Trojan.GenericKD.2525644_5312a30060

by malwarelabrobot on August 9th, 2015 in Malware Descriptions.

Trojan.GenericKD.2525644 (B) (Emsisoft), Trojan.GenericKD.2525644 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 5312a300604fcf5da5cb5b748b73c246
SHA1: 5cfcf139be7aed142e8939bc546d06abb907937c
SHA256: 19ba6787fd7ce37626481de9088cdf6da3bdd6e180750d924e31d78124384841
SSDeep: 49152:lxAeU88ItvaET/ve6pQZE8P5oYL/ZBWIk6cK:l5RlmwQZE8P5nL/n1n
Size: 1658368 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-06-06 01:08:33
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour: EmailWorm
Description: Worm can send e-mails.


Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:320

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:320 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NLNS9NSS\title[1].css (984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NLNS9NSS\default[1].css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41IR45E3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NLNS9NSS\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ICNDMG3A\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C9EJGDEF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NLNS9NSS\slzkai[1].htm (23 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NLNS9NSS\slzkai[1].htm (0 bytes)

Registry activity

The process %original file name%.exe:320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 BE 91 CB AD 81 26 1C 10 1F 9E A2 4A 36 71 A7"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"

The Trojan modifies IE security-zone settings so that all local web nodes with no dots in their names, which do not belong to any other zone, are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ??
Product Name: ???????
Product Version: 1.8.0.7
Legal Copyright: ?? ????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.8.0.7
File Description: ???????
Comments: ??????????(http://www.eyuyan.com)
Language: English (Canada)

PE Sections

Name   Virtual Address   Virtual Size   Raw Size   Entropy   Section MD5
UPX0   4096              1196032        0          0         d41d8cd98f00b204e9800998ecf8427e
UPX1   1200128           1585152        1584640    5.44337   669c644683ff5f96cb2fc3f4ebf28c04
.rsrc  2785280           73728          72704      3.00236   6fc74614d8d823e554ef6b204b0a6607

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL                                                                                    IP
hxxp://www.hksite.cdncenter.cn/slzkai
hxxp://hpcc-page.cnc.ccgslb.net/website/plugin/title/css/title.css?v=14273332
hxxp://hpcc-page.cnc.ccgslb.net/website/template/default/css/default.css?v=14105106
hxxp://www.slzaqfh.com/slzkai                                                          119.28.1.58
hxxp://static.websiteonline.cn/website/plugin/title/css/title.css?v=14273332           60.6.197.39
hxxp://static.websiteonline.cn/website/template/default/css/default.css?v=14105106     60.6.197.39


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0

Traffic

GET /slzkai HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.slzaqfh.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Sat, 08 Aug 2015 04:27:09 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.27
Set-Cookie: PHPSESSID=qflmn0thk8gcq8otmmbq9g2rv4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
5a3f..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN
" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<h
tml xmlns="hXXp://VVV.w3.org/1999/xhtml">...<head>....<met
a http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />.<me
ta http-equiv="Content-Type" content="text/html; charset=utf-8" />.
..<title>.....................</title>...<meta content=
".....................................................................
...................................." name="keywords" />...<meta
content="............................................................
......................................................................
......................................................................
...........................................2..........................
............................95........." name="description" />.....
<link rel="shortcut icon" href="hXXp://hk8289b1.pic21.websiteonline
.cn/upload/ooopic_1421163015.ico" type="image/x-icon" />...<link
rel="Bookmark" href="hXXp://hk8289b1.pic21.websiteonline.cn/upload/oo
opic_1421163015.ico" />........<link href="hXXp://static.website
online.cn/website/template/default/css/default.css?v=14105106" rel="st
ylesheet" type="text/css" />.<link href="hXXp://static.websiteon
line.cn/website/plugin/title/css/title.css?v=14273332" rel="stylesheet
" type="text/css" />.<!--...............css-->..<style>
...............prop_rotate_angle sup,.prop_rotate_angle .posblk-de

<<< skipped >>>

GET /website/plugin/title/css/title.css?v=14273332 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.slzaqfh.com/slzkai
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.websiteonline.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/css
Connection: keep-alive
Date: Thu, 06 Aug 2015 02:36:26 GMT
Powered-By-ChinaCache: HIT from 06053323H8.18
Content-Length: 984
Last-Modified: Thu, 26 Mar 2015 01:29:00 GMT
Cache-Control: max-age=604800
Expires: Thu, 13 Aug 2015 02:36:26 GMT
Age: 179447
Server: Tengine/1.5.2
CC_CACHE: TCP_HIT
Accept-Ranges: bytes
@charset "UTF-8";...wp-title_content {overflow:hidden;}...wp-title_con
tent .wp-script,...wp-title_content .wp-style,...wp-title_content .wp-
iframe {display:none;font-size:0;width:0;height:0;}...wp-title_content
img.wp-flash,...wp-title_content img.wp-rm,...wp-title_content img.wp
-media {border:none;background-position:center center;background-repea
t:no-repeat;width:32px;height:32px;}...wp-title_content img.wp-flash {
background-image:url(../view/icons/flash.gif);}...wp-title_content img
.wp-rm {background-image:url(../view/icons/rm.gif);}...wp-title_conten
t img.wp-media {background-image:url(../view/icons/media.gif);}...wp-t
itle_content img.wp-anchor {border:none;width:16px;height:16px;}...wp-
title_content ul {list-style:disc inside;}...wp-title_content ul li {l
ist-style-type:disc;}...wp-title_content ol {list-style:decimal inside
;}...wp-title_content ol li {list-style-type:decimal;}...wp-title_cont
ent span, .wp-title_content p, .wp-title_content div {line-height:140%
;}HTTP/1.1 200 OK..Content-Type: text/css..Connection: keep-alive..Dat
e: Thu, 06 Aug 2015 02:36:26 GMT..Powered-By-ChinaCache: HIT from 0605
3323H8.18..Content-Length: 984..Last-Modified: Thu, 26 Mar 2015 01:29:
00 GMT..Cache-Control: max-age=604800..Expires: Thu, 13 Aug 2015 02:36
:26 GMT..Age: 179447..Server: Tengine/1.5.2..CC_CACHE: TCP_HIT..Accept
-Ranges: bytes..@charset "UTF-8";...wp-title_content {overflow:hidden;
}...wp-title_content .wp-script,...wp-title_content .wp-style,...wp-ti
tle_content .wp-iframe {display:none;font-size:0;width:0;height:0;

<<< skipped >>>

GET /website/template/default/css/default.css?v=14105106 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.slzaqfh.com/slzkai
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.websiteonline.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/css
Connection: keep-alive
Date: Thu, 06 Aug 2015 02:34:08 GMT
Vary: Accept-Encoding
Powered-By-ChinaCache: HIT from 06053323H8.11
Content-Length: 3332
Content-Encoding: gzip
Expires: Thu, 13 Aug 2015 02:34:08 GMT
Last-Modified: Thu, 04 Sep 2014 03:15:00 GMT
Cache-Control: max-age=604800
Age: 179588
Server: Tengine/1.5.2
CC_CACHE: TCP_HIT
Accept-Ranges: bytes
...........Z.o...?......#.@r?.k.\$..u.C.C.^.`1K...s9,..jM.h{...A.E....
......F.....5....}ofH.?vE....-.....7.....{.G...d......{..7zG..........
.......Q....w7....=.F........}..{.......{.OXp.R...Ih.......K..4....<
;......Y.x..v.Bf.....*t..{..M...7.t..bI.t....=.uY81.lv.O....f.?`&u?Z%.
...M`hJg.3R...%Uj.i...]...6.Q....p!.$.u.p.|.e.nL..Ab'._..R. .K....L...
....L..2..4.y(Yl.v.>..?en....uw......(Q....E........vc..<0....xi
.a.J...X`.$B...75\....74.c......ng..D.u..p-..W.&b....tv.C.6...9..*1.0d
.A.n.U....~.j..;.7....!y..".!j3.............f..0.......X<....#...U|
px....@...?Bs.._...L..zy.....c..;.?...O...M.L.[a........DW)..../...h6.
s.*.6y.......a....q.6L. ...;z.A..S..........ll.w7.|...B...#..$)["..~.j
...;4..$vl.....f..b.....a..q.1a....l!....JJ.P..J..!A......X.......o..O
..0`....v)&.P.<..s...[v.D....8f......}7..A...e..t:[...Eg..VieT.....
.Hy$..4...h..l[.......;[email protected].\,.;.#.Qo.\..s.)........^@H..z..
....^.3.K.C.G:..?...../.=}....O.u..OL..o.#......x..k...h..k.........b0
..D".6W.:2".j...q. :'......c../f..o.c..'$wjm..Q.a...J0...`$Z.{....N.QW
...{;..yM..HTTP/1.1 200 OK..Content-Type: text/css..Connection: keep-a
live..Date: Thu, 06 Aug 2015 02:34:08 GMT..Vary: Accept-Encoding..Powe
red-By-ChinaCache: HIT from 06053323H8.11..Content-Length: 3332..Conte
nt-Encoding: gzip..Expires: Thu, 13 Aug 2015 02:34:08 GMT..Last-Modifi
ed: Thu, 04 Sep 2014 03:15:00 GMT..Cache-Control: max-age=604800..Age:
179588..Server: Tengine/1.5.2..CC_CACHE: TCP_HIT..Accept-Ranges: byte
s.............Z.o...?......#.@r?.k.\$..u.C.C.^.`1K...s9,..jM.h{...

<<< skipped >>>

GET /slzkai HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.slzaqfh.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Sat, 08 Aug 2015 04:27:09 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.27
Set-Cookie: PHPSESSID=rb9m1bni7dr2rd89bka3b3pmr1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Encoding: gzip
1c00.............\ys.......w.C..X.3..$..tQ<*...W.T.......... ..(.Q.
.X.%9Y[.-.r.X.-.Y.mY.wI...k...^..`..HPV..-Sq0G.........}...b..... U.ZU
z.W._:0'.b..........~.../.$iJ\:h.....V].....CR..8......( I......T..,.:
..1..S)9...s........f...655..S..}.C/[email protected].........
V.1.N.t`!.PZ2...m.........s.}......c.qT.rZ*Vt.i8..S.e.....N...........
'.w..O......s7....z(..|....Zm....<|............Gw..|.f. .^.r.{..
..../.{...y..T.1...qt..KM.u?:.`?...w......'.b2.PONcX....[.j.....}...G.
.g...o.9......o6>.t...x...'.u.....~k../........I....I.....k.o..(...
.............. .k..l.........]..|.~..=.....;.......S..{..7..|y..h...s.
[email protected];...o....f.6.$..u..U..,.F5.jV,
.)........m.=N.,g.....4.bBSV..$....m(...jT-..Z...y-....d\K ....0j.d..%
C=...9O.F.oY.5.^~...A........7....,n..;=.1j....j.(......Mq.....9-...Z|
"...9Z5...p...T.-Q|....phT[Kf..'..I.7zb2.L&F...Xl....['.g...9.~.b..i.&
!......m5.....y..T5.f...x.4.f... .K.e..X.<fd5.q....Zvv..<.......
\.8..e.t(/.........@q..*W<,X....Yo.q9.U.R......-....5K..4.|.8lT.x..
....q. =Yn..$".......t:P/[.....#..m..\w.. .6.t....>KO..z.Z1.9.i.#..
.b.K.:v.4.M.5........N.K&oe....b.K.._..!j..H3R.F.[....e...JMw.....c..H
5F.....>..............-C.K.o......._4...E...T.......cS..........%1Y
.../'px-.:....P.I.../0...e.....0e..X.*BL..Br..!..GiT./.k..F.l......y=.
N)..s...a..q:.ry.I.!......*8..H...i..z.p;..!./.x..-.>....%..jF..Rl5
...{P...%..{.....U.9J..z.~V..dP.Vq.b ..`[email protected][.....`.
.c.k.\[email protected]@...U.a...).d:...B3...\p....L)./....f....

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_320:

`.rsrc
(i.Lh
t%SVh
t$(SSh
~%UVW
u$SShe
iphlpapi.dll
ws2_32.dll
user32.dll
kernel32.dll
ole32.dll
OLEACC.DLL
gdiplus.dll
Ole32.dll
gdi32.dll
advapi32.dll
GetExtendedTcpTable
GdiplusShutdown
MsgWaitForMultipleObjects
RegCreateKeyA
RegOpenKeyA
RegEnumKeyA
RegCloseKey
RegFlushKey
RegOpenKeyExA
RegCreateKeyExA
RegDeleteKeyA
{B6F7542F-B8FE-46a8-9605-98856A687097}
WebBrowser
[I(3/#N0.bd
j"%u=w
q%Xn`
@|H.NI
.wdd!
S|%u4
843008880
k3"
Nc:\kss.ini
.idata
.edata
P.vmp0
`.vmp1
.reloc
P.rsrc
version.dll
shell32.dll
1e.ro4A
oleaut32.dll
H0.gW
comctl32.dll
d.jF/"
r#'%C
6.Xdp
g|$^.Cn
>.bM8
>Z.Ye
w4R`$p%s*
f.zo~L^
wsock32.dll
ntdll.dll
Ë.L@
l.sQ{
c-t{.FF
b#I".wM
e.ENZ
xip.tu
@>.vO
%FX2Fsi
qKT.jLka
3.LD7
Uq
G,.gd
<.cFF=j
&8.XMj
$~O.Ba
)].Wd
/_{M%U
Q%s6|
lVfeVg
 !%uO
mh.ud
m%Csn%
kq84.QaI
)f%fg
.SuDYw
K)`p.frC
*%s!%
aR.dDb&<y
.xk 4g
ShellExecuteA
)%S{.
'U}.Ue
l%S(8x$!(
1L%UJ
.vtbw
.iA5N
yyhKa%S
d.Zd=#R
x0r%F{
.IPi)
Vj.jH
>M%X9
/8[<{~@ 
bc.lTk
ks_GetMsg
kssPlugin.dll
tole32.dll
5555555555
6666666666
%Program Files%\Internet Explorer\iexplore.exe hXXps://login.taobao.com/member/login.jhtml?redirectURL=http://buyer.trade.taobao.com/trade/itemlist/list_bought_items.htm?type=mytaobao&tracelog=newmdbb
.rsrc
%S4WD
hg%fpM
S.Ac9SR
0.I%3s
,wAe.kI
aiUy'4xu
%c*@j
.eH'y
{&%U)
lj%4U
xe%CNs
9F.cLe
hJK.ZH
O.qt0
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
hXXp://buyer.trade.taobao.com/trade/detail/trade_item_detail.htm?bizOrderId=
trade.taobao.com/trade/security/security
<span class="J_WangWang" data-nick="
class="J_WangWang" data-nick="
class="J_WangWang" data-nick=
data-nick=
hXXps://login.taobao.com/member/login.jhtml?redirectURL=http://buyer.trade.taobao.com/trade/itemlist/list_bought_items.htm?type=mytaobao&tracelog=newmdbb
1.9.exe
\ .bat
iexplore.exe
360chrome.exe
360SE.exe
SogouExplorer.exe
sogouexplorer.exe
The world .exe
twchrome.exe
Maxthon.exe
2345Explorer.exe
QQBrowser.exe
Liebao.exe
[email protected]
.exe|.rar|.zip|.gif|.jpg|.mp3|.rm
hXXp://
javascript:document.onsdragstart=document.onselectstart=document.oncontextmenu=function(){return true}
javascript:document.onselectstart = document.oncontextmenu = document.onmousedown = document.onkeydown = function(){return true;};
window.location.reload()
var jie = document.createStyleSheet();jie.addRule('html','overflow:hidden;');
text|password|file
comdlg32.dll
{557CF400-1A04-11D3-9A73-0000F81EF32E}
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{557CF402-1A04-11D3-9A73-0000F81EF32E}
{557CF405-1A04-11D3-9A73-0000F81EF32E}
{557CF406-1A04-11D3-9A73-0000F81EF32E}
WarnOnHTTPSToHTTPRedirect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
[email protected]
hXXp://VVV.slzaqfh.com/slzkai4
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
MSH_SCROLL_LINES_MSG
MSWHEEL_ROLLMSG
__MSVCRT_HEAP_SELECT
SHLWAPI.dll
MPR.dll
VERSION.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
1.1.3
;3 #>6.&
'2, / 0&7!4-)1#
(*.htm;*.html)|*.htm;*.html
[%s:%d]
Range: bytes=%s-
[%s:%d]
PASS %s
PASS ******
USER %s
E:\dev\e\static_link\static_libs\source\downlib\mystrlib.cpp
SIZE %s
PORT
User-Agent: %s
Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Referer: %s
Host: %s
GET %s HTTP/1.1
HTTP/1.1
Cookie: %s
%d, %s
\\192.168.0.129\TCP\1037
NSPlayer/9.0.0.2980; {%s}; Host: %s
rmff_fix_header: assuming data.size=%i
rmff_fix_header: assuming data.num_packets=%i
rmff_fix_header: assuming prop.num_packets=%i
rmff_fix_header: setting prop.data_offset from %i to %i
rmff_fix_header: correcting prop.num_streams from %i to %i
rmff_fix_header: correcting prop.size from %i to %i
%s %s %s
Session: %s
Cseq: %u
%*s %s
%*s %u
CSeq: %u
rtsp://%s:%i
rtsp://%s:%i/%s
ClientID: Linux_2.4_6.0.9.1235_play32_RN01_EN_586
GUID: 00000000-0000-0000-0000-000000000000
[%s:%d]
User-Agent: RealMedia Player Version 6.0.9.1235 (linux-2.0-libc6-i386-gcc2.95)
Range: npt=%s-
%s/streamid=1
%s/streamid=0
Transport: x-pn-tng/tcp;mode=play,rtp/avp/tcp;unicast;mode=play
If-Match: %s
RealChallenge2: %s, sd=%s
Title: %s
Copyright: %s
Author: %s
real: Content-length for description too big (> %uMB)!
Require: com.real.retain-entity-for-setup
SupportsMaximumASMBandwidth: 1
Bandwidth: %u
Challenge1: %s
hash output: %x %x %x %x
hash input: %x %x %x %x
stream=%u;rule=%u,
Illegal character '%c' in input.
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
zcÁ
right-curly-bracket
left-curly-bracket
0123456789
1057202
c:\%original file name%.exe
4300888
#include "l.chs\afxres.rc" // Standard components
GetCPInfo
WinExec
GetProcessHeap
ScaleViewportExtEx
SetViewportExtEx
GetViewportExtEx
GetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
EnumChildWindows
UnhookWindowsHookEx
SetWindowsHookExA
GetKeyState
CreateDialogIndirectParamA
InternetCanonicalizeUrlA
InternetCrackUrlA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
.text
`.rdata
@.data
%FN~/
UrlA3Q(
%Http
ADVAPI32.dll
OLEAUT32.dll
oledlg.dll
RASAPI32.dll
SHELL32.dll
WININET.dll
WINMM.dll
WINSPOOL.DRV
WS2_32.dll
9.5.25.212
1, 0, 6, 6
- Skin.dll
(*.*)
1.8.0.7
(hXXp://VVV.eyuyan.com)

%original file name%.exe_320_rwx_00401000_002A6000:

t%SVh
t$(SSh
~%UVW
u$SShe
iphlpapi.dll
ws2_32.dll
user32.dll
kernel32.dll
ole32.dll
OLEACC.DLL
gdiplus.dll
Ole32.dll
gdi32.dll
advapi32.dll
GetExtendedTcpTable
GdiplusShutdown
MsgWaitForMultipleObjects
RegCreateKeyA
RegOpenKeyA
RegEnumKeyA
RegCloseKey
RegFlushKey
RegOpenKeyExA
RegCreateKeyExA
RegDeleteKeyA
{B6F7542F-B8FE-46a8-9605-98856A687097}
WebBrowser
[I(3/#N0.bd
j"%u=w
q%Xn`
@|H.NI
.wdd!
S|%u4
843008880
k3"
Nc:\kss.ini
.idata
.edata
P.vmp0
`.vmp1
.reloc
P.rsrc
version.dll
shell32.dll
1e.ro4A
oleaut32.dll
H0.gW
comctl32.dll
d.jF/"
r#'%C
6.Xdp
g|$^.Cn
>.bM8
>Z.Ye
w4R`$p%s*
f.zo~L^
wsock32.dll
ntdll.dll
Ë.L@
l.sQ{
c-t{.FF
b#I".wM
e.ENZ
xip.tu
@>.vO
%FX2Fsi
qKT.jLka
3.LD7
Uq
G,.gd
<.cFF=j
&8.XMj
$~O.Ba
)].Wd
/_{M%U
Q%s6|
lVfeVg
 !%uO
mh.ud
m%Csn%
kq84.QaI
)f%fg
.SuDYw
K)`p.frC
*%s!%
aR.dDb&<y
.xk 4g
ShellExecuteA
)%S{.
'U}.Ue
l%S(8x$!(
1L%UJ
.vtbw
.iA5N
yyhKa%S
d.Zd=#R
x0r%F{
.IPi)
Vj.jH
>M%X9
/8[<{~@ 
bc.lTk
ks_GetMsg
kssPlugin.dll
tole32.dll
5555555555
6666666666
%Program Files%\Internet Explorer\iexplore.exe hXXps://login.taobao.com/member/login.jhtml?redirectURL=http://buyer.trade.taobao.com/trade/itemlist/list_bought_items.htm?type=mytaobao&tracelog=newmdbb
.rsrc
%S4WD
hg%fpM
S.Ac9SR
0.I%3s
,wAe.kI
aiUy'4xu
%c*@j
.eH'y
{&%U)
lj%4U
xe%CNs
9F.cLe
hJK.ZH
O.qt0
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
hXXp://buyer.trade.taobao.com/trade/detail/trade_item_detail.htm?bizOrderId=
trade.taobao.com/trade/security/security
<span class="J_WangWang" data-nick="
class="J_WangWang" data-nick="
class="J_WangWang" data-nick=
data-nick=
hXXps://login.taobao.com/member/login.jhtml?redirectURL=http://buyer.trade.taobao.com/trade/itemlist/list_bought_items.htm?type=mytaobao&tracelog=newmdbb
1.9.exe
\ .bat
iexplore.exe
360chrome.exe
360SE.exe
SogouExplorer.exe
sogouexplorer.exe
The world .exe
twchrome.exe
Maxthon.exe
2345Explorer.exe
QQBrowser.exe
Liebao.exe
[email protected]
.exe|.rar|.zip|.gif|.jpg|.mp3|.rm
hXXp://
javascript:document.onsdragstart=document.onselectstart=document.oncontextmenu=function(){return true}
javascript:document.onselectstart = document.oncontextmenu = document.onmousedown = document.onkeydown = function(){return true;};
window.location.reload()
var jie = document.createStyleSheet();jie.addRule('html','overflow:hidden;');
text|password|file
comdlg32.dll
{557CF400-1A04-11D3-9A73-0000F81EF32E}
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{557CF402-1A04-11D3-9A73-0000F81EF32E}
{557CF405-1A04-11D3-9A73-0000F81EF32E}
{557CF406-1A04-11D3-9A73-0000F81EF32E}
WarnOnHTTPSToHTTPRedirect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
[email protected]
hXXp://VVV.slzaqfh.com/slzkai4
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
MSH_SCROLL_LINES_MSG
MSWHEEL_ROLLMSG
__MSVCRT_HEAP_SELECT
SHLWAPI.dll
MPR.dll
VERSION.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
1.1.3
;3 #>6.&
'2, / 0&7!4-)1#
(*.htm;*.html)|*.htm;*.html
[%s:%d]
Range: bytes=%s-
[%s:%d]
PASS %s
PASS ******
USER %s
E:\dev\e\static_link\static_libs\source\downlib\mystrlib.cpp
SIZE %s
PORT
User-Agent: %s
Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Referer: %s
Host: %s
GET %s HTTP/1.1
HTTP/1.1
Cookie: %s
%d, %s
\\192.168.0.129\TCP\1037
NSPlayer/9.0.0.2980; {%s}; Host: %s
rmff_fix_header: assuming data.size=%i
rmff_fix_header: assuming data.num_packets=%i
rmff_fix_header: assuming prop.num_packets=%i
rmff_fix_header: setting prop.data_offset from %i to %i
rmff_fix_header: correcting prop.num_streams from %i to %i
rmff_fix_header: correcting prop.size from %i to %i
%s %s %s
Session: %s
Cseq: %u
%*s %s
%*s %u
CSeq: %u
rtsp://%s:%i
rtsp://%s:%i/%s
ClientID: Linux_2.4_6.0.9.1235_play32_RN01_EN_586
GUID: 00000000-0000-0000-0000-000000000000
[%s:%d]
User-Agent: RealMedia Player Version 6.0.9.1235 (linux-2.0-libc6-i386-gcc2.95)
Range: npt=%s-
%s/streamid=1
%s/streamid=0
Transport: x-pn-tng/tcp;mode=play,rtp/avp/tcp;unicast;mode=play
If-Match: %s
RealChallenge2: %s, sd=%s
Title: %s
Copyright: %s
Author: %s
real: Content-length for description too big (> %uMB)!
Require: com.real.retain-entity-for-setup
SupportsMaximumASMBandwidth: 1
Bandwidth: %u
Challenge1: %s
hash output: %x %x %x %x
hash input: %x %x %x %x
stream=%u;rule=%u,
Illegal character '%c' in input.
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
zcÁ
right-curly-bracket
left-curly-bracket
0123456789
1057202
c:\%original file name%.exe
4300888
#include "l.chs\afxres.rc" // Standard components
GetCPInfo
WinExec
GetProcessHeap
ScaleViewportExtEx
SetViewportExtEx
GetViewportExtEx
GetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
EnumChildWindows
UnhookWindowsHookEx
SetWindowsHookExA
GetKeyState
CreateDialogIndirectParamA
InternetCanonicalizeUrlA
InternetCrackUrlA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
.text
`.rdata
@.data
%FN~/
9.5.25.212
1, 0, 6, 6
- Skin.dll
(*.*)

%original file name%.exe_320_rwx_00CB8000_0000C000:

x.yvr
x.yvkd
x.yvw
x.yvq5v

%original file name%.exe_320_rwx_00D4D000_000CA000:

version.dll
user32.dll
shell32.dll
1e.ro4A
oleaut32.dll
H0.gW
comctl32.dll
advapi32.dll
gdi32.dll
d.jF/"
r#'%C
6.Xdp
g|$^.Cn
>.bM8
>Z.Ye
w4R`$p%s*
f.zo~L^
wsock32.dll
ntdll.dll
Ë.L@
l.sQ{
c-t{.FF
b#I".wM
e.ENZ
xip.tu
@>.vO
%FX2Fsi
qKT.jLka
3.LD7
Uq
G,.gd
<.cFF=j
&8.XMj
$~O.Ba
)].Wd
/_{M%U
Q%s6|
lVfeVg
 !%uO
mh.ud
m%Csn%
kq84.QaI
)f%fg
.SuDYw
K)`p.frC
*%s!%
aR.dDb&<y
.xk 4g
ShellExecuteA
RegCloseKey
)%S{.
'U}.Ue
l%S(8x$!(
1L%UJ
.vtbw
.iA5N
yyhKa%S
d.Zd=#R
x0r%F{
.IPi)
Vj.jH
>M%X9
/8[<{~@ 
bc.lTk
ks_GetMsg
kssPlugin.dll
tole32.dll
kernel32.dll

%original file name%.exe_320_rwx_10000000_0003E000:

`.rsrc
L$(h%f
SSh0j
msctls_hotkey32
TVCLHotKey
THotKey
\skinh.she
}uo,x6l5k%x-l h
9p%s m)t4`#b
e"m?c&y1`Ð<
SetViewportOrgEx
SetViewportExtEx
SetWindowsHookExA
UnhookWindowsHookEx
EnumThreadWindows
EnumChildWindows
`c%US.4/
!#$<#$#=
.text
`.rdata
@.data
.rsrc
@.UPX0
`.UPX1
`.reloc
hJK.ZH
O.qt0
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
1, 0, 6, 6
- Skin.dll


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NLNS9NSS\title[1].css (984 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NLNS9NSS\default[1].css (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41IR45E3\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NLNS9NSS\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ICNDMG3A\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C9EJGDEF\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NLNS9NSS\slzkai[1].htm (23 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
