HEUR:Trojan.Win32.Generic (Kaspersky), Worm.Win32.Dorkbot.FD, WormDorkbot.YR, GenericUDPFlooder.YR, GenericIRCBot.YR, GenericMSNWorm.YR, GenericUSBInfector.YR, GenericDNSBlocker.YR, GenericAutorunWorm.YR, GenericSYNFlooder.YR, GenericInjector.YR, BankerGeneric.YR, GenericProxy.YR, GenericPhysicalDrive0.YR (Lavasoft MAS)Behaviour: Banker, Trojan, Flooder, Worm, WormAutorun, IRCBot, MSNWorm, DNSBlocker, UDPFlooder, SYNFlooder, Trojan-Proxy, USBInfector
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 6e34467dd949a74d0d65b9014cfdd066
SHA1: 040bc0354c27b0eaae62253b7c6d842bd7c85791
SHA256: 27ca8280182f51dbab03c26cb26d6be49ec899c84f319ccdba2d96f53f7de75a
SSDeep: 3072:xkKD3DKpZm3R3y2qr6HOoKP7KsKh081OXxew LZT 1N:xk6Tko3aN5usmdOXqm
Size: 149504 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2011-06-14 17:39:33
Analyzed on: Windows7 SP1 32-bit
Summary: Worm. A program that is primarily replicating on networks or removable drives.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer. |
IRCBot | A bot can communicate with command and control servers via IRC channel. |
MSNWorm | A worm can spread its copies through the MSN Messanger. |
DNSBlocker | A program can block designated DNS servers for making it difficult for users to locate specific domains or web sites on the Internet. |
UDPFlooder | This program can make a UDP flood. A UDP flood attack is a denial-of-service attack using the User Datagram Protocol (UDP). It can be initiated by sending a large number of UDP packets to random ports on a remote host. |
SYNFlooder | This program can make a SYN flood. It is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic. |
Trojan-Proxy | This program can launch a proxy server (SOCKS4) on a designated TCP port. |
USBInfector | A program can register a device notification with the help of RegisterDeviceNotification. So it is notified when a USB device is plugged and then the worm copies itself to the USB device plugged into the affected computer. |
Process activity
The Worm creates the following process(es):
%original file name%.exe:3424
The Worm injects its code into the following process(es):
WerFault.exe:2108
csrss.exe:368
winlogon.exe:416
taskhost.exe:872
Dwm.exe:1376
Explorer.EXE:1440
TPAutoConnect.exe:2160
conhost.exe:2168
conhost.exe:3076
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process %original file name%.exe:3424 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Oplqle.exe (824 bytes)
Registry activity
The process WerFault.exe:2108 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"ExceptionRecord" = "03 00 00 80 00 00 00 00 00 00 00 00 23 73 EA 02"
[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles]
"FirstLevelConsentDialog" = "Type: REG_QWORD, Length: 8"
[HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles]
"FirstLevelConsentDialog" = "Type: REG_QWORD, Length: 8"
The process %original file name%.exe:3424 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Oplqle" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Oplqle.exe"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Worm installs the following user-mode hooks in urlmon.dll:
URLDownloadToFileA
URLDownloadToFileW
The Worm installs the following user-mode hooks in WININET.dll:
HttpSendRequestA
HttpSendRequestW
InternetWriteFile
The Worm installs the following user-mode hooks in ADVAPI32.dll:
RegCreateKeyExW
RegCreateKeyExA
The Worm installs the following user-mode hooks in WS2_32.dll:
send
GetAddrInfoW
The Worm installs the following user-mode hooks in kernel32.dll:
MoveFileA
MoveFileW
CopyFileA
CreateFileA
CreateFileW
CopyFileW
The Worm installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
ZwResumeThread
NtQueryDirectoryFile
ZwEnumerateValueKey
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.A program can register a device notification with the help of RegisterDeviceNotification. So it is notified when a USB device is plugged and then the worm copies itself to the USB device plugged into the affected computer.A worm can spread its copies through the MSN Messanger.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:3424
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
C:\Users\"%CurrentUserName%"\AppData\Roaming\Oplqle.exe (824 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Oplqle" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Oplqle.exe" - Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 8192 | 26068 | 26112 | 4.12101 | 1f89e13769042086bc30f8d593824dda |
.sdata | 40960 | 107 | 512 | 1.05827 | cf605b0bd0b28fc836871bced8eff446 |
.rsrc | 49152 | 121184 | 121344 | 5.40618 | 59d35c4f046822ea271b421894f9b503 |
.reloc | 172032 | 12 | 512 | 0.056519 | 4e07950ae9961489b89d6fdc866da153 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Worm connects to the servers at the folowing location(s):
Strings from Dumps
svchost.exe_548:
.text
.text
`.data
`.data
.rsrc
.rsrc
@.reloc
@.reloc
msvcrt.dll
msvcrt.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-WIN-Service-Core-L1-1-0.dll
API-MS-WIN-Service-Core-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
RPCRT4.dll
RPCRT4.dll
ole32.dll
ole32.dll
ntdll.dll
ntdll.dll
_amsg_exit
_amsg_exit
RegCloseKey
RegCloseKey
RegOpenKeyExW
RegOpenKeyExW
GetProcessHeap
GetProcessHeap
svchost.pdb
svchost.pdb
version="5.1.0.0"
version="5.1.0.0"
name="Microsoft.Windows.Services.SvcHost"
name="Microsoft.Windows.Services.SvcHost"
Host Process for Windows Services
Host Process for Windows Services
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost
Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost
\PIPE\
\PIPE\
Host Process for Windows Services
Host Process for Windows Services
6.1.7600.16385 (win7_rtm.090713-1255)
6.1.7600.16385 (win7_rtm.090713-1255)
svchost.exe
svchost.exe
Windows
Windows
Operating System
Operating System
6.1.7600.16385
6.1.7600.16385
WerFault.exe_2108:
.text
.text
`.data
`.data
.rsrc
.rsrc
@.reloc
@.reloc
ADVAPI32.dll
ADVAPI32.dll
ntdll.DLL
ntdll.DLL
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
msvcrt.dll
msvcrt.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
SHLWAPI.dll
SHLWAPI.dll
IMM32.dll
IMM32.dll
wer.dll
wer.dll
COMCTL32.dll
COMCTL32.dll
faultrep.dll
faultrep.dll
Starting kernel vertical - %S
Starting kernel vertical - %S
rundll32.exe
rundll32.exe
NtQueryInformationProcess failed with status: 0x%x
NtQueryInformationProcess failed with status: 0x%x
Reporting never started for process id %u
Reporting never started for process id %u
StringCchPrintf failed with 0x%x
StringCchPrintf failed with 0x%x
NtWow64QueryInformationProcess64 failed with 0x%x
NtWow64QueryInformationProcess64 failed with 0x%x
NtWow64ReadVirtualMemory64 failed with 0x%x
NtWow64ReadVirtualMemory64 failed with 0x%x
NtQueryInformationProcess failed with status 0x%x
NtQueryInformationProcess failed with status 0x%x
WerpNtWow64QueryInformationProcess64 failed with status 0x%x
WerpNtWow64QueryInformationProcess64 failed with status 0x%x
StringCchCopy failed with 0x%x
StringCchCopy failed with 0x%x
Invalid arg in %s
Invalid arg in %s
wdi.dll
wdi.dll
dbgeng.dll
dbgeng.dll
dbghelp.dll
dbghelp.dll
SETUPAPI.dll
SETUPAPI.dll
SHELL32.dll
SHELL32.dll
VERSION.dll
VERSION.dll
WTSAPI32.dll
WTSAPI32.dll
WerFault.pdb
WerFault.pdb
PSShD
PSShD
tSSh,
tSSh,
t.PSj6
t.PSj6
t5SSh
t5SSh
SShx`
SShx`
tsShxc
tsShxc
t.Ph0j
t.Ph0j
_amsg_exit
_amsg_exit
RegCloseKey
RegCloseKey
RegCreateKeyExW
RegCreateKeyExW
RegOpenKeyExW
RegOpenKeyExW
RegEnumKeyExW
RegEnumKeyExW
RegQueryInfoKeyW
RegQueryInfoKeyW
GetProcessHeap
GetProcessHeap
GetWindowsDirectoryW
GetWindowsDirectoryW
RegDeleteKeyW
RegDeleteKeyW
ReportEventW
ReportEventW
RegOpenKeyW
RegOpenKeyW
RegSetKeyValueW
RegSetKeyValueW
GetProcessWindowStation
GetProcessWindowStation
EnumWindows
EnumWindows
NtAlpcSendWaitReceivePort
NtAlpcSendWaitReceivePort
NtAlpcConnectPort
NtAlpcConnectPort
ShipAssert
ShipAssert
ntdll.dll
ntdll.dll
RegisterErrorReportingDialog
RegisterErrorReportingDialog
WerReportSubmit
WerReportSubmit
WerReportAddFile
WerReportAddFile
WerReportCreate
WerReportCreate
WerReportCloseHandle
WerReportCloseHandle
WerReportSetUIOption
WerReportSetUIOption
WerpGetReportConsent
WerpGetReportConsent
WerpSetIntegratorReportId
WerpSetIntegratorReportId
WerpReportCancel
WerpReportCancel
WerpAddRegisteredDataToReport
WerpAddRegisteredDataToReport
WerReportAddDump
WerReportAddDump
WerpCreateIntegratorReportId
WerpCreateIntegratorReportId
WerpSetReportFlags
WerpSetReportFlags
WerpGetReportFlags
WerpGetReportFlags
WerpIsTransportAvailable
WerpIsTransportAvailable
WerReportSetParameter
WerReportSetParameter
WerpInitiateCrashReporting
WerpInitiateCrashReporting
version="1.0.0.0"
version="1.0.0.0"
name="Microsoft.Windows.Feedback.Watson"
name="Microsoft.Windows.Feedback.Watson"
name="Microsoft.Windows.Common-Controls"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
publicKeyToken="6595b64144ccf1df"
ÃCD0
ÃCD0
#$$$3355
#$$$3355
##$$$335566
##$$$335566
% "#$$$3355666=
% "#$$$3355666=
"#$$33555666
"#$$33555666
!.DQ$
!.DQ$
.Py>o
.Py>o
Kÿg
Kÿg
.ib:?
.ib:?
T3%X_
T3%X_
a,M.cbd
a,M.cbd
KEYW8
KEYW8
KEYWH
KEYWH
? ?$?(?,?0?4?8?
? ?$?(?,?0?4?8?
1 2$2(2,20242
1 2$2(2,20242
>,?0?4?8?@?
>,?0?4?8?@?
?%?5?:?|?
?%?5?:?|?
5'565^5{5
5'565^5{5
3#3(353_3
3#3(353_3
=#='= =/=3=7=;=?=
=#='= =/=3=7=;=?=
=#=(=>=]=
=#=(=>=]=
>!>&>3>}>
>!>&>3>}>
1!1&131[1
1!1&131[1
Microsoft\Windows\WindowsErrorReporting\WerFault
Microsoft\Windows\WindowsErrorReporting\WerFault
%s %s
%s %s
Global\WerKernelVerticalReporting
Global\WerKernelVerticalReporting
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl
CrashDumpEnabled.Old
CrashDumpEnabled.Old
CrashDumpEnabled.New
CrashDumpEnabled.New
%SystemRoot%\MEMORY.DMP
%SystemRoot%\MEMORY.DMP
LiveKernelReports
LiveKernelReports
Software\Microsoft\Windows\Windows Error Reporting\LiveKernelReports
Software\Microsoft\Windows\Windows Error Reporting\LiveKernelReports
LiveKernelReportsPath
LiveKernelReportsPath
BCCode=%x&BCP1=%p&BCP2=%p&BCP3=%p&BCP4=%p&OS Version=%u_%u_%u&Service Pack=%u_%u&Product=%u_%u
BCCode=%x&BCP1=%p&BCP2=%p&BCP3=%p&BCP4=%p&OS Version=%u_%u_%u&Service Pack=%u_%u&Product=%u_%u
*WerKernelReporting
*WerKernelReporting
%SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq
%SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows\Windows Error Reporting\KernelFaults\Queue
SOFTWARE\Microsoft\Windows\Windows Error Reporting\KernelFaults\Queue
sysdata.xml
sysdata.xml
%s -k -q
%s -k -q
SOFTWARE\Microsoft\Windows NT\CurrentVersion
SOFTWARE\Microsoft\Windows NT\CurrentVersion
%u.%u.%u %u.%u
%u.%u.%u %u.%u
%u
%u
%u
%u
%u
%u
%u
%u
d-d-d d:d:d
d-d-d d:d:d
%s
%s
%s
%s
Failed at Step: %s with error 0x%x
Failed at Step: %s with error 0x%x
%sDrivers\%s.sys
%sDrivers\%s.sys
%s>
%s>
%s%s>
%s%s>
%u.%u.%u.%u
%u.%u.%u.%u
*.mrk
*.mrk
WER-%u-%u.sysdata.xml
WER-%u-%u.sysdata.xml
Software\Microsoft\Windows\CurrentVersion\CEIPRole\RolesInWER
Software\Microsoft\Windows\CurrentVersion\CEIPRole\RolesInWER
SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability\MemoryDiagnostic
SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability\MemoryDiagnostic
Web Server
Web Server
Software\Microsoft\Windows\Windows Error Reporting\Debug
Software\Microsoft\Windows\Windows Error Reporting\Debug
%SystemRoot%\Minidump
%SystemRoot%\Minidump
0xx (0xx, 0xx, 0xx, 0xx)
0xx (0xx, 0xx, 0xx, 0xx)
%s\%2.2d%2.2d%2.2d-%u-%2.2d.dmp
%s\%2.2d%2.2d%2.2d-%u-%2.2d.dmp
*.dmp
*.dmp
Software\Microsoft\Windows\Windows Error Reporting
Software\Microsoft\Windows\Windows Error Reporting
Software\Policies\Microsoft\Windows\Windows Error Reporting
Software\Policies\Microsoft\Windows\Windows Error Reporting
\KernelObjects\SystemErrorPortReady
\KernelObjects\SystemErrorPortReady
%s\%s
%s\%s
Microsoft.Windows.Setup
Microsoft.Windows.Setup
\WindowsErrorReportingServicePort
\WindowsErrorReportingServicePort
(0x%x): %s
(0x%x): %s
%u %s
%u %s
WindowsNTVersion
WindowsNTVersion
%u.%u
%u.%u
ErrorPort
ErrorPort
\StringFileInfo\xx\%s
\StringFileInfo\xx\%s
HKEY_USERS\
HKEY_USERS\
HKEY_CURRENT_CONFIG\
HKEY_CURRENT_CONFIG\
HKEY_CLASSES_ROOT\
HKEY_CLASSES_ROOT\
HKEY_LOCAL_MACHINE\
HKEY_LOCAL_MACHINE\
HKEY_CURRENT_USER\
HKEY_CURRENT_USER\
%s="%s"
%s="%s"
%s.%s
%s.%s
%s %d
%s %d
Software\Microsoft\Windows\Windows Error Reporting\Hangs
Software\Microsoft\Windows\Windows Error Reporting\Hangs
_NT_EXECUTABLE_IMAGE_PATH
_NT_EXECUTABLE_IMAGE_PATH
wxmu.dmp
wxmu.dmp
wxhu.dmp
wxhu.dmp
axmu.dmp
axmu.dmp
axhu.dmp
axhu.dmp
hu.kdmp
hu.kdmp
mu.kdmp
mu.kdmp
hu.dmp
hu.dmp
mu.dmp
mu.dmp
Software\Microsoft\.NETFramework
Software\Microsoft\.NETFramework
NOT_TCPIP
NOT_TCPIP
sos.dll
sos.dll
version.xml
version.xml
.version.xml
.version.xml
%s.xml
%s.xml
memory.hdmp
memory.hdmp
minidump.mdmp
minidump.mdmp
Local\WERReportingForProcess%d
Local\WERReportingForProcess%d
atk.kdmp
atk.kdmp
Software\Microsoft\Windows\Windows Error Reporting\Hangs\NHRTimes
Software\Microsoft\Windows\Windows Error Reporting\Hangs\NHRTimes
%i|%d|%d
%i|%d|%d
xxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxx
xx
xx
%d.%d.%d.%d
%d.%d.%d.%d
D:P(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;%s)
D:P(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;%s)
D:P(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;%s)S:(ML;;NR;;;HI)
D:P(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;%s)S:(ML;;NR;;;HI)
dc.noreflect
dc.noreflect
dc.xpmemdump
dc.xpmemdump
dc.xpdata
dc.xpdata
dc.CustomDump
dc.CustomDump
dc.expmodmem
dc.expmodmem
dc.expmoddata
dc.expmoddata
dc.OnDemandKdmp
dc.OnDemandKdmp
dc.xpmodmem
dc.xpmodmem
dc.xpmoddata
dc.xpmoddata
default=%s
default=%s
memory=%s
memory=%s
module=%s
module=%s
.dbgcfg.ini
.dbgcfg.ini
ElevatedDataCollectionStatus.txt
ElevatedDataCollectionStatus.txt
Open process failed unexpectedly: 0X%X
Open process failed unexpectedly: 0X%X
Attempting to cross-proc reporting process!
Attempting to cross-proc reporting process!
Elevation:Administrator!new:%s
Elevation:Administrator!new:%s
Reflection attempt failed: 0X%X
Reflection attempt failed: 0X%X
Attempting to reflect reporting process!
Attempting to reflect reporting process!
Could not collect dump for reflection cross process: 0x%x
Could not collect dump for reflection cross process: 0x%x
Could not collect xproc for reflection: 0x%x
Could not collect xproc for reflection: 0x%x
CollectFile for reflection failed: 0x%x
CollectFile for reflection failed: 0x%x
Could not collect dump for cross process: 0x%x
Could not collect dump for cross process: 0x%x
CollectReflectionDump failed with: 0x%x
CollectReflectionDump failed with: 0x%x
0 processes found for xproc module: %s
0 processes found for xproc module: %s
Could not collect cross dump from module: 0x%x
Could not collect cross dump from module: 0x%x
CollectCrossProcessModuleDumps failed: 0x%x
CollectCrossProcessModuleDumps failed: 0x%x
CollectCrossProcessDumps failed: 0x%x
CollectCrossProcessDumps failed: 0x%x
KernelDump failed: 0x%x
KernelDump failed: 0x%x
ProcessHandle
ProcessHandle
%s|%s
%s|%s
rpcrt4
rpcrt4
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebugProtected\AutoExclusionList
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebugProtected\AutoExclusionList
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\AutoExclusionList
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\AutoExclusionList
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebugProtected
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebugProtected
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
sntdll.dll
sntdll.dll
WerDiagController.dll
WerDiagController.dll
Software\Microsoft\Windows\Windows Error Reporting\Plugins
Software\Microsoft\Windows\Windows Error Reporting\Plugins
Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Software\Microsoft\Windows\Windows Error Reporting\Plugins\FDR\CurrentSession
Software\Microsoft\Windows\Windows Error Reporting\Plugins\FDR\CurrentSession
%s\%s\%u-%u.etl
%s\%s\%u-%u.etl
%s\%s\%u-%u.etl_%d
%s\%s\%u-%u.etl_%d
Microsoft\Windows\FDR
Microsoft\Windows\FDR
%s-%d
%s-%d
Software\Microsoft\Windows\Windows Error Reporting\Plugins\DriverVerifier
Software\Microsoft\Windows\Windows Error Reporting\Plugins\DriverVerifier
Software\Microsoft\Windows\Windows Error Reporting\Plugins\AppRecorder
Software\Microsoft\Windows\Windows Error Reporting\Plugins\AppRecorder
%d-AppRecorderEnabled
%d-AppRecorderEnabled
%s /stop
%s /stop
psr.exe
psr.exe
Software\Microsoft\Windows\Windows Error Reporting\RuntimeExceptionHelperModules
Software\Microsoft\Windows\Windows Error Reporting\RuntimeExceptionHelperModules
verifier.dll
verifier.dll
nVerifier.dll
nVerifier.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%s
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%s
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
lsvchost.exe
lsvchost.exe
"%s" "%s" "%s"
"%s" "%s" "%s"
%s\system32\cofire.exe
%s\system32\cofire.exe
psapi.dll
psapi.dll
sfc_os.dll
sfc_os.dll
werfault.exe
werfault.exe
%s\%s-(PID-%u)-%u
%s\%s-(PID-%u)-%u
%s\%s-(PID-%u).dmp
%s\%s-(PID-%u).dmp
%s\*-(PID-*)-*
%s\*-(PID-*)-*
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\%s
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\%s
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit
kernel32.dll
kernel32.dll
kernelbase.dll
kernelbase.dll
ReportingMode
ReportingMode
WinShipAssert
WinShipAssert
WindowsMessageReportingB1
WindowsMessageReportingB1
Windows
Windows
ws2_32.dll
ws2_32.dll
Software\Microsoft\SQMClient\%s\AdaptiveSqm\ManifestInfo
Software\Microsoft\SQMClient\%s\AdaptiveSqm\ManifestInfo
%s\Sqm%d.bin
%s\Sqm%d.bin
CorporateWerPortNumber
CorporateWerPortNumber
BypassDataThrottling
BypassDataThrottling
Software\Microsoft\Windows\Windows Error Reporting\Consent
Software\Microsoft\Windows\Windows Error Reporting\Consent
Windows Problem Reporting
Windows Problem Reporting
6.1.7600.16385 (win7_rtm.090713-1255)
6.1.7600.16385 (win7_rtm.090713-1255)
WerFault.exe
WerFault.exe
Windows
Windows
Operating System
Operating System
6.1.7600.16385
6.1.7600.16385
Microsoft-Windows-WER-Diag/Operational
Microsoft-Windows-WER-Diag/Operational
WerFault.exe_2108_rwx_000D0000_0002A000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
:.datt
:.datt
tB
tB
toSSSSSSSSSSh
toSSSSSSSSSSh
iu2.iu@
iu2.iu@
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
ntdll.dll
ntdll.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetWindowsDirectoryW
GetWindowsDirectoryW
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegCreateKeyExW
RegCreateKeyExW
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!
autorun.inf
autorun.inf
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
JOIN #
JOIN #
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
PRIVMSG #
PRIVMSG #
%s:%d
%s:%d
%s.PTF://%s:%s@%s:%d (p='%S')
%s.PTF://%s:%s@%s:%d (p='%S')
%s:%s@%s:%d
%s:%s@%s:%d
PASS %s
PASS %s
USER %s
USER %s
ftpgrab
ftpgrab
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
hXXp://
hXXp://
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
irc.albergueselvavirgen.com
irc.albergueselvavirgen.com
albergueselvavirgen.com
albergueselvavirgen.com
#httpslg
#httpslg
#ftplg
#ftplg
1.0.3
1.0.3
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
USER %s 0 0 :%s
USER %s 0 0 :%s
NICK %s
NICK %s
JOIN %s %s
JOIN %s %s
PART %s
PART %s
PRIVMSG %s :%s
PRIVMSG %s :%s
QUIT :%s
QUIT :%s
PONG %s
PONG %s
PRIVMSG
PRIVMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" http="%d" total="%d"]
[ftp="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\%s_ipc
\\.\pipe\%s_ipc
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
*megaupload.*/*login
*megaupload.*/*login
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserve.*/login*
*fileserve.*/login*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
Password
Password
*&Password=*
*&Password=*
*.alertpay.*/*login.aspx
*.alertpay.*/*login.aspx
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
-\\.\PHYSICALDRIVE0
-\\.\PHYSICALDRIVE0
state_%s
state_%s
shell32.dll
shell32.dll
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
{%s|%s%s}%s
{%s|%s%s}%s
n{%s|%s%s}%s
n{%s|%s%s}%s
%s|%s|%s
%s|%s|%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s|%s
%s|%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
explorer.exe
explorer.exe
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[Logins]: %s
[Logins]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
icon=shell32.dll,7
icon=shell32.dll,7
shellexecute=
shellexecute=
%windir%\system32\cmd.exe
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %Ã%%%s
&&%%windir%%\explorer.exe %Ã%%%s
/c "start %Ã%%RECYCLER\%s
/c "start %Ã%%RECYCLER\%s
\\.\%c:
\\.\%c:
%s\%s
%s\%s
%sautorun.tmp
%sautorun.tmp
%sautorun.inf
%sautorun.inf
%0x.exe
%0x.exe
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
%s-Mutex
%s-Mutex
%s_%d
%s_%d
%s_%lu
%s_%lu
kernel32.dll
kernel32.dll
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\Oplqle.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\Oplqle.exe
C:\Windows
C:\Windows
="='=7=
="='=7=
\\.\pipe
\\.\pipe
nwlcomm.exe
nwlcomm.exe
msmsgs.exe
msmsgs.exe
msnmsgr.exe
msnmsgr.exe
pidgin.exe
pidgin.exe
xchat.exe
xchat.exe
mirc.exe
mirc.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
cipconfig.exe
cipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
Internet Explorer\iexplore.exe
Internet Explorer\iexplore.exe
lol.exe
lol.exe
%s:Zone.Identifier
%s:Zone.Identifier
winlogon.exe
winlogon.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
wininet.dll
wininet.dll
ws2_32.dll
ws2_32.dll
Akernel23.dll
Akernel23.dll
yntdll.dll
yntdll.dll
skype.exe
skype.exe
lsass.exe
lsass.exe
\Device\HarddiskVolume1\Windows\System32\WerFault.exe
\Device\HarddiskVolume1\Windows\System32\WerFault.exe
csrss.exe_368_rwx_01FA0000_0002A000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
:.datt
:.datt
tB
tB
toSSSSSSSSSSh
toSSSSSSSSSSh
iu2.iu@
iu2.iu@
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
ntdll.dll
ntdll.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetWindowsDirectoryW
GetWindowsDirectoryW
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegCreateKeyExW
RegCreateKeyExW
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!
autorun.inf
autorun.inf
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
JOIN #
JOIN #
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
PRIVMSG #
PRIVMSG #
%s:%d
%s:%d
%s.PTF://%s:%s@%s:%d (p='%S')
%s.PTF://%s:%s@%s:%d (p='%S')
%s:%s@%s:%d
%s:%s@%s:%d
PASS %s
PASS %s
USER %s
USER %s
ftpgrab
ftpgrab
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
hXXp://
hXXp://
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
irc.albergueselvavirgen.com
irc.albergueselvavirgen.com
albergueselvavirgen.com
albergueselvavirgen.com
#httpslg
#httpslg
#ftplg
#ftplg
1.0.3
1.0.3
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
USER %s 0 0 :%s
USER %s 0 0 :%s
NICK %s
NICK %s
JOIN %s %s
JOIN %s %s
PART %s
PART %s
PRIVMSG %s :%s
PRIVMSG %s :%s
QUIT :%s
QUIT :%s
PONG %s
PONG %s
PRIVMSG
PRIVMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" http="%d" total="%d"]
[ftp="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\%s_ipc
\\.\pipe\%s_ipc
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
*megaupload.*/*login
*megaupload.*/*login
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserve.*/login*
*fileserve.*/login*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
Password
Password
*&Password=*
*&Password=*
*.alertpay.*/*login.aspx
*.alertpay.*/*login.aspx
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
-\\.\PHYSICALDRIVE0
-\\.\PHYSICALDRIVE0
state_%s
state_%s
shell32.dll
shell32.dll
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
{%s|%s%s}%s
{%s|%s%s}%s
n{%s|%s%s}%s
n{%s|%s%s}%s
%s|%s|%s
%s|%s|%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s|%s
%s|%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
explorer.exe
explorer.exe
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[Logins]: %s
[Logins]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
icon=shell32.dll,7
icon=shell32.dll,7
shellexecute=
shellexecute=
%windir%\system32\cmd.exe
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %Ã%%%s
&&%%windir%%\explorer.exe %Ã%%%s
/c "start %Ã%%RECYCLER\%s
/c "start %Ã%%RECYCLER\%s
\\.\%c:
\\.\%c:
%s\%s
%s\%s
%sautorun.tmp
%sautorun.tmp
%sautorun.inf
%sautorun.inf
%0x.exe
%0x.exe
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
%s-Mutex
%s-Mutex
%s_%d
%s_%d
%s_%lu
%s_%lu
kernel32.dll
kernel32.dll
C:\Windows\system32\csrss.exe
C:\Windows\system32\csrss.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\Oplqle.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\Oplqle.exe
C:\Windows
C:\Windows
="='=7=
="='=7=
\\.\pipe
\\.\pipe
nwlcomm.exe
nwlcomm.exe
msmsgs.exe
msmsgs.exe
msnmsgr.exe
msnmsgr.exe
pidgin.exe
pidgin.exe
xchat.exe
xchat.exe
mirc.exe
mirc.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
cipconfig.exe
cipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
Internet Explorer\iexplore.exe
Internet Explorer\iexplore.exe
lol.exe
lol.exe
%s:Zone.Identifier
%s:Zone.Identifier
winlogon.exe
winlogon.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
wininet.dll
wininet.dll
ws2_32.dll
ws2_32.dll
Akernel23.dll
Akernel23.dll
yntdll.dll
yntdll.dll
skype.exe
skype.exe
lsass.exe
lsass.exe
\Device\HarddiskVolume1\Windows\System32\csrss.exe
\Device\HarddiskVolume1\Windows\System32\csrss.exe
winlogon.exe_416_rwx_003B0000_0002A000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
:.datt
:.datt
tB
tB
toSSSSSSSSSSh
toSSSSSSSSSSh
iu2.iu@
iu2.iu@
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
ntdll.dll
ntdll.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetWindowsDirectoryW
GetWindowsDirectoryW
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegCreateKeyExW
RegCreateKeyExW
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!
autorun.inf
autorun.inf
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
JOIN #
JOIN #
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
PRIVMSG #
PRIVMSG #
%s:%d
%s:%d
%s.PTF://%s:%s@%s:%d (p='%S')
%s.PTF://%s:%s@%s:%d (p='%S')
%s:%s@%s:%d
%s:%s@%s:%d
PASS %s
PASS %s
USER %s
USER %s
ftpgrab
ftpgrab
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
hXXp://
hXXp://
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
irc.albergueselvavirgen.com
irc.albergueselvavirgen.com
albergueselvavirgen.com
albergueselvavirgen.com
#httpslg
#httpslg
#ftplg
#ftplg
1.0.3
1.0.3
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
USER %s 0 0 :%s
USER %s 0 0 :%s
NICK %s
NICK %s
JOIN %s %s
JOIN %s %s
PART %s
PART %s
PRIVMSG %s :%s
PRIVMSG %s :%s
QUIT :%s
QUIT :%s
PONG %s
PONG %s
PRIVMSG
PRIVMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" http="%d" total="%d"]
[ftp="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\%s_ipc
\\.\pipe\%s_ipc
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
*megaupload.*/*login
*megaupload.*/*login
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserve.*/login*
*fileserve.*/login*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
Password
Password
*&Password=*
*&Password=*
*.alertpay.*/*login.aspx
*.alertpay.*/*login.aspx
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
-\\.\PHYSICALDRIVE0
-\\.\PHYSICALDRIVE0
state_%s
state_%s
shell32.dll
shell32.dll
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
{%s|%s%s}%s
{%s|%s%s}%s
n{%s|%s%s}%s
n{%s|%s%s}%s
%s|%s|%s
%s|%s|%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s|%s
%s|%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
explorer.exe
explorer.exe
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[Logins]: %s
[Logins]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
icon=shell32.dll,7
icon=shell32.dll,7
shellexecute=
shellexecute=
%windir%\system32\cmd.exe
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %Ã%%%s
&&%%windir%%\explorer.exe %Ã%%%s
/c "start %Ã%%RECYCLER\%s
/c "start %Ã%%RECYCLER\%s
\\.\%c:
\\.\%c:
%s\%s
%s\%s
%sautorun.tmp
%sautorun.tmp
%sautorun.inf
%sautorun.inf
%0x.exe
%0x.exe
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
%s-Mutex
%s-Mutex
%s_%d
%s_%d
%s_%lu
%s_%lu
kernel32.dll
kernel32.dll
C:\Windows\system32\winlogon.exe
C:\Windows\system32\winlogon.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\Oplqle.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\Oplqle.exe
C:\Windows
C:\Windows
="='=7=
="='=7=
\\.\pipe
\\.\pipe
nwlcomm.exe
nwlcomm.exe
msmsgs.exe
msmsgs.exe
msnmsgr.exe
msnmsgr.exe
pidgin.exe
pidgin.exe
xchat.exe
xchat.exe
mirc.exe
mirc.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
cipconfig.exe
cipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
Internet Explorer\iexplore.exe
Internet Explorer\iexplore.exe
lol.exe
lol.exe
%s:Zone.Identifier
%s:Zone.Identifier
winlogon.exe
winlogon.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
wininet.dll
wininet.dll
ws2_32.dll
ws2_32.dll
Akernel23.dll
Akernel23.dll
yntdll.dll
yntdll.dll
skype.exe
skype.exe
lsass.exe
lsass.exe
taskhost.exe_872_rwx_00590000_0002A000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
:.datt
:.datt
tB
tB
toSSSSSSSSSSh
toSSSSSSSSSSh
iu2.iu@
iu2.iu@
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
ntdll.dll
ntdll.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetWindowsDirectoryW
GetWindowsDirectoryW
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegCreateKeyExW
RegCreateKeyExW
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!
autorun.inf
autorun.inf
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
JOIN #
JOIN #
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
PRIVMSG #
PRIVMSG #
%s:%d
%s:%d
%s.PTF://%s:%s@%s:%d (p='%S')
%s.PTF://%s:%s@%s:%d (p='%S')
%s:%s@%s:%d
%s:%s@%s:%d
PASS %s
PASS %s
USER %s
USER %s
ftpgrab
ftpgrab
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
hXXp://
hXXp://
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
irc.albergueselvavirgen.com
irc.albergueselvavirgen.com
albergueselvavirgen.com
albergueselvavirgen.com
#httpslg
#httpslg
#ftplg
#ftplg
1.0.3
1.0.3
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
USER %s 0 0 :%s
USER %s 0 0 :%s
NICK %s
NICK %s
JOIN %s %s
JOIN %s %s
PART %s
PART %s
PRIVMSG %s :%s
PRIVMSG %s :%s
QUIT :%s
QUIT :%s
PONG %s
PONG %s
PRIVMSG
PRIVMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" http="%d" total="%d"]
[ftp="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\%s_ipc
\\.\pipe\%s_ipc
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
*megaupload.*/*login
*megaupload.*/*login
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserve.*/login*
*fileserve.*/login*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
Password
Password
*&Password=*
*&Password=*
*.alertpay.*/*login.aspx
*.alertpay.*/*login.aspx
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
-\\.\PHYSICALDRIVE0
-\\.\PHYSICALDRIVE0
state_%s
state_%s
shell32.dll
shell32.dll
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
{%s|%s%s}%s
{%s|%s%s}%s
n{%s|%s%s}%s
n{%s|%s%s}%s
%s|%s|%s
%s|%s|%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s|%s
%s|%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
explorer.exe
explorer.exe
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[Logins]: %s
[Logins]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
icon=shell32.dll,7
icon=shell32.dll,7
shellexecute=
shellexecute=
%windir%\system32\cmd.exe
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %Ã%%%s
&&%%windir%%\explorer.exe %Ã%%%s
/c "start %Ã%%RECYCLER\%s
/c "start %Ã%%RECYCLER\%s
\\.\%c:
\\.\%c:
%s\%s
%s\%s
%sautorun.tmp
%sautorun.tmp
%sautorun.inf
%sautorun.inf
%0x.exe
%0x.exe
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
%s-Mutex
%s-Mutex
%s_%d
%s_%d
%s_%lu
%s_%lu
kernel32.dll
kernel32.dll
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskhost.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\Oplqle.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\Oplqle.exe
C:\Windows
C:\Windows
="='=7=
="='=7=
\\.\pipe
\\.\pipe
nwlcomm.exe
nwlcomm.exe
msmsgs.exe
msmsgs.exe
msnmsgr.exe
msnmsgr.exe
pidgin.exe
pidgin.exe
xchat.exe
xchat.exe
mirc.exe
mirc.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
cipconfig.exe
cipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
Internet Explorer\iexplore.exe
Internet Explorer\iexplore.exe
lol.exe
lol.exe
%s:Zone.Identifier
%s:Zone.Identifier
winlogon.exe
winlogon.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
wininet.dll
wininet.dll
ws2_32.dll
ws2_32.dll
Akernel23.dll
Akernel23.dll
yntdll.dll
yntdll.dll
skype.exe
skype.exe
lsass.exe
lsass.exe
Z\Device\HarddiskVolume1\Windows\System32\taskhost.exe
Z\Device\HarddiskVolume1\Windows\System32\taskhost.exe
Dwm.exe_1376_rwx_00120000_0002A000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
:.datt
:.datt
tB
tB
toSSSSSSSSSSh
toSSSSSSSSSSh
iu2.iu@
iu2.iu@
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
ntdll.dll
ntdll.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetWindowsDirectoryW
GetWindowsDirectoryW
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegCreateKeyExW
RegCreateKeyExW
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!
autorun.inf
autorun.inf
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
JOIN #
JOIN #
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
PRIVMSG #
PRIVMSG #
%s:%d
%s:%d
%s.PTF://%s:%s@%s:%d (p='%S')
%s.PTF://%s:%s@%s:%d (p='%S')
%s:%s@%s:%d
%s:%s@%s:%d
PASS %s
PASS %s
USER %s
USER %s
ftpgrab
ftpgrab
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
hXXp://
hXXp://
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
irc.albergueselvavirgen.com
irc.albergueselvavirgen.com
albergueselvavirgen.com
albergueselvavirgen.com
#httpslg
#httpslg
#ftplg
#ftplg
1.0.3
1.0.3
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
USER %s 0 0 :%s
USER %s 0 0 :%s
NICK %s
NICK %s
JOIN %s %s
JOIN %s %s
PART %s
PART %s
PRIVMSG %s :%s
PRIVMSG %s :%s
QUIT :%s
QUIT :%s
PONG %s
PONG %s
PRIVMSG
PRIVMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" http="%d" total="%d"]
[ftp="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\%s_ipc
\\.\pipe\%s_ipc
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
*megaupload.*/*login
*megaupload.*/*login
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserve.*/login*
*fileserve.*/login*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
Password
Password
*&Password=*
*&Password=*
*.alertpay.*/*login.aspx
*.alertpay.*/*login.aspx
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
-\\.\PHYSICALDRIVE0
-\\.\PHYSICALDRIVE0
state_%s
state_%s
shell32.dll
shell32.dll
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
{%s|%s%s}%s
{%s|%s%s}%s
n{%s|%s%s}%s
n{%s|%s%s}%s
%s|%s|%s
%s|%s|%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s|%s
%s|%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
explorer.exe
explorer.exe
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[Logins]: %s
[Logins]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
icon=shell32.dll,7
icon=shell32.dll,7
shellexecute=
shellexecute=
%windir%\system32\cmd.exe
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %Ã%%%s
&&%%windir%%\explorer.exe %Ã%%%s
/c "start %Ã%%RECYCLER\%s
/c "start %Ã%%RECYCLER\%s
\\.\%c:
\\.\%c:
%s\%s
%s\%s
%sautorun.tmp
%sautorun.tmp
%sautorun.inf
%sautorun.inf
%0x.exe
%0x.exe
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
%s-Mutex
%s-Mutex
%s_%d
%s_%d
%s_%lu
%s_%lu
kernel32.dll
kernel32.dll
C:\Windows\system32\Dwm.exe
C:\Windows\system32\Dwm.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\Oplqle.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\Oplqle.exe
C:\Windows
C:\Windows
="='=7=
="='=7=
\\.\pipe
\\.\pipe
nwlcomm.exe
nwlcomm.exe
msmsgs.exe
msmsgs.exe
msnmsgr.exe
msnmsgr.exe
pidgin.exe
pidgin.exe
xchat.exe
xchat.exe
mirc.exe
mirc.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
cipconfig.exe
cipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
Internet Explorer\iexplore.exe
Internet Explorer\iexplore.exe
lol.exe
lol.exe
%s:Zone.Identifier
%s:Zone.Identifier
winlogon.exe
winlogon.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
wininet.dll
wininet.dll
ws2_32.dll
ws2_32.dll
Akernel23.dll
Akernel23.dll
yntdll.dll
yntdll.dll
skype.exe
skype.exe
lsass.exe
lsass.exe
\Device\HarddiskVolume1\Windows\System32\dwm.exe
\Device\HarddiskVolume1\Windows\System32\dwm.exe
Explorer.EXE_1440_rwx_020D0000_0002A000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
:.datt
:.datt
tB
tB
toSSSSSSSSSSh
toSSSSSSSSSSh
iu2.iu@
iu2.iu@
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
ntdll.dll
ntdll.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetWindowsDirectoryW
GetWindowsDirectoryW
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegCreateKeyExW
RegCreateKeyExW
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!
autorun.inf
autorun.inf
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
JOIN #
JOIN #
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
PRIVMSG #
PRIVMSG #
%s:%d
%s:%d
%s.PTF://%s:%s@%s:%d (p='%S')
%s.PTF://%s:%s@%s:%d (p='%S')
%s:%s@%s:%d
%s:%s@%s:%d
PASS %s
PASS %s
USER %s
USER %s
ftpgrab
ftpgrab
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
hXXp://
hXXp://
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
irc.albergueselvavirgen.com
irc.albergueselvavirgen.com
albergueselvavirgen.com
albergueselvavirgen.com
#httpslg
#httpslg
#ftplg
#ftplg
1.0.3
1.0.3
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
USER %s 0 0 :%s
USER %s 0 0 :%s
NICK %s
NICK %s
JOIN %s %s
JOIN %s %s
PART %s
PART %s
PRIVMSG %s :%s
PRIVMSG %s :%s
QUIT :%s
QUIT :%s
PONG %s
PONG %s
PRIVMSG
PRIVMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" http="%d" total="%d"]
[ftp="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\%s_ipc
\\.\pipe\%s_ipc
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
*megaupload.*/*login
*megaupload.*/*login
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserve.*/login*
*fileserve.*/login*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
Password
Password
*&Password=*
*&Password=*
*.alertpay.*/*login.aspx
*.alertpay.*/*login.aspx
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
-\\.\PHYSICALDRIVE0
-\\.\PHYSICALDRIVE0
state_%s
state_%s
shell32.dll
shell32.dll
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
{%s|%s%s}%s
{%s|%s%s}%s
n{%s|%s%s}%s
n{%s|%s%s}%s
%s|%s|%s
%s|%s|%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s|%s
%s|%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
explorer.exe
explorer.exe
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[Logins]: %s
[Logins]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
icon=shell32.dll,7
icon=shell32.dll,7
shellexecute=
shellexecute=
%windir%\system32\cmd.exe
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %Ã%%%s
&&%%windir%%\explorer.exe %Ã%%%s
/c "start %Ã%%RECYCLER\%s
/c "start %Ã%%RECYCLER\%s
\\.\%c:
\\.\%c:
%s\%s
%s\%s
%sautorun.tmp
%sautorun.tmp
%sautorun.inf
%sautorun.inf
%0x.exe
%0x.exe
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
%s-Mutex
%s-Mutex
%s_%d
%s_%d
%s_%lu
%s_%lu
kernel32.dll
kernel32.dll
c:\%original file name%.exe
c:\%original file name%.exe
="='=7=
="='=7=
\\.\pipe
\\.\pipe
nwlcomm.exe
nwlcomm.exe
msmsgs.exe
msmsgs.exe
msnmsgr.exe
msnmsgr.exe
pidgin.exe
pidgin.exe
xchat.exe
xchat.exe
mirc.exe
mirc.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
cipconfig.exe
cipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
Internet Explorer\iexplore.exe
Internet Explorer\iexplore.exe
lol.exe
lol.exe
%s:Zone.Identifier
%s:Zone.Identifier
winlogon.exe
winlogon.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
wininet.dll
wininet.dll
ws2_32.dll
ws2_32.dll
Akernel23.dll
Akernel23.dll
yntdll.dll
yntdll.dll
skype.exe
skype.exe
lsass.exe
lsass.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\Oplqle.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\Oplqle.exe
Explorer.EXE_1440_rwx_02E90000_0002A000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
:.datt
:.datt
tB
tB
toSSSSSSSSSSh
toSSSSSSSSSSh
iu2.iu@
iu2.iu@
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
ntdll.dll
ntdll.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetWindowsDirectoryW
GetWindowsDirectoryW
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegCreateKeyExW
RegCreateKeyExW
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!
autorun.inf
autorun.inf
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
JOIN #
JOIN #
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
PRIVMSG #
PRIVMSG #
%s:%d
%s:%d
%s.PTF://%s:%s@%s:%d (p='%S')
%s.PTF://%s:%s@%s:%d (p='%S')
%s:%s@%s:%d
%s:%s@%s:%d
PASS %s
PASS %s
USER %s
USER %s
ftpgrab
ftpgrab
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
hXXp://
hXXp://
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
irc.albergueselvavirgen.com
irc.albergueselvavirgen.com
albergueselvavirgen.com
albergueselvavirgen.com
#httpslg
#httpslg
#ftplg
#ftplg
1.0.3
1.0.3
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
USER %s 0 0 :%s
USER %s 0 0 :%s
NICK %s
NICK %s
JOIN %s %s
JOIN %s %s
PART %s
PART %s
PRIVMSG %s :%s
PRIVMSG %s :%s
QUIT :%s
QUIT :%s
PONG %s
PONG %s
PRIVMSG
PRIVMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" http="%d" total="%d"]
[ftp="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\%s_ipc
\\.\pipe\%s_ipc
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
*megaupload.*/*login
*megaupload.*/*login
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserve.*/login*
*fileserve.*/login*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
Password
Password
*&Password=*
*&Password=*
*.alertpay.*/*login.aspx
*.alertpay.*/*login.aspx
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
-\\.\PHYSICALDRIVE0
-\\.\PHYSICALDRIVE0
state_%s
state_%s
shell32.dll
shell32.dll
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
{%s|%s%s}%s
{%s|%s%s}%s
n{%s|%s%s}%s
n{%s|%s%s}%s
%s|%s|%s
%s|%s|%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s|%s
%s|%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
explorer.exe
explorer.exe
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[Logins]: %s
[Logins]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
icon=shell32.dll,7
icon=shell32.dll,7
shellexecute=
shellexecute=
%windir%\system32\cmd.exe
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %Ã%%%s
&&%%windir%%\explorer.exe %Ã%%%s
/c "start %Ã%%RECYCLER\%s
/c "start %Ã%%RECYCLER\%s
\\.\%c:
\\.\%c:
%s\%s
%s\%s
%sautorun.tmp
%sautorun.tmp
%sautorun.inf
%sautorun.inf
%0x.exe
%0x.exe
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
%s-Mutex
%s-Mutex
%s_%d
%s_%d
%s_%lu
%s_%lu
kernel32.dll
kernel32.dll
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\"%CurrentUserName%"\AppData\Roaming\Oplqle.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\Oplqle.exe
C:\Windows
C:\Windows
="='=7=
="='=7=
\\.\pipe
\\.\pipe
nwlcomm.exe
nwlcomm.exe
msmsgs.exe
msmsgs.exe
msnmsgr.exe
msnmsgr.exe
pidgin.exe
pidgin.exe
xchat.exe
xchat.exe
mirc.exe
mirc.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
cipconfig.exe
cipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
Internet Explorer\iexplore.exe
Internet Explorer\iexplore.exe
lol.exe
lol.exe
%s:Zone.Identifier
%s:Zone.Identifier
winlogon.exe
winlogon.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
wininet.dll
wininet.dll
ws2_32.dll
ws2_32.dll
Akernel23.dll
Akernel23.dll
yntdll.dll
yntdll.dll
skype.exe
skype.exe
lsass.exe
lsass.exe
\Device\HarddiskVolume1\Windows\explorer.exe
\Device\HarddiskVolume1\Windows\explorer.exe
Explorer.EXE_1440_rwx_03A90000_0002A000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
:.datt
:.datt
tB
tB
toSSSSSSSSSSh
toSSSSSSSSSSh
iu2.iu@
iu2.iu@
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
ntdll.dll
ntdll.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetWindowsDirectoryW
GetWindowsDirectoryW
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegCreateKeyExW
RegCreateKeyExW
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!
autorun.inf
autorun.inf
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
JOIN #
JOIN #
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
PRIVMSG #
PRIVMSG #
%s:%d
%s:%d
%s.PTF://%s:%s@%s:%d (p='%S')
%s.PTF://%s:%s@%s:%d (p='%S')
%s:%s@%s:%d
%s:%s@%s:%d
PASS %s
PASS %s
USER %s
USER %s
ftpgrab
ftpgrab
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
hXXp://
hXXp://
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
irc.albergueselvavirgen.com
irc.albergueselvavirgen.com
albergueselvavirgen.com
albergueselvavirgen.com
#httpslg
#httpslg
#ftplg
#ftplg
1.0.3
1.0.3
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
USER %s 0 0 :%s
USER %s 0 0 :%s
NICK %s
NICK %s
JOIN %s %s
JOIN %s %s
PART %s
PART %s
PRIVMSG %s :%s
PRIVMSG %s :%s
QUIT :%s
QUIT :%s
PONG %s
PONG %s
PRIVMSG
PRIVMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" http="%d" total="%d"]
[ftp="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\%s_ipc
\\.\pipe\%s_ipc
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
*megaupload.*/*login
*megaupload.*/*login
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserve.*/login*
*fileserve.*/login*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
Password
Password
*&Password=*
*&Password=*
*.alertpay.*/*login.aspx
*.alertpay.*/*login.aspx
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
-\\.\PHYSICALDRIVE0
-\\.\PHYSICALDRIVE0
state_%s
state_%s
shell32.dll
shell32.dll
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
{%s|%s%s}%s
{%s|%s%s}%s
n{%s|%s%s}%s
n{%s|%s%s}%s
%s|%s|%s
%s|%s|%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s|%s
%s|%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
explorer.exe
explorer.exe
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[Logins]: %s
[Logins]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
icon=shell32.dll,7
icon=shell32.dll,7
shellexecute=
shellexecute=
%windir%\system32\cmd.exe
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %Ã%%%s
&&%%windir%%\explorer.exe %Ã%%%s
/c "start %Ã%%RECYCLER\%s
/c "start %Ã%%RECYCLER\%s
\\.\%c:
\\.\%c:
%s\%s
%s\%s
%sautorun.tmp
%sautorun.tmp
%sautorun.inf
%sautorun.inf
%0x.exe
%0x.exe
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
%s-Mutex
%s-Mutex
%s_%d
%s_%d
%s_%lu
%s_%lu
kernel32.dll
kernel32.dll
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\Oplqle.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\Oplqle.exe
="='=7=
="='=7=
\\.\pipe
\\.\pipe
nwlcomm.exe
nwlcomm.exe
msmsgs.exe
msmsgs.exe
msnmsgr.exe
msnmsgr.exe
pidgin.exe
pidgin.exe
xchat.exe
xchat.exe
mirc.exe
mirc.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
cipconfig.exe
cipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
Internet Explorer\iexplore.exe
Internet Explorer\iexplore.exe
lol.exe
lol.exe
%s:Zone.Identifier
%s:Zone.Identifier
winlogon.exe
winlogon.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
wininet.dll
wininet.dll
ws2_32.dll
ws2_32.dll
Akernel23.dll
Akernel23.dll
yntdll.dll
yntdll.dll
skype.exe
skype.exe
lsass.exe
lsass.exe
TPAutoConnect.exe_2160_rwx_00390000_0002A000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
:.datt
:.datt
tB
tB
toSSSSSSSSSSh
toSSSSSSSSSSh
iu2.iu@
iu2.iu@
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
ntdll.dll
ntdll.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetWindowsDirectoryW
GetWindowsDirectoryW
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegCreateKeyExW
RegCreateKeyExW
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!
autorun.inf
autorun.inf
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
JOIN #
JOIN #
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
PRIVMSG #
PRIVMSG #
%s:%d
%s:%d
%s.PTF://%s:%s@%s:%d (p='%S')
%s.PTF://%s:%s@%s:%d (p='%S')
%s:%s@%s:%d
%s:%s@%s:%d
PASS %s
PASS %s
USER %s
USER %s
ftpgrab
ftpgrab
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
hXXp://
hXXp://
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
irc.albergueselvavirgen.com
irc.albergueselvavirgen.com
albergueselvavirgen.com
albergueselvavirgen.com
#httpslg
#httpslg
#ftplg
#ftplg
1.0.3
1.0.3
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
USER %s 0 0 :%s
USER %s 0 0 :%s
NICK %s
NICK %s
JOIN %s %s
JOIN %s %s
PART %s
PART %s
PRIVMSG %s :%s
PRIVMSG %s :%s
QUIT :%s
QUIT :%s
PONG %s
PONG %s
PRIVMSG
PRIVMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" http="%d" total="%d"]
[ftp="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\%s_ipc
\\.\pipe\%s_ipc
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
*megaupload.*/*login
*megaupload.*/*login
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserve.*/login*
*fileserve.*/login*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
Password
Password
*&Password=*
*&Password=*
*.alertpay.*/*login.aspx
*.alertpay.*/*login.aspx
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
-\\.\PHYSICALDRIVE0
-\\.\PHYSICALDRIVE0
state_%s
state_%s
shell32.dll
shell32.dll
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
{%s|%s%s}%s
{%s|%s%s}%s
n{%s|%s%s}%s
n{%s|%s%s}%s
%s|%s|%s
%s|%s|%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s|%s
%s|%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
explorer.exe
explorer.exe
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[Logins]: %s
[Logins]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
icon=shell32.dll,7
icon=shell32.dll,7
shellexecute=
shellexecute=
%windir%\system32\cmd.exe
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %Ã%%%s
&&%%windir%%\explorer.exe %Ã%%%s
/c "start %Ã%%RECYCLER\%s
/c "start %Ã%%RECYCLER\%s
\\.\%c:
\\.\%c:
%s\%s
%s\%s
%sautorun.tmp
%sautorun.tmp
%sautorun.inf
%sautorun.inf
%0x.exe
%0x.exe
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
%s-Mutex
%s-Mutex
%s_%d
%s_%d
%s_%lu
%s_%lu
kernel32.dll
kernel32.dll
%Program Files%\VMware\VMware Tools\TPAutoConnect.exe
%Program Files%\VMware\VMware Tools\TPAutoConnect.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\Oplqle.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\Oplqle.exe
C:\Windows
C:\Windows
="='=7=
="='=7=
\\.\pipe
\\.\pipe
nwlcomm.exe
nwlcomm.exe
msmsgs.exe
msmsgs.exe
msnmsgr.exe
msnmsgr.exe
pidgin.exe
pidgin.exe
xchat.exe
xchat.exe
mirc.exe
mirc.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
cipconfig.exe
cipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
Internet Explorer\iexplore.exe
Internet Explorer\iexplore.exe
lol.exe
lol.exe
%s:Zone.Identifier
%s:Zone.Identifier
winlogon.exe
winlogon.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
wininet.dll
wininet.dll
ws2_32.dll
ws2_32.dll
Akernel23.dll
Akernel23.dll
yntdll.dll
yntdll.dll
skype.exe
skype.exe
lsass.exe
lsass.exe
:\Device\HarddiskVolume1\Program Files\VMware\VMware Tools\TPAutoConnect.exe
:\Device\HarddiskVolume1\Program Files\VMware\VMware Tools\TPAutoConnect.exe
conhost.exe_2168_rwx_002D0000_0002A000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
:.datt
:.datt
tB
tB
toSSSSSSSSSSh
toSSSSSSSSSSh
iu2.iu@
iu2.iu@
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
ntdll.dll
ntdll.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetWindowsDirectoryW
GetWindowsDirectoryW
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegCreateKeyExW
RegCreateKeyExW
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!
autorun.inf
autorun.inf
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
JOIN #
JOIN #
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
PRIVMSG #
PRIVMSG #
%s:%d
%s:%d
%s.PTF://%s:%s@%s:%d (p='%S')
%s.PTF://%s:%s@%s:%d (p='%S')
%s:%s@%s:%d
%s:%s@%s:%d
PASS %s
PASS %s
USER %s
USER %s
ftpgrab
ftpgrab
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
hXXp://
hXXp://
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
irc.albergueselvavirgen.com
irc.albergueselvavirgen.com
albergueselvavirgen.com
albergueselvavirgen.com
#httpslg
#httpslg
#ftplg
#ftplg
1.0.3
1.0.3
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
USER %s 0 0 :%s
USER %s 0 0 :%s
NICK %s
NICK %s
JOIN %s %s
JOIN %s %s
PART %s
PART %s
PRIVMSG %s :%s
PRIVMSG %s :%s
QUIT :%s
QUIT :%s
PONG %s
PONG %s
PRIVMSG
PRIVMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" http="%d" total="%d"]
[ftp="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\%s_ipc
\\.\pipe\%s_ipc
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
*megaupload.*/*login
*megaupload.*/*login
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserve.*/login*
*fileserve.*/login*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
Password
Password
*&Password=*
*&Password=*
*.alertpay.*/*login.aspx
*.alertpay.*/*login.aspx
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
-\\.\PHYSICALDRIVE0
-\\.\PHYSICALDRIVE0
state_%s
state_%s
shell32.dll
shell32.dll
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
{%s|%s%s}%s
{%s|%s%s}%s
n{%s|%s%s}%s
n{%s|%s%s}%s
%s|%s|%s
%s|%s|%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s|%s
%s|%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
explorer.exe
explorer.exe
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[Logins]: %s
[Logins]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
icon=shell32.dll,7
icon=shell32.dll,7
shellexecute=
shellexecute=
%windir%\system32\cmd.exe
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %Ã%%%s
&&%%windir%%\explorer.exe %Ã%%%s
/c "start %Ã%%RECYCLER\%s
/c "start %Ã%%RECYCLER\%s
\\.\%c:
\\.\%c:
%s\%s
%s\%s
%sautorun.tmp
%sautorun.tmp
%sautorun.inf
%sautorun.inf
%0x.exe
%0x.exe
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
%s-Mutex
%s-Mutex
%s_%d
%s_%d
%s_%lu
%s_%lu
kernel32.dll
kernel32.dll
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\Oplqle.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\Oplqle.exe
C:\Windows
C:\Windows
="='=7=
="='=7=
\\.\pipe
\\.\pipe
nwlcomm.exe
nwlcomm.exe
msmsgs.exe
msmsgs.exe
msnmsgr.exe
msnmsgr.exe
pidgin.exe
pidgin.exe
xchat.exe
xchat.exe
mirc.exe
mirc.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
cipconfig.exe
cipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
Internet Explorer\iexplore.exe
Internet Explorer\iexplore.exe
lol.exe
lol.exe
%s:Zone.Identifier
%s:Zone.Identifier
winlogon.exe
winlogon.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
wininet.dll
wininet.dll
ws2_32.dll
ws2_32.dll
Akernel23.dll
Akernel23.dll
yntdll.dll
yntdll.dll
skype.exe
skype.exe
lsass.exe
lsass.exe
.\Device\HarddiskVolume1\Windows\System32\conhost.exe
.\Device\HarddiskVolume1\Windows\System32\conhost.exe
conhost.exe_3076_rwx_000F0000_0002A000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
:.datt
:.datt
tB
tB
toSSSSSSSSSSh
toSSSSSSSSSSh
iu2.iu@
iu2.iu@
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
ntdll.dll
ntdll.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetWindowsDirectoryW
GetWindowsDirectoryW
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegCreateKeyExW
RegCreateKeyExW
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!
autorun.inf
autorun.inf
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
JOIN #
JOIN #
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
PRIVMSG #
PRIVMSG #
%s:%d
%s:%d
%s.PTF://%s:%s@%s:%d (p='%S')
%s.PTF://%s:%s@%s:%d (p='%S')
%s:%s@%s:%d
%s:%s@%s:%d
PASS %s
PASS %s
USER %s
USER %s
ftpgrab
ftpgrab
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
hXXp://
hXXp://
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
irc.albergueselvavirgen.com
irc.albergueselvavirgen.com
albergueselvavirgen.com
albergueselvavirgen.com
#httpslg
#httpslg
#ftplg
#ftplg
1.0.3
1.0.3
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
USER %s 0 0 :%s
USER %s 0 0 :%s
NICK %s
NICK %s
JOIN %s %s
JOIN %s %s
PART %s
PART %s
PRIVMSG %s :%s
PRIVMSG %s :%s
QUIT :%s
QUIT :%s
PONG %s
PONG %s
PRIVMSG
PRIVMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" http="%d" total="%d"]
[ftp="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\%s_ipc
\\.\pipe\%s_ipc
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
*megaupload.*/*login
*megaupload.*/*login
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserve.*/login*
*fileserve.*/login*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
Password
Password
*&Password=*
*&Password=*
*.alertpay.*/*login.aspx
*.alertpay.*/*login.aspx
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
-\\.\PHYSICALDRIVE0
-\\.\PHYSICALDRIVE0
state_%s
state_%s
shell32.dll
shell32.dll
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
{%s|%s%s}%s
{%s|%s%s}%s
n{%s|%s%s}%s
n{%s|%s%s}%s
%s|%s|%s
%s|%s|%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s|%s
%s|%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
explorer.exe
explorer.exe
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[Logins]: %s
[Logins]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
icon=shell32.dll,7
icon=shell32.dll,7
shellexecute=
shellexecute=
%windir%\system32\cmd.exe
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %Ã%%%s
&&%%windir%%\explorer.exe %Ã%%%s
/c "start %Ã%%RECYCLER\%s
/c "start %Ã%%RECYCLER\%s
\\.\%c:
\\.\%c:
%s\%s
%s\%s
%sautorun.tmp
%sautorun.tmp
%sautorun.inf
%sautorun.inf
%0x.exe
%0x.exe
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
%s-Mutex
%s-Mutex
%s_%d
%s_%d
%s_%lu
%s_%lu
kernel32.dll
kernel32.dll
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\Oplqle.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\Oplqle.exe
C:\Windows
C:\Windows
="='=7=
="='=7=
\\.\pipe
\\.\pipe
nwlcomm.exe
nwlcomm.exe
msmsgs.exe
msmsgs.exe
msnmsgr.exe
msnmsgr.exe
pidgin.exe
pidgin.exe
xchat.exe
xchat.exe
mirc.exe
mirc.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
cipconfig.exe
cipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
Internet Explorer\iexplore.exe
Internet Explorer\iexplore.exe
lol.exe
lol.exe
%s:Zone.Identifier
%s:Zone.Identifier
winlogon.exe
winlogon.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
wininet.dll
wininet.dll
ws2_32.dll
ws2_32.dll
Akernel23.dll
Akernel23.dll
yntdll.dll
yntdll.dll
skype.exe
skype.exe
lsass.exe
lsass.exe
\Device\HarddiskVolume1\Windows\System32\conhost.exe
\Device\HarddiskVolume1\Windows\System32\conhost.exe