database %s ***

unsupported encoding: %s

foreign_key_list

unknown or unsupported join type: %T %T%s%T

RIGHT and FULL OUTER JOINs are not currently supported

no such index: %s

no such table: %s

%s.%s

sqlite_subquery_%p_

cannot join using column %s - column not present in both tables

cannot have both ON and USING clauses in the same join

a NATURAL join may not have an ON or USING clause

SELECTs to the left and right of %s do not have the same number of result columns

LIMIT clause should come after %s not before

ORDER BY clause should come after %s not before

cannot create INSTEAD OF trigger on table: %S

cannot create %s trigger on view: %S

INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')

no such trigger: %S

-- TRIGGER %s

no such column: %s

UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d

%s ORDER BY

%s VIRTUAL TABLE INDEX %d:%s

%s USING PRIMARY KEY

%s VIA MULTI-INDEX UNION

%s WITH INDEX %s

%s AS %s

TABLE %s

cannot use index: %s

at most %d tables in a join

table %s: xBestIndex returned an invalid plan

unable to close due to unfinished backup operation

large file support is disabled

SQL logic error or missing database

unable to use function %s in the requested context

no such vfs: %s

sqlite_rename_trigger

sqlite_rename_table

%.*s"%w"%s

automatic extension loading failed: %s

1.1.3

;3 #>6.&

'2, / 0&7!4-)1#

VVV.dywt.com.cn

%s\%s.lnk

Software\Microsoft\Windows\CurrentVersion\Run

[%s:%d]

Range: bytes=%s-

[%s:%d]

PASS %s

PASS ******

USER %s

E:\dev\e\static_link\static_libs\source\downlib\mystrlib.cpp

SIZE %s

PORT

User-Agent: %s

Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)

Referer: %s

Host: %s

GET %s HTTP/1.1

Cookie: %s

%d, %s

\\192.168.0.129\TCP\1037

NSPlayer/9.0.0.2980; {%s}; Host: %s

rmff_fix_header: assuming data.size=%i

rmff_fix_header: assuming data.num_packets=%i

rmff_fix_header: assuming prop.num_packets=%i

rmff_fix_header: setting prop.data_offset from %i to %i

rmff_fix_header: correcting prop.num_streams from %i to %i

rmff_fix_header: correcting prop.size from %i to %i

%s %s %s

Session: %s

Cseq: %u

%*s %s

%*s %u

CSeq: %u

rtsp://%s:%i

rtsp://%s:%i/%s

ClientID: Linux_2.4_6.0.9.1235_play32_RN01_EN_586

GUID: 00000000-0000-0000-0000-000000000000

[%s:%d]

User-Agent: RealMedia Player Version 6.0.9.1235 (linux-2.0-libc6-i386-gcc2.95)

Range: npt=%s-

%s/streamid=1

%s/streamid=0

Transport: x-pn-tng/tcp;mode=play,rtp/avp/tcp;unicast;mode=play

If-Match: %s

RealChallenge2: %s, sd=%s

Title: %s

Copyright: %s

Author: %s

real: Content-length for description too big (> %uMB)!

Require: com.real.retain-entity-for-setup

SupportsMaximumASMBandwidth: 1

Bandwidth: %u

Challenge1: %s

hash output: %x %x %x %x

hash input: %x %x %x %x

stream=%u;rule=%u,

Illegal character '%c' in input.

%d%d%d

rundll32.exe shell32.dll,

.PAVCOleException@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCOleDispatchException@@

.PAVCArchiveException@@

zcÁ

c:\%original file name%.exe

#include "l.chs\afxres.rc" // Standard components

(*.*)

VVV.web7b.cn

VVV.web7b.cn

[email protected]

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:912

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Program Files%\web7b\data.dll (3 bytes)
   %Program Files%\web7b\update.exe (9098 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Start Menu\Programs\Startup\Á÷Á¿Ææ±ø.lnk (539 bytes)
   %Program Files%\web7b\web7b.ini (145 bytes)

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.