Trojan.Win32.FlyStudio_8d6da1f878

by malwarelabrobot on May 1st, 2014 in Malware Descriptions.

Trojan.Generic.11227277 (B) (Emsisoft), Trojan.Generic.11227277 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm


This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: 8d6da1f878e2853eea459225a9fc10f0
SHA1: c84bf00b377b7fdd0147ac1f1367bddb50dcc1c3
SHA256: 82312f3a488a1e0b10cd91c3a7a894aa6ed2311ae81229eef1ad92afbf570221
SSDeep: 49152:xjnCOJd3fyg5GJ8TZaqdwk0c05HGiERRE:xjffyUvYqdwkLcHHEw
Size: 1769472 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-12-03 11:08:04
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour: EmailWorm
Description: Worm can send e-mails.


Process activity

The Trojan creates the following process(es):

wuauclt.exe:1880

The Trojan injects its code into the following process(es):

%original file name%.exe:132

File activity

The process %original file name%.exe:132 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ANKBAVY5\Movie[1].swf (81913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ANKBAVY5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ANKBAVY5\count[1].htm (66 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\VCZV2W0V\enter[1].jpg (432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C9UB81QB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\VCZV2W0V\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6XC3GZ2P\chinahacker[1].htm (1265 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ANKBAVY5\topic[1].mid (24361 bytes)
C:\SkinH_EL.dll (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6XC3GZ2P\desktop.ini (67 bytes)

The process wuauclt.exe:1880 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2448 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)

The Trojan deletes the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)

Registry activity

The process %original file name%.exe:132 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device]
"DSGuid" = "{00000000-0000-0000-0000-000000000000}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device]
"FriendlyName" = "Default DirectSound Device"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1916x902x32(BGR 0)" = "31,31,31,31"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device]
"CLSID" = "{79376820-07D0-11CF-A24D-0020AFD79767}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device]
"CLSID" = "{07B65360-C445-11CE-AFDE-00AA006C14F4}"
"MidiOutId" = "4294967295"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device]
"FilterData" = "02 00 00 00 00 00 80 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 F3 4F C2 46 B8 87 E4 50 2A DF 9E A6 9B 89 A1"

[HKCU\Software\Microsoft\Multimedia\ActiveMovie\Filter Cache]
"0" = "E0 5A 00 00 65 68 63 66 00 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device]
"FilterData" = "02 00 00 00 00 00 80 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device]
"FriendlyName" = "Default MidiOut Device"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE security zone settings so that all local web nodes with no dots in their names, which do not belong to any other zone, are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Multimedia\ActiveMovie\Filter Cache]
"1"

Dropped PE files

MD5: 147127382e001f495d1842ee7a9e7912
File path: c:\SkinH_EL.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ??????????
Product Name: ????????????
Product Version: 1.0.0.0
Legal Copyright: ????????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ????????????
Comments: ??????????
Language: Chinese (Simplified, PRC)

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             621234        622592    5.1389   7762e84b73bd3a6c39ed866c408c2047
.rdata  626688           1039398       1040384   5.36973  c96e03ce80a13ce193b1a8b85850f70e
.data   1667072          281002        65536     4.34074  8285d322d54f9aadbcc29a08cc9f475b
.rsrc   1949696          34580         36864     3.80064  a768d97d1833f03f4cd4ae65e31583b6

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL                                                                          IP
hxxp://www.chinahacker.com/                                                  222.76.217.48
hxxp://www.chinahacker.com/Movie.swf                                         222.76.217.48
hxxp://www.chinahacker.com/mid/topic.mid                                     222.76.217.48
hxxp://www.chinahacker.com/count/count.cgi?ID=chinahacker.com&SHOW=count     222.76.217.48
hxxp://www.chinahacker.com/images/enter.jpg                                  222.76.217.48
hxxp://data.chinahacker.com/count/count.cgi?ID=chinahacker.com&SHOW=count    222.76.217.48


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Outdated Windows Flash Version IE

Traffic

GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.chinahacker.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 30 Apr 2014 09:46:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 3416
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSCCQADQQ=OJHPCCGAPPJIPOMPOHJFKIAA; path=/
Cache-control: private

<<< skipped >>>

GET /Movie.swf HTTP/1.1

Accept: */*
Accept-Language: en-US
Referer: hXXp://VVV.chinahacker.com/
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.chinahacker.com
Connection: Keep-Alive
Cookie: ASPSESSIONIDSCCQADQQ=OJHPCCGAPPJIPOMPOHJFKIAA


HTTP/1.1 200 OK
Content-Length: 214015
Content-Type: application/x-shockwave-flash
Last-Modified: Mon, 14 Mar 2011 16:00:00 GMT
Accept-Ranges: bytes
ETag: "5033adf60e2cb1:e6d"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 30 Apr 2014 09:46:45 GMT

<<< skipped >>>

GET /count/count.cgi?ID=chinahacker.com&SHOW=count HTTP/1.1
Accept: */*
Referer: hXXp://VVV.chinahacker.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: data.chinahacker.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 30 Apr 2014 09:46:47 GMT
Connection: close
document.write('........<font color=red>' 34529530 '</font>
;....');..


GET /mid/topic.mid HTTP/1.1
Accept: */*
Referer: hXXp://VVV.chinahacker.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.chinahacker.com
Connection: Keep-Alive
Cookie: ASPSESSIONIDSCCQADQQ=OJHPCCGAPPJIPOMPOHJFKIAA


HTTP/1.1 200 OK
Content-Length: 30594
Content-Type: audio/mid
Last-Modified: Mon, 14 Mar 2011 16:00:00 GMT
Accept-Ranges: bytes
ETag: "5033adf60e2cb1:e6d"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 30 Apr 2014 09:46:45 GMT

<<< skipped >>>

GET /images/enter.jpg HTTP/1.1

Accept: */*
Referer: hXXp://VVV.chinahacker.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.chinahacker.com
Connection: Keep-Alive
Cookie: ASPSESSIONIDSCCQADQQ=OJHPCCGAPPJIPOMPOHJFKIAA


HTTP/1.1 200 OK
Content-Length: 3593
Content-Type: image/jpeg
Last-Modified: Mon, 14 Mar 2011 16:00:00 GMT
Accept-Ranges: bytes
ETag: "5033adf60e2cb1:e6d"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 30 Apr 2014 09:47:10 GMT

<<< skipped >>>

%original file name%.exe_132:

.text
.rdata
@.data
.rsrc
xh.NV
t$(SSh
~%UVW
u$SShe
atl.dll
wininet.dll
user32.dll
kernel32.dll
SkinH_EL.dll
WinINet.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
MsgWaitForMultipleObjects
&keyindex=9&pt_aid=549000912&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone
&clientkey=
http://ptlogin2.qq.com/jump?clientuin=
http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone
skey
http://url.cn/9iIZQ9
#home&syn_tweet_verson=1&richtype=&richval=&special_url=&subrichtype=&who=1&con=qm
qzreferrer=http://user.qzone.qq.com/
http://taotao.qq.com/cgi-bin/emotion_cgi_publish_v6?g_tk=
qzreferrer=http://cnc.qzs.qq.com/qzone/v6/setting/profile/profile.html?tab=base&nickname=
http://w.qzone.qq.com/cgi-bin/user/cgi_apply_updateuserinfo_new?g_tk=
qzreferrer=http://cnc.qzs.qq.com/qzone/v6/setting/profile/profile.html?tab=space&spacename=
http://w.cnc.qzone.qq.com/cgi-bin/user/cgi_apply_updateuserinfo_new?g_tk=
&secverifykey=28Q12062209183668_2209183668
&source=1&blogType=0&lp_type=0&lp_flag=0&lp_id=79208&lp_style=16843520&autograph=1&topFlag=0&feeds=1&tweetFlag=0&rightType=1&uin=
&html=
qzreferrer=http://cnc.qzs.qq.com/qzone/newblog/v5/editor.html#opener=refererurl&source=1&refererurl=http%3A%2F%2Fcnc.qzs.qq.com%2Fqzone%2Fapp%2Fblog%2Fv6%2Fbloglist.html%23nojump%3D1%26page%3D1%26catalog%3Dlist&cate=
http://b11.cnc.qzone.qq.com/cgi-bin/blognew/add_blog?g_tk=
http://ptlogin2.qq.com/getimage?aid=11000101&0.510440093974835
http://ptlogin2.qq.com/getimage/paycenterqqcard?aid=20000101&0.7970060507252166
SSOAxCtrlForPTLogin.SSOForPTLogin2
http://xui.ptlogin2.qq.com/cgi-bin/qlogin
document.body.innerHTML=GetuinKey();
function GetuinKey(){var text="";var q_hummerQtrl=null;var g_vOptData=null;if(window.ActiveXObject){try{q_hummerQtrl=new ActiveXObject("SSOAxCtrlForPTLogin.SSOForPTLogin2");var A=q_hummerQtrl.CreateTXSSOData();q_hummerQtrl.InitSSOFPTCtrl(0,A);g_vOptData=q_hummerQtrl.CreateTXSSOData();var a=q_hummerQtrl.DoOperation(1,g_vOptData);var V=a.GetArray("PTALIST");var f=V.GetSize();var H=$("list_uin");for(var g=0;g
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
http=
https
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
https://
http://
len = str.length; i < len;   i) hash  = (hash << 5)   str.charCodeAt(i);
var t = QZONE.FormSender;
if (t && t.pluginsPool) t.pluginsPool.formHandler.push(function(fm) {
var a = QZFL.string.trim(fm.action);
a  = (a.indexOf("?") > -1 ? "&": "?")   "g_tk="   QZFL.pluginsDefine.getACSRFToken();
fm.action = a
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
tencent://message/?uin=3447808Site=www.vvred.com&Menu=yes
103371334
840531158
smtp.qq.com
[email protected]
appId=1&loadingTpl=paynew&resultTpl=paynew&errorTpl=paynew&tpl=paynew&provider=1&mode=WEB&paytype=2&area=&returl=&isDirect=0&serviceitem=1&buyer=
http://mpay.qq.com/portal/doPay_6.htm
&CardPassword=
http://pay.qq.com/cgi-bin/account/account_qqcard_save_qbqd.cgi
http://pay.qq.com/
CDKEY
http://www.chinahacker.com/
X.zM-q
, #&')*)
-0-(0%()(
http://ptlogin2.qq.com/getimage?aid=11000101&0.510440093974835(
E.DW<
3447808
[email protected]
http://3447808.qzone.qq.com
http://t.qq.com/qiq7777
.Up7.
Gl.om
/l.rq^U
1999001
[email protected]
http://1999001.qzone.qq.com/
http://t.qq.com/Q99999
400-7065-889
eBjq.TT
.uyP0
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
ole32.dll
__MSVCRT_HEAP_SELECT
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
RASAPI32.dll
GetProcessHeap
WinExec
KERNEL32.dll
GetKeyState
GetKeyboardLayout
VkKeyScanExA
keybd_event
SetWindowsHookExA
UnhookWindowsHookEx
EnumThreadWindows
EnumChildWindows
GetViewportOrgEx
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
OLEAUT32.dll
oledlg.dll
WSOCK32.dll
WININET.dll
GetCPInfo
CreateDialogIndirectParamA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
www.dywt.com.cn
msctls_hotkey32
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
HELO %s
SMTP
AUTH LOGIN
LOGIN
AUTH=LOGIN
EHLO %s
Content-Type: application/octet-stream; name=%s
Content-Disposition: attachment; filename=%s
MAIL FROM:<%s>
RCPT TO:<%s>
(*.htm;*.html)|*.htm;*.html
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
zcÁ
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
1, 0, 6, 6
(*.*)
1.0.0.0

%original file name%.exe_132_rwx_00401000_00098000:

xh.NV
t$(SSh
~%UVW
u$SShe

%original file name%.exe_132_rwx_10001000_00039000:

L$(h%f
SSh0j
msctls_hotkey32
TVCLHotKey
THotKey
\skinh.she
}uo,x6l5k%x-l h
9p%s m)t4`#b
e"m?c&y1`Ð<
SetViewportOrgEx
SetViewportExtEx
SetWindowsHookExA
UnhookWindowsHookEx
EnumThreadWindows
EnumChildWindows
`c%US.4/
!#$<#$#=
.text
`.rdata
@.data
.rsrc
@.UPX0
`.UPX1
`.reloc


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    wuauclt.exe:1880

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ANKBAVY5\Movie[1].swf (81913 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ANKBAVY5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ANKBAVY5\count[1].htm (66 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\VCZV2W0V\enter[1].jpg (432 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C9UB81QB\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\VCZV2W0V\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6XC3GZ2P\chinahacker[1].htm (1265 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ANKBAVY5\topic[1].mid (24361 bytes)
    C:\SkinH_EL.dll (88 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6XC3GZ2P\desktop.ini (67 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2448 bytes)
    %WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
