Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:TR/Agent.75776.8
Date discovered:23/04/2007
Type:Trojan
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low to medium
Damage Potential:Low to medium
Static file:Yes
File size:75.776 Bytes
MD5 checksum:2fa48a277ed630e0c2d76b7b47c3a935
VDF version:6.38.01.20
IVDF version:6.38.01.22 - Monday, April 23, 2007

 General Method of propagation:
   • Autorun feature


Aliases:
   •  Mcafee: W32/Autorun.worm.c
   •  Kaspersky: Worm.Win32.AutoRun.bpsa
   •  Sophos: Troj/PWS-BJM
   •  Bitdefender: Win32.Worm.Autorun.WB
   •  GData: Win32.Worm.Autorun.WB


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Lowers security settings
   • Registry modification

 Files It copies itself to the following locations:
   • %PROGRAM FILES%\Common Files\Microsoft Shared\explorer.exe
   • C:\TSTP\winlogon.exe
   • %drive%\svchost.exe



It deletes the following files:
   • %drive%\lvglkr.doc
   • %drive%\ttqdxj.jpg
   • %drive%\85S22.dat
   • %drive%\xbkkjw.gif
   • %drive%\upppye.txt
   • %drive%\gixvab.bmp



The following files are created:

%drive%\upppye.txt
%drive%\autorun.inf This is a non malicious text file with the following content:
   • %code that runs malware%

– %ALLUSERSPROFILE%\Start Menu\Programs\Startup\TSPS.lnk This is a non malicious text file with the following content:
   • %code that runs malware%

– %ALLUSERSPROFILE%\Desktop\Intennet Exploner.lnk This is a non malicious text file with the following content:
   • %code that runs malware%

%drive%\lvglkr.doc
– %HOME%\Favorites\&
%drive%\ttqdxj.jpg
– %ALLUSERSPROFILE%\Desktop\
– %ALLUSERSPROFILE%\Desktop\
%drive%\85S22.dat
– %ALLUSERSPROFILE%\Desktop\
%drive%\xbkkjw.gif
%PROGRAM FILES%\Common Files\ips888.dll Further investigation pointed out that this file is malware, too. Detected as: TR/HideProc.F

%drive%\gixvab.bmp



It tries to execute the following file:

– Filename:
   • %PROGRAM FILES%\Common Files\Microsoft Shared\explorer.exe

 Registry The following registry keys are added:

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\CCenter.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\auto.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Navapsvc.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\irsetup.exe]
   • "Debugger"="ntsd -d"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   • "DisableRegistryTools"=dword:0x00000001

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\UmxAgent.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\QQSC.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\PFWLiveUpdate.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\DSMain.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\logogo.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\mmqczj.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kwstray.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\360Safe.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\mmsk.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\adam.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RavTask.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RavMonD.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KVMonXP_1.kxp]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\QQDoctorMain.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\QHSET.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ScanFrm.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\QQPCSmashFile.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kvwsc.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\qsetup.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\rfwProxy.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\av.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Trojanwall.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kvolself.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\360rp.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kissvc.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Iparmor.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\IceSword.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\niu.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\filmst.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RsAgent.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\MagicSet.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\SysSafe.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\QQKav.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\pagefile.pif]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\UmxFwHlp.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\360rpt.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\FileDsty.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KVScan.kxp]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\isPwdSvc.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\TxoMoU.Exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\pfserver.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kernelwind32.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Rsaupd.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Navapw32.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Discovery.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RsTray.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\EGHOST.exe]
   • "Debugger"="ntsd -d"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\
   Associations]
   • "ModRiskFileTypes"=".exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\QQPCMgr.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\WoptiClean.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\UFO.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KAVPF.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Rav.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\FTCleanerShell.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KVSrvXP.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RavStub.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\qheart.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avp.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\XP.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\PFW.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kavstart.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\SelfUpdate.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\guangd.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\QQPCTray.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\loaddll.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\360safebox.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\SREngPS.EXE]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ghost.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\UIHost.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KASTask.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\atpup.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies]
   • "WriteProtect"=dword:0x00000000

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\XDelBox.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\jisu.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\QQPCRTP.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\UmxCfg.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KASMain.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\TNT.Exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\mcconsol.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\appdllman.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\cross.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\NPFMntor.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avconsol.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
   • "DisableRegistryTools"=dword:0x00000001

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\nod32.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\TrojanDetector.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\799d.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KAVDX.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kvupload.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avp.com]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\SDGames.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\USBCleaner.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Ras.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RegClean.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KAV32.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\HijackThis.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\360sd.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\NAVSetup.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avgrssvc.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\iparmo.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\pagefile.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\nod32kui.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\360sdrun.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\QQDoctorRtp.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\360tray.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\TrojDie.kxp]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\UpLive.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Classes\exefile]
   • "NeverShowExt"="1"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KvfwMcl.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Wsyscheck.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\UmxAttachment.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kvol.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ccSvcHst.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KVMonXP.kxp]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\SmartUp.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ScanU3.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ravcopy.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\autoruns.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\UmxPol.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\SREng.EXE]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\QQDoctor.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\nod32krn.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RavMon.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kabaload.exe]
   • "Debugger"="ntsd -d"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\FYFireWall.exe]
   • "Debugger"="ntsd -d"



The following registry keys are changed:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
   HideDesktopIcons\ClassicStartMenu]
   New value:
   • "{871C5380-42A0-1069-A2EA-08002B30309D}"=dword:0x00000001

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   New value:
   • "ShowSuperHidden"=dword:0x00000000

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
   HideDesktopIcons\NewStartPanel]
   New value:
   • "{871C5380-42A0-1069-A2EA-08002B30309D}"=dword:0x00000001

 Miscellaneous Accesses internet resources:
   • http://888.qq2233.com/**********
   • http://i.163**********.com/?96
   • http://www.dh0**********.com/?Dll
   • http://www.vol**********.com/?Dll


Mutex:
It creates the following Mutex:
   • 51ea43ebe4a56fa13efb989971bcd358


String:
Furthermore it contains the following strings:
   • iq123.com
   • yijidh.com
   • 250dh.cn
   • 223.la
   • kuku123.com
   • 930930.com
   • 9123.com
   • hao123e.com
   • 020.com
   • youxi777.com
   • 1616.net
   • 1188.com
   • urldh.com
   • daohang.la
   • pp55.com
   • 9605.com
   • 05505.cn
   • 7055.net
   • 0056.com
   • 6655.com
   • 1166.com
   • 5kip.com
   • 114xia.com
   • 265dh.com
   • 3567.com
   • 6565.cn
   • 666t.com
   • 9223.com
   • dduu.com
   • hao123.cn
   • 5snow.com
   • 2523.com
   • 5599.net
   • tt98.com
   • zhaodao123.com
   • kuhao123.com
   • 5151la.net
   • 6h.com.cn
   • zeibi.com
   • 6e8e.com
   • th123.com
   • 9991.com
   • hao123ol.com
   • wu123.com
   • t220.cn
   • ttver.net
   • 188HI.com
   • go2000.com
   • 5igb.com
   • bb2000.net
   • 9wa.com
   • qq5.com
   • 365j.com
   • 7345.com
   • 2760.com
   • 361la.com
   • haojs.com
   • 5zd.com
   • i8866.com
   • 100wz.com
   • 114hi.com
   • 234.la
   • 657.com
   • 339.la
   • 365wz.net
   • 7792.com
   • 9495.com
   • dazuimao.com
   • 71314.com
   • 265.com
   • gouwo.com
   • huai456.com
   • ku256.com
   • my180.com
   • 2522.cn
   • 405.cn
   • 44244.com
   • 111dh.com
   • 115ku.com
   • 13387.com
   • 163yes.com
   • 256s.com
   • 2676.com
   • 3355.net
   • 365lo.com
   • 4168.com
   • 4545.cn
   • 4688.com
   • 566.net
   • 5666.net
   • 5733.com
   • 6461.cn
   • 7356.com
   • 800186.com
   • 85851.com
   • asp51.com
   • 361dh.com
   • 5566.net
   • yulinweb.com
   • 6296.com.cn
   • mianfeia.com
   • ai1234.com
   • k369.com
   • msncn.com
   • ss256.com
   • min513.com
   • 88-888.com
   • lggg.cn
   • 7771.cn
   • leeboo.com
   • jjol.cn
   • 5566.com
   • 9166.net
   • hao253.com
   • 7b.com.cn
   • haoei.com
   • 77114.com
   • 21310.cn
   • weiduomei.net
   • kk3000.cn
   • 7241.cn
   • 44384.com
   • daohang1234.com
   • 131.cc
   • 223224.com
   • 537.com
   • 9348.cn
   • bju123.cn
   • i4455.com
   • jia123.com
   • 0666.com.cn
   • 553.la
   • 5566.org
   • 37021.com
   • 88488.com
   • 99986.net
   • 37021.net
   • k986.com
   • cc62.com
   • 5518.cn
   • 55620.com
   • 52416.com
   • 7357.cn
   • 8c8c.net
   • 9999q.com
   • 123shi123.com
   • yl234.cn
   • 3322.com
   • hao222.com
   • 6313.com
   • f127.com
   • 5599cn.cn
   • 99499.com
   • 2548.cn
   • 133.net
   • ie30.com
   • 8751.com
   • se:home
   • 160dh.com
   • 114115.com
   • 1322.cn
   • hh361.com
   • 2800.cc
   • 52daohang.com
   • 186.me
   • diyidh.com
   • zaodezhu.com
   • 7832.com
   • 3073.com
   • 2058.cc
   • 3456.cc
   • 7771.com
   • q6789.com
   • 7k.cc
   • dianzi88.com
   • 7802.com
   • xinbut.com
   • 59688.com
   • gjj.cc
   • youla.com
   • ok1616.com
   • i2345.cn
   • gg8000.com
   • daohang12345.cn
   • inina.cn
   • dowei.com
   • 1515.net
   • 41119.cn
   • 21230.cn
   • 97youku.com
   • fast35.net
   • m32.cn
   • tom155.cn
   • 668yo.com
   • online.cq.cn
   • shagua.cn
   • 007247.cn
   • 603467.cn
   • 197326.cn
   • wwwoj.cn
   • xp22.cn
   • 84022.cn
   • 520593.cn
   • 448789.cn
   • 141321.cn
   • 36gggg.cn
   • 427842.cn
   • niubihao123.cn
   • ovooo.cn
   • rtys520.net
   • rtxzw.com
   • uurenti.cc
   • bo.dy288.com
   • renti11.com
   • 123.cd
   • 336655.com
   • 9978.net
   • 114la.com
   • 520.com
   • 6l.cn
   • 420.cn
   • v989.com
   • 16551.com
   • 2tvv.com
   • m4455.com
   • 5987.net
   • 7999.com
   • caipopo.com
   • wndhw.com
   • henku123.com
   • qu123.com
   • 94176.com
   • u526.com
   • haokan123.com
   • uusee.net
   • 9733.com
   • 173com
   • qnrwz.com
   • 999w.com
   • h935.com
   • 33250.com
   • tz911.net
   • 639e.com
   • 920xx.cn
   • 13393.com
   • tncdh.com
   • sou185.com
   • 3566.cc
   • 580so.com
   • 2001.cc
   • hnhao123.com
   • zz5.net.cn
   • abc123.name
   • ekan123.com
   • 1266.cc
   • hao123.cc
   • 126.cc
   • ie1788.com
   • 58daohang.com
   • 6dh.com
   • 991.cn
   • 114la.me
   • 1133.cc
   • ads8.com
   • haoz.com
   • jsing.net
   • 123.sogou.com
   • 3321.com
   • 1155.cc
   • hao123.com
   • hao123.net
   • 6700.cn
   • 168.com
   • uu881.com
   • 6264.cn
   • 606600.com
   • 2345.com
   • 5607.cn
   • 1111116.com
   • v7799.com
   • ie7.com.cn
   • 365t.cc
   • 89679.com
   • se:blank
   • 35029.com
   • 8d9a.cn
   • 400zm.com
   • 58816.com
   • 727dh.cn
   • hao123w.com
   • 114td.com
   • 28101.cn
   • 03336.cn
   • 79001.cn
   • 133132.com
   • 3434.com.cn
   • 828dh.cn
   • 64500.cn
   • 22q.cc
   • jj77.com
   • vvyy.net
   • ie567.com
   • 5d5e.com
   • 212dh.cn
   • 911g.cn
   • 1616.la
   • tomatolei.com
   • 96nn.com
   • 5543.com
   • 2288.org
   • 3322.org
   • 9966.org
   • 8800.org
   • 8866.org
   • 7766.org
   • 22409.com
   • se-se.info
   • 26043.com
   • 34414.com
   • gaoav1.info
   • 0558114.com
   • 3333dh.cn
   • zjialin.com
   • 22dao.com
   • soupay.com
   • langlangdoor.com
   • 99cu.com
   • 5555dh.cn
   • wang123.net
   • hxdlink
   • haaoo123.com
   • 3645.com
   • hao123q.com
   • tvsooo.com
   • gaituba.com
   • 45566.net
   • 2298.cn
   • iexx.com
   • dh115.com
   • 97sp.cn
   • 39r.cn
   • f8f8.cn
   • 391kk.cn
   • 266.cc
   • jysoso.net
   • wg510.cn
   • 1155.com
   • 114d.org
   • ie3721.com
   • 2142.cn
   • go2000.cc
   • go2000.cn
   • 99521.com
   • yeooo.com
   • haha123.com
   • hao.360.cn
   • 07707.cn
   • yy2000.net
   • 1111118.com
   • 26281.com
   • 960dh.cn
   • 300.cc
   • 163333333.com.cn
   • kz300.cn
   • i3525.cn
   • 67881.net
   • t2t2.net
   • mm4000.cn
   • 669dh.cn
   • k58n.com
   • haoha123.com
   • ab99.com
   • i2255.com
   • 054.cc
   • fffggqq.cn
   • k2345.net
   • vv33.com
   • tuku6.com
   • mmpp654.com
   • 228dh.cn
   • seibb.com
   • 14164.com
   • 552dh.cn
   • hao969.com
   • lalamao.com
   • 21225.cn
   • 5k5.net
   • 65630.cn
   • at46.cn
   • 98928.cn
   • ads.eorezo.com
   • 661dh.cn
   • 6320.com
   • henbianjie.com
   • xiushe.com
   • 5mqxmq.com
   • 989228.com
   • i8844.cn
   • g1476.cn
   • 4j4j.cn
   • 1777zzw5.com
   • 989228.cn
   • henbucuo.com
   • 886dh.cn
   • 2255.net
   • 160yes.com
   • u8s.cn
   • 16711.com
   • 626dh.cn
   • rfwow.cn
   • baiyici.cn
   • lalamao.cn
   • 136s.com
   • huhuyy.cn
   • 8diq.com
   • d2fs.cn
   • 0229.com
   • yy4000.com
   • 9934.cn
   • 3883.net
   • 151dh.com
   • 26dh.cn
   • kkwwxx.com
   • t67.net
   • 29dao.cn
   • 58ju.com
   • dnc8.net
   • yl177.com.cn
   • xj.cn
   • 950990.cn
   • 114.com.cn
   • xxxip.cn
   • 3628.com
   • 265.cc
   • 26.la
   • 5654.com
   • zg115.com
   • 969dh.cn
   • 111555.com.cn
   • pic.jinti.com
   • kk8000.com
   • wokaokao.cn
   • duoxxppmmkoo.com
   • kanlink.cn
   • 91youa.com
   • shinia.cn
   • pp9pp9.cn
   • ma80.com
   • 556dh.cn
   • bu4.cn
   • 8555.com
   • e23.la
   • flash678.cn
   • yy4000.cn
   • wo333.com
   • mv700.com
   • xcwhgx.cn
   • 3s11.cn
   • sp16888.com
   • k7k7.com
   • zzw5.com
   • okdianying.com
   • 789bb.com
   • antuoo.com
   • so06.com
   • 665532.cn
   • 7f7f.com
   • k261.com
   • fanbaidu.org.cn
   • iu888.cn
   • 977k.com
   • 93w.com
   • 68566.com.cn
   • zhidao163.cn
   • it958.cn
   • lx8000.cn
   • sc.cn
   • ucuc.cc
   • kkdowns.com
   • 189189.com
   • 0002.com
   • 4737.cn
   • 226dh.cn
   • bb115.cn
   • 06000.cn
   • u87.cn
   • sohao123.com
   • k887.com
   • hao602.com
   • t7t7.net
   • ku4000.cn
   • v6677.cn
   • hong666.com
   • 4000a.com
   • kk4000.cn
   • 7767.com
   • 11227.cn
   • u9u9.net
   • 28113.cn
   • rr55.com
   • a4000.cn
   • yunfujkw.cn
   • 886.com
   • 2800.cer.cn
   • zyyu.com
   • 49la.com
   • hi3000.cn
   • sogouliulanqi.com
   • 888ge.com
   • 00333.cn
   • 29wz.com
   • soso126.com
   • 180wan.com
   • kan888.com
   • 4929.cn
   • v2233.com
   • m345.cn
   • tt265.net
   • 18ttt.com
   • 153.cc
   • 00664.cn
   • gugogo.com
   • kk4000.com
   • 185b.com
   • uuent.com
   • 6666dh.cn
   • 25dao.com
   • shangla.com
   • 77177.cn
   • about:blank
   • haoq123.com
   • baiduo.org
   • lejiu.net
   • dianxin.cn
   • u7758.com
   • dao234.com
   • 85692.com
   • xiaosb.com
   • soso313.cn
   • 939dh.com
   • 85952.com
   • 31346.com
   • 71528.com
   • 788dh.com
   • 91695.com
   • 5566x.com
   • 131u.com
   • 1149.cn
   • 9281.net
   • my115.net
   • 4119.cn
   • 9m1.net
   • dh818.com
   • iehwz.com
   • wa200.com
   • hao234.cc
   • 6781.com
   • 652dh.com
   • 16811.com
   • zhongshu.net
   • 992k.com
   • 71628.com
   • 6701.com
   • diyou.net
   • iehao123.com
   • laidao123.com
   • yinfen.net
   • wz4321.com
   • shangqu.info
   • 5121.net
   • 668g.com
   • 51150.com
   • 53ff.com
   • dada123.com
   • you2000.com
   • 884599.cn
   • kuaijiong.com
   • 398.cn
   • 32387.com
   • 82vv.com
   • 46.com
   • 09tao.com
   • 977dh.com
   • 598.net
   • 211dh.com
   • 9365.info
   • wblive.com
   • e722.com
   • v232.com
   • 7400.net
   • 62106.com
   • ll4xi.com
   • 3932.com
   • puZeng.com
   • 97199.com
   • 447.cc
   • 0749.com
   • 6656.net
   • niebai.com
   • 447.com
   • uuchina.net
   • hao123cn.info
   • dao666.com
   • 9813.org
   • 91kk.com
   • freedh.info
   • yidaba.com
   • 161111111.com
   • 009dh.com
   • qsxx.cn
   • geyuan.net
   • 8t8.net
   • xorg.pl
   • bij.pl
   • qqnz.com
   • srpkw.com
   • gggdu.com
   • baiduo.com
   • wys99.com
   • leilei.cc
   • 3633.net
   • fjta.com
   • so11.cn
   • 522dh.com
   • 9249.com
   • 3110.cn
   • 300cc.com
   • 7669.cn
   • 5c6.com
   • 7993.cn
   • 8336.cn
   • 03m.net
   • ou33.com
   • bv0.net
   • 163333333.cn
   • 45575.com
   • 2637.cn
   • skyhouse.com.cn
   • 98453.com
   • 65642.net
   • 776la.com
   • 256.CC
   • 114king.cn
   • yyyqq.com
   • huhu123.com
   • gyyx.cn
   • 2888.me
   • 4444dh.cn
   • 191pk.com
   • 118.com
   • 57xswz.com
   • how18.cn
   • sohu12333333.com
   • xz26.com
   • 654v.com
   • 280580.cn
   • huoban.taobao.com
   • fjgqw.com
   • 49558.cn
   • pp8000.cn
   • 265it.com
   • soolaa.com
   • 9899.cn
   • 18143.com
   • haoxyz.com
   • 4555.net
   • 10du.net
   • 528988.com
   • wahahaha123.com
   • c256.cn
   • chinaih.com
   • mnv.cn
   • 633dh.com
   • ncjxx.com
   • 51721.net
   • 556w.com
   • 114cc.net
   • 5go.com.cn
   • pp4000.com
   • 8844.com
   • dd335.cn
   • qu163.net
   • itwenba.cn
   • dou2game.cn
   • h220.com
   • neng123.com
   • pleoc.cn
   • 6006.cc
   • 987654.com
   • 39903.com
   • ddoowwnn.cn
   • 788111.com
   • zhidao001.com
   • 5hao123.com
   • 978.la
   • 135968.cn
   • bb112.com
   • r220.cn
   • 365kong.com
   • woainame.cn
   • okgouwu.cn
   • hao006.com
   • jipinla.com
   • 99467.com
   • wawamm.cn
   • qian14.cn
   • ip27.cn
   • 56dh.cn
   • 2966.com
   • game333.net
   • kukuwz.com
   • 1-xiu.cn
   • 92hao123.com
   • lian9.cn
   • 222q.cn
   • jj98.com
   • 73vv.com
   • mubanw.com
   • t262.com
   • x1258.cn
   • weishi66.cn
   • hao990.com
   • 68la.com
   • sowang123.cn
   • 3929.cn
   • 5665.cn
   • 81sf.com
   • kz123.cn
   • qq806.cn
   • ffwyt.com

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Açıklamayı yerleştiren Petre Galan tarihinde 1 Nisan 2011 Cuma
Açıklamayı güncelleyen: Andrei Ivanes tarihinde 8 Nisan 2011 Cuma

Geri . . . .
https:// Bu pencere güvenlik amacıyla şifrelenmiştir.