HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Kazy.315121 (B) (Emsisoft), Gen:Variant.Kazy.315121 (AdAware), WormDorkbot.YR, GenericUDPFlooder.YR, GenericIRCBot.YR, GenericUSBInfector.YR, GenericDNSBlocker.YR, GenericAutorunWorm.YR, GenericSYNFlooder.YR, GenericInjector.YR, BankerGeneric.YR, GenericProxy.YR, GenericPhysicalDrive0.YR (Lavasoft MAS)Behaviour: Banker, Trojan, Flooder, Worm, WormAutorun, IRCBot, DNSBlocker, UDPFlooder, SYNFlooder, Trojan-Proxy, USBInfector
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 5899c530d9d05bcc73912382d7e807e2
SHA1: 92b4731a63b701d5f62438669dcd632188a54467
SHA256: 4b41e00b651588787f0b96ebcb831386bb68d840f00f5e3e1890c28ea74e808d
SSDeep: 1536:vN9sxWv6QFiwYlh1o0PSqbe3j7d0Yl/TyC9R6z8W3J7PVguiDaL/B2N4Yjq:vXsaFi3h1zaqi3uO/hQJ7P2HDg/zUq
Size: 122880 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: Enter
Created at: 2013-01-23 00:14:54
Analyzed on: WindowsXP SP3 32-bit
Summary: Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
IRCBot | A bot can communicate with command and control servers via IRC channel. |
DNSBlocker | A program can block designated DNS servers for making it difficult for users to locate specific domains or web sites on the Internet. |
UDPFlooder | This program can make a UDP flood. A UDP flood attack is a denial-of-service attack using the User Datagram Protocol (UDP). It can be initiated by sending a large number of UDP packets to random ports on a remote host. |
SYNFlooder | This program can make a SYN flood. It is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic. |
Trojan-Proxy | This program can launch a proxy server (SOCKS4) on a designated TCP port. |
USBInfector | A program can register a device notification with the help of RegisterDeviceNotification. So it is notified when a USB device is plugged and then the worm copies itself to the USB device plugged into the affected computer. |
Process activity
The Trojan creates the following process(es):No processes have been created.The Trojan injects its code into the following process(es):
%original file name%.exe:1096
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
No files have been created.
Registry activity
The process %original file name%.exe:1096 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 47 A5 F7 C8 DA 83 E6 FC 37 C2 B1 0F 53 9D 4C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.A program can register a device notification with the help of RegisterDeviceNotification. So it is notified when a USB device is plugged and then the worm copies itself to the USB device plugged into the affected computer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
- Delete the original Trojan file.
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 8192 | 8192 | 4.02909 | c3871408b268660de73f7dab539e8f15 |
.data | 12288 | 4096 | 4096 | 1.19145 | ef59fff83849597987875fbb69d3c83c |
.rsrc | 16384 | 98304 | 98304 | 4.5569 | 7581aa337452c0c3580ee4227fd0b2fe |
.reloc | 114688 | 4096 | 4096 | 0.792261 | 51e2792c340848ad5bca1f1de7656df1 |
.imports | 118784 | 4096 | 4096 | 1.64476 | 053a8cd3a7093f6bf8b00e7841db72eb |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
%original file name%.exe_1096:
.text
.text
.data
.data
.rsrc
.rsrc
@.reloc
@.reloc
B.imports
B.imports
GetProcessHeap
GetProcessHeap
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
SHELL32.dll
SHELL32.dll
ole32.dll
ole32.dll
SHLWAPI.dll
SHLWAPI.dll
/c "%%SystemRoot%%\explorer.exe %Ã%%%s & start %Ã%%%s & exit"
/c "%%SystemRoot%%\explorer.exe %Ã%%%s & start %Ã%%%s & exit"
/c "start %Ã%%%s & start %Ã%%%s & exit"
/c "start %Ã%%%s & start %Ã%%%s & exit"
%SystemRoot%\system32\cmd.exe
%SystemRoot%\system32\cmd.exe
%SystemRoot%\system32\SHELL32.dll
%SystemRoot%\system32\SHELL32.dll
%s\temp.bin
%s\temp.bin
%s\_[$]_TESTFILE_[$]_
%s\_[$]_TESTFILE_[$]_
%s\%s
%s\%s
%s\%s.lnk
%s\%s.lnk
kernel32.dll
kernel32.dll
ntdll.dll
ntdll.dll
user32.dll
user32.dll
advapi32.dll
advapi32.dll
shell32.dll
shell32.dll
urlmon.dll
urlmon.dll
wininet.dll
wininet.dll
gdi32.dll
gdi32.dll
rpcrt4.dll
rpcrt4.dll
netapi32.dll
netapi32.dll
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
=MSG t
=MSG t
>MSG u`
>MSG u`
=PASS
=PASS
8httpu1
8httpu1
8httpuM
8httpuM
tlSSSSSSSSSShL0A
tlSSSSSSSSSShL0A
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
ngr->blocksize: %d
ngr->blocksize: %d
block_size: %d
block_size: %d
\\.\pipe\%s
\\.\pipe\%s
%s_%d
%s_%d
-%sMutex
-%sMutex
%s-pid
%s-pid
%s-comm
%s-comm
JOIN #
JOIN #
PRIVMSG #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
PRIVMSG %5s
JOIN %5s
JOIN %5s
PRIVMSG
PRIVMSG
JOIN
JOIN
%s:%d
%s:%d
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
state_%s
state_%s
%s.%s (p='%S')
%s.%s (p='%S')
pop3://%s:%s@%s:%d
pop3://%s:%s@%s:%d
%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
login[password]
login[password]
login[username]
login[username]
*members*.iknowthatgirl*/members*
*members*.iknowthatgirl*/members*
*youporn.*/login*
*youporn.*/login*
*members.brazzers.com*
*members.brazzers.com*
*bcointernacional*login*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*:2222/CMD_LOGIN*
*whcms*dologin*
*whcms*dologin*
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
*:2082/login*
*:2082/login*
*webnames.ru/*user_login*
*webnames.ru/*user_login*
Webnames
Webnames
*dotster.com/*login*
*dotster.com/*login*
loginid
loginid
*enom.com/login*
*enom.com/login*
login.Pass
login.Pass
login.User
login.User
*login.Pass=*
*login.Pass=*
*1and1.com/xml/config*
*1and1.com/xml/config*
*moniker.com/*Login*
*moniker.com/*Login*
LoginPassword
LoginPassword
LoginUserName
LoginUserName
*LoginPassword=*
*LoginPassword=*
*namecheap.com/*login*
*namecheap.com/*login*
loginname
loginname
*godaddy.com/login*
*godaddy.com/login*
Password
Password
*Password=*
*Password=*
*alertpay.com/login*
*alertpay.com/login*
*netflix.com/*ogin*
*netflix.com/*ogin*
*thepiratebay.org/login*
*thepiratebay.org/login*
*torrentleech.org/*login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*letitbit.net*
*what.cd/login*
*what.cd/login*
*oron.com/login*
*oron.com/login*
*filesonic.com/*login*
*filesonic.com/*login*
*speedyshare.com/login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploaded.to/*login*
*uploading.com/*login*
*uploading.com/*login*
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserv.com/login*
*fileserv.com/login*
*hotfile.com/login*
*hotfile.com/login*
*4shared.com/login*
*4shared.com/login*
txtpass
txtpass
*txtpass=*
*txtpass=*
*netload.in/index*
*netload.in/index*
*freakshare.com/login*
*freakshare.com/login*
login_pass
login_pass
*login_pass=*
*login_pass=*
*mediafire.com/*login*
*mediafire.com/*login*
*sendspace.com/login*
*sendspace.com/login*
*megaupload.*/*login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
\\.\PHYSICALDRIVE0
\\.\PHYSICALDRIVE0
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
[%s{%s%s{%s
[%s{%s%s{%s
n%s[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s|%s
%s|%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
FTP ->
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
hXXp://
[Login]: %s
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
icon=shell32.dll,7
icon=shell32.dll,7
shellexecute=
shellexecute=
%windir%\system32\cmd.exe
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %Ã%%%s
&&%%windir%%\explorer.exe %Ã%%%s
/c "start %Ã%%.Trashes\%s
/c "start %Ã%%.Trashes\%s
.Trashes
.Trashes
\\.\%c:
\\.\%c:
%sautorun.tmp
%sautorun.tmp
%sautorun.inf
%sautorun.inf
%0x.scr
%0x.scr
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExW
RegCreateKeyExW
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
DNSAPI.dll
DNSAPI.dll
Secur32.dll
Secur32.dll
ShellExecuteA
ShellExecuteA
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryW
GetWindowsDirectoryA
GetWindowsDirectoryA
RegCloseKey
RegCloseKey
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
PASS %s
PASS %s
[.ShellClassInfo]
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
SSRR %s 0 0 :%s
KCIK %s
KCIK %s
SEND %s %s
SEND %s %s
PART %s
PART %s
PPPPMSG %s :%s
PPPPMSG %s :%s
QUIT :%s
QUIT :%s
PPNG %s
PPNG %s
PPPPMSG
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[POP3 Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\x_ipc
7 767
7 767
8*808;8~8
8*808;8~8
shlwapi.dll
shlwapi.dll
{A5DCBF10-6530-11D2-901F-00C04FB951ED}
{A5DCBF10-6530-11D2-901F-00C04FB951ED}
n\mspaint.exe
n\mspaint.exe
\svchost.exe
\svchost.exe
C:\Windows\system32\mspaint.exe
C:\Windows\system32\mspaint.exe
%s\Microsoft\%s.exe
%s\Microsoft\%s.exe
\\.\pipe
\\.\pipe
Internet Explorer\iexplore.exe
Internet Explorer\iexplore.exe
autorun.inf
autorun.inf
pidgin.exe
pidgin.exe
wlcomm.exe
wlcomm.exe
msnmsgr.exe
msnmsgr.exe
msmsgs.exe
msmsgs.exe
flock.exe
flock.exe
opera.exe
opera.exe
chrome.exe
chrome.exe
ieuser.exe
ieuser.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
.ipconfig.exe
.ipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
lol.exe
lol.exe
n127.0.0.1
n127.0.0.1
%s:Zone.Identifier
%s:Zone.Identifier
secur32.dll
secur32.dll
ws2_32.dll
ws2_32.dll
:%S%S\Desktop.ini
:%S%S\Desktop.ini
winlogon.exe
winlogon.exe
mspaint.exe
mspaint.exe
Aadvapi32.dll
Aadvapi32.dll
nspr4.dll
nspr4.dll
Akernel23.dll
Akernel23.dll
y%s\%s.exe
y%s\%s.exe
lsass.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run