Trojan.GenericKD.2093398_23fe953e00

by malwarelabrobot on February 21st, 2015 in Malware Descriptions.

Trojan.GenericKD.2093398 (B) (Emsisoft), Trojan.GenericKD.2093398 (AdAware), GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 23fe953e009865f4eccebe75c5bf4fc0
SHA1: 9b7a70159fe26a15156de2f509a7e44db5eda682
SHA256: 98343a9966f28eadc9059860961b4cd56dabeb27b139bd4fe903448e5e5b5ac2
SSDeep: 24576:joxQwx5eff sVFr5hJWjZTZaqdiXSp0c02uFG6dAk3CMv:jZwx fjFzoTZaqdwk0c05HGiv
Size: 1802240 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2014-10-29 05:29:33
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour: EmailWorm
Description: Worm can send e-mails.

Note that the captured session below contains only HTTP requests to open.baidu.com; no SMTP traffic or mail-client activity was recorded, so the EmailWorm classification rests on the static/heuristic verdicts listed above (GenericEmailWorm.YR) rather than on observed behaviour.


Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:1252

(The only process listed is the sample's own instance, PID 1252; no injection into a foreign process and no child process is recorded.)

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1252 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\SkinH_EL.dll (88 bytes)

SkinH_EL.dll is the SkinH window-skinning library commonly shipped with FlyStudio (Easy Language) programs, which fits the TrojanFlyStudio.YR verdict above and the SkinH_EL.dll entry among the imported modules in the strings below; it is a UI component rather than the payload. Two details are still worth noting: the file is written to the root of C:\ rather than next to the executable, and 88 bytes is too small for a complete PE header, let alone a working DLL, so either the reported size or the "dropped PE file" classification below is inaccurate.

Registry activity

The process %original file name%.exe:1252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D6 20 B6 52 25 07 D3 F4 87 A2 97 32 E6 19 47 82"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"

The Trojan modifies IE security-zone settings so that network (UNC) paths are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that sites that bypass the proxy are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings so that local sites not listed in any other zone (including dotless host names) are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Caveat: the Internet Settings entries above (cache paths, MigrateProxy, SavedLegacySettings and the three ZoneMap flags) are the entries WinINet populates when a process first uses it in a fresh profile, and this sample imports wininet.dll (see the strings below) and issues HTTP requests. Treat them as a side effect of the HTTP activity unless the values differ from the host's previous configuration. The deletion of AutoConfigURL, ProxyServer and ProxyOverride is the part worth checking on a real host, since it removes any configured proxy or PAC URL.
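The registry changes above can be checked mechanically. The following Python script is added here as an example; it is not the report's or Lavasoft's code. It parses a dump in the report's own key/value notation and flags the entries that widen the IE Intranet zone or strip proxy configuration. SAMPLE_DUMP is constructed from the entries listed above; placing "ProxyBypass" under the ZoneMap key is an assumption, since the report prints that value without a key header.

```python
"""Audit a registry-activity dump in the report's own notation for
WinINet proxy / IE zone weakening.  Added example, not the report's or
Lavasoft's code.  SAMPLE_DUMP is constructed from the entries listed
above; placing "ProxyBypass" under the ZoneMap key is an assumption
(the report prints that value without a key header)."""
import re

SAMPLE_DUMP = r"""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
"ProxyBypass" = "1"
"IntranetName" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
"MigrateProxy" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
"""

# (key suffix, value name, data) -> why the setting matters
WEAKENING_SETS = {
    (r"Internet Settings\ZoneMap", "UNCAsIntranet", "1"): "UNC paths land in the Intranet zone",
    (r"Internet Settings\ZoneMap", "ProxyBypass", "1"): "proxy-bypassed hosts land in the Intranet zone",
    (r"Internet Settings\ZoneMap", "IntranetName", "1"): "any site not in another zone lands in the Intranet zone",
    (r"Internet Settings", "ProxyEnable", "0"): "proxy disabled",
}
# Deleting any of these removes a configured proxy or PAC URL.
WEAKENING_DELETES = {"AutoConfigURL", "ProxyServer", "ProxyOverride"}

KEY_RE = re.compile(r"^\[(.+)\]$")
SET_RE = re.compile(r'^"([^"]+)"\s*=\s*"(.*)"$')
DEL_RE = re.compile(r'^"([^"]+)"$')


def parse_registry_dump(text):
    """Return (sets, deletes): sets as (key, name, data), deletes as (key, name).
    The report lists every set value before the 'deletes' sentence, so a
    single mode switch is enough; template sentences are ignored."""
    sets, deletes, key, deleting = [], [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("The Trojan deletes"):
            deleting = True
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None:
            continue
        if deleting:
            m = DEL_RE.match(line)
            if m:
                deletes.append((key, m.group(1)))
        else:
            m = SET_RE.match(line)
            if m:
                sets.append((key, m.group(1), m.group(2)))
    return sets, deletes


def find_weakening(sets, deletes):
    """Findings for values that widen the Intranet zone or strip proxy config."""
    findings = []
    for key, name, data in sets:
        for (suffix, wname, wdata), why in WEAKENING_SETS.items():
            if name == wname and data == wdata and key.lower().endswith(suffix.lower()):
                findings.append(f"{key}\\{name} = {data}: {why}")
    for key, name in deletes:
        if name in WEAKENING_DELETES and key.lower().endswith("internet settings"):
            findings.append(f"{key}\\{name} deleted: proxy configuration removed")
    return findings


def audit(text):
    """Parse a dump and return the list of weakening findings."""
    return find_weakening(*parse_registry_dump(text))


if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP):
        print(finding)
```

The parser attributes a value line to the most recent key header, which is also how the report's own text reads (the bare "ProxyBypass" line follows the ZoneMap header), so the Registry activity section above can be pasted in as-is. Cache paths, MigrateProxy and similar first-use entries are deliberately not reported, matching the caveat above.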

Dropped PE files

MD5: 147127382e001f495d1842ee7a9e7912    File path: c:\SkinH_EL.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ?????
Product Name: 58?????????
Product Version: 2.0.0.0
Legal Copyright: ???????????,????!
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2.0.0.0
File Description: 58?????????
Comments: 58?????????
Language: Chinese (Simplified, PRC)

(The Chinese VersionInfo strings were not preserved by the analysis system; only the ASCII digits "58" at the start of the product name survive.)

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             666906        667648    4.53518  272c205ddebc4f2211d83a6ab13e4d55
.rdata  671744           983410        987136    5.37139  c6c9febe44232bbe38c106b3bd54b4cc
.data   1658880          295370        69632     3.58637  d16d253b093980708e4cd10904f5672f
.rsrc   1957888          71252         73728     2.22229  00449e63df09639ed5165b5f404f4e63

The per-section entropies (2.2 to 5.4 bits per byte) are low for a packed image, and the PEiD matches listed above combine mutually exclusive signatures (Armadillo v1.71, UPolyX and plain Visual C++ 5/6 MFC), so the "Entropy: Packed" verdict and the packer names should be treated as weak evidence. The section layout itself is regular: each section starts at the previous section's end rounded up to 4096, and the raw sizes sum to 1798144 bytes, which with one 4096-byte header block equals the 1802240-byte file size, so nothing is appended as an overlay. The one anomaly is .data, whose virtual size (295370) is more than four times its raw size (69632), i.e. a large zero-initialised region.
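To check the "Packed" verdict and the section table against each other, here is an added Python example (not from the report or from Lavasoft). It transcribes the table above, redoes the section-layout arithmetic, and provides a Shannon-entropy routine for re-measuring sections from a file. The 4096-byte header allowance is an assumption based on the standard section alignment, and the byte strings used to exercise the entropy function are constructed.

```python
"""Cross-check the reported PE section table against the 'Packed' verdict.
Added example, not taken from the report.  SECTIONS is transcribed from
the table above and FILE_SIZE is the reported size; HEADER_SIZE = 4096 is
an assumption (one section-alignment unit of headers, the usual layout
for a 4096-aligned image)."""
import math
from collections import Counter

FILE_SIZE = 1802240
SECTION_ALIGN = 4096
HEADER_SIZE = 4096  # assumed on-disk size of the header block

# (name, virtual address, virtual size, raw size, reported entropy)
SECTIONS = [
    (".text",  4096,    666906, 667648, 4.53518),
    (".rdata", 671744,  983410, 987136, 5.37139),
    (".data",  1658880, 295370, 69632,  3.58637),
    (".rsrc",  1957888, 71252,  73728,  2.22229),
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def align_up(value: int, align: int) -> int:
    return (value + align - 1) // align * align


def sections_contiguous(sections, align=SECTION_ALIGN) -> bool:
    """True if every section starts where the previous one ends, rounded up."""
    for (_, va, vsize, _, _), (_, next_va, _, _, _) in zip(sections, sections[1:]):
        if align_up(va + vsize, align) != next_va:
            return False
    return True


def overlay_size(file_size, sections, header_size=HEADER_SIZE) -> int:
    """Bytes in the file beyond headers plus all raw sections (appended data)."""
    return file_size - header_size - sum(raw for _, _, _, raw, _ in sections)


def packed_verdict_supported(sections, threshold=7.0) -> bool:
    """A packed or encrypted image normally has a section near 8 bits/byte."""
    return any(ent >= threshold for *_, ent in sections)


def section_flags(sections, threshold=7.0):
    """Readable anomalies: virtual/raw size mismatches and high-entropy sections."""
    flags = []
    for name, _, vsize, rsize, ent in sections:
        if vsize > 2 * rsize:
            ratio = f"{vsize / rsize:.1f}x" if rsize else "infinite"
            flags.append(f"{name}: virtual size {vsize} is {ratio} raw size {rsize}")
        if ent >= threshold:
            flags.append(f"{name}: entropy {ent:.2f} looks packed/encrypted")
    return flags


if __name__ == "__main__":
    print("contiguous layout:", sections_contiguous(SECTIONS))
    print("overlay bytes:", overlay_size(FILE_SIZE, SECTIONS))
    print("packed verdict supported:", packed_verdict_supported(SECTIONS))
    for flag in section_flags(SECTIONS):
        print("flag:", flag)
```

To re-measure rather than trust the reported column, read each section's raw bytes from the file at its raw offset and pass them to shannon_entropy; the thresholds here (7.0 bits per byte, virtual size above twice raw size) are conventional triage cut-offs, not part of the report.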

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

hxxp://aladdin.a.shifen.com/special/time/    IP: not recorded
hxxp://open.baidu.com/special/time/    IP: 123.125.114.102

(a.shifen.com is a Baidu CDN domain; the two entries are most likely the same request, logged once under the requested host name and once under its resolved CNAME.)


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0

The alert is triggered by the hard-coded User-Agent "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" in the requests below: it claims Windows 2000 while the sandbox runs Windows XP, on which a genuine IE 6 would report Windows NT 5.1. A fixed, mismatched User-Agent like this is one of the more usable network indicators for the sample; the destination itself is a public Baidu page shared with legitimate traffic.

Traffic

GET /special/time/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: open.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Fri, 20 Feb 2015 00:19:26 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Vary: User-Agent
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
2065..<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN
".."hXXp://VVV.w3.org/TR/html4/loose.dtd">..<html>.. <h
ead>.. <meta http-equiv="Content-Type" content="text/html
; charset=gbk">.. <title>........_........</title&g
t;...<style type="text/css">..p,dl,dd,div,h1,h2,table,td,th,ul,o
l,li,img,form{margin:0;padding:0;}div,ul{zoom:1;}a:link{color:#261cdc;
}img{border:none;}body{margin:6px 0 0 0;background-color:#fff;color:#0
00;font-family:arial;}#head{margin-left:0px;width:670px;height:54px;}#
head{padding-left:20px;font-size:12px}.fm{clear:both;position:relative
;z-index:297}.nv a,.nv b,.btn,#page,#more{font-size:14px}.s_nav{height
:45px}.s_nav .s_logo{margin-right:20px;float:left}.s_nav .s_logo img{b
order:0;display:block}.s_nav .s_tab{line-height:18px;padding:20px 0 0;
float:left}.s_nav a{color:#0000cc;font-size:14px}.s_nav b{font-size:14
px}.s_ipt_wr{width:533px;height:30px;display:inline-block;margin-right
:5px;background:url(hXXp://s1.bdstatic.com/r/www/img/i-1.0.0.png) no-r
epeat -304px 0;border:1px solid #b6b6b6;border-color:#7b7b7b #b6b6b6 #
b6b6b6 #7b7b7b;vertical-align:top}.s_ipt{width:520px;height:22px;font:
16px/22px arial;margin:5px 0 0 7px;padding:0;background:#fff;border:0;
outline:none;-webkit-appearance:none}.s_btn{width:95px;height:32px;pad
ding-top:2px\9;font-size:14px;padding:0;background:#ddd url(hXXp://s1.
bdstatic.com/r/www/img/i-1.0.0.png);border:0;cursor:pointer}.s_btn_h{b
ackground-position:-100px 0}.s_btn_wr{width:97px;height:34px;displ

<<< skipped >>>

The same request and response were captured eight more times in the session (server Date headers 00:19:27, 00:19:28, 00:19:28, 00:19:29, 00:19:30, 00:19:31, 00:19:32 and 00:19:32 GMT), each with identical request headers and the identical chunked HTML body; the duplicates are not repeated here. Nine identical fetches of one URL within about six seconds is a polling loop or retry behaviour rather than a one-off check, and is a better behavioural indicator than the destination itself.
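The two network indicators in this capture, the hard-coded User-Agent claiming Windows NT 5.0 and the nine identical fetches of one URL in about six seconds, can be turned into a simple log check. This Python example is added here and is not the report's or the Emerging Threats ruleset's code; the log format and the lines in SAMPLE_LOG are constructed to mirror the requests above plus one benign request, and the "Windows NT 5.0" substring match is a simplification of what the ET POLICY rule matches.

```python
"""Log check for the two network indicators above: a hard-coded legacy
User-Agent (the substring the ET POLICY 'Windows NT Version 5.0' rule
name refers to) and tight repetition of one request.  Added example,
not the report's or the ET ruleset's code.  SAMPLE_LOG is constructed
to mirror the nine GET /special/time/ requests captured above plus one
benign line; the log format itself is an assumption."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: "<ISO timestamp> <client> <method> <host+path> <user-agent>"
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
SAMPLE_LOG = "\n".join(
    [f"2015-02-20T00:19:{s:02d} 10.0.0.5 GET open.baidu.com/special/time/ {LEGACY_UA}"
     for s in (26, 27, 28, 28, 29, 30, 31, 32, 32)]
    + ["2015-02-20T00:19:40 10.0.0.5 GET www.example.com/index.html "
       "Mozilla/5.0 (Windows NT 5.1; rv:35.0) Gecko/20100101 Firefox/35.0"]
)

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.+)$")


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, ua = m.groups()
        records.append({"ts": datetime.fromisoformat(ts), "client": client,
                        "method": method, "url": url, "ua": ua})
    return records


def legacy_ua_hits(records, marker="Windows NT 5.0"):
    """Requests whose User-Agent claims Windows 2000 (NT 5.0)."""
    return [r for r in records if marker in r["ua"]]


def find_beacons(records, window_seconds=10, min_count=5):
    """(url, count, span_seconds) for every client/request combination that
    repeats min_count or more times inside a sliding time window."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["client"], r["method"], r["url"], r["ua"])].append(r["ts"])
    window = timedelta(seconds=window_seconds)
    hits = []
    for (_, _, url, _), stamps in groups.items():
        stamps.sort()
        best_count, best_span, j = 0, 0, 0
        for i in range(len(stamps)):
            # advance j to the first stamp outside the window that starts at i
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            if j - i > best_count:
                best_count = j - i
                best_span = int((stamps[j - 1] - stamps[i]).total_seconds())
        if best_count >= min_count:
            hits.append((url, best_count, best_span))
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(legacy_ua_hits(recs))} request(s) with a Windows NT 5.0 User-Agent")
    for url, count, span in find_beacons(recs):
        print(f"repeated request: {url} fetched {count} times in {span}s")
```

The window and count thresholds are illustrative; on real proxy logs the User-Agent check alone will also catch old or embedded clients that genuinely report NT 5.0, so the two signals are most useful together, as they are for this sample.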

The Trojan connects to the servers at the following location(s):

hxxp://open.baidu.com/special/time/ (123.125.114.102)

Strings from Dumps

%original file name%.exe_1252:

.text
`.rdata
@.data
.rsrc
t%SVh
t$(SSh
~%UVW
t.It It
u$SShe
Kernel32.dll
ole32.dll
wininet.dll
kernel32.dll
advapi32.dll
SkinH_EL.dll
user32.dll
EnumWindows
1005----
1016----
1029----
1039----
1057----
1067----
1078----
1086----
1096----
1734----
2015----
2032----
2036----
2038----
2039----
2040----
2041----
2042----
2043----
2044----
2045----
2046----
2047----
2049----
2050----
2051----
2052----
2053----
2054----
2055----
2192----
2247----
2236----
2258----
2284----
2292----
2296----
2299----
2302----
2303----
2307----
2315----
2319----
2323----
2325----
2328----
2329----
2335----
2336----
2340----
2342----
2344----
2346----
2347----
2350----
2354----
2360----
2363----
2364----
2361----
2362----
2368----
2380----
2381----
2389----
2390----
2392----
2393----
2394----
2395----
2397----
2398----
2404----
2408----
2421----
2422----
2429----
2501----
3157----
3163----
3177----
3184----
3198----
3209----
3222----
3236----
3251----
3266----
3279----
3306----
3328----
3350----
3359----
3434----
3445----
3453----
3470----
3479----
3369----
5632----
5633----
5653----
5669----
5695----
5709----
5722----
5733----
5756----
5772----
5845----
5853----
5898----
5918----
5928----
5942----
6700----
6718----
6729----
6745----
6752----
6760----
6770----
6776----
6788----
6793----
6803----
6921----
6964----
7112----
7133----
7154----
7289----
7303----
7428----
7452----
7453----
7458----
7624----
7923----
7969----
8408----
8467----
8470----
8531----
8556----
8572----
8658----
8672----
8684----
8694----
8738----
8832----
8951----
9026----
9039----
9101----
9124----
9179----
9303----
9311----
9329----
9342----
9336----
9364----
9384----
9394----
9407----
9417----
9422----
9429----
9441----
9452----
9455----
9464----
9465----
9475----
9366----
9510----
9527----
9533----
9539----
9545----
9556----
9563----
9564----
9578----
9587----
9597----
9616----
9625----
9630----
9635----
9636----
9655----
9676----
9686----
9695----
9702----
9704----
9715----
9723----
9751----
9760----
9765----
9799----
9808----
9814----
9829----
9836----
9846----
9851----
9858----
9869----
9875----
9886----
9894----
9896----
9905----
9921----
9934----
9940----
9936----
9949----
9959----
9967----
9983----
9998----
10012----
10035----
10063----
10078----
10083----
10093----
10102----
10111----
10116----
10138----
10157----
10167----
10177----
10193----
10214----
10224----
10254----
10260----
10279----
10285----
10307----
10320----
10336----
10356----
10381----
10419----
10430----
10441----
10443----
10449----
10456----
10462----
10470----
10500----
10506----
10510----
10514----
10530----
10541----
10549----
10553----
10567----
10736----
10868----
10884----
11053----
11176----
11201----
11238----
11254----
11271----
11313----
12221----
"~(.*?)"
"~411611"
"~411772"
"~412214"
"~411714"
"~412111"
"~411966"
"~411734"
3000"~412144"
"~411865"
"~411912"
"~412157"
"~412065"
"~411958"
"~411674"
"~411825"
"~666971"
"~411644"
)"~411862"
)"~411698"
"~412299"
"~666972"
"~412308"
"~668366"
"~410387"
"~410426"
"~410511"
"~410404"
"~410391"
"~410541"
"~656336"
"~410498"
"~410492"
"~667637"
"~410508"
"~410388"
"~410569"
"~410547"
"~410572"
"~553799"
)"~516017"
"~410767"
"~410917"
"~410869"
"~410768"
"~410794"
"~553816"
"~410783"
"~410836"
"~410965"
"~610793"
"~412596"
"~412597"
"~412751"
"~412660"
"~412714"
"~412862"
"~412814"
"~412709"
"~668160"
"~412698"
)"~518708"
"~412706"
)"~412984"
"~678315"
"~413028"
)"~412925"
"~413021"
"~413044"
)"~413003"
"~413082"
"~413085"
"~413075"
"~420671"
"~551161"
"~553956"
"~431490"
"~606804"
86"~617190"
"~418433"
"~420623"
"~420622"
2000"~418457"
"~418509"
"~418453"
"~416805"
"~417038"
"~416906"
"~416806"
"~416966"
"~417017"
"~416863"
"~416990"
"~416900"
)"~416961"
"~417012"
)"~521093"
"~416898"
)"~416843"
"~417091"
)"~417085"
"~417103"
"~417124"
"~417193"
"~417166"
"~417188"
"~417213"
"~417195"
"~431503"
"~431504"
"~431505"
"~416256"
"~416420"
"~416214"
6"~520870"
1"~416314"
3"~416455"
5"~525216"
7"~668142"
"~416303"
"~416450"
"~416458"
5"~668144"
"~409261"5
"~409331"3
"~409435"7
"~409387"3
)"~409283"5
)"~409262"5
"~409421"3
"~661134"7
"~418514"
"~418518"
"~418557"
"~418650"
"~554442"
"~418710"
"~418640"
"~418718"
"~661133"
"~418515"
"~617358"
"~418574"
"~668367"
"~418691"
"~418587"
"~418624"
"~553390"
"~418729"
)"~553429"
"~418752"
"~660771"
"~418767"
"~418780"
"~418785"
100"~409041"
200"~408851"
"~415955"
6"~416015"
3"~416001"
323"~420630"
)"~668136"
2"~415974"
"~415962"
"~520428"
"~520440"
5"~416063"
8"~416068"
)"~416067"
"~413201"
"~413207"
"~413202"
"~413232"
"~413212"
"~517186"
"~420656"
"~420675"
"~661244"
"~550919"
"~550918"
"~668089"
"~668088"
"~668061"
"~410727"
"~415266"
"~415360"
"~415291"
"~415341"
"~415437"
"~415483"
"~415411"
"~415267"
"~415418"
"~415388"
"~520029"
"~415381"
"~420624"
"~520099"
"~668127"
"~420636"
"~415517"
"~415532"
"~668126"
"~415555"
"~418789"
"~418905"
"~418951"
"~661235"
"~418844"
"~418947"
"~419005"
"~420609"
"~414662"
"~414736"
"~414663"
"~414775"
"~414717"
"~417850"
"~417667"
"~417629"
"~414787"
"~414790"
"~410156"
"~515971"
)"~517680"
"~410173"
"~410131"
"~515968"
)"~410169"
"~550984"
"~550983"
"~550982"
"~420648"
"~411049"
"~411069"
"~411032"
"~411090"
"~668086"
"~668084"
"~411103"
"~516736"
"~420659"
"~420660"
"~420649"
"~666969"
"~666968"
"~666967"
"~660320"
2"~666966"
"~667694"
"~413316"
"~413341"
"~413429"
"~413317"
"~413402"
"~413380"
"~413361"
)"~668371"
"~553981"
)"~668370"
"~668087"
"~413446"
"~660155"
"~668372"
"~413465"
"~617180"
"~413458"
"~413467"
"~431491"
"~419174"
"~419223"
"~419244"
"~419293"
"~419212"
"~419175"
"~419324"
"~419276"
"~419358"
"~419286"
"~419279"
"~419204"
"~419274"
"~419359"
)"~553330"
"~678311"
"~420613"
"~419370"
"~414548"
"~414549"
"~414563"
"~420668"
"~420669"
"~414559"
"~431481"
"~668112"
"~416526"
"~416616"
"~416651"
"~416572"
"~416674"
"~416555"
"~416602"
"~520942"
"~416577"
"~416527"
"~416532"
"~520586"
"~416676"
"~416697"
"~416719"
)"~416688"
"~416728"
"~416717"
"~416782"
"~416793"
"~416796"
"~416757"
"~412398"
"~412399"
"~412404"
"~412410"
"~518240"
"~420610"
"~412413"
"~518246"
"~518243"
"~518251"
"~420664"
"~507656"
"~507615"
"~507612"
"~661241"
"~507613"
"~550934"
"~550933"
"~550935"
"~550937"
"~550936"
"~550938"
"~414297"
"~414332"
"~414343"
"~414307"
"~414354"
"~414365"
"~414411"
"~414382"
"~414474"
"~511496"
"~511495"
"~550928"
"~550926"
"~550932"
"~550927"
"~550929"
"~550931"
"~550925"
"~511494"
"~511493"
"~550930"
"~431482"
"~410181"307
)"~518138"207
"~410201"207
)"~410384"4008"~524444"
"~431512"
"~414203"
"~414264"
)"~414286"
"~414215"
"~414196"
"~414244"
"~414242"
"~668085"
"~414190"
"~412455"
"~657227"
"~553905"
"~553922"
"~420665"
"~412516"
"~419006"
"~554352"
"~419010"
"~419039"
"~419052"
"~420640"
"~419019"
"~419072"
"~419163"
"~419104"
"~420670"
"~668163"
"~678316"
"~419444"
"~419452"
"~419502"
"~419481"
"~419551"
"~420651"
"~511473"
"~511474"
"~413750"
"~413773"
"~413811"
"~413771"
"~420662"
"~420663"
"~420661"
"~660321"
"~668101"
"~668100"
"~668099"
"~413097"
"~413154"
"~676193"
"~413133"
"~413101"
"~413145"
"~413098"
500"~413148"
"~611835"
"~413152"
"~413177"
"~518666"
"~413937"
"~414007"
323"~413951"
"~413956"
"~413991"
"~413938"
3"~413984"
"~518828"
"~524901"
"~413975"
"~414057"
"~414067"
"~414065"
"~657135"
"~657136"
"~657133"
"~657134"
"~657137"
"~411135"
"~411157"
"~516682"
"~411173"
"~411194"
"~411226"
"~411296"
"~420611"
"~411394"
"~411389"
"~516535"
"~411230"
"~516614"
"~656313"
"~431485"
3"~431483"
5"~431484"
"~413566"
"~413573"
"~413635"
"~413627"
"~413609"
"~413657"
"~413575"
"~413633"
"~413583"
"~413618"
"~413621"
"~413567"
"~420650"
"~419842"
"~419852"
"~419862"
"~419925"
"~431480"
"~417330"
"~417342"
"~417331"
)"~417393"
"~417386"
)"~417357"
"~668152"
"~417398"
"~417414"
"~521260"
"~417405"
"~417483"
"~417589"
"~511475"
"~417549"
"~417563"
"~418029"
"~418049"
"~418040"
"~418120"
"~667639"
"~418103"
"~418030"
"~418045"
"~667640"
"~667641"
"~415738"
"~415798"
3"~415756"
"~415766"
"~415744"
"~415739"
2"~415783"
"~414867"
"~414872"
"~414877"
"~667690"
"~414890"
"~414879"
"~414893"
"~414898"
"~414900"
"~414902"
"~414909"
"~416072"
"~416073"
"~416112"
"~416085"
"~668140"
"~416087"
"~416114"
"~416121"
"~668141"
"~418138"
"~418238"
"~420325"
"~520597"
"~420326"
"~431502"
"~411463"
"~411464"
"~411602"
"~411572"
"~411505"
"~411473"
"~411605"
"~431488"
"~431487"
"~518186"
)"~661308"
"~554270"
"~554287"
"~554281"
"~554271"
"~554310"
"~420332"
"~420657"
"~420658"
"~525382"
"~606854"
"~660214"
"~660213"
"~420314"
"~517388"
"~417604"
"~661239"
"~525140"
"~420306"
"~420309"
"~420307"
"~420311"
"~420122"
"~668159"
"~420137"
"~420127"
"~420141"
"~656797"
"~414832"
"~414842"
"~414835"
"~414833"
"~668117"
"~417835"
"~417873"
"~417893"
"~420355"
"~420365"
"~420356"
"~420340"
"~415361"
"~415579"
"~415580"
"~415685"
"~415704"
"~420069"
"~420070"
"~420090"
"~420100"
"~420110"
"~420082"
"~431516"
"~420029"
"~419611"
"~419622"
2008"~419636"
5008"~419626"
"~419656"
"~419668"
"~414823"
"~516101"
"~411124"
"~411115"
"~411112"
"~666970"
"~511479"
"~550923"
"~550924"
"~420048"
"~420066"
"~414998"
"~525070"
"~415010"
"~414999"
"~415015"
"~415012"
"~415006"
"~415024"
"~550996"
"~415223"
"~419994"
"~419995"
"~420020"
"~420018"
"~419797"
6"~419798"
"~419817"
"~419804"
"~419809"
"~517136"
"~431492"
"~431493"
"~431494"
"~419983"
"~419988"
"~419986"
"~419984"
"~419991"
"~420343"
"~420344"
"~420144"
"~660156"
"~420158"
"~660048"
"~415903"3200GT"~415924"COUPE"~415929"GranCabrio"~415922"GranSport"~415926"GranTurismo"~415918"Spyder"~415915"
"~420241"
"~420242"
"~417741"
"~417742"
"~417773"
"~521444"
"~417798"
"~417786"
"~417755"
"~417759"
"~420587"
630"~420588"
"~420384"
"~418243"
"~412445"
"~420170"
"~420171"
"~420182"
"~420180"
"~420604"
"~420593"
"~420594"
"~420321"
"~420322"
"~420277"
"~420267"
"~420270"
"~419822"
"~419833"
"~419823"
"~420590"
"~420317"
"~420318"
"~420115"
"~420119"
"~420116"
"~551122"
"~551123"
"~551168"
"~656796"
"~550861"
"~550862"
"~550865"
"~551020"501
"~551025"
"~551024"
"~551022"
"~551023"
"~551155"
"~551156"
"~550907"
"~550912"
"~660215"
"~550911"
"~550910"
"~550909"
"~551043"
"~551044"
"~550917"
"~550914"
"~550913"
"~550915"
"~550916"
"~550893"
"~507619"
"~507617"
"~550897"
"~550896"
"~507618"
"~550894"
"~550892"
"~511777"
"~550895"
"~507620"
"~551099"
"~551100"
"~551162"
"~551163"
"~511810"
"~511812"
"~511814"
"~511813"
"~511811"
"~550999"
"~551000"
"~551118"
"~551119"
"~551124"
"~551125"
"~507599"
"~507601"
"~551052"
"~616566"
"~616584"
"~616567"
"~616578"
"~616571"
"~616570"
"~616577"
"~616574"
"~616580"
"~616568"
"~616576"
"~616581"
"~616579"
"~616569"
"~616583"
"~616572"
"~616582"
"~616575"
"~616573"
"~511695"
"~551011"
"~551015"
"~551014"
"~551013"
"~551012"
"~551048"
"~551050"
"~551049"
"~551026"
"~551028"
"~551027"
"~667827"
"~667985"
"~667986"
"~612001"
205"~612002"
306"~612003"
307"~661131"
"~524413"
"~617886"
"~550972"1041
"~550975"
"~550974"
"~550973"
"~550976"
"~550944"
"~551128"
"~551129"
"~551169"
"~551170"
"~511490"
"~511492"
"~511491"
"~550939"
"~550942"
"~550941"
"~550940"
"~550964"
"~550965"
"~550966"
"~611992"
"~611994"
"~611996"
"~668368"
"~661302"
"~661304"
"~661305"
"~551059"
"~616460"
"~616465"
"~616467"
"~616473"
"~616471"
"~616462"
"~616466"
"~616468"
"~616461"
"~616472"
"~616470"
"~616464"
"~616474"
"~616463"
"~616475"
"~616469"
"~616346"
"~616347"
"~616362"
"~616365"
"~616355"
"~616353"
"~666965"
"~616354"
"~616357"
"~616350"
"~616364"
"~616360"
"~616356"
"~616361"
"~616352"
"~616348"
"~616358"
"~616349"
"~616363"
"~616351"
"~616359"
"~551147"
"~551148"
"~551166"
"~551167"
"~420386"
"~420387"
"~551066"
"~551061"
"~551065"
"~551064"
"~551063"
"~551062"
"~551054"
"~551055"
"~551120"
"~551121"
"~550902"
"~550906"
"~550903"
"~551159"
"~551160"
"~661303"
"~507602"
"~551068"
"~551067"
"~551069"
"~551086"
"~551087"
"~551088"
"~551090"
"~551091"
"~551089"
"~551153"
"~551154"
"~551157"
"~551158"
"~668276"
"~668277"
"~661179"
"~661181"
"~661180"
"~661182"
"~661183"
"~411455"
"~411456"
"~616491"
"~616496"
"~616501"
"~616500"
"~616495"
"~616497"
"~616494"
"~616492"
"~616493"
"~616498"
"~616499"
"~551164"
"~551165"
"~550970"700
"~550968"
"~551171"
"~551172"
"~550951"
"~550953"
"~550954"
"~550952"
"~551033"
"~551034"
"~551035"
"~551036"
"~551037"
"~661199"
"~551103"
"~551104"
"~551126"
"~551127"
"~616067"
"~616068"
"~616072"
"~616079"
"~668441"
"~616082"
"~616070"
"~616085"
"~616069"
"~616080"
"~616071"
"~616081"
"~616084"
"~616075"
"~616073"
"~616076"
"~616074"
"~616077"
"~616086"
"~616083"
"~616437"
"~616444"
"~616442"
"~616439"
"~616447"
"~616441"
"~616443"
"~616446"
"~616438"
"~616448"
"~616440"
"~616445"
"~667829"
4-4"~667988"
"~550994"
"~550959"
"~550957"
"~550962"
"~550958"
"~507655"
"~550961"
"~550956"
"~656794"
"~656795"
"~550948"
"~616512"
"~616514"
"~616513"
"~616518"
"~616526"
"~616517"
"~616520"
"~616527"
"~616525"
"~616515"
"~616522"
"~616524"
"~616519"
"~616516"
"~616521"
"~616523"
"~551113"
"~551115"
"~551114"
"~552141"
"~552142"
"~552143"
"~552144"
800"~552146"
"~552145"
"~616543"
"~616544"
"~616552"
"~616548"
"~616551"
"~616553"
"~616549"
"~616554"
"~616546"
"~616545"
"~616547"
"~616550"
"~668044"
"~507608"
"~551073"
"~551071"
"~551072"
"~551070"
"~507609"
"~507610"
"~611798"
"~611800"
"~667830"
"~616390"
"~616395"
"~616393"
"~616391"
"~616389"
"~616400"
"~616388"
"~616392"
"~616394"
"~616385"
"~616399"
"~616398"
"~616396"
"~616387"
"~551108"900
"~551106"9300
"~551110"9600
"~551109"9800
"~551107"
"~661192"
3"~661193"
"~616215"
"~616220"
"~616233"
"~616217"
"~616228"
"~616224"
"~616231"
"~616230"
"~616240"
"~616238"
"~616236"
"~616216"
"~616241"
"~616222"
"~616237"
"~616242"
"~616235"
"~616227"
"~551039"
"~551041"
"~551042"
"~551040"
"~667828"
"~550977"
"~550978"
"~551001"
"~551007"
"~551006"
"~551003"
"~551004"
"~551002"
"~551005"
"~551101"
"~551102"
"~551029"
"~551030"
"~551031"
"~551032"
"~551009"
"~551010"
"~660323"
"~660324"
"~660322"
"~660325"
"~660328"
"~660327"
"~660329"
"~660326"
"~660767"
"~660769"
"~660768"
"~550884"
"~550885"
"~550887"
"~550889"
"~550890"
"~550888"
"~550886"
"~551116"
"~551117"
"~551056"
"~551057"
"~551097"
"~551098"
"~612738"
"~612739"
-4ddebc152a9f","apn":"WIFI","lat":""}&shoujishipai=
","X-Wap-Proxy-Cookie":"none","uuid":"e963cc5c-
","channelid":"3","version":"5.7.0.0","productorid":"1","ua":"GT-N
&LV=
&UN=
<=
&SK=
&PPT=
&PPK=
","platform":"android","os":"android","lon":"","locationstate":"0","location":",,","osv":"2.3.4","imei":"727093967614219","maptype":"2","cid":"3","PPU":"UID=
&type=&formatsource=home&headerData={"uid":"
%E5%B9%B4&Content=
&buytime=
&cheshenyanse=
&chexi=
&cspailiang=2.0&cjshijian=2016|4&qxshijian=2016|2&syshijian=2016|2&xinxibianhao=J1RV12&shangpainianyue=201602&cateapplyed=29&paifangbiaozhun=408&canjiapaimai=0&gobquzhi=brand=
","maptype":"2","cid":"342","PPU":"UID=
","platform":"android","os":"android","lon":"","locationstate":"0","location":",,","osv":"2.3.4","imei":"72709
&carchexing=2012%E6%AC%BE%202.0%20EX%20Navi&cheshenyanse=
&gobquzhi=brand=
hXXp://p.webapp.58.com/ajaxSendValidCode/?callback=jsonp_callback2&phone=
hXXp://p.m.58.com/
PRTG Enterprise Console.exe
HttpAnalyzerStdV7.exe
WSExplorer1.3.exe
WinPcap_4_1_3.exe
Wireshark.exe
IceSword.exe
Referer: hXXp://pic2.58.com/ui7/post/PictureUpload_zip_s1.swf
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; EmbeddedWB 14.52 from: hXXp://VVV.bsalsa.com/ EmbeddedWB 14.52; .NET CLR 2.0.50727)
Host: pic.kuche.com
hXXp://pic.kuche.com/postpic/upload?flash=1
WinHttp.WinHttpRequest.5.1
MSXML2.ServerXMLHTTP.6.0
MSXML2.ServerXMLHTTP.5.0
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
hXXp://
hXXps://
Adodb.Stream
@`~!@#$%^&*()-_= [{]};:'\|,<.>/?"
&password=
hXXps://passport.58.com/pso/domclientunionlogin
hXXp://passport.58.com/pso/waplogin
*.txt
|*.txt
STR_UINTIP=1;STR_QLOGIN_VERSION_ERR=2;STR_NO_UIN=3;STR_NO_PWD=4;STR_NO_VCODE=5;STR_INV_UIN=6;STR_INV_VCODE=7;STR_UIN=8;STR_PWD=9;STR_VCODE=10;STR_VCODE_TIP=11;STR_CHANGE_VCODE=12;STR_REMEMBER_PWD=13;STR_1_DAY=14;STR_1_WEEK=15;STR_1_MONTH=16;STR_HALF_YEAR=17;STR_1_YEAR=18;STR_FORGET_PWD=19;STR_LOGIN=20;STR_RESET=21;STR_SWITCH_QLOGIN=22;STR_LOGIN_TITLE=23;STR_QLOGIN_INTRO=24;STR_QLOGINING=25;STR_QLOGIN_HELP=26;STR_SWITCH_NORMAL=27;STR_QLOGIN=28;STR_QLOGIN_BUSY=29;STR_QLOGIN_OFFLINE=30;STR_QLOGIN_OTHER_ERR=31;STR_BACK=32;STR_RETRY=33;function ptui_str(A){A-=1;if(A>=0&&A<g_strArray.length){return g_strArray[A]}return""}function ptui_mapStr(B){for(i=0;i<B.length;i  ){var A=document.getElementById(B[i][1]);if(A!=null){if("A"==A.nodeName||"U"==A.nodeName||"OPTION"==A.nodeName){if(A.innerHTML==""){A.innerHTML=ptui_str(B[i][0])}}else{if("INPUT"==A.nodeName){if(A.value==""){A.value=ptui_str(B[i][0])}}else{if("IMG"==A.nodeName){A.alt=ptui_str(B[i][0])}}}}}}function ptui_onUserFocus(C,A){var B=document.getElementById(C);if(ptui_str(STR_UINTIP)==B.value){B.value=""}B.style.color=A}function ptui_onUserBlue(C,A){var B=document.getElementById(C);if(""==B.value){B.value=ptui_str(STR_UINTIP);B.style.color=A}}var g_speedArray=new Array();function ptui_setSpeed(B){if(B<=0){return }var A=g_speedArray.length;g_speedArray[A]=new Array(B,new Date())}function ptui_reportSpeed(B){if(Math.random()>0.1){return }url="hXXp://isdspeed.qq.com/cgi-bin/r.cgi?flag1=6000&flag2=1&flag3=1";for(var A=0;A<g_speedArray.length;A  ){url=url "&" g_speedArray[A][0] "=" (g_speedArray[A][1]-B)}imgSendTimePoint=new Image();imgSendTimePoint.src=url}function ptui_showDiv(A,B){var C=document.getElementById(A);if(null==C){return }if(B){C.style.display="block"}else{C.style.display="none"}}function 
ptui_notifySize(B){try{obj=document.getElementById(B);if(obj){if(parent.ptlogin2_onResize){width=1;height=1;if(obj.offsetWidth>0){width=obj.offsetWidth}if(obj.offsetHeight>0){height=obj.offsetHeight}parent.ptlogin2_onResize(width,height)}}}catch(A){}}function ptui_notifyClose(){try{if(parent.ptlogin2_onClose){parent.ptlogin2_onClose()}else{if(top==this){window.close()}}}catch(A){window.close()}}function ptui_setUinColor(D,B,A){var C=document.getElementById(D);if(ptui_str(STR_UINTIP)==C.value){C.style.color=A}else{C.style.color=B}}function ptui_onEnableLLogin(B){var A=B.low_login_enable;var C=B.low_login_hour;if(A!=null&&C!=null){C.disabled=!A.checked}}function ptui_changeImgEx(D,C,F,E){var A=document.getElementById("imgVerify");if(A!=null){A.src=E "?aid=" C "&" Math.random();var B=document.getElementById("verifycode");if(B!=null&&B.disabled==false&&F){B.focus();B.select()}}}function ptui_changeImg(B,A,C){ptui_changeImgEx(B,A,C,"hXXp://ptlogin2." B "/getimage")}function ptui_changeImgHttps(B,A,C){ptui_changeImgEx(B,A,C,"./getimage")}function ptui_checkQQUin(qquin){if(qquin.length==0){return false}if(!(new RegExp(/^\w ((-\w )|(\.\w ))*\@[A-Za-z0-9] ((\.|-)[A-Za-z0-9] )*\.[A-Za-z0-9] $/).test(qquin))){if(qquin.length<5||qquin.length>12||parseInt(qquin)<1000){return false}var exp=eval("/^[0-9]*$/");return exp.test(qquin)}return true}function ptui_checkPwdOnInput(){if(document.getElementById("p").value.length>=16){return false}return true}function ptui_onLogin(A){try{if(parent.ptlogin2_onLogin){if(!parent.ptlogin2_onLogin()){return false}}if(parent.ptlogin2_onLoginEx){var D=A.u.value;var B=A.verifycode.value;if(ptui_str(STR_UINTIP)==D){D=""}if(!parent.ptlogin2_onLoginEx(D,B)){return false}}}catch(C){}return ptui_checkValidate(A)}function ptui_onLoginEx(B,C){if(ptui_onLogin(B)){var A=new Date();A.setHours(A.getHours() 24*30);setCookie("ptui_loginuin",B.u.value,A,"/","ui.ptlogin2." 
C);return true}return false}function ptui_setDefUin(B,A){if(A==""||A==null){A=getCookie("ptui_loginuin")}if(A!=""&&A!=null){B.u.value=A}}function ptui_onReset(A){try{if(parent.ptlogin2_onReset){if(!parent.ptlogin2_onReset()){return false}}}catch(B){}return true}function ptui_initFocus(B){try{var A=B.u;var D=B.p;var E=B.verifycode;if(A.value==""||ptui_str(STR_UINTIP)==A.value){A.focus();return }if(D.value==""){D.focus();return }if(E.value==""){E.focus()}}catch(C){}}function ptui_checkValidate(B){var A=B.u;var C=B.p;var D=B.verifycode;if(A.value==""||ptui_str(STR_UINTIP)==A.value){alert(ptui_str(STR_NO_UIN));A.focus();return false}if(C.value==""){alert(ptui_str(STR_NO_PWD));C.focus();return false}if(D.value==""){alert(ptui_str(STR_NO_VCODE));D.focus();return false}if(!ptui_checkQQUin(A.value)){alert(ptui_str(STR_INV_UIN));A.focus();A.select();return false}if(D.value.length!=4){alert(ptui_str(STR_INV_VCODE));D.focus();D.select();return false}C.setAttribute("maxlength","32");preprocess(B);return true}function getCookieVal(B){var A=document.cookie.indexOf(";",B);if(A==-1){A=document.cookie.length}return unescape(document.cookie.substring(B,A))}function getCookie(D){var B=D "=";var F=B.length;var A=document.cookie.length;var E=0;while(E<A){var C=E F;if(document.cookie.substring(E,C)==B){return getCookieVal(C)}E=document.cookie.indexOf(" ",E) 1;if(E==0){break}}return null}function setCookie(C,E){var A=setCookie.arguments;var H=setCookie.arguments.length;var B=(2<H)?A[2]:null;var G=(3<H)?A[3]:null;var D=(4<H)?A[4]:null;var F=(5<H)?A[5]:null;document.cookie=C "=" escape(E) ((B==null)?" ":(";expires =" B.toGMTString())) ((G==null)?" ":(";path = " G)) ((D==null)?" 
":(";domain =" D)) ((F==true)?";secure":" ")}var hexcase=1;var b64pad="";var chrsz=8;var mode=32;function preprocess(A){var B="";B =A.verifycode.value;B=B.toUpperCase();A.p.value=md5(md5_3(A.p.value) B);return true}function md5_3(B){var A=new Array;A=core_md5(str2binl(B),B.length*chrsz);A=core_md5(A,16*chrsz);A=core_md5(A,16*chrsz);return binl2hex(A)}function md5(A){return hex_md5(A)}function hex_md5(A){return binl2hex(core_md5(str2binl(A),A.length*chrsz))}function b64_md5(A){return binl2b64(core_md5(str2binl(A),A.length*chrsz))}function str_md5(A){return binl2str(core_md5(str2binl(A),A.length*chrsz))}function hex_hmac_md5(A,B){return binl2hex(core_hmac_md5(A,B))}function b64_hmac_md5(A,B){return binl2b64(core_hmac_md5(A,B))}function str_hmac_md5(A,B){return binl2str(core_hmac_md5(A,B))}function md5_vm_test(){return hex_md5("abc")=="900150983cd24fb0d6963f7d28e17f72"}function core_md5(K,F){K[F>>5]|=128<<((F)2);K[(((F 64)>>>9)<<4) 14]=F;var J=1732584193;var I=-271733879;var H=-1732584194;var G=271733878;for(var C=0;C<K.length;C =16){var E=J;var D=I;var B=H;var A=G;J=md5_ff(J,I,H,G,K[C 0],7,-680876936);G=md5_ff(G,J,I,H,K[C 1],12,-389564586);H=md5_ff(H,G,J,I,K[C 2],17,606105819);I=md5_ff(I,H,G,J,K[C 3],22,-1044525330);J=md5_ff(J,I,H,G,K[C 4],7,-176418897);G=md5_ff(G,J,I,H,K[C 5],12,1200080426);H=md5_ff(H,G,J,I,K[C 6],17,-1473231341);I=md5_ff(I,H,G,J,K[C 7],22,-45705983);J=md5_ff(J,I,H,G,K[C 8],7,1770035416);G=md5_ff(G,J,I,H,K[C 9],12,-1958414417);H=md5_ff(H,G,J,I,K[C 10],17,-42063);I=md5_ff(I,H,G,J,K[C 11],22,-1990404162);J=md5_ff(J,I,H,G,K[C 12],7,1804603682);G=md5_ff(G,J,I,H,K[C 13],12,-40341101);H=md5_ff(H,G,J,I,K[C 14],17,-1502002290);I=md5_ff(I,H,G,J,K[C 15],22,1236535329);J=md5_gg(J,I,H,G,K[C 1],5,-165796510);G=md5_gg(G,J,I,H,K[C 6],9,-1069501632);H=md5_gg(H,G,J,I,K[C 11],14,643717713);I=md5_gg(I,H,G,J,K[C 0],20,-373897302);J=md5_gg(J,I,H,G,K[C 5],5,-701558691);G=md5_gg(G,J,I,H,K[C 10],9,38016083);H=md5_gg(H,G,J,I,K[C 15],14,-660478335);I=md5_gg(I,H,G,J,K[C 
4],20,-405537848);J=md5_gg(J,I,H,G,K[C 9],5,568446438);G=md5_gg(G,J,I,H,K[C 14],9,-1019803690);H=md5_gg(H,G,J,I,K[C 3],14,-187363961);I=md5_gg(I,H,G,J,K[C 8],20,1163531501);J=md5_gg(J,I,H,G,K[C 13],5,-1444681467);G=md5_gg(G,J,I,H,K[C 2],9,-51403784);H=md5_gg(H,G,J,I,K[C 7],14,1735328473);I=md5_gg(I,H,G,J,K[C 12],20,-1926607734);J=md5_hh(J,I,H,G,K[C 5],4,-378558);G=md5_hh(G,J,I,H,K[C 8],11,-2022574463);H=md5_hh(H,G,J,I,K[C 11],16,1839030562);I=md5_hh(I,H,G,J,K[C 14],23,-35309556);J=md5_hh(J,I,H,G,K[C 1],4,-1530992060);G=md5_hh(G,J,I,H,K[C 4],11,1272893353);H=md5_hh(H,G,J,I,K[C 7],16,-155497632);I=md5_hh(I,H,G,J,K[C 10],23,-1094730640);J=md5_hh(J,I,H,G,K[C 13],4,681279174);G=md5_hh(G,J,I,H,K[C 0],11,-358537222);H=md5_hh(H,G,J,I,K[C 3],16,-722521979);I=md5_hh(I,H,G,J,K[C 6],23,76029189);J=md5_hh(J,I,H,G,K[C 9],4,-640364487);G=md5_hh(G,J,I,H,K[C 12],11,-421815835);H=md5_hh(H,G,J,I,K[C 15],16,530742520);I=md5_hh(I,H,G,J,K[C 2],23,-995338651);J=md5_ii(J,I,H,G,K[C 0],6,-198630844);G=md5_ii(G,J,I,H,K[C 7],10,1126891415);H=md5_ii(H,G,J,I,K[C 14],15,-1416354905);I=md5_ii(I,H,G,J,K[C 5],21,-57434055);J=md5_ii(J,I,H,G,K[C 12],6,1700485571);G=md5_ii(G,J,I,H,K[C 3],10,-1894986606);H=md5_ii(H,G,J,I,K[C 10],15,-1051523);I=md5_ii(I,H,G,J,K[C 1],21,-2054922799);J=md5_ii(J,I,H,G,K[C 8],6,1873313359);G=md5_ii(G,J,I,H,K[C 15],10,-30611744);H=md5_ii(H,G,J,I,K[C 6],15,-1560198380);I=md5_ii(I,H,G,J,K[C 13],21,1309151649);J=md5_ii(J,I,H,G,K[C 4],6,-145523070);G=md5_ii(G,J,I,H,K[C 11],10,-1120210379);H=md5_ii(H,G,J,I,K[C 2],15,718787259);I=md5_ii(I,H,G,J,K[C 9],21,-343485551);J=safe_add(J,E);I=safe_add(I,D);H=safe_add(H,B);G=safe_add(G,A)}if(mode==16){return Array(I,H)}else{return Array(J,I,H,G)}}function md5_cmn(F,C,B,A,E,D){return safe_add(bit_rol(safe_add(safe_add(C,F),safe_add(A,D)),E),B)}function md5_ff(C,B,G,F,A,E,D){return md5_cmn((B&G)|((~B)&F),C,B,A,E,D)}function md5_gg(C,B,G,F,A,E,D){return md5_cmn((B&F)|(G&(~F)),C,B,A,E,D)}function md5_hh(C,B,G,F,A,E,D){return 
md5_cmn(B^G^F,C,B,A,E,D)}function md5_ii(C,B,G,F,A,E,D){return md5_cmn(G^(B|(~F)),C,B,A,E,D)}function core_hmac_md5(C,F){var E=str2binl(C);if(E.length>16){E=core_md5(E,C.length*chrsz)}var A=Array(16),D=Array(16);for(var B=0;B<16;B  ){A[B]=E[B]^909522486;D[B]=E[B]^1549556828}var G=core_md5(A.concat(str2binl(F)),512 F.length*chrsz);return core_md5(D.concat(G),512 128)}function safe_add(A,D){var C=(A&65535) (D&65535);var B=(A>>16) (D>>16) (C>>16);return(B<<16)|(C&65535)}function bit_rol(A,B){return(A<<B)|(A>>>(32-B))}function str2binl(D){var C=Array();var A=(1<<chrsz)-1;for(var B=0;B<D.length*chrsz;B =chrsz){C[B>>5]|=(D.charCodeAt(B/chrsz)&A)<<(B2)}return C}function binl2str(C){var D="";var A=(1<<chrsz)-1;for(var B=0;B<C.length*32;B =chrsz){D =String.fromCharCode((C[B>>5]>>>(B2))&A)}return D}function binl2hex(C){var B=hexcase?"0123456789ABCDEF":"0123456789abcdef";var D="";for(var A=0;A<C.length*4;A  ){D =B.charAt((C[A>>2]>>((A%4)*8 4))&15) B.charAt((C[A>>2]>>((A%4)*8))&15)}return D}function binl2b64(D){var C="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /";var F="";for(var B=0;B<D.length*4;B =3){var E=(((D[B>>2]>>8*(B%4))&255)<<16)|(((D[B 1>>2]>>8*((B 1)%4))&255)<<8)|((D[B 2>>2]>>8*((B 2)%4))&255);for(var A=0;A<4;A  ){if(B*8 A*6>D.length*32){F =b64pad}else{F =C.charAt((E>>6*(3-A))&63)}}}return F};/* |xGv00|ccbfd68b5fceb62707a9e4ce87b8c813 */
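
The five long lines above are Tencent's ptlogin2 login script as it sat in process memory, with the `+` operators lost in extraction (`i  ` for `i++`, `url "&"` for `url+"&"`). The piece an analyst needs when reading captured login traffic is `preprocess()`: it overwrites the password field with `md5(md5_3(password) + verifycode.toUpperCase())`, where `md5_3` is three chained MD5 rounds over raw digests, rendered as upper-case hex (`hexcase=1`). The Python below is an added re-implementation written for this page, not code from the report or from the sample; it assumes a password representable in Latin-1, which is what the script's `str2binl` (low 8 bits of each character code, `chrsz=8`) handles.

```python
import hashlib


def hex_md5(s: str) -> str:
    """Equivalent of the script's hex_md5(): upper-case hex (hexcase=1) of MD5 over
    the low 8 bits of each character (str2binl with chrsz=8 == Latin-1 bytes)."""
    return hashlib.md5(s.encode("latin-1")).hexdigest().upper()


def md5_3(password: str) -> str:
    """Equivalent of md5_3(): MD5 of the password bytes, then MD5 of the raw
    16-byte digest twice more (core_md5(A, 16*chrsz)), returned as upper-case hex."""
    digest = hashlib.md5(password.encode("latin-1")).digest()
    for _ in range(2):
        digest = hashlib.md5(digest).digest()
    return digest.hex().upper()


def ptlogin_preprocess(password: str, verifycode: str) -> str:
    """Value preprocess() writes back into the 'p' field before the form is posted:
    md5(md5_3(password) + verifycode.toUpperCase()). Assumed inputs are ASCII."""
    return hex_md5(md5_3(password) + verifycode.upper())


if __name__ == "__main__":
    # Constructed inputs; the script's own self-test vector is md5("abc").
    print(hex_md5("abc"))
    print(ptlogin_preprocess("example-password", "aBcD"))
```

Because the verification code is folded in after the triple hash, a captured `p` value is bound to one CAPTCHA response and cannot be replayed against a fresh login form, but the scheme is an unsalted MD5 chain and offers no protection against offline guessing once a value is captured.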
86265112
fJ.WM_
CX%xm
Õ6m*
n.BjCw
%s;7*
0%x@w
%C^L:
%s T5
]E4%F(
.Funr
k%UPp
fg.VG
%C',@
>Ùd
0'.Ll
[I(3/#N0.bd
j"%u=w
q%Xn`
@|H.NI
.wdd!
S|%u4
*.Ea]S
Q.CGo
fTpe
.LLbX
-.Mdl
\-A}=3K
Y:.akpS
$.Zcqn
.WE= T!N
#?%s(C(
u.Jck~
zx/%FN[
%s=\RI
}j%c%Y)
Rx.GR
4o#.dM
IeS`%C
[n 4\.UY 
,4.qO,
gQ'.Io
%cLur?
s%DHB
]I%%X
5r.US
:mD].tB
f%fUZ
.fOuV12
*_.dC
&-N}<
({?.cQm
.Cqx~c
.`.Qw
**.dU
!n]%x
%X,Cr
&.PFy{xh
.um ZZE7L
/^p%u$
I.NoQY
zu.ew
D/.nT
b\SkinH_EL.dll
C$%cmb
.ppM|
 aZ.mO
%-^
.hk;~
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
1076080880
hXXp://open.baidu.com/special/time/
window.baidu_time(
VBScript.RegExp
13669806666
:VVV.ysz5.com
VVV.ysz5.comt
192.168.1.1
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
RASAPI32.dll
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
GetProcessHeap
WinExec
KERNEL32.dll
GetKeyState
GetViewportOrgEx
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
OLEAUT32.dll
oledlg.dll
WSOCK32.dll
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
GetCPInfo
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
msscript.ocx
(*.htm;*.html)|*.htm;*.html
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
VVV.dywt.com.cn
x86 Family %s Model %s Stepping %s
X-X-X-X
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
zcÁ
201502200819
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
(){(){(){(){(){(){
)(})(})(})(})(})(}
)(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(}
)(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(}
)(|)(|)(|)(|)(|)(|
)'{)(|)(|)(|)(|)(|
('{)(|)(|)(|)(|)(|('{
)(|)(|)(|)(|)(|)(|)(|)(|)(|)(|)(|)(|)(|)(|)(|)(|)(|)(|)(|)(|)(|)(|)(|)(|)(|)(|)(|)(|)(|)(|)(|)(|)(|)(|
()}()}()}()}()}()}()}()}()}()}()}()}()}()}()}()}()}()}()}()}()}()}()}()}()}()}()}()}()}()}()}()}()}()}()}()}()}()}()}()}()}()}
)(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(})(|
1, 0, 6, 6
(*.*)
2.0.0.0

%original file name%.exe_1252_rwx_10001000_00039000:

L$(h%f
SSh0j
msctls_hotkey32
TVCLHotKey
THotKey
\skinh.she
}uo,x6l5k%x-l h
9p%s m)t4`#b
e"m?c&y1`Ð<
SetViewportOrgEx
SetViewportExtEx
SetWindowsHookExA
UnhookWindowsHookEx
EnumThreadWindows
EnumChildWindows
`c%US.4/
!#$<#$#=
.text
`.rdata
@.data
.rsrc
@.UPX0
`.UPX1
`.reloc
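
Most of the dump above is numeric IDs from the embedded 58.com posting form, but a few runs of strings carry the analytic value: the defanged 58.com and kuche.com endpoints, the back-to-back list of analysis-tool process names (PRTG Enterprise Console.exe, HttpAnalyzerStdV7.exe, WSExplorer1.3.exe, WinPcap_4_1_3.exe, Wireshark.exe, IceSword.exe), the `From:`/`To:`/`Subject:` format strings behind the EmailWorm classification, hooking and process-launch imports such as SetWindowsHookExA and WinExec, the dropped `C:\SkinH_EL.dll`, and the UPX0/UPX1 section names of a UPX layer. The Python below is an added triage example written for this page, not code from the report or from the sample: it refangs the report's `hXXp`/`VVV` notation and buckets a constructed list of lines copied from the dump. The category names and the watchlists are the editor's own; that the tool-name list is compared against running processes is an inference, not something the report states.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the strings dump above, not a new dump.
SAMPLE_STRINGS = [
    "hXXp://p.m.58.com/",
    "hXXps://passport.58.com/pso/domclientunionlogin",
    "hXXp://pic.kuche.com/postpic/upload?flash=1",
    "VVV.dywt.com.cn",
    ":VVV.ysz5.com",
    "192.168.1.1",
    "Wireshark.exe",
    "IceSword.exe",
    "WinPcap_4_1_3.exe",
    "From: %s",
    "Subject: %s",
    "SMTP",
    "SetWindowsHookExA",
    "WinExec",
    "ShellExecuteA",
    "HttpSendRequestA",
    "@.UPX0",
    "`.UPX1",
    ".text",
    "C:\\SkinH_EL.dll",
    "Afx:%x:%x",
]

# Process names the dump lists back to back (editor's watchlist); a sample carrying
# these is probably matching them against the running-process list.
ANALYSIS_TOOLS = {
    "prtg enterprise console.exe", "httpanalyzerstdv7.exe", "wsexplorer1.3.exe",
    "winpcap_4_1_3.exe", "wireshark.exe", "icesword.exe",
}
# Imports from the dump worth a second look: hooking, launching programs, raw HTTP.
SUSPICIOUS_APIS = {
    "SetWindowsHookExA", "UnhookWindowsHookEx", "WinExec", "ShellExecuteA",
    "HttpOpenRequestA", "HttpSendRequestA", "InternetCrackUrlA",
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[\w-]+\.)+(?:com|cn|net|org)\b")
SMTP_RE = re.compile(r"^(?:From|To|Cc|Subject|Date|Reply-To): %s$")
SECTION_RE = re.compile(r"^[`@]?\.(UPX\d|text|rdata|data|rsrc|reloc)$")
WINPATH_RE = re.compile(r"^[A-Za-z]:\\")


def refang(s: str) -> str:
    """Undo the report's defanging: hXXp(s):// -> http(s)://, VVV. -> www."""
    s = re.sub(r"hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return re.sub(r"\bVVV\.", "www.", s)


def classify(s: str):
    """Return (category, indicator) for one dump line; network hits are refanged."""
    if s.lower() in ANALYSIS_TOOLS:
        return "anti_analysis", s
    r = refang(s)
    m = URL_RE.search(r)
    if m:
        return "network_url", m.group(0)
    m = IP_RE.search(r)
    if m:
        return "network_ip", m.group(0)
    m = HOST_RE.search(r)
    if m:
        return "network_host", m.group(0)
    if s == "SMTP" or SMTP_RE.match(s):
        return "smtp_template", s
    if s in SUSPICIOUS_APIS:
        return "suspicious_api", s
    m = SECTION_RE.match(s)
    if m:
        name = m.group(1)
        return ("packer_section" if name.startswith("UPX") else "pe_section"), name
    if WINPATH_RE.match(s):
        return "dropped_path", s
    return "other", s


def triage(lines):
    """Bucket every line by category; duplicates collapse so it reads as an IOC list."""
    buckets = defaultdict(list)
    for line in lines:
        cat, value = classify(line.strip())
        if value not in buckets[cat]:
            buckets[cat].append(value)
    return dict(buckets)


def network_iocs(lines):
    """Refanged URLs, hosts and IPs, sorted, ready for a blocklist or a pivot."""
    t = triage(lines)
    found = set()
    for cat in ("network_url", "network_host", "network_ip"):
        found.update(t.get(cat, []))
    return sorted(found)


if __name__ == "__main__":
    for cat, values in triage(SAMPLE_STRINGS).items():
        print(cat, values)
```

Run against the full dump, the same buckets separate the indicators from the car-model IDs in a few seconds; the `network_host` hits (dywt.com.cn, ysz5.com) and the 192.168.1.1 literal are the ones to check against proxy logs before treating them as command-and-control, since a hard-coded private address is as likely a default or test value.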


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): the analysis recorded no child processes, so end the Trojan's own process, %original file name%.exe, if it is still running.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\SkinH_EL.dll (88 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
