Sample_27978af6bf – Adaware

GenericAutorunWorm.YR (Lavasoft MAS)Behaviour: Worm, WormAutorun

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 27978af6bfb56660e238499c89669c3c

SHA1: b3041d1bafb91cc54d22f82a694f8cf5b0ad7d0a

SHA256: ff4a72490d9169de6110c0c175ad5092c02b094f43bc73db21eedafe2626cd15

SSDeep: 24576:b201cUIhefdoW RMchfaT8dROhSpzXLTIY2lgHPUZSZJEDPAtZGAj2wc:b2mrfOB5aTk8YLUYLUZSZJ6APz1c

Size: 1531752 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: BorlandDelphi30, UPolyXv05_v6

Company: Blue Squirrel

Created at: 1992-06-20 01:22:17

Analyzed on: Windows7Ada SP1 64-bit

Summary: Worm. A program that is primarily replicating on networks or removable drives.

Dynamic Analysis

Payload

Behaviour	Description
WormAutorun	A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.

Process activity

The Worm creates the following process(es):

TPAutoConnSvc.exe:1776
grabsite.exe:1040
regsvr32.exe:3644
%original file name%.exe:3716
27978af6bfb56660e238499c89669c3c.tmp:2484

The Worm injects its code into the following process(es):

WORDPAD.EXE:1672

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process grabsite.exe:1040 makes changes in the file system.

The Worm creates and/or writes to the following file(s):

%Program Files% (x86)\Grab-a-Site 5.1\ix.dll (716 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\grabsite.INI (28 bytes)

The process regsvr32.exe:3644 makes changes in the file system.

The Worm creates and/or writes to the following file(s):

%Program Files% (x86)\Grab-a-Site 5.1\WebGrabber.dll (712 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\pi.dll (131 bytes)

The process %original file name%.exe:3716 makes changes in the file system.

The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MPIKU.tmp\27978af6bfb56660e238499c89669c3c.tmp (1423 bytes)

The process 27978af6bfb56660e238499c89669c3c.tmp:2484 makes changes in the file system.

The Worm creates and/or writes to the following file(s):

%Program Files% (x86)\Grab-a-Site 5.1\is-ECLB2.tmp (289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-482OA.tmp\_isetup\_shfoldr.dll (47 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-74JU1.tmp (5109 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Grab-a-Site\Grab-a-Site Help.lnk (1 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\Edge\is-RL3EB.tmp (11 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-T9JMM.tmp (186 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-DG9RB.tmp (14 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Grab-a-Site\Grab-a-Site ReadMe.lnk (990 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-1ME24.tmp (23 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-D5M1P.tmp (7547 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-1093R.tmp (407 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-HLA0C.tmp (4545 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-3NKQ3.tmp (30 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-JQC9U.tmp (132 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Grab-a-Site\Blue Squirrel.lnk (836 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-T0507.tmp (206 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\unins000.dat (1376 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-482OA.tmp\_isetup\_setup64.tmp (6 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-CBQID.tmp (3073 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\Edge\is-6GA2P.tmp (1 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-8SVDJ.tmp (603 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-6E51A.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-482OA.tmp\_isetup\_RegDLL.tmp (4 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-GOMKQ.tmp (40 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Grab-a-Site\Grab-a-Site 5.lnk (1 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\grabsite.exe (49 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-99FQ1.tmp (673 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-M90HH.tmp (4545 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-EE0M9.tmp (2105 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-IGF3R.tmp (601 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\REGSVR32.EXE (32 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\unins000.msg (463 bytes)

Registry activity

The process TPAutoConnSvc.exe:1776 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\ThinPrint\TPPrnUI\NPI456AB0 (HP LaserJet Professional M1212nf MFP)#:1]
"TrayData" = "2,Tray 3, 3,Tray 2, 1,Tray 1, 4,Manual Feed, 7,Auto Select"
"FormData" = "1,2159,2794,LetterÃƒâ€šÃ‚Â¶40,40,2086,2712, 5,2159,3556,LegalÃƒâ€šÃ‚Â¶40,40,2086,3474, 9,2100,2970,A4Ãƒâ€šÃ‚Â¶39,39,2032,2890, 7,1842,2667,ExecutiveÃƒâ€šÃ‚Â¶40,40,1761,2585, 258,2159,3302,8.5 x 13 (custom)Ãƒâ€šÃ‚Â¶40,40,2086,3220, 11,1480,2100,A5Ãƒâ€šÃ‚Â¶39,39,1408,2020, 70,1050,1480,A6Ãƒâ€šÃ‚Â¶39,39,975,1399, 13,1820,2570,B5 (JIS)Ãƒâ€šÃ‚Â¶39,39,1747,2490, 264,1950,2700,16K 195x270Ãƒâ€šÃ‚Â¶39,39,1882,2620, 263,1840,2600,16K 184x260Ãƒâ€šÃ‚Â¶39,39,1761,2520, 257,1970,2730,16K 197x273Ãƒâ€šÃ‚Â¶39,39,1896,2650, 43,1000,1480,Japanese PostcardÃƒâ€šÃ‚Â¶39,39,921,1399, 82,1480,2000,Double Japan Postcard RotatedÃƒâ€šÃ‚Â¶39,39,1408,1919, 20,1046,2413,Envelope #10Ãƒâ€šÃ‚Â¶40,40,975,2331, 37,983,1905,Envelope MonarchÃƒâ€šÃ‚Â¶40,40,907,1823, 34,1760,2500,Envelope B5Ãƒâ€šÃ‚Â¶39,39,1693,2420, 28,1620,2290,Envelope C5Ãƒâ€šÃ‚Â¶39,39,1544,2209, 27,1100,2200,Envelope DLÃƒâ€šÃ‚Â¶39,39,1029,2120"
"DelAfterCreate" = "1"

[HKU\.DEFAULT\Printers\DevModes2]
"NPI456AB0 (HP LaserJet Professional M1212nf MFP)#:1" = "4E 00 50 00 49 00 34 00 35 00 36 00 41 00 42 00"

The Worm deletes the following registry key(s):

[HKLM\SOFTWARE\ThinPrint\TPPrnUI\NPI456AB0 (HP LaserJet Professional M1212nf MFP)#:1]

The process grabsite.exe:1040 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\uSSPESOQsu0yNqTumyyPLBWW]
"Xva_h1UE7YrwkGIs" = "bq2ZfC0JSgMnCO_xX3Sj31femCWW"
"haZRuEa_l4wKeRnJG!byuQ0SkJEKRC4KCEeSuwaHkL24cBp6GSmW" = "hkFHua0Bl4kFeRn8HE!yuaDB49EFcRkrCE!guaAS44oFcRx9!HmW"

The process WORDPAD.EXE:1672 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Font Management\Auto Activation Languages]
"en-Latn-US" = "1033"

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Font Management]
"Active Languages" = "09 04 00 00"
"Inactive Fonts" = "Large Fonts, 8514oem, Marlett, Andalus, Arial Unicode MS, Arabic Typesetting, HGMaruGothicMPRO, Estrangelo Edessa, Microsoft Uighur, MV Boli, Sakkal Majalla, Simplified Arabic, Simplified Arabic Fixed, Traditional Arabic, FangSong, KaiTi, Microsoft YaHei, NSimSun, SimHei, SimSun, SimSun-ExtB, DFKai-SB, Microsoft JhengHei, MingLiU, MingLiU-ExtB, MingLiU_HKSCS, MingLiU_HKSCS-ExtB, PMingLiU, PMingLiU-ExtB, Euphemia, Lao UI, Plantagenet Cherokee, Aharoni, David, FrankRuehl, Gisha, Levenim MT, Miriam, Miriam Fixed, Narkisim, Rod, Aparajita, Gautami, Iskoola Pota, Kalinga, Kartika, Kokila, Latha, Mangal, Raavi, Shonar Bangla, Shruti, Tunga, Utsaah, Vani, Vijaya, Vrinda, Meiryo, Meiryo UI, MS Gothic, MS Mincho, MS PGothic, MS PMincho, MS UI Gothic, Batang, BatangChe, Dotum, DotumChe, Gulim, GulimChe, Gungsuh, GungsuhChe, Malgun Gothic, Ebrima, Microsoft Himalaya, Microsoft New Tai Lue, Microsoft PhagsPa, Microsoft Tai Le, Microsoft Yi Baiti, Mongolian Baiti, Nyala, Sylfaen, Angsana New, AngsanaUPC, Browallia New, BrowalliaUPC, Cordia New, CordiaUPC, DaunPenh, DilleniaUPC, DokChampa, EucrosiaUPC, FreesiaUPCÃƒÂ§Ã‚ÂÃ‚Â²ÃƒË†Ã‚Â"

The process regsvr32.exe:3644 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKCR\Wow6432Node\Interface\{8AA23DB2-9CAE-11D1-8648-00A0246D0300}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Interface\{5BBB7C44-D873-11D1-BA47-00104B1F427E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{8AA23DB1-9CAE-11D1-8648-00A0246D0300}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{8AA23DB2-9CAE-11D1-8648-00A0246D0300}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{8AA23DB0-9CAE-11D1-8648-00A0246D0300}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{ADB18B66-EFFD-11D1-BA6A-00104B1F427E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{ADB18B66-EFFD-11D1-BA6A-00104B1F427E}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{B3DF250F-DF76-11D1-BA52-00104B1F427E}]
"(Default)" = "IGrabberEnumFilter"

[HKCR\Wow6432Node\Interface\{82630067-FB0C-11D1-BA79-00104B1F427E}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{ADB18B66-EFFD-11D1-BA6A-00104B1F427E}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Interface\{0BFF46C3-C4C6-11D1-BA2E-00104B1F427E}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{ADB18B66-EFFD-11D1-BA6A-00104B1F427E}]
"(Default)" = "IGrabberEnumUrl"

[HKCR\Wow6432Node\Interface\{B3DF250F-DF76-11D1-BA52-00104B1F427E}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Interface\{8AA23DB0-9CAE-11D1-8648-00A0246D0300}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{8AA23DB2-9CAE-11D1-8648-00A0246D0300}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{D0136EF6-A2F8-11D1-864E-00A0246D0300}]
"(Default)" = "IGrabberEvents"

[HKCR\Interface\{8AA23DB0-9CAE-11D1-8648-00A0246D0300}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{B3DF250F-DF76-11D1-BA52-00104B1F427E}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{8AA23DA3-9CAE-11D1-8648-00A0246D0300}\1.0\HELPDIR]
"(Default)" = "%Program Files% (x86)\Grab-a-Site 5.1\"

[HKCR\TypeLib\{8AA23DA3-9CAE-11D1-8648-00A0246D0300}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{8AA23DB2-9CAE-11D1-8648-00A0246D0300}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Interface\{82630067-FB0C-11D1-BA79-00104B1F427E}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Interface\{0BFF46C3-C4C6-11D1-BA2E-00104B1F427E}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Interface\{8AA23DB2-9CAE-11D1-8648-00A0246D0300}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{8AA23DB5-9CAE-11D1-8648-00A0246D0300}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Wow6432Node\Interface\{ADB18B66-EFFD-11D1-BA6A-00104B1F427E}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{8AA23DB2-9CAE-11D1-8648-00A0246D0300}]
"(Default)" = "IGrabberUrl"

[HKCR\TypeLib\{8AA23DA3-9CAE-11D1-8648-00A0246D0300}\1.0\0\win32]
"(Default)" = "%Program Files% (x86)\Grab-a-Site 5.1\webgrabber.dll"

[HKCR\Interface\{0BFF46C3-C4C6-11D1-BA2E-00104B1F427E}]
"(Default)" = "IGrabberUrlStatus"

[HKCR\Wow6432Node\Interface\{8AA23DB5-9CAE-11D1-8648-00A0246D0300}]
"(Default)" = "IGrabberEnumChild"

[HKCR\Interface\{8AA23DB0-9CAE-11D1-8648-00A0246D0300}]
"(Default)" = "IGrabber"

[HKCR\Wow6432Node\Interface\{ADB18B66-EFFD-11D1-BA6A-00104B1F427E}]
"(Default)" = "IGrabberEnumUrl"

[HKCR\Interface\{B3DF250F-DF76-11D1-BA52-00104B1F427E}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Wow6432Node\Interface\{82630067-FB0C-11D1-BA79-00104B1F427E}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Interface\{B3DF2506-DF76-11D1-BA52-00104B1F427E}]
"(Default)" = "IGrabberFilter"

[HKCR\Wow6432Node\Interface\{8AA23DB0-9CAE-11D1-8648-00A0246D0300}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{5BBB7C44-D873-11D1-BA47-00104B1F427E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{8AA23DB5-9CAE-11D1-8648-00A0246D0300}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{82630067-FB0C-11D1-BA79-00104B1F427E}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{B3DF250F-DF76-11D1-BA52-00104B1F427E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{D0136EF6-A2F8-11D1-864E-00A0246D0300}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{82630067-FB0C-11D1-BA79-00104B1F427E}]
"(Default)" = "DGrabberEvents"

[HKCR\Interface\{ADB18B66-EFFD-11D1-BA6A-00104B1F427E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{B3DF250F-DF76-11D1-BA52-00104B1F427E}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{B3DF2506-DF76-11D1-BA52-00104B1F427E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{8AA23DB5-9CAE-11D1-8648-00A0246D0300}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Wow6432Node\Interface\{B3DF250F-DF76-11D1-BA52-00104B1F427E}]
"(Default)" = "IGrabberEnumFilter"

[HKCR\Interface\{B3DF250F-DF76-11D1-BA52-00104B1F427E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\WebGrabber.Grabber]
"(Default)" = "WebGrabber Class"

[HKCR\Interface\{8AA23DB5-9CAE-11D1-8648-00A0246D0300}]
"(Default)" = "IGrabberEnumChild"

[HKCR\Wow6432Node\CLSID\{8AA23DB1-9CAE-11D1-8648-00A0246D0300}\ProgID]
"(Default)" = "WebGrabber.Grabber.1"

[HKCR\WebGrabber.Grabber.1\CLSID]
"(Default)" = "{8AA23DB1-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Wow6432Node\Interface\{0BFF46C3-C4C6-11D1-BA2E-00104B1F427E}]
"(Default)" = "IGrabberUrlStatus"

[HKCR\Wow6432Node\Interface\{D0136EF6-A2F8-11D1-864E-00A0246D0300}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Wow6432Node\Interface\{8AA23DB0-9CAE-11D1-8648-00A0246D0300}]
"(Default)" = "IGrabber"

[HKCR\Wow6432Node\CLSID\{8AA23DB1-9CAE-11D1-8648-00A0246D0300}]
"(Default)" = "WebGrabber Class"

[HKCR\Wow6432Node\Interface\{B3DF2506-DF76-11D1-BA52-00104B1F427E}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Wow6432Node\Interface\{0BFF46C3-C4C6-11D1-BA2E-00104B1F427E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\WebGrabber.Grabber.1]
"(Default)" = "WebGrabber Class"

[HKCR\Wow6432Node\Interface\{0BFF46C3-C4C6-11D1-BA2E-00104B1F427E}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{5BBB7C44-D873-11D1-BA47-00104B1F427E}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Wow6432Node\CLSID\{8AA23DB1-9CAE-11D1-8648-00A0246D0300}\VersionIndependentProgID]
"(Default)" = "WebGrabber.Grabber"

[HKCR\Wow6432Node\Interface\{0BFF46C3-C4C6-11D1-BA2E-00104B1F427E}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Wow6432Node\Interface\{8AA23DB0-9CAE-11D1-8648-00A0246D0300}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Interface\{B3DF2506-DF76-11D1-BA52-00104B1F427E}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{5BBB7C44-D873-11D1-BA47-00104B1F427E}]
"(Default)" = "IGrabberPrefs"

[HKCR\Wow6432Node\Interface\{B3DF2506-DF76-11D1-BA52-00104B1F427E}\TypeLib]
"Version" = "1.0"

[HKCR\WebGrabber.Grabber\CLSID]
"(Default)" = "{8AA23DB1-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Interface\{82630067-FB0C-11D1-BA79-00104B1F427E}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{5BBB7C44-D873-11D1-BA47-00104B1F427E}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{8AA23DB2-9CAE-11D1-8648-00A0246D0300}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{B3DF2506-DF76-11D1-BA52-00104B1F427E}]
"(Default)" = "IGrabberFilter"

[HKCR\Wow6432Node\Interface\{B3DF2506-DF76-11D1-BA52-00104B1F427E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{5BBB7C44-D873-11D1-BA47-00104B1F427E}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\WebGrabber.Grabber\CurVer]
"(Default)" = "WebGrabber.Grabber.1"

[HKCR\Interface\{8AA23DB5-9CAE-11D1-8648-00A0246D0300}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{8AA23DB5-9CAE-11D1-8648-00A0246D0300}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{B3DF2506-DF76-11D1-BA52-00104B1F427E}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Interface\{D0136EF6-A2F8-11D1-864E-00A0246D0300}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{D0136EF6-A2F8-11D1-864E-00A0246D0300}]
"(Default)" = "IGrabberEvents"

[HKCR\Wow6432Node\Interface\{D0136EF6-A2F8-11D1-864E-00A0246D0300}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{8AA23DB2-9CAE-11D1-8648-00A0246D0300}]
"(Default)" = "IGrabberUrl"

[HKCR\Interface\{5BBB7C44-D873-11D1-BA47-00104B1F427E}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{5BBB7C44-D873-11D1-BA47-00104B1F427E}]
"(Default)" = "IGrabberPrefs"

[HKCR\Interface\{0BFF46C3-C4C6-11D1-BA2E-00104B1F427E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{D0136EF6-A2F8-11D1-864E-00A0246D0300}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Wow6432Node\Interface\{ADB18B66-EFFD-11D1-BA6A-00104B1F427E}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\TypeLib\{8AA23DA3-9CAE-11D1-8648-00A0246D0300}\1.0]
"(Default)" = "WebGrabber 1.0 Type Library"

[HKCR\Interface\{82630067-FB0C-11D1-BA79-00104B1F427E}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{8AA23DB5-9CAE-11D1-8648-00A0246D0300}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{8AA23DB1-9CAE-11D1-8648-00A0246D0300}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Grab-a-Site 5.1\webgrabber.dll"

[HKCR\Wow6432Node\Interface\{82630067-FB0C-11D1-BA79-00104B1F427E}]
"(Default)" = "DGrabberEvents"

[HKCR\Interface\{8AA23DB0-9CAE-11D1-8648-00A0246D0300}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Interface\{D0136EF6-A2F8-11D1-864E-00A0246D0300}\TypeLib]
"Version" = "1.0"

The process 27978af6bfb56660e238499c89669c3c.tmp:2484 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKCR\.gas]
"(Default)" = "Grab-a-Site.Document"

[HKLM\SOFTWARE\Wow6432Node\Blue Squirrel\IX\Settings]
"rootDir" = "c:\Users\Public\IX\"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Grab-a-Site_is1]
"QuietUninstallString" = "%Program Files% (x86)\Grab-a-Site 5.1\unins000.exe /SILENT"

[HKCR\webwhacker\shell\open\command]
"(Default)" = "%Program Files% (x86)\Grab-a-Site 5.1\grabsite.exe /%1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Grab-a-Site_is1]
"URLInfoAbout" = "http://www.BlueSquirrel.com"
"InstallDate" = "20141216"
"Publisher" = "Blue Squirrel"
"Inno Setup: Language" = "default"
"Inno Setup: User" = "%CurrentUserName%"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\%Program Files% (x86)\Grab-a-Site 5.1]
"iundo.exe" = "RUNASADMIN"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Grab-a-Site_is1]
"DisplayVersion" = "5.1"
"MinorVersion" = "1"
"DisplayName" = "Blue Squirrel Grab-a-Site 5.1"
"HelpLink" = "http://www.BlueSquirrel.com"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\%Program Files% (x86)\Grab-a-Site 5.1]
"iu.exe" = "RUNASADMIN"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Grab-a-Site_is1]
"MajorVersion" = "5"
"Inno Setup: App Path" = "%Program Files% (x86)\Grab-a-Site 5.1"
"Inno Setup: Icon Group" = "Grab-a-Site"

[HKCU\.gas\OpenWithList]
"a" = "grabsite.exe"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Grab-a-Site_is1]
"Inno Setup: Setup Version" = "5.3.9 (a)"

[HKCU\.gas\OpenWithList]
"(Default)" = ""

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Grab-a-Site_is1]
"EstimatedSize" = "4441"
"NoModify" = "1"
"UninstallString" = "%Program Files% (x86)\Grab-a-Site 5.1\unins000.exe"
"InstallLocation" = "%Program Files% (x86)\Grab-a-Site 5.1\"

[HKCR\Grab-a-Site.Document]
"(Default)" = "Grab-a-Site Document"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Grab-a-Site_is1]
"NoRepair" = "1"

[HKCU\.gas\OpenWithList]
"MURList" = "a"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Grab-a-Site_is1]
"URLUpdateInfo" = "http://www.BlueSquirrel.com"

Dropped PE files

MD5	File path
c8ae2251ef395dddf4e8ec3a84701e5b	c:\Program Files (x86)\Grab-a-Site 5.1\REGSVR32.EXE
35fbe8ed171b91e312df1b24c91a551e	c:\Program Files (x86)\Grab-a-Site 5.1\WebGrabber.dll
106eda7931123e6fd3c44c5eed4e4f41	c:\Program Files (x86)\Grab-a-Site 5.1\autorun.exe
6dc74d4d670e2f5904a4d92731fc59ed	c:\Program Files (x86)\Grab-a-Site 5.1\grabsite.exe
710590af15d47364111204e0c5af6ea9	c:\Program Files (x86)\Grab-a-Site 5.1\iu.exe
9b5bd8b5b70f6bf240b71bff59dad854	c:\Program Files (x86)\Grab-a-Site 5.1\iundo.exe
9b5af98a22740d2eb0180c852aa21a2d	c:\Program Files (x86)\Grab-a-Site 5.1\ix.dll
14652be5311a039d6e8db6689ee871f1	c:\Program Files (x86)\Grab-a-Site 5.1\pi.dll
da6d09a571f57114ced2cc49f05165ac	c:\Program Files (x86)\Grab-a-Site 5.1\unins000.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
TPAutoConnSvc.exe:1776
grabsite.exe:1040
regsvr32.exe:3644
%original file name%.exe:3716
27978af6bfb56660e238499c89669c3c.tmp:2484
Delete the original Worm file.
Delete or disinfect the following files created/modified by the Worm:
%Program Files% (x86)\Grab-a-Site 5.1\ix.dll (716 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\grabsite.INI (28 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\WebGrabber.dll (712 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\pi.dll (131 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MPIKU.tmp\27978af6bfb56660e238499c89669c3c.tmp (1423 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-ECLB2.tmp (289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-482OA.tmp\_isetup\_shfoldr.dll (47 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-74JU1.tmp (5109 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Grab-a-Site\Grab-a-Site Help.lnk (1 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\Edge\is-RL3EB.tmp (11 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-T9JMM.tmp (186 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-DG9RB.tmp (14 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Grab-a-Site\Grab-a-Site ReadMe.lnk (990 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-1ME24.tmp (23 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-D5M1P.tmp (7547 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-1093R.tmp (407 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-HLA0C.tmp (4545 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-3NKQ3.tmp (30 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-JQC9U.tmp (132 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Grab-a-Site\Blue Squirrel.lnk (836 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-T0507.tmp (206 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\unins000.dat (1376 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-482OA.tmp\_isetup\_setup64.tmp (6 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-CBQID.tmp (3073 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\Edge\is-6GA2P.tmp (1 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-8SVDJ.tmp (603 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-6E51A.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-482OA.tmp\_isetup\_RegDLL.tmp (4 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-GOMKQ.tmp (40 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Grab-a-Site\Grab-a-Site 5.lnk (1 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\grabsite.exe (49 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-99FQ1.tmp (673 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-M90HH.tmp (4545 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-EE0M9.tmp (2105 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-IGF3R.tmp (601 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\REGSVR32.EXE (32 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\unins000.msg (463 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: Blue Squirrel
Product Name: Grab-a-Site
Product Version: 5.1.0.0
Legal Copyright: Copyright (c) 2010 Blue Squirrel
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 5.1.0.0
File Description: Grab-a-Site Setup
Comments: This installation was built with Inno Setup.
Language: English (United States)

Company Name: Blue SquirrelProduct Name: Grab-a-Site Product Version: 5.1.0.0Legal Copyright: Copyright (c) 2010 Blue Squirrel Legal Trademarks: Original Filename: Internal Name: File Version: 5.1.0.0File Description: Grab-a-Site Setup Comments: This installation was built with Inno Setup.Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
CODE	4096	37504	37888	4.53167	5d87ded351b0b41961d927fb546efca7
DATA	45056	588	1024	1.89606	e8b4b57d70dce84e92f20fc39f4aa0ce
BSS	49152	3668	0	0	d41d8cd98f00b204e9800998ecf8427e
.idata	53248	2384	2560	3.07115	bb5485bf968b970e5ea81292af2acdba
.tls	57344	8	0	0	d41d8cd98f00b204e9800998ecf8427e
.rdata	61440	24	512	0.14174	9ba824905bf9c7922b6fc87a38b74366
.reloc	65536	2224	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	69632	11264	11264	3.10504	800e1f2bb4575d7fa0346bb489692bca

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 2
3a3c56d67684a559adf7d98a549bc424
459db64ac881b403827643aba31a6bc6

Network Activity

URLs

URL	IP
hxxp://a1363.g.akamai.net/pki/crl/products/microsoftrootcert.crl
hxxp://a1363.g.akamai.net/pki/crl/products/WinPCA.crl
hxxp://a1363.g.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d5a231e1604969a1
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?2ccd8f4b9a46853c
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=
hxxp://e6845.ce.akamaiedge.net/pca3.crl
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY=
hxxp://a1363.g.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=	23.43.139.27
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl	87.245.202.16
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?2ccd8f4b9a46853c	87.245.202.24
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=	23.43.139.27
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d5a231e1604969a1	87.245.202.24
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl	87.245.202.16
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY=	23.43.139.27
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl	87.245.202.16
hxxp://crl.verisign.com/pca3.crl	23.43.133.163
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl	87.245.202.16
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=	23.43.139.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk=	23.43.139.27

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /pca3.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.verisign.com

HTTP/1.1 200 OK

Server: Apache

ETag: "8f6b3bcd9bb64555001fba64f5b01b92:1411517716"

Last-Modified: Wed, 24 Sep 2014 00:15:16 GMT

Date: Tue, 16 Dec 2014 14:25:26 GMT

Content-Length: 933

Connection: keep-alive

Content-Type: application/pkix-crl

0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority..140922000000Z..141231235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.......fh...020923171400Z0!...?A....a.nF`.P....020923171548Z0!............R.e.53..010207212458Z0!..!......Y...ISi....010706171411Z0!..$-..I{r....u<._...080403172226Z0!..&.."?..y..51}..1..010706172118Z0!..4....2....{W......080605175030Z0!..B....c............070411175910Z0!..H.Py...N....* ....010207212031Z0!..N....-.1Gq.@...C..040401175251Z0!..Y......w`G........070411175657Z0!..Z`..H.@B....Z.*q..080403172017Z0!..l....I...Y..] .c..010706171749Z0"......T=deQ...1u.]...010207212247Z0".....p..1..7<.....e..010207211822Z0...*.H............M....s#..Lo...TU...tM.3...'.U......:Z...w.x.=....K.0;...!....D....9...,!....B.t. <..........-.....k.$<i{O.<.E...*.......Ow _..J.HTTP/1.1 200 OK..Server: Apache..ETag: "8f6b3bcd9bb64555001fba64f5b01b92:1411517716"..Last-Modified: Wed, 24 Sep 2014 00:15:16 GMT..Date: Tue, 16 Dec 2014 14:25:26 GMT..Content-Length: 933..Connection: keep-alive..Content-Type: application/pkix-crl..0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority..140922000000Z..141231235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.......fh...020923171400Z0!...?A....a.nF`.P....0209231715

<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?d5a231e1604969a1 HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Wed, 12 Mar 2014 20:20:10 GMT

If-None-Match: "0b96c77303ecf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com

HTTP/1.1 200 OK

Cache-Control: max-age=604800

Content-Type: application/octet-stream

Last-Modified: Fri, 12 Sep 2014 18:47:05 GMT

Accept-Ranges: bytes

ETag: "805a83f2b9cecf1:0"

Server: Microsoft-IIS/8.5

X-Powered-By: ASP.NET

X-Powered-By: ARR/2.5

X-Powered-By: ASP.NET

Content-Length: 56928

Date: Tue, 16 Dec 2014 14:25:10 GMT

Connection: keep-alive

MSCF....`.......,...................I.................,E.Y .authroot.stl..Y-..8..CK...<T...g.v!M.d..f.%d..}K..5..F. ...T..%.,YJ.,!T......_..x.<=O.....yy....;3..>.|..~..\.....|......;..8..~.za...."A...q.......g..m......<X........j"I........!..-w.....w....P...H..(.?}..2.N. .u..a. ...=.C..D.F>rC.. ..|).=.. ..3b.8H.M...(...u8.%...W.g...\YB.m:.....dE.........V....$....Dn:....0...S."...o..q.....K...I..K...(x%....>A.R...`.0 .........<`L0mp...%....y.....g.n...R0Op..<..,....`0$z.@..&.x"....T..H...<........~..E..".....<<.\B(.....................@.....L.........KNAy8/"...f.......k..Jm7j....R.5q....Rz..!@...].......Y.[........4.. .D8..&...t.J^O..Q.._..1.J.m5<'k.,....%T....i.\.;.;q..S./ 8.?Bu.............}D.Q....L....*..[.."e......15m..._.0.M........#..v!..<...@..?sc.y....*.....tX[........{.W4.Q...^u@..*..QP.......~.L9N....2r...4.....B..-\(...b.d...K...O.8..Un.......V.<.......A...V.....(..s..f..q.{N0.hS.,..;M.|G|.@.M.._.....7._6...C.0...A;L....%...M=Y.....f.JV.(.5.....0..?*...KZ....jM...8.6U...#...ew.?..?...........WE.Or..O>..{.'W2.........3m.O.u..Z8....H4@.w}.o:?~....]<!...%....}@.d...L.p.a.g ..K."..N1!%..S.bT.H.-.....e..`.0$...0t..DX..{.....#./...8.5..M...T.......D......V\C.zy.....3E:..>.{..).QW......q....9..n..1....8%,.........r.p@.>. ...Q.?.p..7.?..7...&..!.........`. .=....Sf..q.l.A.....L...t.}g..;...f....=.e.~.z....C..*R....H-..=...f..(t'.."....F...g._....n.J..U.4vr`}.....1..o@.....@.#...R. L8....z..].|......3..y..-./....K..6{...s.<R`.}6....?.......-..@.g..S....

<<< skipped >>>

GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Thu, 13 Nov 2014 06:02:42 GMT

Accept-Ranges: bytes

ETag: "88cab6f7ffcf1:0"

Server: Microsoft-IIS/8.5

VTag: 791936916300000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 554

Cache-Control: max-age=900

Date: Tue, 16 Dec 2014 14:25:47 GMT

Connection: keep-alive

0..&0......0...*.H........0y1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Signing PCA..141112173206Z..150211055206Z.a0_0...U.#..0..........X..7.3...L...0... .....7.........0...U......W0... .....7......150210174206Z0...*.H................].`...D..9.>LO.ey...Qx%.^.P.& ...D.......b}.K..[.....5.m....).....H..6R....G/ju.........:..A.#.9!......D5...|".w.x..=.u..X6.7{..).XN....g......B.8.!&...........<7fS$..........t<X)%.b(0.L@..i..Kn.......fX... ,...K\....U1cp).........y.T..?rm.t..Y.}.E..-@...

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1453

content-transfer-encoding: binary

Cache-Control: max-age=380474, public, no-transform, must-revalidate

Last-Modified: Sun, 14 Dec 2014 00:03:56 GMT

Expires: Sun, 21 Dec 2014 00:03:56 GMT

Date: Tue, 16 Dec 2014 14:25:16 GMT

Connection: keep-alive

0..........0..... .....0......0...0......T3t.%..O.E..~..F.=....20141214000356Z0s0q0I0... ........H.dI.....3..^B...d6Q....ZL%."..1.m..._)..a..eR&.....Y.)..".\....20141214000356Z....20141221000356Z0...*.H................t.(:....I.m....0..C...1...5.....3.E._.'=.B...T0...&KN9..[.....'......F....>..o"9T...Jn......]..K....`$_......Rb....K*...ln......F.>/..^.V...]..]..a..2..QO .Jw>....4.Q6..;..S...%4......h.v%...VM......}...on.=,...6..._..\p@4..<R...Pm..XkK..f7U.-...a....2B....0...0...0..3......./...b.v..-....l}0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority0...141202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G1 OCSP Responder Certificate 30.."0...*.H.............0..........'......Y..x.3B1.7..Q..`..d.. ....s..t.$a.....j2R.{ ,*..c{.3.....H..3-; ).....0._...*..9M..V...... ...{m...-.......)..tR..{D....~...M...T..pS.p..^|o....S..v.).).....r.v.qo$......C.V!....@.h#qh...u1T.].G0.]E...=._...... ........TE...Sa.s4........r...3.............0..0...U....0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U........0... .....0......0!..U....0...0.1.0...U....TGV-B-2730...*.H.............$..H......oU....Y!.z{*.V.M..u.._z..3>.. 0....3..m.....e.......a..D...........e..F6:.y.....di.......<y.Z.......x}..q.2....UZ1 :,....

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=357331, public, no-transform, must-revalidate

Last-Modified: Sat, 13 Dec 2014 17:38:38 GMT

Expires: Sat, 20 Dec 2014 17:38:38 GMT

Date: Tue, 16 Dec 2014 14:25:21 GMT

Connection: keep-alive

0..........0..... .....0......0...0........6?s....V....OlL".O..20141213173838Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5........M.s.Q~...@?j.......20141213173838Z....20141220173838Z0...*.H................;....f...2H.:.v...h.n...1..N4.1..PppH[vj(....I..T.`..!.G..>F.....OK..I.......U4.......qF3qe..'VB.n...X..#..."j:.?......... ..6{e._........l..|.....6...H.4z.Mw6....\.!..B..^A..e....;Gm.BqF.1...Y....L.A...0.T...Tb...n.uC..3.$....^{..@j.Q.v...i...........>...#0...0...0..........<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.........{(..t....2.Vf.....&;6).i*FK....W@....F....jnb.w._p.E.6.|.mk....(..........p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.'.$..JA..~QG.d.}...r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h<.l....(n..i.....E.....2....^./Y......Y.m...'...hz..y..E..........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-24710...*.H

<<< skipped >>>

GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1

Cache-Control: max-age = 812

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Thu, 23 Oct 2014 05:05:32 GMT

If-None-Match: "a2f3ff97eeecf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 304 Not Modified

Content-Type: application/pkix-crl

Last-Modified: Thu, 23 Oct 2014 05:05:32 GMT

ETag: "a2f3ff97eeecf1:0"

Cache-Control: max-age=900

Date: Tue, 16 Dec 2014 14:24:55 GMT

Connection: keep-alive

HTTP/1.1 304 Not Modified..Content-Type: application/pkix-crl..Last-Modified: Thu, 23 Oct 2014 05:05:32 GMT..ETag: "a2f3ff97eeecf1:0"..Cache-Control: max-age=900..Date: Tue, 16 Dec 2014 14:24:55 GMT..Connection: keep-alive......

GET /pki/crl/products/WinPCA.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Mon, 06 Oct 2014 05:06:02 GMT

If-None-Match: "3e1c83923e1cf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 304 Not Modified

Content-Type: application/pkix-crl

Last-Modified: Mon, 06 Oct 2014 05:06:02 GMT

ETag: "3e1c83923e1cf1:0"

Cache-Control: max-age=900

Date: Tue, 16 Dec 2014 14:25:00 GMT

Connection: keep-alive

HTTP/1.1 304 Not Modified..Content-Type: application/pkix-crl..Last-Modified: Mon, 06 Oct 2014 05:06:02 GMT..ETag: "3e1c83923e1cf1:0"..Cache-Control: max-age=900..Date: Tue, 16 Dec 2014 14:25:00 GMT..Connection: keep-alive......

GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Sat, 04 Oct 2014 05:06:12 GMT

If-None-Match: "58cddbea90dfcf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 304 Not Modified

Content-Type: application/pkix-crl

Last-Modified: Sat, 04 Oct 2014 05:06:12 GMT

ETag: "58cddbea90dfcf1:0"

Cache-Control: max-age=900

Date: Tue, 16 Dec 2014 14:25:05 GMT

Connection: keep-alive

HTTP/1.1 304 Not Modified..Content-Type: application/pkix-crl..Last-Modified: Sat, 04 Oct 2014 05:06:12 GMT..ETag: "58cddbea90dfcf1:0"..Cache-Control: max-age=900..Date: Tue, 16 Dec 2014 14:25:05 GMT..Connection: keep-alive..

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?2ccd8f4b9a46853c HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Wed, 12 Mar 2014 20:20:10 GMT

If-None-Match: "0b96c77303ecf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com

HTTP/1.1 200 OK

Cache-Control: max-age=604800

Content-Type: application/octet-stream

Last-Modified: Fri, 12 Sep 2014 18:47:05 GMT

Accept-Ranges: bytes

ETag: "805a83f2b9cecf1:0"

Server: Microsoft-IIS/8.5

X-Powered-By: ASP.NET

X-Powered-By: ARR/2.5

X-Powered-By: ASP.NET

Content-Length: 56928

Date: Tue, 16 Dec 2014 14:25:11 GMT

Connection: keep-alive

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=357371, public, no-transform, must-revalidate

Last-Modified: Sat, 13 Dec 2014 17:38:40 GMT

Expires: Sat, 20 Dec 2014 17:38:40 GMT

Date: Tue, 16 Dec 2014 14:25:39 GMT

Connection: keep-alive

0..........0..... .....0......0...0........6?s....V....OlL".O..20141213173840Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5.......l$.%t...............20141213173840Z....20141220173840Z0...*.H.............!..d..........w [7*A.u.&....n.k...Z.@c..5....;5..D....W1.....d....oj....c....R...&....6[._.?..../...(h.......&.C............kL$....|.h$.A.MJ....=%....7.....b....Z.g.W.2.6.t...".....4.4......Y.....,.'=m..#).E_..}.E.L`. ...O....Ruc1:..=.,.$.Sk.is...'K.....PI...#0...0...0..........<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at https://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.........{(..t....2.Vf.....&;6).i*FK....W@....F....jnb.w._p.E.6.|.mk....(..........p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.'.$..JA..~QG.d.}...r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h<.l....(n..i.....E.....2....^./Y......Y.m...'...hz..y..E..........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-24710...*.H......

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1697

content-transfer-encoding: binary

Cache-Control: max-age=484303, public, no-transform, must-revalidate

Last-Modified: Mon, 15 Dec 2014 04:54:07 GMT

Expires: Mon, 22 Dec 2014 04:54:07 GMT

Date: Tue, 16 Dec 2014 14:25:32 GMT

Connection: keep-alive

0..........0..... .....0......0...0...A0?1=0;..U...4VeriSign Class 3 Code Signing 2004 CA OCSP Responder..20141215045407Z0s0q0I0... ........?.@..w.........Y.!......Q...==d6|h.[x....7..`..........cV.!.....20141215045407Z....20141222045407Z0...*.H.............O.1.P*........i..]w.. ..P.Z.....4....t#..LzE8>.4".....:..t9..eUg.U....1..J\=.'...I....?,.mr. |4<I..!..........Vd...m. ......H[x.1H./........f).........}....W8..bv?.CHZ2.hK..wx..ia....z@.f-o8.l....)>..Z..`$.p9.E..p...y..;4.n^.o.........Q....p..3.,..Lz>...3.....0...0...0..{.........[..I|.....Zm..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)041.0,..U...%VeriSign Class 3 Code Signing 2004 CA0...140428000000Z..150729235959Z0?1=0;..U...4VeriSign Class 3 Code Signing 2004 CA OCSP Responder0.."0...*.H.............0.........Y....h..@..>.....%.-.....O...' y.........x..Gw.xF.....?..Z..u,.X.&..........3C..H.l.....f..;]s!.\"v...|....].@.....K7m2...N......-S.I......5n...G7. ..W....n..*..-f?EY.......UN...r...........-_.%..,P;b.....)(.P.4...,.%....<..6.....[r^X.EV..S...5#'Y.. .TD...........0...0...U.......0.0...U.%..0... .......0...U...........0... .....0......0f..U. ._0]0[..`.H...E....0L0#.. .........hXXps://d.symcb.com/cps0%.. .......0...hXXps://d.symcb.com/rpa0!..U....0...0.1.0...U....TGV-B-1080...U......"...?....`>q..i1o...0...U.#..0.....Q...==d6|h.[x....70...*.H.............B8@.$..wo......E.....P52"b*@'C\.y.(...n....h.f..7f.....v...pb<...]..|..

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=503590, public, no-transform, must-revalidate

Last-Modified: Mon, 15 Dec 2014 10:19:02 GMT

Expires: Mon, 22 Dec 2014 10:19:02 GMT

Date: Tue, 16 Dec 2014 14:25:53 GMT

Connection: keep-alive

0..........0..... .....0......0...0........6?s....V....OlL".O..20141215101902Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5.......A..2.....:...:......20141215101902Z....20141222101902Z0...*.H.............A.?v....x...R..IV..........9.%...OQ.&lm..L81!.l4......v,.....:e.......m.2\$K.I.GS..E95.J.G;...T...lj.....f.=.5!$..cM..0'....F.k.n.$.6s...V.<.xbrT....).nC...`Q.m18d.....V...?9O..X.$...bZ...[.....%z^.....'...l..e....b.(q..CH. .........T.M.d.:...@4.Sk.d!..-,....#0...0...0..........<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.........{(..t....2.Vf.....&;6).i*FK....W@....F....jnb.w._p.E.6.|.mk....(..........p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.'.$..JA..~QG.d.}...r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h<.l....(n..i.....E.....2....^./Y......Y.m...'...hz..y..E..........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-24710...*.H...

<<< skipped >>>

Map

The Worm connects to the servers at the folowing location(s):

Strings from Dumps

grabsite.exe_1040:

.text

`.rdata

@.data

.rsrc

t.HuY

.tTPV

FTPjK

FtPj;

F.PjRWj

u.WWj

u.VVj

u$SShe

@u.Wj

proxy.htm

reset.htm

index.html

index.txt

\/:*?"|=&

/:*?"|=&

broken.gif

broken.jpg

hXXp://

hXXps://

PTF://

hhctrl.ocx

CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

GDI32.DLL

CNotSupportedException

{X-X-X-XX-XXXXXX}

%*.*f

windows

MSWHEEL_ROLLMSG

File%d

CMDIFrameWnd

MSH_SCROLL_LINES_MSG

ddeexec

%s\ShellNew

%s\DefaultIcon

%s\shell\printto\%s

%s\shell\print\%s

%s\shell\open\%s

ole32.dll

__MSVCRT_HEAP_SELECT

portuguese-brazilian

user32.dll

VERSION.dll

GetCPInfo

KERNEL32.dll

GetKeyNameTextA

MapVirtualKeyA

UnhookWindowsHookEx

SetWindowsHookExA

GetKeyState

CreateDialogIndirectParamA

GetAsyncKeyState

USER32.dll

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GDI32.dll

comdlg32.dll

WINSPOOL.DRV

RegCloseKey

RegOpenKeyA

RegOpenKeyExA

RegDeleteKeyA

RegEnumKeyA

RegCreateKeyExA

RegCreateKeyA

ADVAPI32.dll

ShellExecuteA

SHELL32.dll

COMCTL32.dll

oledlg.dll

OLEAUT32.dll

c:\snapshot.wwp

snapshot.wwp

notepad.exe

Export

{C6266CF2-244C-45B8-A37A-DBEE76EE58B2}

{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}

WebWhacker For Palm Snapshot

snapshot.htm

URL Protocol

URL: WebWhacker For Palm Protocol

iexplore.exe

.PAVCOleException@@

Ftp_ProxyPort

FTP_Proxy

Http_ProxyPort

HTTP_Proxy

Software\Microsoft\Windows\CurrentVersion\Internet Settings

http:=

http=

;http=

user_pref("network.proxy.http",

user_pref("network.proxy.http_port",

user_pref("network.proxy.type",

user_pref("network.proxy.ftp_port",

user_pref("network.proxy.ftp",

prefs.js

.PAVCFileException@@

user_pref("network.proxy.type", 1);

.html

mozilla.exe

netscape.exe

grabsite.ini

foot.htm

head.htm

contents.htm

index.htm

export.htm

B~.INI

SetUpdateNamePassword

SetPurchaseMsgUpdate

SetPurchaseMsg

SetNewLicenseKeyFlag

SetLicenseKey32

SetClientToServerMsg

GetPurchaseMsgUpdate

GetPurchaseMsg

GetNewLicenseKeyFlag

GetLicenseKey32

%s%siu.exe

IX.dll

Application requires Microsoft Windows 32-bit extensions.

Attempt was made to load a compressed executable file. The file must be decompressed before it can be loaded.

Attempt was made to load a second instance of an executable file containing multiple data segments that were not marked read-only.

Attempt was made to load a real-mode application(developed for an earlier version of Windows)

Type of executable file was unknown

The program is designed for another operating system

Invalid executable, corrupt executable or non-Windows executable

Incorrect version of Windows

Path was not found - %s

File not found - %s

Unable to run %s

System out of memory or executable is corrupt

C:\Programming\PROJECTS\web2pqa\LeftView.cpp

IDispatch error #%d

d:d:d

grabasite.log

C:\Programming\PROJECTS\web2pqa\MainFrm.cpp

edge.htm

Need a URL to grab.

instaide.dll

%s\x

software\microsoft\windows nt\currentversion\perflib

KERNEL32.DLL

webwhacker

*.bat

CUrlSheet

C:\Programming\PROJECTS\web2pqa\UrlSheet.cpp

%sx%s

URLWiz

C:\Programming\PROJECTS\web2pqa\URLWiz.cpp

URLWizConfig

URLWizFilter

URLWizSched

URLWizSelect

hXXp://VVV.

http-equiv="refresh"

hXXp://VVV.bluesquirrel.com/cart/cart.asp?P=GAS&k=2

\Buy Grab-a-Site.url

hXXp://VVV.bluesquirrel.com/cart/cart.asp?P=GAS&k=1

\~backup\ix.dll

grabasite.bluesquirrel.com

\iundo.exe "Grab-a-Site"

%i %d %t

%dReplace

%dSearch

RunCmd

%b Ãœontents.htm

command.com /c

(801)352-1551

ix.dll

https:

http:

C:\Programming\PROJECTS\web2pqa\Web2PQA.cpp

CWeb2PQADoc

gsurl.dbf

C:\Programming\PROJECTS\web2pqa\Web2PQADoc.cpp

Advise failed: %x

Advise failed(dialog): %x

Exporting...

pGrabber.CreateInstance FAILED

WebGrabber.Grabber

webgrabber.dll

regsvr32.exe

OPEN=autorun.exe

autorun.inf

autorun.exe

*.htm*

CWeb2PQAView

WWW_OpenURL

WWW_OpenURLResult

An invalid transaction identifier was passed to a DDEML function. Once the application has returned from an XTYP_XACT_COMPLETE callback, the transaction identifier for that callback function is no longer valid.

A parameter failed to be validated by the DDEML. Some of the possible causes follow: The application used a data handle initialized with a different item name handle than was required by the transaction.The application used a data handle that was initialized with a different clipboard data format than was required by the transaction.The application used a client-side conversation handle with a server-side function or vice versa.The application used a freed data handle or string handle.More than one instance of the application used the same object.

A request for a synchronous execute transaction has timed out.

An application initialized as APPCLASS_MONITOR hasattempted to perform a dynamic data exchange (DDE) transaction, or an application initialized as APPCMD_CLIENTONLY has attempted to perform server transactions.

A DDEML function was called without first callingthe DdeInitialize function, or an invalid instanceidentifier was passed to a DDEML function.

Web DDE Error

yyFlexLexer::yylex invoked but %option yyclass used

Warning: This program requires comctl32.dll version 4.71 or greater.

comctl32.dll

&%d %s

%s-SCBar-%d

.?AVCCmdTarget@@

.PAVCException@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCUserException@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCResourceException@@

.PAVCMemoryException@@

.PAVCNotSupportedException@@

.?AVCNotSupportedException@@

.?AVCStatusCmdUI@@

.?AVCToolCmdUI@@

.?AVCMDIFrameWnd@@

.PAVCArchiveException@@

zcÃ

%Program Files% (x86)\Grab-a-Site 5.1\grabsite.exe

{4AFE05E6-595E-42A6-907D-CF3B1AE98720} = s 'Web2Palm'

'Web2Palm.EXE'

val AppID = s {4AFE05E6-595E-42A6-907D-CF3B1AE98720}

Web2Palm.Palmer.1 = s 'Web2Palm Class'

CLSID = s '{4D1E5FE6-C4B7-42F3-B359-01A110C236BD}'

Web2Palm.Palmer = s 'Web2Palm Class'

CurVer = s 'Web2Palm.Palmer.1'

ForceRemove {4D1E5FE6-C4B7-42F3-B359-01A110C236BD} = s 'Web2Palm Class'

ProgID = s 'Web2Palm.Palmer.1'

VersionIndependentProgID = s 'Web2Palm.Palmer'

val AppID = s '{4AFE05E6-595E-42A6-907D-CF3B1AE98720}'

'TypeLib' = s '{B0149167-787A-4178-BCC7-3CDA49DFC29B}'

stdole2.tlbWWW

Web2PalmLibW

AddURLWW

urlW

Web2Palm 1.0 Type LibraryW

Web2Palm Class

method AddURLW

333333333

;;

_[__[_[[_[[[[

[_[__[[[[_[

;

??=??@?@?@@@@

[____[_[_[[_[[

))))(()))

[[_[_[[_

____[_[_

688869899

882()))).

)&&&&&&&&&&&&&&&&%X

&&&&%&%&

>>?>??

'&&&&&&&&&&%&&&&%X

/0/02009

/00/20209

))))()))

/0/0///0/2/

;;;>>>

0/202/0:

8868869\

:::;;;:;;;;

223222232355353

:::;:;:;:;;;;>>;>

@??@?@@@@

0/00/02202222

;>;

"[_[__[[_[

;>;>

8588868

__[[__[_[[

????=?=@?@@@@

)%)))()())

/000//2/2

--0-0/-/0//02//2

--.k.kk-k

-)--.----

222225232355535

::;:;::;:;;;;

::;:;:;;;:;;

;

-.j--.-.kk-

>;>>

;;>;>

-..---0.

//0202022

;>;>

6868868996999

-.-k.kk

::::;:;;;;:

;;>;>>

:9::::;::;:;;;;

:9::::;:;;:;;;

00/0/02000

22222255235333

)()())))

????@?@@?@@

//00/0/0220022

222223225233533

-00-00/00

//0/2/222/222322525533535

6888698

=?=@@@@?@@

;;;>>;

2222523233553353338

/002202/2

??@?=?@?@@@

--..kk-0

::::;;:;:;;;;

>;;

22222325522355333

?=?=@@?@@@@

/0/00/02/2/2

2222223232533558338

888888889

=??@?@@?@@@@

00//0//202/

["[_[_[[[

00/0/20222

?=??=@@?@@@

[__[[_[[[

____[__[_

__[["[_[[[

/00/0//2

))()()))

"____[_[[

//2022/222322323355533

[[[[_[_[

=??@@?@@@@

&%&&%%&&&%

88888898

022222252525332553

/02202223223553555

-.jk.-kk-

0-/-/0/0/00/22/22

:::;:;;:;;;;

--.---0-

;;;>;>

22222523552335355

38688886889

.kk-k/

88888888

[_"[[_[[[

9999:9::::;::;;;;:

[___["[[[

00/0220//222

6888888

[[_[_[[[_[[

[_[[_[[[

_"["__[__[[[[_[[

[[_["[[_[[[

222223253555

8688866

523555353

;;;>

9999999

>====|=|?=>

??@?@@?@@@@

::::;:;;;;

_[[[\\\__

;;>

_"[[\[[\\

:::;:;;;:;;;

>>?

__["[_[[_[\

____["[[_

["[[[_[_[

_[[[_[[[

[["[_[[[

[__[[[_[[[

___[[_[_[[[

"["[__[__[_[[[[

___[_[[_[[[[

[__[_[_[__

__[_[_[[[_

___[[_[[[

2.%&&'&'&&'&&'&&&&&.vc!Z

!b*&&&%&&&&&&&&&%&&'&.cg

'&&&&&&&&&&&&2)'&&&&&&'&&%&&&&&''.wW

v'&&&&&&&&&&&&&&&&&&&%&&&&&&&&&&&&&&%&%X

v&&&&&&&%&'&&&&'&&.jh&&&&&&&&&&&&&&&&'P

c&%&&&&&&&&&&&&&%X

&&&&'&&&&'&&&&'3

d'&&&&&&&&&&%&&&%X

/'&'&'&''&'&''''2

''&&&'&'&&&''&&&'&'>

[____[_[_[__[____[[_[

0'''&'&'&''&'&''5

;52-))%)%

TU.WRX

1114445

InternetExplorer.Application

&Import URL(s)...

&Export Content...

&URL Properties

Url Menu

URL Properties

Grab URL

Refresh URL

Skip URL

Delete URL

Export URL Tree

Export URL Page

New Url

Large Icon (.BMP):

Small Icon (.BMP):

Please enter the name and location of you're WCA Builder (WCABuild.EXE):

Palm's Web Clipping Application (Palm Query Application) Builder is requirred to build PQA files.

(.GIF, .JPG, .HTM, .HTML)

&Skip this URL

&Url:

(Example: zip,exe,pdf)

URL Wizard (step 1 of 4)

&URL to Add:

URL Wizard (step 2 of 4)

Select the number of levels of this web site you wish to download

Select the types of files that you do not want to download from this web site

URL Wizard (4 of 4)

WebWhacker For Palm

Enter a user name and password if required by this site:

&Password:

Port:

Note: Palm's Web Clipping Application Builder is used to create PQA (Palm Query Application) files.

Web Browser Emulation

Browse Web Pages With:

Shell (command.com /c)

Autorun.inf

URL Wizard (step 3 of 4)

Full URL (hXXp://...)

Enter filename from the edge directory or a fully qualified URL.

VIP Key Error

Error GS0345 - The VIP key you used has been invalidated. Click OK to purchase a new key.

jWebWhacker For Palm

WebWhacker For Palm Files (*.wwp)

WWPalm.Document

WWPalm DocumentXWeb2Help

Web2He

Web2Help Files (*.w2h)

Web2Help.Document

Web2Help DocumentdGrab-a-Site

Grab-a-Site Files (*.gas)

Grab-a-Site.Document

WebWhacker For Palm Options

Browse&WebWhacker For Palm Project Properties

%1LFinished downloading web site(s).

Would you like to build the PQA file now?OThe URL you entered is not valid. The format is:

hXXp:///dir/page.html

Microsoft Web Proxy Server

Wingate SOCKS Proxy Server,Document size filter must be greater that 0.#Levels must be set to 1 or greater.PLevels must be left blank or set to 1 or greater to override

inherited behavior.4Would you like to begin downloading web site(s) now?

WCABuild.exe

Please enter a positive integerLFinished downloading web site(s).

Would you like to build the HLP file now?1There has been an error createding the help file.qThe PQA needs to be rebuilt in order for property changes to

take effect. Would you like to rebuild the PQA now?4hXXp://VVV.palmos.com/dev/tech/tools/wca_builder.zip

hXXp://VVV.bluesquirrel.com/

http:\VVV.palm.comVYou must first enter the URL of at least one

web site that you would like to download.

Import Are you sure you want to delete this URL?

Unable to open file for Import.

GIF Files (*.gif)

*.gif

JPG Files (*.jpg)

*.jpg

HTML Files (*.htm;*.html)

*.htm;*.html

Executable (*.exe)

*.exe

PQA Files (*.pqa)

*.pqa

Bitmap Files (*.bmp)

*.bmp

*.txt

Text Files (*.txt)

The required component IX.DLL was unable to load.

It is recommended that you reinstall Grab-a-Site.ySorry, Grab-a-Site is unable to continue due to authentication

problem. Please call technical support at 1-801-352-1551. You have the latest version of Grab-a-Site.

Unable to launch IUNDO.EXE:hXXp://VVV.bluesquirrel.com/scripts/orderpage.asp?skey=GAS

You can purchase Grab-a-Site at hXXp://VVV.bluesquirrel.com/scripts/orderform.asp?skey=GAS or call at 1-800-403-0925 or 801-352-1551.ChXXp://VVV.bluesquirrel.com/scripts/upgradepage.asp?skey=GASUPGRADE

#Your evaluation period has expired.WWe thank you for evaluating this product and look forward to serving you in the future.

1-801-352-1551 Sales:1-800-403-0925>E-mail: info@bluesquirrel.com

WWW: hXXp://VVV.bluesquirrel.com

The required component IU.EXE was not found.

Printed

How did you find out about WebWhacker For Palm?

WebWhacker For Palm Order Form

: $49.95**

Grab-a-Site V.I.P. Key Form

WebWhacker For Palm VIP Key Form

V.I.P. Key

Insert a new URL

'Begin Grabbing Web Site(s)

Properties"Edit URL Properties

URL Properties:Open local version of URL in your Browser

Browse Local URL>Open the PQA version of this URL in you Browser

Browse PQA URL

.Check for an online update to this application1Revert back to the version before the last update#Invoke the InstantX Settings dialog"Don't include this URL in the PQA.

,Begin Refreshing Web Site(s)

Refresh Site(s)

Browse Remote URL

Delete Selected URL

Delete4Visit the Blue Squirrel Web Site

*Begin Grabbing Selected Web Site

Grab Site/Begin Refreshing Selected Web Site

View ContentsMImport URL(s) from a Text or HTML file into the current project

Import URL(s)%Export grabbed content

Export Content

Replace%Select the entire document

All Files (*.*)

No error message is available.'An unsupported operation was attempted.$A required resource was unavailable.

Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.

Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else..An unexpected error occurred while reading %1..An unexpected error occurred while writing %1.

#Unable to load mail system support.

Access to %1 was denied..An invalid file handle was associated with %1.

Seek failed on A hardware I/O error was reported while accessing %1.0A sharing violation occurred while accessing %1.0A locking violation occurred while accessing %1.

Disk full while accessing %1..An attempt was made to access %1 past its end.

No error occurred.-An unknown error occurred while accessing %1./An attempt was made to write to the reading %1..An attempt was made to access %1 past its end.0An attempt was made to read from the writing %1.

5.0.1.1

grabsite.exe

WORDPAD.EXE_1672:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

ntdll.DLL

KERNEL32.dll

GDI32.dll

USER32.dll

MFC42u.dll

msvcrt.dll

COMDLG32.dll

SHELL32.dll

ole32.dll

SHLWAPI.dll

COMCTL32.dll

OLEAUT32.dll

PROPSYS.dll

RPCRT4.dll

WINMM.dll

urlmon.dll

XmlLite.dll

VERSION.dll

Wordpad.exe

SSSh,

FtPW

1.1.4

application/vnd.oasis.opendocument.text

u%Sjo

PVSSh

COMDLG32.DLL

Invalid parameter passed to C runtime function.

oledlg.dll

gdiplus.dll

WININET.dll

GdiplusShutdown

InternetCanonicalizeUrlW

ntdll.dll

RegCloseKey

RegOpenKeyExW

RegQueryInfoKeyW

RegDeleteKeyW

RegCreateKeyExW

RegEnumKeyExW

GetProcessHeap

GetViewportOrgEx

GetKeyboardLayout

EnumWindows

GetKeyState

UnhookWindowsHookEx

SetWindowsHookExW

__crtLCMapStringW

__crtGetStringTypeW

_amsg_exit

_wcmdln

ShellExecuteExW

ShellExecuteW

wordpad.pdb

.PAVCException@@

.PAVCFileException@@

.?AVCCmdTarget@@

.?AVCDummyCmdUI@@

.?AVCCmdUI@@

.?AVCUnsupportedElement@@

.?AVUnsupportedSaveFormatDialog@@

.?AVXCmdGalSiteCommandHandler@CCommandGalSite@@

name="Microsoft.Windows.Shell.wordpad"

version="5.1.0.0"

Windows Shell

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

true

;:::999966

-d}y[s

!$$$%'*,112

...3.433345

...33335555

54445555555

45555555555

$555-5555&

4 HuJ.gI

=7.pp9

52511515111111115

)))')')')

.Ess3

/1/1/1//1///

2222222222

22222222220000000

2222222222000000

22222220002

2222002

22222222222222222

22222202

2222222

22222222222

(''''&%%

''%%%'%'%

@.lF!=^

.pppF

/888 888

>888)888

9888#888

888Ë†8/

888!888)8881

888 888$888)88808884

3888(888

7888&888

888 888(8881

888#888(888/8883

>888;88878887888:

2229222

2220222

888 888Ë†8 8881

%Mgr.RhY4RfE5Qd:5w

y'MfR Og>-Qh".Sj

Kha"OjR(RkB.Sj42Sh04Re15Re!5Rf

Nkh$RnZ)VoH.Wn92Wn.5Vk'6Th 5Qe

poq.uuv

ppq.qpq

[[[%UUU

KEYW

1 1(14181]1

:,:0:8:<:>

9!9&9&:0:5:

8$81878=8

2&323>3\3

6o6x6

4"4(4.4\4

:(:.:4:_:

: :$:(:,:0:4:8:

3#3'3 3/3

11X1

1'282@2~2

3 3$3(3,30343

Microsoft\Windows\CurrentVersion\Applets

WORDPAD.HLP

w:tcPr

w:webSettings

w:webHidden

Software\Microsoft\Windows\CurrentVersion\Wordpad\COMChecks

MSFTEDIT.DLL

DOCX Element With Id: %d,ParentId: %d

Ignoring Error: Func %s Line %d: setting line rule to auto

\u%d?

.docx

#%;\:/|"?*

Ignoring Error: Func %s Line %d: unknown tab leader set to none, %ws

hXXp://VVV.w3.org/XML/1998/namespace

hXXp://schemas.microsoft.com/office/word/2006/wordml

hXXp://schemas.openxmlformats.org/wordprocessingml/2006/main

hXXp://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing

hXXp://schemas.openxmlformats.org/officeDocument/2006/math

hXXp://schemas.openxmlformats.org/markup-compatibility/2006

hXXp://schemas.openxmlformats.org/officeDocument/2006/relationships

hXXp://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink

application/vnd.openxmlformats-package.core-properties xml

application/vnd.openxmlformats-officedocument.wordprocessingml.webSettings xml

application/vnd.openxmlformats-officedocument.wordprocessingml.fontTable xml

application/vnd.openxmlformats-officedocument.theme xml

application/vnd.openxmlformats-officedocument.wordprocessingml.settings xml

application/vnd.openxmlformats-officedocument.extended-properties xml

text:url

text:report-type

text:use-keys-as-entries

text:protection-key

text:key2-phonetic

text:key2

text:key1-phonetic

text:key1

text:key

table:sql-statement

table:protection-key

table:password

table:parse-sql-statement

table:operator

table:execute

smil:keyTimes

smil:keySplines

draw:stroke-linejoin

hXXp://VVV.w3.org/2002/xforms

hXXp://VVV.w3.org/1998/Math/MathML

hXXp://VVV.w3.org/1999/xlink

hXXp://purl.org/dc/elements/1.1/

application/vnd.openxmlformats-officedocument.wordprocessingml.styles xml

/word/styles.xml

hXXp://schemas.openxmlformats.org/officeDocument/2006/relationships/styles

application/vnd.openxmlformats-officedocument.wordprocessingml.document.main xml

word/document.xml

hXXp://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument

application/vnd.openxmlformats-officedocument.wordprocessingml.numbering xml

/word/numbering.xml

numbering.xml

hXXp://schemas.openxmlformats.org/officeDocument/2006/relationships/numbering

OLEUI_MSG_HELP

text:sort-key

text:keywords

text:execute-macro

table:operation

table:database-source-sql

meta:keyword

form:password

config:config-item-map-indexed

Ignoring Error: Func %s Line %d: AppendWpadFormat failed for element:%ws

Ignoring Error: Func %s Line %d: Picture has size 0.Skipping Picture.

Ignoring Error: Func %s Line %d: OLE Object has size 0.Skipping OLE Object.

Ignoring Error: Func %s Line %d: Failed to Embed an OLE object

Ignoring Error: Func %s Line %d: skipping this oleobject

should have fSupported = %d.

Ignoring Error: Func %s Line %d: %ws

Ignoring hr=0X%0x for elem=%s attr=%s val=%s

Error: Func %s Line %d: Not a Cell Element inside the Table

Error: Func %s Line %d: Not a Row Element inside the Table

Error: Func %s Line %d: No. of cells > richedit maximum!

Ignoring Error: Func %s Line %d: %s

Error: Func %s Line %d: min cell width 1 twip for RE 4.1

Error: Func %s Line %d: insert in map failed, out of memory ?

Ignoring Error: Func %s Line %d: Ignoring error on start of elem

Error: Func %s Line %d: Out of memory for m_pParaFmtAlloc

Error: Func %s Line %d: Out of memory for m_pCharFmtAlloc

Error: Func %s Line %d: Out of memory for m_pRowWithMaskAlloc

Error: Func %s Line %d: Out of memory for m_pCellWithMaskAlloc

Ignoring Error: Func %s Line %d: table row has fewer cells than defined in grid

Error: Func %s Line %d: GetTempPath failed

Error: Func %s Line %d: GetTempFileName failed

Error: Func %s Line %d: Out of memory for temp file name

Ignoring Error: Func %s Line %d: Unable to insert style: %s

Ignoring Error: Func %s Line %d: Unable to insert default format

Ignoring Error: Func %s Line %d: mapping bar tab to left aligned tab

\StringFileInfo\xx\OriginalFilename

\sppsvc.exe

\slui.exe

\sppuinotify.dll

Ignoring Error: Func %s Line %d: Table is corrupt. Ignoring Table.

Error: Func %s Line %d: invalid value %ws

Ignoring Error: Func %s Line %d: AppendWpadFormat failed for table properties.

Ignoring Error: Func %s Line %d: AppendWpadFormat failed for style:%ws

/word/document.xml

Error: Func %s Line %d: %ws

hr=%d from xml lite for string %s

styles.xml

Error: Func %s Line %d: family outside Array!

Error: Func %s Line %d: Out of memory for pParaFmtAlloc

meta.xml

Error: Func %s Line %d: Insert object failed

Error: Func %s Line %d: Table Style given but not found

Error: Func %s Line %d: No name specified for this formatting element to be used

Error: Func %s Line %d: Invalid element

Error: Func %s Line %d: mask not set in parent

Error: Func %s Line %d: negative lenght not allowed

Error: Func %s Line %d: Out of memory

%0.6fin solid #xxx

>Tabled

TableColumndd

TableRowdd

TableCellddd

mshelp://windows/?id=7479c387-8dc4-40b6-9506-cc7a58c61f0a

xPTF.

https:

http:

Software\Microsoft\Windows\CurrentVersion\Applets\

A%s\%s

pct%d

pkgRId%d

docRId%d

width:%fpt;height:%fpt

rectole%s

hXXp://schemas.openxmlformats.org/officeDocument/2006/relationships/image

application/vnd.openxmlformats-officedocument.oleObject

hXXp://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject

%s%d%s

XXX

?hXXp://xml.org/sax/features/namespace-prefixes

Ignoring Error: Func %s Line %d: discarding hidden table

Ignoring Error: Func %s Line %d: %ws not list style

Ignoring Error: Func %s Line %d: failure:%ws

Ignoring Error: Func %s Line %d: list level not found:%ws

Ignoring Error: Func %s Line %d: style not found:%ws

Ignoring Error: Func %s Line %d: Skipped an element inside draw:frame

Ignoring Error: Func %s Line %d: discarding hidden draw frame

Ignoring Error: Func %s Line %d: Could not resolve style %ws

family %d name %s

Ignoring Error: Func %s Line %d: Could not resolve default style of family %ws

Error: Func %s Line %d: Row Style element given but not found

Error: Func %s Line %d: Truncating large count specified for text:s

Error: Func %s Line %d: No style for Table Found

Ignoring Error: Func %s Line %d: Resolve() failed

Error: Func %s Line %d: duplicate list level

Error: Func %s Line %d: list level too deep

Ignoring Error: Func %s Line %d: using default bullet char formatting

Ignoring Error: Func %s Line %d: too many tab stops, discarding one

Error: Func %s Line %d: level not specified

Error: Func %s Line %d: tabstop should be child of tabstops and grandchild of para properties

Ignoring Error: Func %s Line %d: tab stop alignment or leader was mapped

Ignoring Error: Func %s Line %d: unsupported or invalid char for tab type char

Ignoring Error: Func %s Line %d: No position for tab stop!

Error: Func %s Line %d: parent style not found: %ws

Ignoring Error: Func %s Line %d: Style not found:%ws

Error: Func %s Line %d: font scale/delta without parent char format/size

Error: Func %s Line %d: font scale/delta without parent style

Error: Func %s Line %d: No paraformat in parent style to resolve

Error: Func %s Line %d: No parent style found to resolve

Ignoring Error: Func %s Line %d: tab char is not one char!

Ignoring Error: Func %s Line %d: invalid line style: %ws

Ignoring Error: Func %s Line %d: invalid line type: %ws

Ignoring Error: Func %s Line %d: invalid line Width: %ws

Ignoring Error: Func %s Line %d: invalid tab position:%ws

Ignoring Error: Func %s Line %d: invalid tab type:%ws

Ignoring Error: Func %s Line %d: invalid or unsupported attribute: %ws

Error: Func %s Line %d: unknown attribute %s

Error: Func %s Line %d: invalid style family %s

Error: Func %s Line %d: unexpcted parent type

COdtAttributeParser::OdtPfFromMarginLeftParent

Error: Func %s Line %d: GetDC Failed

Error: Func %s Line %d: percentage not allowed: %ws

Error: Func %s Line %d: doing nothing for conditionally hidden text, will display by default

Ignoring Error: Func %s Line %d: Too long font name:%ws

Error: Func %s Line %d: need non-empty font family

Error: Func %s Line %d: unsupported or invalid text transform %ws

Error: Func %s Line %d: mapping double strikeout to single strikeout

Ignoring Error: Func %s Line %d: unknown writing mode %ws

Error: Func %s Line %d: %% font height unsupported for %ws

Error: Func %s Line %d: Mapping text-position %s to subscript

Error: Func %s Line %d: Mapping text-position %s to superscript

dODT Element With Id: %d,ParentId: %d

2 15 5 2 2 2 4 3 2 4

Error: Func %s Line %d: PFM_RTLPARA not set

Error: Func %s Line %d: PFM_SPACEAFTER not set

Error: Func %s Line %d: PFM_SPACEBEFORE not set

Error: Func %s Line %d: right indent not set

Error: Func %s Line %d: offset not set

Error: Func %s Line %d: start indent not set

Error: Func %s Line %d: alignment not set

Error: Func %s Line %d: line spacing not set

Error: Func %s Line %d: Unknown line spacing rule

Error: Func %s Line %d: CFM_STRIKEOUT not set

Error: Func %s Line %d: CFM_ITALIC not set

Error: Func %s Line %d: CFM_IMPRINT not set

Error: Func %s Line %d: both CFE_EMBOSS and CFE_IMPRINT are set, discarding imprint

Error: Func %s Line %d: CFM_EMBOSS not set

Error: Func %s Line %d: CFM_SHADOW not set

Error: Func %s Line %d: CFM_OUTLINE not set

Error: Func %s Line %d: CFM_HIDDEN not set

Error: Func %s Line %d: CFM_ALLCAPS not set

Error: Func %s Line %d: CFM_SMALLCAPS not set

Error: Func %s Line %d: text color not set

Error: Func %s Line %d: back color not set

#xxx

Error: Func %s Line %d: CFM_FACE not set

Error: Func %s Line %d: weight / bold not set

Error: Func %s Line %d: offset/subscript/superscript not set

Error: Func %s Line %d: conflict for subscript and superscript

Error: Func %s Line %d: CFM_SIZE not set

#%2x%2x%2x

Error: Func %s Line %d: PFM_NUMBERING not set

META-INF/manifest.xml

content.xml

OleObj%d

Error: Func %s Line %d: Numbering flag not set

Error: Func %s Line %d: table row end outside table!

windows

UIInitPropertyFromString(UIKEY_Title) failed

{mswrd8.wpc

write.wpc

mswrd6.wpc

Windows Wordpad Application

6.1.7601.17514 (win7sp1_rtm.101119-1850)

WORDPAD.EXE

Windows

Operating System

6.1.7601.17514

Microsoft-Windows-Wordpad/Diagnostic

Microsoft-Windows-Wordpad/Debug

Microsoft-Windows-Wordpad/Admin

Wordpad_LivePreviewExecute