Trojan.Win32.FlyStudio_eb0ca9362f

by malwarelabrobot on June 4th, 2015 in Malware Descriptions.

Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: eb0ca9362f4363e89a0d8d952a96c391
SHA1: 6d31178527baffcd96b338b5c80fdad9c774418e
SHA256: 7aef27978e9764d29fb889a2a559a4757d78ed46f1018a857e24dbedb46a4115
SSDeep: 12288:1sd5uSQbW3ofQ7ofAGw7nXglK/uyY6ZXBWJ W41deQTloS:Cd5uSOW4frAjD/s6ZXk WmEQT
Size: 537088 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-01-24 15:22:13
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:800

Mutexes

The following mutexes were created/opened:

c:!documents and settings!adm!local settings!history!history.ie5!mshist012015060320150604!
_!SHMSFTHISTORY!_
CTF.TMD.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Layouts.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Asm.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Compart.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.LBES.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
HGFSMUTEX00000000000240ee
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
RasPbFile
ShimCacheMutex

File activity

The process %original file name%.exe:800 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A9WRW5GJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OR5MZNZI\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
C:\Ƥ·ô.she (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OR5MZNZI\CAOVI5A7.htm (10 bytes)
C:\jedata.dll (88 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OR5MZNZI\CAR2KVN1 (123 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GBE3DABB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PW0KY8DE\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (180 bytes)

Registry activity

The process %original file name%.exe:800 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015060320150604]
"CacheLimit" = "8192"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015060320150604]
"CachePrefix" = ":2015060320150604:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015060320150604]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012015060320150604\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 3A ED BD 98 07 43 B9 3A 80 14 FC 13 56 3C 9C"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.2345.com/?k56330"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015060320150604]
"CacheRepair" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015060320150604]
"CacheOptions" = "11"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140318]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
114054313070472cd1a6d7d28f7c5002 c:\jedata.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ?????
Product Name: ??V8????1.5
Product Version: 1.3.0.0
Legal Copyright: ????? ????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.3.0.0
File Description: V8.0??????-????????
Comments: V8.0??????-????????
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX0 4096 1224704 0 0 d41d8cd98f00b204e9800998ecf8427e
UPX1 1228800 466944 463872 5.54474 bb5fb09f867f7ad0b3f8c9d88ed3304f
.rsrc 1695744 73728 72192 1.60111 df070ca39aeed1d9da24c39021c5a6a8

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://ui.ptlogin2.qq.com/cgi-bin/login?link_target=blank&appid=15000101&s_url=http://php.qzone.qq.com/index.php?mod=portal&act=login&f_url=loginerroralert&target=top&qlogin_jumpname=jump&qlogin_param=u1=http://php.qzone.qq.com/index.php?mod=portal&act=login&r=2010-10-31 0:03:44 112.90.83.106


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /cgi-bin/login?link_target=blank&appid=15000101&s_url=http://php.qzone.qq.com/index.php?mod=portal&act=login&f_url=loginerroralert&target=top&qlogin_jumpname=jump&qlogin_param=u1=http://php.qzone.qq.com/index.php?mod=portal&act=login&r=2010-10-31 0:03:44 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ui.ptlogin2.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Connection: keep-alive
Keep-Alive: timeout=50, max=1024
Server: QZHTTP-2.38.20
Date: Tue, 02 Jun 2015 23:30:25 GMT
P3P: CP="CAO PSA OUR"
Cache-Control: max-age=86400
Set-Cookie: pt_user_id=9571227474957132143; EXPIRES=Fri, 30-May-2025 23:30:25 GMT; PATH=/; DOMAIN=ui.ptlogin2.qq.com;
Set-Cookie: pt_login_sig=1wwnglu-xtFLJACb1cmHXbTn*lznPQ3ojGXliU3-Otn*EI7GHzjCKv5jE98eRd0S; PATH=/; DOMAIN=ptlogin2.qq.com;
Set-Cookie: pt_clientip=90b0c18af4e71c53; PATH=/; DOMAIN=qq.com;
Set-Cookie: pt_serverip=0a940a85030cbd2d; PATH=/; DOMAIN=qq.com;
Set-Cookie: login_param=link_target=blank&appid=15000101&s_url=http%3A//php.qzone.qq.com/index.php%3Fmod%3Dportal%26act%3Dlogin&f_url=loginerroralert&target=top&qlogin_jumpname=jump&qlogin_param=u1%3Dhttp%3A//php.qzone.qq.com/index.php%3Fmod%3Dportal%26act%3Dlogin&r=2010-10-31%200:03:44; PATH=/; DOMAIN=ui.ptlogin2.qq.com;
Set-Cookie: uikey=bfa7ba82c4f1036bc6ed4e7d3044e759c921a524698327a61990af015fccfea6; PATH=/; DOMAIN=ptlog







The Trojan connects to the servers at the folowing location(s):







%original file name%.exe_800:




`.rsrc
t%SVh
t$(SSh
~%UVW
u$SShe
wininet.dll
kernel32.dll
shlwapi.dll
jedata.dll
user32.dll
gdiplus.dll
ole32.dll
GdiPlus.dll
Psapi.dll
advapi32.dll
ntdll.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
GdiplusShutdown
EnumChildWindows
WEBUI
WebUIControl
hXXp://qun.qzone.qq.com/cgi-bin/get_group_member?uin=
"nick":"
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
http=
https
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
HTTP/1.1
hXXps://
hXXp://
hXXp://ui.ptlogin2.qq.com/cgi-bin/login?link_target=blank&appid=15000101&s_url=http://php.qzone.qq.com/index.php?mod=portal&act=login&f_url=loginerroralert&target=top&qlogin_jumpname=jump&qlogin_param=u1=http://php.qzone.qq.com/index.php?mod=portal&act=login&r=2010-10-31 0:03:44
.qzone.qq.com/jjb
hXXp://wenwen.qq.com/z/QzoneAppQuestionAndAnswer.htm
skey=
; skey=
VVV.baidu.com
hXXp://qun.qzone.qq.com/cgi-bin/get_group_list?uin=
hXXp://VVV.2345.com/?k56330
pei.jjb
\jedata.dll
.rsrc
%S4WD
hg%fpM
S.Ac9SR
0.I%3s
,wAe.kI
aiUy'4xu
%c*@j
.eH'y
{&%U)
lj%4U
xe%CNs
9F.cLe
hJK.ZH
O.qt0
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
_y.qzone.qq.com
hXXp://w.qzone.qq.com/cgi-bin/likes/internal_dolike_app?g_tk=
&zb_url=http://i.gtimg.cn/qzone/space_item/pre/14/94110_1.gif
&curkey=http://user.qzone.qq.com/
&unikey=http://user.qzone.qq.com/
/main&appid=7030&face=0&fupdate=1&from=1&query_count=200&opuin=
qzreferrer=http://user.qzone.qq.com/
hXXp://user.qzone.qq.com/
:hXXp://VVV.tmd.la
hXXp://users.qzone.qq.com/cgi-bin/likes/get_like_list_app?uin=
VVV.29523472.cn/
2000-4000
WinHttp.WinHttpRequest.5.1
application/x-www-form-urlencoded
Adodb.Stream
MSScriptControl.ScriptControl
Scripting.Encoder
1, 2, 0, 1, 2, 0, 2, 0, 0, 2, 0, 2, 1, 0, 2, 0,
1, 0, 2, 0, 1, 1, 2, 0, 0, 2, 1, 0, 2, 0, 0, 2,
1, 1, 0, 2, 0, 2, 0, 1, 0, 1, 1, 2, 0, 1, 0, 2,
1, 0, 2, 0, 1, 1, 2, 0, 0, 1, 1, 2, 0, 1, 0, 2
digits["A".charCodeAt(0) i] = i
digits["a".charCodeAt(0) i] = i 26
for (var i=0; i<10; i  ) digits["0".charCodeAt(0) i] = i 52
if (char.charCodeAt(0) > 126) return char
if (escapes.indexOf(char) != -1) return escaped.substr(escapes.indexOf(char), 1)
val  = (digits[string.substr(0,1).charCodeAt(0)] << 2)
val  = (digits[string.substr(1,1).charCodeAt(0)] >> 4)
val  = (digits[string.substr(1,1).charCodeAt(0)] & 0xf) << 12
val  = ((digits[string.substr(2,1).charCodeAt(0)] >> 2) << 8)
val  = ((digits[string.substr(2,1).charCodeAt(0)] & 0x3) << 22)
val  = (digits[string.substr(3,1).charCodeAt(0)] << 16)
scriptIndex = encodingString.indexOf(marker, stringIndex)
unEncodingString  = encodingString.substring(stringIndex, scriptIndex)
scriptIndex  = marker.length
unEncodingString  = encodingString.substr(stringIndex, encodingString.length)
encodingLength = encodingString.substr(scriptIndex, 6)
scriptIndex  = (6   "==".length)
stringIndex = scriptIndex   "DQgAAA==^#~@".length
char = encodingString.substr(scriptIndex, 1)
if (char.charCodeAt(0) < 0xFF)
unEncodingString  = String.fromCharCode(transformed[pick_encoding[unEncodingIndexd]][char.charCodeAt(0)])
unEncodingString  = unescape(encodingString.substr(  scriptIndex, 1))
re = new RegExp("(JScript|VBscript).encode", "gmi")
while(arr = re.exec(unEncodingString)) unEncodingString = RegExp.leftContext   RegExp.$1   RegExp.rightContext
strdec(AdodbStream.ReadText);
0.0.0.0
0000000000
function encrypt(str,pass){
data = m_xxtea.encrypt(str, pass);
function decrypt(str,pass){
data = m_xxtea.decrypt(str, pass);
if (str.match(/^[\x00-\x7f]*$/) != null) {
return str.toString();
len = str.length;
c = str.charCodeAt(i);
out[j] = str.charAt(i);
out[j] = String.fromCharCode(0xc0 | (c >>> 6),
out[j] = String.fromCharCode(0xe0 | (c >>> 12),
c2 = str.charCodeAt(i);
out[j] = String.fromCharCode(0xf0 | ((c >>> 18) & 0x3f),
return out.join('');
if ((str.match(/^[\x00-\x7f]*$/) != null) ||
(str.match(/^[\x00-\xff]*$/) == null)) {
c = str.charCodeAt(i  );
out[j  ] = str.charAt(i - 1);
c2 = str.charCodeAt(i  );
out[j  ] = String.fromCharCode(((c & 0x1f) << 6) |
c3 = str.charCodeAt(i  );
out[j  ] = String.fromCharCode(((c & 0x0f) << 12) |
c4 = str.charCodeAt(i  );
out[j  ] = String.fromCharCode(((s >>> 10) & 0x03ff) | 0xd800,
var base64EncodeChars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /'.split('');
len = str.length;
c = str.charCodeAt(i  ) << 16 |
str.charCodeAt(i  ) << 8 |
str.charCodeAt(i  );
c = str.charCodeAt(i  );
c = str.charCodeAt(i  ) << 8 |
return out.join('');
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, -1, 63,
if (/[^ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\ \/\=]/.test(str)) {
if (str.charAt(len - 2) == '=') {
else if (str.charAt(len - 1) == '=') {
c1 = base64DecodeChars[str.charCodeAt(i  )];
c2 = base64DecodeChars[str.charCodeAt(i  )];
out[j  ] = String.fromCharCode((c1 << 2) | ((c2 & 0x30) >> 4));
c3 = base64DecodeChars[str.charCodeAt(i  )];
out[j  ] = String.fromCharCode(((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2));
c4 = base64DecodeChars[str.charCodeAt(i  )];
out[j  ] = String.fromCharCode(((c3 & 0x03) << 6) | c4);
var length = data.length;
data[i] = String.fromCharCode(
return data.join('').substring(0, n);
return data.join('');
var length = string.length;
result[i >> 2] = string.charCodeAt(i) |
string.charCodeAt(i   1) << 8 |
string.charCodeAt(i   2) << 16 |
string.charCodeAt(i   3) << 24;
result[result.length] = length;
this.encrypt = function(string, key) {
var k = stringToLongArray(key, false);
if (k.length < 4) {
k.length = 4;
var n = v.length - 1;
var mx, e, p, q = Math.floor(6   52 / (n   1)), sum = 0;
this.decrypt = function(string, key) {
var mx, e, p, q = Math.floor(6   52 / (n   1)), sum = q * delta & 0xffffffff;
* See hXXp://pajhome.org.uk/crypt/md5 for details.
function hex_sha1(s){return binb2hex(core_sha1(str2binb(s),s.length * chrsz));}
function b64_sha1(s){return binb2b64(core_sha1(str2binb(s),s.length * chrsz));}
function str_sha1(s){return binb2str(core_sha1(str2binb(s),s.length * chrsz));}
function hex_hmac_sha1(key, data){ return binb2hex(core_hmac_sha1(key, data));}
function b64_hmac_sha1(key, data){ return binb2b64(core_hmac_sha1(key, data));}
function str_hmac_sha1(key, data){ return binb2str(core_hmac_sha1(key, data));}
for(var i = 0; i < x.length; i  = 16)
* Calculate the HMAC-SHA1 of a key and some data
function core_hmac_sha1(key, data)
var bkey = str2binb(key);
if(bkey.length > 16) bkey = core_sha1(bkey, key.length * chrsz);
ipad[i] = bkey[i] ^ 0x36363636;
opad[i] = bkey[i] ^ 0x5C5C5C5C;
var hash = core_sha1(ipad.concat(str2binb(data)), 512   data.length * chrsz);
return core_sha1(opad.concat(hash), 512   160);
* Add integers, wrapping at 2^32. This uses 16-bit operations internally
for(var i = 0; i < str.length * chrsz; i  = chrsz)
bin[i>>5] |= (str.charCodeAt(i / chrsz) & mask) << (32 - chrsz - i2);
for(var i = 0; i < bin.length * 32; i  = chrsz)
str  = String.fromCharCode((bin[i>>5] >>> (32 - chrsz - i2)) & mask);
for(var i = 0; i < binarray.length * 4; i  )
str  = hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8 4)) & 0xF)  
hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8 )) & 0xF);
for(var i = 0; i < binarray.length * 4; i  = 3)
if(i * 8   j * 6 > binarray.length * 32) str  = b64pad;
else str  = tab.charAt((triplet >> 6*(3-j)) & 0x3F);
TempObj=JSON.parse(str);
var obj=JSON.parse(str);
Lobj.push(obj);
return Lobj.length;
function GetAllKey(){
Lobj = JSON.parse(str);
var str=JSON.stringify(Lobj);
return Lobj.str;
if (typeof Date.prototype.toJSON !== 'function') {
Date.prototype.toJSON = function (key) {
return isFinite(this.valueOf())
? this.getUTCFullYear()   '-'  
f(this.getUTCMonth()   1)   '-'  
f(this.getUTCDate())   'T'  
f(this.getUTCHours())   ':'  
f(this.getUTCMinutes())   ':'  
f(this.getUTCSeconds())   'Z'
String.prototype.toJSON =
Number.prototype.toJSON =
Boolean.prototype.toJSON = function (key) {
return this.valueOf();
'"' : '\\"',
'\\': '\\\\'
escapable.lastIndex = 0;
return escapable.test(string) ? '"'   string.replace(escapable, function (a) {
: '\\u'   ('0000'   a.charCodeAt(0).toString(16)).slice(-4);
function str(key, holder) {
k, // The member key.
value = holder[key];
typeof value.toJSON === 'function') {
value = value.toJSON(key);
value = rep.call(holder, key, value);
if (Object.prototype.toString.apply(value) === '[object Array]') {
length = value.length;
v = partial.length === 0
? '[\n'   gap   partial.join(',\n'   gap)   '\n'   mind   ']'
: '['   partial.join(',')   ']';
length = rep.length;
partial.push(quote(k)   (gap ? ': ' : ':')   v);
if (Object.prototype.hasOwnProperty.call(value, k)) {
v = partial.length === 0
? '{\n'   gap   partial.join(',\n'   gap)   '\n'   mind   '}'
: '{'   partial.join(',')   '}';
if (typeof JSON.stringify !== 'function') {
JSON.stringify = function (value, replacer, space) {
typeof replacer.length !== 'number')) {
throw new Error('JSON.stringify');
if (typeof JSON.parse !== 'function') {
JSON.parse = function (text, reviver) {
function walk(holder, key) {
var k, v, value = holder[key];
if (Object.prototype.hasOwnProperty.call(value, k)) {
return reviver.call(holder, key, value);
cx.lastIndex = 0;
if (cx.test(text)) {
text = text.replace(cx, function (a) {
('0000'   a.charCodeAt(0).toString(16)).slice(-4);
.test(text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@')
.replace(/"[^"\\\n\r]*"|true|false|null|-?\d (?:\.\d*)?(?:[eE][ \-]?\d )?/g, ']')
.replace(/(?:^|:|,)(?:\s*\[) /g, ''))) {
throw new SyntaxError('JSON.parse');
JSON.stringify(Lobj['
Lobj.push("
Lobj.push(
Lobj.push('
Lobj.length
JSON.stringify(Lobj[
Lobj.splice(
GetAllKey
Math.round(new Date().getTime()/1000)
Math.round(new Date().getTime())
Math.round(new Date().getTime() * 100)
7 9 10 5 8 4 2 1 6 3 7 9 10 5 8 4 2
WScript.Shell
rundll32.exe url.dll,FileProtocolHandler
function trim_output() {while (output.length && (output[output.length - 1] === " " || output[output.length - 1] === indent_string)) {output.pop();}}
function print_newline(ignore_repeated) {ignore_repeated = typeof ignore_repeated === "undefined" ? true : ignore_repeated;trim_output();if (!output.length) {return;}if (output[output.length - 1] !== "\n" || !ignore_repeated) {output.push("\n");}for (var i = 0; i < indent_level; i  ) {output.push(indent_string);}}
function print_space() {var last_output = output.length ? output[output.length - 1] : " ";if (last_output !== " " && last_output !== "\n" && last_output !== indent_string) {output.push(" ");}}
function print_token() {output.push(token_text);}
function remove_indent() {if (output.length && output[output.length - 1] === indent_string) {output.pop();}}
function set_mode(mode) {modes.push(current_mode);current_mode = mode;}
function restore_mode() {do_block_just_closed = current_mode === "DO_BLOCK";current_mode = modes.pop();}
function in_array(what, arr) {for (var i = 0; i < arr.length; i  ) {if (arr[i] === what) {return true;}}return false;}
function get_next_token() {var n_newlines = 0;var c = "";do {if (parser_pos >= input.length) {return ["", "TK_EOF"];}c = input.charAt(parser_pos);parser_pos  = 1;if (c === "\n") {n_newlines  = 1;}} while (in_array(c, whitespace));if (n_newlines > 1) {for (var i = 0; i < 2; i  ) {print_newline(i === 0);}}var wanted_newline = n_newlines === 1;if (in_array(c, wordchar)) {if (parser_pos < input.length) {while (in_array(input.charAt(parser_pos), wordchar)) {c  = input.charAt(parser_pos);parser_pos  = 1;if (parser_pos === input.length) {break;}}}if (parser_pos !== input.length && c.match(/^[0-9] [Ee]$/) && input.charAt(parser_pos) === "-") {parser_pos  = 1;var t = get_next_token(parser_pos);c  = "-"   t[0];return [c, "TK_WORD"];}if (c === "in") {return [c, "TK_OPERATOR"];}return [c, "TK_WORD"];}if (c === "(" || c === "[") {return [c, "TK_START_EXPR"];}if (c === ")" || c === "]") {return [c, "TK_END_EXPR"];}if (c === "{") {return [c, "TK_START_BLOCK"];}if (c === "}") {return [c, "TK_END_BLOCK"];}if (c === ";") {return [c, "TK_END_COMMAND"];}if (c === "/") {var comment = "";if (input.charAt(parser_pos) === "*") {parser_pos  = 1;if (parser_pos < input.length) {while (!(input.charAt(parser_pos) === "*" && input.charAt(parser_pos   1) && input.charAt(parser_pos   1) === "/") && parser_pos < input.length) {comment  = input.charAt(parser_pos);parser_pos  = 1;if (parser_pos >= input.length) {break;}}}parser_pos  = 2;return ["/*"   comment   "*/", "TK_BLOCK_COMMENT"];}if (input.charAt(parser_pos) === "/") {comment = c;while (input.charAt(parser_pos) !== "\r" && input.charAt(parser_pos) !== "\n") {comment  = input.charAt(parser_pos);parser_pos  = 1;if (parser_pos >= input.length) {break;}}parser_pos  = 1;if (wanted_newline) {print_newline();}return [comment, "TK_COMMENT"];}}if (c === "'" || c === "\"" || c === "/" && (last_type === "TK_WORD" && last_text === "return" || last_type === "TK_START_EXPR" || last_type === "TK_END_BLOCK" || last_type === "TK_OPERATOR" || last_type === "TK_EOF" || last_type === "TK_END_COMMAND")) {var sep = c;var esc = false;c = "";if (parser_pos < input.length) {while (esc || input.charAt(parser_pos) !== sep) {c  = input.charAt(parser_pos);if (!esc) {esc = input.charAt(parser_pos) === "\\";} else {esc = false;}parser_pos  = 1;if (parser_pos >= input.length) {break;}}}parser_pos  = 1;if (last_type === "TK_END_COMMAND") {print_newline();}return [sep   c   sep, "TK_STRING"];}if (in_array(c, punct)) {while (parser_pos < input.length && in_array(c   input.charAt(parser_pos), punct)) {c  = input.charAt(parser_pos);parser_pos  = 1;if (parser_pos >= input.length) {break;}}return [c, "TK_OPERATOR"];}return [c, "TK_UNKNOWN"];}
indent_character = indent_character || " ";indent_size = indent_size || 4;indent_string = "";while (indent_size--) {indent_string  = indent_character;}input = js_source_text;last_word = "";last_type = "TK_START_EXPR";last_text = "";output = [];do_block_just_closed = false;var_line = false;var_line_tainted = false;whitespace = "\n\r\t ".split("");wordchar = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_$".split("");punct = "  - * / % &    -- =  = -= *= /= $= == === != !== > < >= <= >> << >>> >>>= >>= <<= && &= | || ! !! , : ? ^ ^= |=".split(" ");line_starters = "continue,try,throw,return,var,if,switch,case,default,for,while,break,function".split(",");current_mode = "BLOCK";modes = [current_mode];indent_level = indent_level || 0;parser_pos = 0;in_case = false;while (true) {var t = get_next_token(parser_pos);token_text = t[0];token_type = t[1];if (token_type === "TK_EOF") {break;}switch (token_type) {case "TK_START_EXPR":var_line = false;set_mode("EXPRESSION");if (last_type === "TK_END_EXPR" || last_type === "TK_START_EXPR") {} else if (last_type !== "TK_WORD" && last_type !== "TK_OPERATOR") {print_space();} else if (in_array(last_word, line_starters) && last_word !== "function") {print_space();}print_token();break;case "TK_END_EXPR":print_token();restore_mode();break;case "TK_START_BLOCK":if (last_word === "do") {set_mode("DO_BLOCK");} else {set_mode("BLOCK");}if (last_type !== "TK_OPERATOR" && last_type !== "TK_START_EXPR") {if (last_type === "TK_START_BLOCK") {print_newline();} else {print_space();}}print_token();indent();break;case "TK_END_BLOCK":if (last_type === "TK_START_BLOCK") {trim_output();unindent();} else {unindent();print_newline();}print_token();restore_mode();break;case "TK_WORD":if (do_block_just_closed) {print_space();print_token();print_space();break;}if (token_text === "case" || token_text === "default") {if (last_text === ":") {remove_indent();} else {unindent();print_newline();indent();}print_token();in_case = true;break;}prefix = "NONE";if (last_type === "TK_END_BLOCK") {if (!in_array(token_text.toLowerCase(), ["else", "catch", "finally"])) {prefix = "NEWLINE";} else {prefix = "SPACE";print_space();}} else if (last_type === "TK_END_COMMAND" && (current_mode === "BLOCK" || current_mode === "DO_BLOCK")) {prefix = "NEWLINE";} else if (last_type === "TK_END_COMMAND" && current_mode === "EXPRESSION") {prefix = "SPACE";} else if (last_type === "TK_WORD") {prefix = "SPACE";} else if (last_type === "TK_START_BLOCK") {prefix = "NEWLINE";} else if (last_type === "TK_END_EXPR") {print_space();prefix = "NEWLINE";}if (last_type !== "TK_END_BLOCK" && in_array(token_text.toLowerCase(), ["else", "catch", "finally"])) {print_newline();} else if (in_array(token_text, line_starters) || prefix === "NEWLINE") {if (last_text === "else") {print_space();} else if ((last_type === "TK_START_EXPR" || last_text === "=") && token_text === "function") {} else if (last_type === "TK_WORD" && (last_text === "return" || last_text === "throw")) {print_space();} else if (last_type !== "TK_END_EXPR") {if ((last_type !== "TK_START_EXPR" || token_text !== "var") && last_text !== ":") {if (token_text === "if" && last_type === "TK_WORD" && last_word === "else") {print_space();} else {print_newline();}}} else {if (in_array(token_text, line_starters) && last_text !== ")") {print_newline();}}} else if (prefix === "SPACE") {print_space();}print_token();last_word = token_text;if (token_text === "var") {var_line = true;var_line_tainted = false;}break;case "TK_END_COMMAND":print_token();var_line = false;break;case "TK_STRING":if (last_type === "TK_START_BLOCK" || last_type === "TK_END_BLOCK") {print_newline();} else if (last_type === "TK_WORD") {print_space();}print_token();break;case "TK_OPERATOR":var start_delim = true;var end_delim = true;if (var_line && token_text !== ",") {var_line_tainted = true;if (token_text === ":") {var_line = false;}}if (token_text === ":" && in_case) {print_token();print_newline();break;}in_case = false;if (token_text === ",") {if (var_line) {if (var_line_tainted) {print_token();print_newline();var_line_tainted = false;} else {print_token();print_space();}} else if (last_type === "TK_END_BLOCK") {print_token();print_newline();} else {if (current_mode === "BLOCK") {print_token();print_newline();} else {print_token();print_space();}}break;} else if (token_text === "--" || token_text === "  ") {if (last_text === ";") {start_delim = true;end_delim = false;} else {start_delim = false;end_delim = false;}} else if (token_text === "!" && last_type === "TK_START_EXPR") {start_delim = false;end_delim = false;} else if (last_type === "TK_OPERATOR") {start_delim = false;end_delim = false;} else if (last_type === "TK_END_EXPR") {start_delim = true;end_delim = true;} else if (token_text === ".") {start_delim = false;end_delim = false;} else if (token_text === ":") {if (last_text.match(/^\d $/)) {start_delim = true;} else {start_delim = false;}}if (start_delim) {print_space();}print_token();if (end_delim) {print_space();}break;case "TK_BLOCK_COMMENT":print_newline();print_token();print_newline();break;case "TK_COMMENT":print_space();print_token();print_newline();break;case "TK_UNKNOWN":print_token();break;default:;}last_type = token_type;last_text = token_text;}return output.join("");}
x =a.replace(/^\s /, '')
1970/01/01 00:00:00
.htmlt
VVV.29523472.cn
287306383
VVV.29523472.cn
287306383
29523472
CCmdTarget
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CNotSupportedException
__MSVCRT_HEAP_SELECT
GetCPInfo
KERNEL32.dll
UnhookWindowsHookEx
SetWindowsHookExA
GetKeyState
CreateDialogIndirectParamA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
WINSPOOL.DRV
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
ADVAPI32.dll
SHELL32.dll
oledlg.dll
OLEPRO32.DLL
OLEAUT32.dll
WEBUI.fne
F%D,3
%*.*f
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
WSOCK32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
icmp.dll
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
VVV.dywt.com.cn
(*.htm;*.html)|*.htm;*.html
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
window.event
its:%s::%s
:[email protected]
:6225 8841 1439 1173
:6222 0234 0000 1901908
:95599 8137 08198 36418
hXXp://VVV.lifepj.cn
[email protected]
(0730)6672620
.?AVCCmdUI@@
.PAVCOleException@@
.PAVCObject@@
.PAVCOleDispatchException@@
.?AVCCmdTarget@@
.?AVCTestCmdUI@@
.PAVCUserException@@
.PAVCArchiveException@@
.PAVCSimpleException@@
.PAVCResourceException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
zcÁ
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
WinExec
GetProcessHeap
RegCreateKeyA
GetViewportOrgEx
ShellExecuteA
InternetCrackUrlA
InternetCanonicalizeUrlA
.text
`.rdata
@.data
RASAPI32.dll
WININET.dll
WINMM.dll
WS2_32.dll
1, 0, 6, 6
- Skin.dll
(*.*)
1.3.0.0

%original file name%.exe_800_rwx_00401000_0019B000:




t%SVh
t$(SSh
~%UVW
u$SShe
wininet.dll
kernel32.dll
shlwapi.dll
jedata.dll
user32.dll
gdiplus.dll
ole32.dll
GdiPlus.dll
Psapi.dll
advapi32.dll
ntdll.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
GdiplusShutdown
EnumChildWindows
WEBUI
WebUIControl
hXXp://qun.qzone.qq.com/cgi-bin/get_group_member?uin=
"nick":"
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
http=
https
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
HTTP/1.1
hXXps://
hXXp://
hXXp://ui.ptlogin2.qq.com/cgi-bin/login?link_target=blank&appid=15000101&s_url=http://php.qzone.qq.com/index.php?mod=portal&act=login&f_url=loginerroralert&target=top&qlogin_jumpname=jump&qlogin_param=u1=http://php.qzone.qq.com/index.php?mod=portal&act=login&r=2010-10-31 0:03:44
.qzone.qq.com/jjb
hXXp://wenwen.qq.com/z/QzoneAppQuestionAndAnswer.htm
skey=
; skey=
VVV.baidu.com
hXXp://qun.qzone.qq.com/cgi-bin/get_group_list?uin=
hXXp://VVV.2345.com/?k56330
pei.jjb
\jedata.dll
.rsrc
%S4WD
hg%fpM
S.Ac9SR
0.I%3s
,wAe.kI
aiUy'4xu
%c*@j
.eH'y
{&%U)
lj%4U
xe%CNs
9F.cLe
hJK.ZH
O.qt0
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
_y.qzone.qq.com
hXXp://w.qzone.qq.com/cgi-bin/likes/internal_dolike_app?g_tk=
&zb_url=http://i.gtimg.cn/qzone/space_item/pre/14/94110_1.gif
&curkey=http://user.qzone.qq.com/
&unikey=http://user.qzone.qq.com/
/main&appid=7030&face=0&fupdate=1&from=1&query_count=200&opuin=
qzreferrer=http://user.qzone.qq.com/
hXXp://user.qzone.qq.com/
:hXXp://VVV.tmd.la
hXXp://users.qzone.qq.com/cgi-bin/likes/get_like_list_app?uin=
VVV.29523472.cn/
2000-4000
WinHttp.WinHttpRequest.5.1
application/x-www-form-urlencoded
Adodb.Stream
MSScriptControl.ScriptControl
Scripting.Encoder
1, 2, 0, 1, 2, 0, 2, 0, 0, 2, 0, 2, 1, 0, 2, 0,
1, 0, 2, 0, 1, 1, 2, 0, 0, 2, 1, 0, 2, 0, 0, 2,
1, 1, 0, 2, 0, 2, 0, 1, 0, 1, 1, 2, 0, 1, 0, 2,
1, 0, 2, 0, 1, 1, 2, 0, 0, 1, 1, 2, 0, 1, 0, 2
digits["A".charCodeAt(0) i] = i
digits["a".charCodeAt(0) i] = i 26
for (var i=0; i<10; i  ) digits["0".charCodeAt(0) i] = i 52
if (char.charCodeAt(0) > 126) return char
if (escapes.indexOf(char) != -1) return escaped.substr(escapes.indexOf(char), 1)
val  = (digits[string.substr(0,1).charCodeAt(0)] << 2)
val  = (digits[string.substr(1,1).charCodeAt(0)] >> 4)
val  = (digits[string.substr(1,1).charCodeAt(0)] & 0xf) << 12
val  = ((digits[string.substr(2,1).charCodeAt(0)] >> 2) << 8)
val  = ((digits[string.substr(2,1).charCodeAt(0)] & 0x3) << 22)
val  = (digits[string.substr(3,1).charCodeAt(0)] << 16)
scriptIndex = encodingString.indexOf(marker, stringIndex)
unEncodingString  = encodingString.substring(stringIndex, scriptIndex)
scriptIndex  = marker.length
unEncodingString  = encodingString.substr(stringIndex, encodingString.length)
encodingLength = encodingString.substr(scriptIndex, 6)
scriptIndex  = (6   "==".length)
stringIndex = scriptIndex   "DQgAAA==^#~@".length
char = encodingString.substr(scriptIndex, 1)
if (char.charCodeAt(0) < 0xFF)
unEncodingString  = String.fromCharCode(transformed[pick_encoding[unEncodingIndexd]][char.charCodeAt(0)])
unEncodingString  = unescape(encodingString.substr(  scriptIndex, 1))
re = new RegExp("(JScript|VBscript).encode", "gmi")
while(arr = re.exec(unEncodingString)) unEncodingString = RegExp.leftContext   RegExp.$1   RegExp.rightContext
strdec(AdodbStream.ReadText);
0.0.0.0
0000000000
function encrypt(str,pass){
data = m_xxtea.encrypt(str, pass);
function decrypt(str,pass){
data = m_xxtea.decrypt(str, pass);
if (str.match(/^[\x00-\x7f]*$/) != null) {
return str.toString();
len = str.length;
c = str.charCodeAt(i);
out[j] = str.charAt(i);
out[j] = String.fromCharCode(0xc0 | (c >>> 6),
out[j] = String.fromCharCode(0xe0 | (c >>> 12),
c2 = str.charCodeAt(i);
out[j] = String.fromCharCode(0xf0 | ((c >>> 18) & 0x3f),
return out.join('');
if ((str.match(/^[\x00-\x7f]*$/) != null) ||
(str.match(/^[\x00-\xff]*$/) == null)) {
c = str.charCodeAt(i  );
out[j  ] = str.charAt(i - 1);
c2 = str.charCodeAt(i  );
out[j  ] = String.fromCharCode(((c & 0x1f) << 6) |
c3 = str.charCodeAt(i  );
out[j  ] = String.fromCharCode(((c & 0x0f) << 12) |
c4 = str.charCodeAt(i  );
out[j  ] = String.fromCharCode(((s >>> 10) & 0x03ff) | 0xd800,
var base64EncodeChars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /'.split('');
len = str.length;
c = str.charCodeAt(i  ) << 16 |
str.charCodeAt(i  ) << 8 |
str.charCodeAt(i  );
c = str.charCodeAt(i  );
c = str.charCodeAt(i  ) << 8 |
return out.join('');
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, -1, 63,
if (/[^ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\ \/\=]/.test(str)) {
if (str.charAt(len - 2) == '=') {
else if (str.charAt(len - 1) == '=') {
c1 = base64DecodeChars[str.charCodeAt(i  )];
c2 = base64DecodeChars[str.charCodeAt(i  )];
out[j  ] = String.fromCharCode((c1 << 2) | ((c2 & 0x30) >> 4));
c3 = base64DecodeChars[str.charCodeAt(i  )];
out[j  ] = String.fromCharCode(((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2));
c4 = base64DecodeChars[str.charCodeAt(i  )];
out[j  ] = String.fromCharCode(((c3 & 0x03) << 6) | c4);
var length = data.length;
data[i] = String.fromCharCode(
return data.join('').substring(0, n);
return data.join('');
var length = string.length;
result[i >> 2] = string.charCodeAt(i) |
string.charCodeAt(i   1) << 8 |
string.charCodeAt(i   2) << 16 |
string.charCodeAt(i   3) << 24;
result[result.length] = length;
this.encrypt = function(string, key) {
var k = stringToLongArray(key, false);
if (k.length < 4) {
k.length = 4;
var n = v.length - 1;
var mx, e, p, q = Math.floor(6   52 / (n   1)), sum = 0;
this.decrypt = function(string, key) {
var mx, e, p, q = Math.floor(6   52 / (n   1)), sum = q * delta & 0xffffffff;
* See hXXp://pajhome.org.uk/crypt/md5 for details.
function hex_sha1(s){return binb2hex(core_sha1(str2binb(s),s.length * chrsz));}
function b64_sha1(s){return binb2b64(core_sha1(str2binb(s),s.length * chrsz));}
function str_sha1(s){return binb2str(core_sha1(str2binb(s),s.length * chrsz));}
function hex_hmac_sha1(key, data){ return binb2hex(core_hmac_sha1(key, data));}
function b64_hmac_sha1(key, data){ return binb2b64(core_hmac_sha1(key, data));}
function str_hmac_sha1(key, data){ return binb2str(core_hmac_sha1(key, data));}
for(var i = 0; i < x.length; i  = 16)
* Calculate the HMAC-SHA1 of a key and some data
function core_hmac_sha1(key, data)
var bkey = str2binb(key);
if(bkey.length > 16) bkey = core_sha1(bkey, key.length * chrsz);
ipad[i] = bkey[i] ^ 0x36363636;
opad[i] = bkey[i] ^ 0x5C5C5C5C;
var hash = core_sha1(ipad.concat(str2binb(data)), 512   data.length * chrsz);
return core_sha1(opad.concat(hash), 512   160);
* Add integers, wrapping at 2^32. This uses 16-bit operations internally
for(var i = 0; i < str.length * chrsz; i  = chrsz)
bin[i>>5] |= (str.charCodeAt(i / chrsz) & mask) << (32 - chrsz - i2);
for(var i = 0; i < bin.length * 32; i  = chrsz)
str  = String.fromCharCode((bin[i>>5] >>> (32 - chrsz - i2)) & mask);
for(var i = 0; i < binarray.length * 4; i  )
str  = hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8 4)) & 0xF)  
hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8 )) & 0xF);
for(var i = 0; i < binarray.length * 4; i  = 3)
if(i * 8   j * 6 > binarray.length * 32) str  = b64pad;
else str  = tab.charAt((triplet >> 6*(3-j)) & 0x3F);
TempObj=JSON.parse(str);
var obj=JSON.parse(str);
Lobj.push(obj);
return Lobj.length;
function GetAllKey(){
Lobj = JSON.parse(str);
var str=JSON.stringify(Lobj);
return Lobj.str;
if (typeof Date.prototype.toJSON !== 'function') {
Date.prototype.toJSON = function (key) {
return isFinite(this.valueOf())
? this.getUTCFullYear()   '-'  
f(this.getUTCMonth()   1)   '-'  
f(this.getUTCDate())   'T'  
f(this.getUTCHours())   ':'  
f(this.getUTCMinutes())   ':'  
f(this.getUTCSeconds())   'Z'
String.prototype.toJSON =
Number.prototype.toJSON =
Boolean.prototype.toJSON = function (key) {
return this.valueOf();
'"' : '\\"',
'\\': '\\\\'
escapable.lastIndex = 0;
return escapable.test(string) ? '"'   string.replace(escapable, function (a) {
: '\\u'   ('0000'   a.charCodeAt(0).toString(16)).slice(-4);
function str(key, holder) {
k, // The member key.
value = holder[key];
typeof value.toJSON === 'function') {
value = value.toJSON(key);
value = rep.call(holder, key, value);
if (Object.prototype.toString.apply(value) === '[object Array]') {
length = value.length;
v = partial.length === 0
? '[\n'   gap   partial.join(',\n'   gap)   '\n'   mind   ']'
: '['   partial.join(',')   ']';
length = rep.length;
partial.push(quote(k)   (gap ? ': ' : ':')   v);
if (Object.prototype.hasOwnProperty.call(value, k)) {
v = partial.length === 0
? '{\n'   gap   partial.join(',\n'   gap)   '\n'   mind   '}'
: '{'   partial.join(',')   '}';
if (typeof JSON.stringify !== 'function') {
JSON.stringify = function (value, replacer, space) {
typeof replacer.length !== 'number')) {
throw new Error('JSON.stringify');
if (typeof JSON.parse !== 'function') {
JSON.parse = function (text, reviver) {
function walk(holder, key) {
var k, v, value = holder[key];
if (Object.prototype.hasOwnProperty.call(value, k)) {
return reviver.call(holder, key, value);
cx.lastIndex = 0;
if (cx.test(text)) {
text = text.replace(cx, function (a) {
('0000'   a.charCodeAt(0).toString(16)).slice(-4);
.test(text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@')
.replace(/"[^"\\\n\r]*"|true|false|null|-?\d (?:\.\d*)?(?:[eE][ \-]?\d )?/g, ']')
.replace(/(?:^|:|,)(?:\s*\[) /g, ''))) {
throw new SyntaxError('JSON.parse');
JSON.stringify(Lobj['
Lobj.push("
Lobj.push(
Lobj.push('
Lobj.length
JSON.stringify(Lobj[
Lobj.splice(
GetAllKey
Math.round(new Date().getTime()/1000)
Math.round(new Date().getTime())
Math.round(new Date().getTime() * 100)
7 9 10 5 8 4 2 1 6 3 7 9 10 5 8 4 2
WScript.Shell
rundll32.exe url.dll,FileProtocolHandler
function trim_output() {while (output.length && (output[output.length - 1] === " " || output[output.length - 1] === indent_string)) {output.pop();}}
function print_newline(ignore_repeated) {ignore_repeated = typeof ignore_repeated === "undefined" ? true : ignore_repeated;trim_output();if (!output.length) {return;}if (output[output.length - 1] !== "\n" || !ignore_repeated) {output.push("\n");}for (var i = 0; i < indent_level; i  ) {output.push(indent_string);}}
function print_space() {var last_output = output.length ? output[output.length - 1] : " ";if (last_output !== " " && last_output !== "\n" && last_output !== indent_string) {output.push(" ");}}
function print_token() {output.push(token_text);}
function remove_indent() {if (output.length && output[output.length - 1] === indent_string) {output.pop();}}
function set_mode(mode) {modes.push(current_mode);current_mode = mode;}
function restore_mode() {do_block_just_closed = current_mode === "DO_BLOCK";current_mode = modes.pop();}
function in_array(what, arr) {for (var i = 0; i < arr.length; i  ) {if (arr[i] === what) {return true;}}return false;}
function get_next_token() {var n_newlines = 0;var c = "";do {if (parser_pos >= input.length) {return ["", "TK_EOF"];}c = input.charAt(parser_pos);parser_pos  = 1;if (c === "\n") {n_newlines  = 1;}} while (in_array(c, whitespace));if (n_newlines > 1) {for (var i = 0; i < 2; i  ) {print_newline(i === 0);}}var wanted_newline = n_newlines === 1;if (in_array(c, wordchar)) {if (parser_pos < input.length) {while (in_array(input.charAt(parser_pos), wordchar)) {c  = input.charAt(parser_pos);parser_pos  = 1;if (parser_pos === input.length) {break;}}}if (parser_pos !== input.length && c.match(/^[0-9] [Ee]$/) && input.charAt(parser_pos) === "-") {parser_pos  = 1;var t = get_next_token(parser_pos);c  = "-"   t[0];return [c, "TK_WORD"];}if (c === "in") {return [c, "TK_OPERATOR"];}return [c, "TK_WORD"];}if (c === "(" || c === "[") {return [c, "TK_START_EXPR"];}if (c === ")" || c === "]") {return [c, "TK_END_EXPR"];}if (c === "{") {return [c, "TK_START_BLOCK"];}if (c === "}") {return [c, "TK_END_BLOCK"];}if (c === ";") {return [c, "TK_END_COMMAND"];}if (c === "/") {var comment = "";if (input.charAt(parser_pos) === "*") {parser_pos  = 1;if (parser_pos < input.length) {while (!(input.charAt(parser_pos) === "*" && input.charAt(parser_pos   1) && input.charAt(parser_pos   1) === "/") && parser_pos < input.length) {comment  = input.charAt(parser_pos);parser_pos  = 1;if (parser_pos >= input.length) {break;}}}parser_pos  = 2;return ["/*"   comment   "*/", "TK_BLOCK_COMMENT"];}if (input.charAt(parser_pos) === "/") {comment = c;while (input.charAt(parser_pos) !== "\r" && input.charAt(parser_pos) !== "\n") {comment  = input.charAt(parser_pos);parser_pos  = 1;if (parser_pos >= input.length) {break;}}parser_pos  = 1;if (wanted_newline) {print_newline();}return [comment, "TK_COMMENT"];}}if (c === "'" || c === "\"" || c === "/" && (last_type === "TK_WORD" && last_text === "return" || last_type === "TK_START_EXPR" || last_type === "TK_END_BLOCK" || last_type === "TK_OPERATOR" || last_type === "TK_EOF" || last_type === "TK_END_COMMAND")) {var sep = c;var esc = false;c = "";if (parser_pos < input.length) {while (esc || input.charAt(parser_pos) !== sep) {c  = input.charAt(parser_pos);if (!esc) {esc = input.charAt(parser_pos) === "\\";} else {esc = false;}parser_pos  = 1;if (parser_pos >= input.length) {break;}}}parser_pos  = 1;if (last_type === "TK_END_COMMAND") {print_newline();}return [sep   c   sep, "TK_STRING"];}if (in_array(c, punct)) {while (parser_pos < input.length && in_array(c   input.charAt(parser_pos), punct)) {c  = input.charAt(parser_pos);parser_pos  = 1;if (parser_pos >= input.length) {break;}}return [c, "TK_OPERATOR"];}return [c, "TK_UNKNOWN"];}
indent_character = indent_character || " ";indent_size = indent_size || 4;indent_string = "";while (indent_size--) {indent_string  = indent_character;}input = js_source_text;last_word = "";last_type = "TK_START_EXPR";last_text = "";output = [];do_block_just_closed = false;var_line = false;var_line_tainted = false;whitespace = "\n\r\t ".split("");wordchar = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_$".split("");punct = "  - * / % &    -- =  = -= *= /= $= == === != !== > < >= <= >> << >>> >>>= >>= <<= && &= | || ! !! , : ? ^ ^= |=".split(" ");line_starters = "continue,try,throw,return,var,if,switch,case,default,for,while,break,function".split(",");current_mode = "BLOCK";modes = [current_mode];indent_level = indent_level || 0;parser_pos = 0;in_case = false;while (true) {var t = get_next_token(parser_pos);token_text = t[0];token_type = t[1];if (token_type === "TK_EOF") {break;}switch (token_type) {case "TK_START_EXPR":var_line = false;set_mode("EXPRESSION");if (last_type === "TK_END_EXPR" || last_type === "TK_START_EXPR") {} else if (last_type !== "TK_WORD" && last_type !== "TK_OPERATOR") {print_space();} else if (in_array(last_word, line_starters) && last_word !== "function") {print_space();}print_token();break;case "TK_END_EXPR":print_token();restore_mode();break;case "TK_START_BLOCK":if (last_word === "do") {set_mode("DO_BLOCK");} else {set_mode("BLOCK");}if (last_type !== "TK_OPERATOR" && last_type !== "TK_START_EXPR") {if (last_type === "TK_START_BLOCK") {print_newline();} else {print_space();}}print_token();indent();break;case "TK_END_BLOCK":if (last_type === "TK_START_BLOCK") {trim_output();unindent();} else {unindent();print_newline();}print_token();restore_mode();break;case "TK_WORD":if (do_block_just_closed) {print_space();print_token();print_space();break;}if (token_text === "case" || token_text === "default") {if (last_text === ":") {remove_indent();} else {unindent();print_newline();indent();}print_token();in_case = true;break;}prefix = "NONE";if (last_type === "TK_END_BLOCK") {if (!in_array(token_text.toLowerCase(), ["else", "catch", "finally"])) {prefix = "NEWLINE";} else {prefix = "SPACE";print_space();}} else if (last_type === "TK_END_COMMAND" && (current_mode === "BLOCK" || current_mode === "DO_BLOCK")) {prefix = "NEWLINE";} else if (last_type === "TK_END_COMMAND" && current_mode === "EXPRESSION") {prefix = "SPACE";} else if (last_type === "TK_WORD") {prefix = "SPACE";} else if (last_type === "TK_START_BLOCK") {prefix = "NEWLINE";} else if (last_type === "TK_END_EXPR") {print_space();prefix = "NEWLINE";}if (last_type !== "TK_END_BLOCK" && in_array(token_text.toLowerCase(), ["else", "catch", "finally"])) {print_newline();} else if (in_array(token_text, line_starters) || prefix === "NEWLINE") {if (last_text === "else") {print_space();} else if ((last_type === "TK_START_EXPR" || last_text === "=") && token_text === "function") {} else if (last_type === "TK_WORD" && (last_text === "return" || last_text === "throw")) {print_space();} else if (last_type !== "TK_END_EXPR") {if ((last_type !== "TK_START_EXPR" || token_text !== "var") && last_text !== ":") {if (token_text === "if" && last_type === "TK_WORD" && last_word === "else") {print_space();} else {print_newline();}}} else {if (in_array(token_text, line_starters) && last_text !== ")") {print_newline();}}} else if (prefix === "SPACE") {print_space();}print_token();last_word = token_text;if (token_text === "var") {var_line = true;var_line_tainted = false;}break;case "TK_END_COMMAND":print_token();var_line = false;break;case "TK_STRING":if (last_type === "TK_START_BLOCK" || last_type === "TK_END_BLOCK") {print_newline();} else if (last_type === "TK_WORD") {print_space();}print_token();break;case "TK_OPERATOR":var start_delim = true;var end_delim = true;if (var_line && token_text !== ",") {var_line_tainted = true;if (token_text === ":") {var_line = false;}}if (token_text === ":" && in_case) {print_token();print_newline();break;}in_case = false;if (token_text === ",") {if (var_line) {if (var_line_tainted) {print_token();print_newline();var_line_tainted = false;} else {print_token();print_space();}} else if (last_type === "TK_END_BLOCK") {print_token();print_newline();} else {if (current_mode === "BLOCK") {print_token();print_newline();} else {print_token();print_space();}}break;} else if (token_text === "--" || token_text === "  ") {if (last_text === ";") {start_delim = true;end_delim = false;} else {start_delim = false;end_delim = false;}} else if (token_text === "!" && last_type === "TK_START_EXPR") {start_delim = false;end_delim = false;} else if (last_type === "TK_OPERATOR") {start_delim = false;end_delim = false;} else if (last_type === "TK_END_EXPR") {start_delim = true;end_delim = true;} else if (token_text === ".") {start_delim = false;end_delim = false;} else if (token_text === ":") {if (last_text.match(/^\d $/)) {start_delim = true;} else {start_delim = false;}}if (start_delim) {print_space();}print_token();if (end_delim) {print_space();}break;case "TK_BLOCK_COMMENT":print_newline();print_token();print_newline();break;case "TK_COMMENT":print_space();print_token();print_newline();break;case "TK_UNKNOWN":print_token();break;default:;}last_type = token_type;last_text = token_text;}return output.join("");}
x =a.replace(/^\s /, '')
1970/01/01 00:00:00
.htmlt
VVV.29523472.cn
287306383
VVV.29523472.cn
287306383
29523472
CCmdTarget
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CNotSupportedException
__MSVCRT_HEAP_SELECT
GetCPInfo
KERNEL32.dll
UnhookWindowsHookEx
SetWindowsHookExA
GetKeyState
CreateDialogIndirectParamA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
WINSPOOL.DRV
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
ADVAPI32.dll
SHELL32.dll
oledlg.dll
OLEPRO32.DLL
OLEAUT32.dll
WEBUI.fne
F%D,3
%*.*f
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
WSOCK32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
icmp.dll
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
VVV.dywt.com.cn
(*.htm;*.html)|*.htm;*.html
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
window.event
its:%s::%s
:[email protected]
:6225 8841 1439 1173
:6222 0234 0000 1901908
:95599 8137 08198 36418
hXXp://VVV.lifepj.cn
[email protected]
(0730)6672620
.?AVCCmdUI@@
.PAVCOleException@@
.PAVCObject@@
.PAVCOleDispatchException@@
.?AVCCmdTarget@@
.?AVCTestCmdUI@@
.PAVCUserException@@
.PAVCArchiveException@@
.PAVCSimpleException@@
.PAVCResourceException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
zcÁ
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
WinExec
GetProcessHeap
RegCreateKeyA
GetViewportOrgEx
ShellExecuteA
InternetCrackUrlA
InternetCanonicalizeUrlA
.text
`.rdata
@.data
1, 0, 6, 6
- Skin.dll
(*.*)

%original file name%.exe_800_rwx_10001000_00039000:




L$(h%f
SSh0j
msctls_hotkey32
TVCLHotKey
THotKey
\skinh.she
}uo,x6l5k%x-l h
9p%s m)t4`#b
e"m?c&y1`Ð<
SetViewportOrgEx
SetViewportExtEx
SetWindowsHookExA
UnhookWindowsHookEx
EnumThreadWindows
EnumChildWindows
`c%US.4/
!#$<#$#=
.text
`.rdata
@.data
.rsrc
@.UPX0
`.UPX1
`.reloc






Remove it with Ad-Aware




    

  1. Click (here) to download and install Ad-Aware Free Antivirus.
    2. 

  2. Update the definition files.
    3. 

  3. Run a full scan of your computer.
    4. 





Manual removal*




    

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
    2. 

  2. Delete the original Trojan file.
    3. 

  3. Delete or disinfect the following files created/modified by the Trojan:
    

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A9WRW5GJ\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OR5MZNZI\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    C:\Ƥ·ô.she (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OR5MZNZI\CAOVI5A7.htm (10 bytes)
    C:\jedata.dll (88 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (400 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OR5MZNZI\CAR2KVN1 (123 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GBE3DABB\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PW0KY8DE\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (180 bytes)
    

    4. 

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
    5. 

  5. Reboot the computer.
    6. 



*Manual removal may cause unexpected system behaviour and should be performed at your own risk.












 
 




 
No votes yet












				


							


			

				
					  
							

		

		


					
							

	

	
	        


	

        
      
 

      
      

      
    
 

    
  
 

		


		

		
			

			

				

					Lavasoft is the maker of Ad-Aware,
					the world's most popular anti-malware 
					software with over 450 million 
					downloads.
				

				

					© 2026 Lavasoft. All rights reserved.

					Terms Of Use |   Privacy Policy
					


								

			


		

		


	

	
	

	

		x
		
Our best antivirus yet!

		
Fresh new look. Faster scanning. Better protection.

		

			
Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

			
For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

			
			Download adaware antivirus 12
		

		No thanks, continue to lavasoft.com
	

	

		

			close x
			
Discover the new adaware antivirus 12

			
Our best antivirus yet

			Download Now