Trojan.GenericKD.2516841_064d77d58f

by malwarelabrobot on July 14th, 2015 in Malware Descriptions.

Trojan.Win32.Fsysna.axws (Kaspersky), Trojan.GenericKD.2516841 (B) (Emsisoft), Trojan.GenericKD.2516841 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm


The description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: 064d77d58fae967ff1355f273e54eabb
SHA1: 392ffe32af04f6495c92a2a10fdc3d941fea5806
SHA256: 978598e68d4179a7fe03bfc8eaa7ebde8425b65105d24acca00b8b4c0faafa2a
SSDeep: 49152:T96cerrBSnQYGnwykD/v0cfKYjsRutGoTXvda4TdNAEn7cjOaFjZ8VVIFE4aqKS:wrrwnQPwyI/v0Way
Size: 2547712 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2014-10-24 15:50:08
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour   Description
EmailWorm   Worm can send e-mails.


Process activity

The Trojan creates the following process(es):

%original file name%.exe:928

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:928 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\winlogon.exe (7386 bytes)

Registry activity

The process %original file name%.exe:928 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 09 01 24 36 74 42 BA 92 64 8E EF 8F 60 ED 57"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

Dropped PE files

MD5                               File path
d2674d35cfc3afe2be0e12869392c1b2  c:\WINDOWS\winlogon.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ???
Product Name: ???????????V5.0
Product Version: 1.0.0.0
Legal Copyright: ???????????V5.0
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ???????
Comments: ???????????V5.0
Language: English (United States)

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             987339        991232    4.4118   3bc12589397eb05b34715495866dfe8d
.rdata  995328           1462098       1462272   4.47932  c284adc9f7fc8b30e7e1ed10d2524a59
.data   2457600          267690        65536     3.54521  d34df20ba756b03586ae36dc6cb776ac
.rsrc   2727936          23824         24576     3.65377  b67f0a0ef83a5a994dca5dac3c6c014e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL                 IP
hxxp://www.yy.com/  113.107.236.195
hi.baidu.com        180.76.2.41
lgn.yy.com          120.132.133.53
aq.yy.com           113.108.228.234


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.yy.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Mon, 13 Jul 2015 12:35:27 GMT
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
P3P: CP="NON DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONa HISa TELa OTPa OUR UNRa IND UNI COM NAV INT DEM CNT PRE LOC"
Content-Language: en-US
Expires: Mon, 13 Jul 2015 12:35:57 GMT
Cache-Control: max-age=30
Content-Encoding: gzip
<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_928:

.text
`.rdata
@.data
.rsrc
t%SVh
t$(SSh
|$D.tm
~%UVW
u$SShe
kernel32.dll
ole32.dll
winmm.dll
wininet.dll
ws2_32.dll
WinINet.dll
shlwapi.dll
User32.dll
user32.dll
gdiplus.dll
advapi32.dll
rasapi32.dll
Wininet.dll
urlmon.dll
psapi.dll
shell32.dll
OLEACC.DLL
gdi32.dll
MsgWaitForMultipleObjects
GetWindowsDirectoryA
HttpAddRequestHeadersA
GdiplusShutdown
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
keybd_event
RegCloseKey
RegCreateKeyA
RegOpenKeyA
UrlMkSetSessionOption
GetProcessHeap
RegEnumKeyA
RegFlushKey
RegOpenKeyExA
RegCreateKeyExA
RegDeleteKeyA
ShellExecuteA
WinExec
%System%\ntdll.dll
%System%\kernel32.dll
%System%\USER32.dll
%System%\GDI32.dll
%System%\ADVAPI32.dll
%System%\RPCRT4.dll
%System%\Secur32.dll
%System%\IMM32.DLL
%System%\LPK.DLL
%System%\USP10.dll
%System%\WINMM.dll
%System%\comdlg32.dll
%System%\msvcrt.dll
%System%\SHLWAPI.dll
%System%\SHELL32.dll
%System%\WINSPOOL.DRV
%System%\ole32.dll
%System%\OLEPRO32.DLL
%System%\OLEAUT32.dll
%System%\WS2_32.dll
%System%\WS2HELP.dll
%System%\uxtheme.dll
%System%\MSIMG32.dll
%System%\MSVCP60.dll
%System%\WININET.dll
%System%\CRYPT32.dll
%System%\MSASN1.dll
%System%\PSAPI.DLL
%System%\VERSION.dll
%System%\urlmon.dll
Web.dll
hXXp://VVV.yy.com/
hXXp://wpa.qq.com/msgrd?v=3&uin=1152259123
software\microsoft\windows\CurrentVersion\Run\
hXXp://hi.baidu.com/dthtkjmcmpejkle/item/dc19bbe50299ca0a5a7cfb27
Winmm.dll
dsound.dll
@ping 127.0.0.1 -n
\*.*"
@ping 127.0.0.1 -n 1 >nul
del 123.bat
\123.bat
\TEMP.TMP
{Reg}((?:src=)['"]?).*?\.js['"]
{Reg}((?:hXXp://)['"]?).*?\.swf
{Reg}((?:url\()|(?:src=)['"]?).*?\.[jpg|gif|png]{3}
http=
scripting.FileSystemObject
bbs.125.la_Cookie
hXXps://
hXXp://
Adodb.Stream
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.1
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
del C:\123.bat
\Restart.bat
(*.*)|*.*
(*.txt)|*.txt|
HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating\.Current
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
Software\Microsoft\Windows\CurrentVersion\Internet Settings\proxyserver
Software\Microsoft\Windows\CurrentVersion\Internet Settings\proxyenable
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
\data\Config.ini
;http=
<ie9>Mozilla/4.0 (compatible; MSIE 9.0; Windows NT6.1)</ie9>
<ie8>Mozilla/4.0 (compatible; MSIE 8.0; Windows NT6.0)</ie8>
<ie7>Mozilla/4.0 (compatible; MSIE 7.0; Windows NT5.2)</ie7>
<ie6>Mozilla/4.0 (compatible; MSIE 6.0; Windows NT5.1)</ie6>
>Mozilla/5.0 (compatible) AppleWebKit/534.21 (KHTML, like Gecko) Chrome/11.0.682.0 Safari/534.21</
>Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2</
<ipad>Mozilla/5.0(iPad; U; CPU iPhone OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B314 Safari/531.21.10</ipad>
<iphone>Mozilla/5.0 (iPhone; U; CPU OS 4_2_1 like Mac OS X) AppleWebKit/532.9 (KHTML, like Gecko) Version/5.0.3 Mobile/8B5097d Safari/6531.22.7 </iphone>
<android>Mozilla/5.0 (Linux; U; Android 2.3.3; zh-tw; HTC_Pyramid Build/GRI40) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1</android>
<opera>Opera/9.80 (compatible; U) Presto/2.7.39 Version/11.00</opera>
<navigator>Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12)Gecko/20080219 Firefox/2.0.0.12 Navigator/9.0.0.6</navigator>
<safari>Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_7) AppleWebKit/534.16  (KHTML, like Gecko) Version/5.0.3 Safari/533.19.4</safari>
{25336920-03F9-11CF-8FD0-00AA00686F13}
document.all.retjs.innerText=
hXXps://aq.yy.com/loginOut.do
hXXps://aq.yy.com/p/wklogin.do
&denyCallbackURL=hXXps://aq.yy.com/p/logincbk.do?cancel=1®CallbackURL=hXXps://aq.yy.com/welcome.do&UIStyle=xelogin&rdm=0.26365254551226436
hXXps://lgn.yy.com/lgn/oauth/authorize.do?oauth_token=
hXXps://lgn.yy.com/lgn/oauth/x/s/login_asyn.do
&denyCallbackURL=https://aq.yy.com/p/logincbk.do?cancel=1&UIStyle=xelogin&appid=1
&password=
callbackURL
yy.com
VVV.yy.com
wyy.com
v1.0.1
hXXp://hi.baidu.com/tyjsz/item/0c087c4d03a2d387823ae162
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
https
hXXp://hi.baidu.com/onukxtwlnubgpz/item/eaadd32b867e0444087508e6
hXXp://hi.baidu.com/uczlldnyeubmnue/item/288ca03af758d9cdb80c030d
hXXp://hi.baidu.com/onukxtwlnubgpz/item/c8a74505a219af8d73e676d6
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Microsoft.XMLDOM
adodb.stream
javascript:document.onsdragstart=document.onselectstart=document.oncontextmenu=function(){return true}
javascript:document.onselectstart = document.oncontextmenu = document.onmousedown = document.onkeydown = function(){return true;};
var jie = document.createStyleSheet();jie.addRule('html','overflow:hidden;');
text|password|file
comdlg32.dll
{557CF400-1A04-11D3-9A73-0000F81EF32E}
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{557CF402-1A04-11D3-9A73-0000F81EF32E}
{557CF405-1A04-11D3-9A73-0000F81EF32E}
{557CF406-1A04-11D3-9A73-0000F81EF32E}
WarnOnHTTPSToHTTPRedirect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
VBScript.RegExp
application/x-www-form-urlencoded
WinHttp.WinHttpRequest.5.1
SetClientCertificate
Set fso = CreateObject("Scripting.FileSystemObject")
fso.DeleteFile("
sc.vbs")
\sc.vbs
sc.vbs
sc.bat"
sc.bat
del Restart.bat
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
RASAPI32.dll
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
KERNEL32.dll
GetKeyState
USER32.dll
GetViewportOrgEx
GDI32.dll
WINSPOOL.DRV
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
COMCTL32.dll
oledlg.dll
WSOCK32.dll
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
GetCPInfo
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
(*.htm;*.html)|*.htm;*.html
its:%s::%s
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
zcÁ
#include "l.chs\afxres.rc" // Standard components
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX%WinDir%\winlogon.exe
FlashPlayerApp.exe
SysWOW64\FlashPlayerApp.exe
FlashPlayerCPLApp.cpl
1152259123
11601235
11522598/11522598
.aGeAr
-l.mc
hIh.bb
7".Af
VVV.dywt.com.cn
c:\%original file name%.exe
246813579
(*.*)
1.0.0.0

winlogon.exe_968:

.text
`.rdata
@.data
.rsrc
t%SVh
t$(SSh
|$D.tm
~%UVW
u$SShe
kernel32.dll
ole32.dll
winmm.dll
wininet.dll
ws2_32.dll
WinINet.dll
shlwapi.dll
User32.dll
user32.dll
gdiplus.dll
advapi32.dll
rasapi32.dll
Wininet.dll
urlmon.dll
psapi.dll
shell32.dll
OLEACC.DLL
gdi32.dll
MsgWaitForMultipleObjects
GetWindowsDirectoryA
HttpAddRequestHeadersA
GdiplusShutdown
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
keybd_event
RegCloseKey
RegCreateKeyA
RegOpenKeyA
UrlMkSetSessionOption
GetProcessHeap
RegEnumKeyA
RegFlushKey
RegOpenKeyExA
RegCreateKeyExA
RegDeleteKeyA
ShellExecuteA
WinExec
%System%\ntdll.dll
%System%\kernel32.dll
%System%\USER32.dll
%System%\GDI32.dll
%System%\ADVAPI32.dll
%System%\RPCRT4.dll
%System%\Secur32.dll
%System%\IMM32.DLL
%System%\LPK.DLL
%System%\USP10.dll
%System%\WINMM.dll
%System%\comdlg32.dll
%System%\msvcrt.dll
%System%\SHLWAPI.dll
%System%\SHELL32.dll
%System%\WINSPOOL.DRV
%System%\ole32.dll
%System%\OLEPRO32.DLL
%System%\OLEAUT32.dll
%System%\WS2_32.dll
%System%\WS2HELP.dll
%System%\uxtheme.dll
%System%\MSIMG32.dll
%System%\MSVCP60.dll
%System%\WININET.dll
%System%\CRYPT32.dll
%System%\MSASN1.dll
%System%\PSAPI.DLL
%System%\VERSION.dll
%System%\urlmon.dll
Web.dll
software\microsoft\windows\CurrentVersion\Run\
hXXp://hi.baidu.com/dthtkjmcmpejkle/item/dc19bbe50299ca0a5a7cfb27
hXXp://VVV.yy.com/
Winmm.dll
dsound.dll
@ping 127.0.0.1 -n
\*.*"
@ping 127.0.0.1 -n 1 >nul
del 123.bat
\123.bat
\TEMP.TMP
{Reg}((?:src=)['"]?).*?\.js['"]
{Reg}((?:hXXp://)['"]?).*?\.swf
{Reg}((?:url\()|(?:src=)['"]?).*?\.[jpg|gif|png]{3}
http=
scripting.FileSystemObject
bbs.125.la_Cookie
hXXps://
hXXp://
Adodb.Stream
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.1
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
del C:\123.bat
\Restart.bat
(*.*)|*.*
(*.txt)|*.txt|
HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating\.Current
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
Software\Microsoft\Windows\CurrentVersion\Internet Settings\proxyserver
Software\Microsoft\Windows\CurrentVersion\Internet Settings\proxyenable
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
\data\Config.ini
;http=
<ie9>Mozilla/4.0 (compatible; MSIE 9.0; Windows NT6.1)</ie9>
<ie8>Mozilla/4.0 (compatible; MSIE 8.0; Windows NT6.0)</ie8>
<ie7>Mozilla/4.0 (compatible; MSIE 7.0; Windows NT5.2)</ie7>
<ie6>Mozilla/4.0 (compatible; MSIE 6.0; Windows NT5.1)</ie6>
>Mozilla/5.0 (compatible) AppleWebKit/534.21 (KHTML, like Gecko) Chrome/11.0.682.0 Safari/534.21</
>Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2</
<ipad>Mozilla/5.0(iPad; U; CPU iPhone OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B314 Safari/531.21.10</ipad>
<iphone>Mozilla/5.0 (iPhone; U; CPU OS 4_2_1 like Mac OS X) AppleWebKit/532.9 (KHTML, like Gecko) Version/5.0.3 Mobile/8B5097d Safari/6531.22.7 </iphone>
<android>Mozilla/5.0 (Linux; U; Android 2.3.3; zh-tw; HTC_Pyramid Build/GRI40) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1</android>
<opera>Opera/9.80 (compatible; U) Presto/2.7.39 Version/11.00</opera>
<navigator>Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12)Gecko/20080219 Firefox/2.0.0.12 Navigator/9.0.0.6</navigator>
<safari>Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_7) AppleWebKit/534.16  (KHTML, like Gecko) Version/5.0.3 Safari/533.19.4</safari>
{25336920-03F9-11CF-8FD0-00AA00686F13}
document.all.retjs.innerText=
hXXps://aq.yy.com/loginOut.do
hXXps://aq.yy.com/p/wklogin.do
&denyCallbackURL=hXXps://aq.yy.com/p/logincbk.do?cancel=1®CallbackURL=hXXps://aq.yy.com/welcome.do&UIStyle=xelogin&rdm=0.26365254551226436
hXXps://lgn.yy.com/lgn/oauth/authorize.do?oauth_token=
hXXps://lgn.yy.com/lgn/oauth/x/s/login_asyn.do
&denyCallbackURL=https://aq.yy.com/p/logincbk.do?cancel=1&UIStyle=xelogin&appid=1
&password=
callbackURL
yy.com
VVV.yy.com
wyy.com
v1.0.1
hXXp://hi.baidu.com/tyjsz/item/0c087c4d03a2d387823ae162
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
https
hXXp://hi.baidu.com/onukxtwlnubgpz/item/eaadd32b867e0444087508e6
hXXp://hi.baidu.com/uczlldnyeubmnue/item/288ca03af758d9cdb80c030d
hXXp://hi.baidu.com/onukxtwlnubgpz/item/c8a74505a219af8d73e676d6
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Microsoft.XMLDOM
adodb.stream
javascript:document.onsdragstart=document.onselectstart=document.oncontextmenu=function(){return true}
javascript:document.onselectstart = document.oncontextmenu = document.onmousedown = document.onkeydown = function(){return true;};
var jie = document.createStyleSheet();jie.addRule('html','overflow:hidden;');
text|password|file
comdlg32.dll
{557CF400-1A04-11D3-9A73-0000F81EF32E}
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{557CF402-1A04-11D3-9A73-0000F81EF32E}
{557CF405-1A04-11D3-9A73-0000F81EF32E}
{557CF406-1A04-11D3-9A73-0000F81EF32E}
WarnOnHTTPSToHTTPRedirect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
VBScript.RegExp
application/x-www-form-urlencoded
WinHttp.WinHttpRequest.5.1
SetClientCertificate
Set fso = CreateObject("Scripting.FileSystemObject")
fso.DeleteFile("
sc.vbs")
\sc.vbs
sc.vbs
sc.bat"
sc.bat
del Restart.bat
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
RASAPI32.dll
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
KERNEL32.dll
GetKeyState
USER32.dll
GetViewportOrgEx
GDI32.dll
WINSPOOL.DRV
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
COMCTL32.dll
oledlg.dll
WSOCK32.dll
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
GetCPInfo
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
(*.htm;*.html)|*.htm;*.html
its:%s::%s
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
zcÁ
i.baidu.com/dthtkjmcmpejkle/item/dc19bbe50299ca0a5a7cfb27
du.com/dthtkjmcmpejkle/item/dc19bbe50299ca0a5a7cfb27
%WinDir%\winlogon.exe
#include "l.chs\afxres.rc" // Standard components
246813579
(*.*)
1.0.0.0


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:928

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %WinDir%\winlogon.exe (7386 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
