Trojan-Dropper.Win32.Agent.ano (Kaspersky), GenPack:Generic.Malware.SI!Bg.20A29979 (B) (Emsisoft), GenPack:Generic.Malware.SI!Bg.20A29979 (AdAware), Trojan.NSIS.StartPage.FD, Trojan.Win32.Swrort.4.FD, TrojanSwrort.YR, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, IRCBot, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 3fe91d14931fb6d70d418477a8813407
SHA1: 800ef45b89681d6bfb4770fa942cc4d0cd6a0259
SHA256: 106b1fc62ed0cca20a61d553eb45facbfbfce542057037b040a55b724122bf34
SSDeep: 1536:VMvCvspprwFvG50QctoYRN7dvC8ZtmbycedueXBVRRbWiQXERd7mW:VMavMpcxG5Fq71C8lVRRbW9ERdCW
Size: 89814 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2007-07-14 18:12:49
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
IRCBot | A bot can communicate with command and control servers via IRC channel. |
Process activity
The GenPack creates the following process(es):
systec32.exe:1492
~z545158.tmp:496
The GenPack injects its code into the following process(es):
%original file name%.exe:644
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process ~z545158.tmp:496 makes changes in the file system.
The GenPack creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HMNHLGIO\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%System%\systec32.exe (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PBX2QB5C\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\55UO2EVH\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CT48K6BI\desktop.ini (67 bytes)
The process %original file name%.exe:644 makes changes in the file system.
The GenPack creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\~z545158.tmp (33 bytes)
The GenPack deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsv1.tmp (0 bytes)
Registry activity
The process systec32.exe:1492 makes changes in the system registry.
The GenPack creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 96 FD DF E3 DC 40 1B E0 20 FD F4 3F 7C 8A 55"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
To automatically run itself each time Windows is booted, the GenPack adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"systec32.exe" = "systec32.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"systec32.exe" = "systec32.exe"
The process ~z545158.tmp:496 makes changes in the system registry.
The GenPack creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 FA 61 F1 E6 89 75 25 0F A5 42 E2 65 AD 32 80"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
The process %original file name%.exe:644 makes changes in the system registry.
The GenPack creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 EF 20 CE DE CB 04 F1 03 66 2E 88 91 AD 88 E8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
Dropped PE files
MD5 | File path |
---|---|
8d044d5c3cfda151f961eb26b8558ac2 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\~z545158.tmp |
8d044d5c3cfda151f961eb26b8558ac2 | c:\WINDOWS\system32\systec32.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
systec32.exe:1492
~z545158.tmp:496
- Delete the original GenPack file.
- Delete or disinfect the following files created/modified by the GenPack:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HMNHLGIO\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%System%\systec32.exe (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PBX2QB5C\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\55UO2EVH\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CT48K6BI\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~z545158.tmp (33 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"systec32.exe" = "systec32.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"systec32.exe" = "systec32.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 204800 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 208896 | 20480 | 18432 | 5.44525 | 2b72c47a9deccd0c25eab5bbf438bba7 |
.entry | 229376 | 28672 | 27648 | 4.00987 | 0b4972200c4e0642bbecbb7ee1ffc36b |
| | 258048 | 33920 | 34304 | 4.35016 | 63a414472ccbf8aa9bf880fb19ddd256 |
Network Activity
URLs
URL | IP |
---|---|
irc.webchat.org | 216.152.78.166 |
Strings from Dumps