Generic.Sdbot.375F541B_f1fc128209 – Adaware

Dynamic Analysis

Payload

Behaviour	Description
IRCBot	A bot can communicate with command and control servers via IRC channel.

Process activity

The Generic creates the following process(es):No processes have been created.The Generic injects its code into the following process(es):

%original file name%.exe:1832

Mutexes

The following mutexes were created/opened:

MAIN_-994442811ZonesLockedCacheCounterMutexZonesCacheCounterMutexZonesCounterMutex

File activity

The process %original file name%.exe:1832 makes changes in the file system.

The Generic creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\NTUSER.DAT (11692 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (12816 bytes)
%System%\config\software (3339 bytes)
%System%\config\SOFTWARE.LOG (8303 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\I-994442811.bat (23 bytes)

The Generic deletes the following file(s):

%WinDir%\-994442811\csrss.exe (0 bytes)

Registry activity

The process %original file name%.exe:1832 makes changes in the system registry.

The Generic creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 06 BB EE 83 6D 8B 3A A0 D4 C8 62 1A AF A0 81"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"I-994442811.bat" = "I-994442811"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software]
"-994442811" = "0ddb4b98fff2dd4d9cb88b80ed705baf93f7"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

To automatically run itself each time Windows is booted, the Generic adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*-994442811" = "%WinDir%\-994442811\csrss.exe"

The Generic modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Generic modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Generic modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Generic adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"*-994442811" = "%WinDir%\-994442811\csrss.exe"

The Generic deletes the following value(s) in system registry:

The Generic disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*-994442811"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
Delete the original Generic file.
Delete or disinfect the following files created/modified by the Generic:
%Documents and Settings%\%current user%\NTUSER.DAT (11692 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (12816 bytes)
%System%\config\software (3339 bytes)
%System%\config\SOFTWARE.LOG (8303 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\I-994442811.bat (23 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*-994442811" = "%WinDir%\-994442811\csrss.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"*-994442811" = "%WinDir%\-994442811\csrss.exe"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
UPX0	4096	520192	0	0	d41d8cd98f00b204e9800998ecf8427e
UPX1	524288	57344	56320	5.4909	d4c706fae2f398c345cfdd1a0530e99c
UPX2	581632	4096	512	2.78187	50c49c2d281a27921209d47f55cc5e75

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
www.update.microsoft.com	65.55.50.158
jueswooda.pw	108.61.167.52

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Generic connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_1832:

i.vr!

tL

PNYwpky4C04U-gM-OwcaUKBs5dOOvC0Kncwpj0FU8PRNicGSVpgZeiHaK9ObPZXBAtQOIemRQZXLGDzjvsoH3bzqVYiL4YbTUMsdjiFg4GY0dBaryxiKfXsLRPv`Kcv-Ymol0AXw7dhjIiFztf`MD9AfoKIJyKxx7PRly7DZvg7otL6jtgOYr0CVQFee3qnN6RX2feTjgj4OFO6MndvtKZ5tFUieTqMTkNVgFincfNwf6fvxww33qeJmXynqEJ9VttRl1bibpvaoIpm1R5wGB4rfvHuk8ASqOGTx7laQ7nAM5UAzRnhAZDYzQ3hfMkUyWEhkM29TNUVfR0sxYTQ0YW8oekotVHwpRXloSnlGUHUmSU1zRyk0J3Mrbm15VydTZ2BTRThzfHNrWjI5bEFOZm9PfDdBU2FzY3F2M0xvdkNOcytnX3ZhWWpyWHNKdUxSKCcjd1Z2RzZKRUdySidvdnRnMyBNTXVlbnQyWEB0T35HcDQreS0gLUNxTHJCRHAmWTJ3K0AzcnZANVVtUGcgaHdDenRoemUyIE9FLVc1K0NzYFRndXhpWG4mRndIWEYuNU5QU2NLVHYnaUBKX0xY

libgcj-13.dll

Mozilla/4.0 (compatible)

%s--%s

%s\B%i.tmp

http.

hXXp://

hXXps://

%s@%s:%i

%s:%i

%s\browser%li.html

%s "%s"

%sX

Software\Microsoft\Windows NT\CurrentVersion\Windows\load

%s(%s)

%s\%s.exe

%s %s

127.0.0.1

%s\I%li.bat

Software\Microsoft\WindowsNT\CurrentVersion\SystemRestore

NoWindowsUpdate

%s:*:Enabled:%s

%s\U%li.bat

%s\Google\Chrome\Application\chrome.exe

%s\Internet Explorer\iexplore.exe

%s\Opera\opera.exe

%s\Mozilla Firefox\firefox.exe

%s\Maxthon3\Bin\Maxthon.exe

Google Chrome

Opera

Firefox

chrome.exe

opera.exe

firefox.exe

iexplore.exe

Maxthon.exe

JOIN :

376 %s

422 %s

332 %s

@%s TOPIC %s :!

@%s %s #

@%s %s %s :!

%s[%s|%s|%s|%s|x%s|%ldc]%s

PRIVMSG

:You need a registered nick to join that channel.

:Cannot join channel

:Nickname is already in use.

flood.anope

kill.user

.multi

xchat 2.8.8 Linux 3.2.0-4-amd64 [x86_64/1.10GHz/SMP]

irssi v0.8.15

hXXp://VVV.mibbit.com ajax IRC Client:3972:3972

HexChat 2.9.3 [x64] / Windows 7 [3.31GHz]

ZNC 0.202 - hXXp://znc.in

lightIRC.com 1.3 Build 118, Okt 22 2012 12:07 on Windows 7

nickserv

:Your passcode is:

NickServ PROCEED

%s :%s

%s %s%i

INVITE %s %s%i

NickServ :REGISTER

gmail.com

yahoo.com

hotmail.com

facebook.com

live.com

QUIT :Windows is shutting down

autoruns.exe

wuauclt.exe

explorer.exe

%s@%s

SbieDll.dll

snxhk.dll

dbghelp.dll

SOFTWARE\Microsoft\Windows NT\CurrentVersion

76487-640-1457236-23837

76487-644-3177037-23510

55274-640-2673064-23950

76497-640-6308873-23835

Imagination is more important than knowledge.

Windows Task Manager

%s %s :%s MD5: [Hash: %s]

PTF.upload

.output

join

ctcp

flood.channel

.hidden

filesearch.stop

newnick

hosts.restore

%s %s :||

%s ||

10Executed From:

%s ||

10Key:

10.NET:

%s %s :%s Encrypted Command: Failed to decrypt

%s %s :%s Shell: Submitted [Command: %s]

%s %s :%s Website Status [URL: %s | Result: %s]

%s %s :%s File Search: Stopped [Param: %s]

%s %s :%s File Search: Failed

%s %s :%s File Search: Already Running

%s %s :%s File Search: [Searched Files: %li | Matches: %li | Param: %s]

%s %s :%s File Search: [File: %s | Param: %s]

%s %s :%s Flood: Started [Type: %s | Host: %s | Port:

%s %s :%s Flood: Failed [Type: %s | Host: %s | Port:

%s %s :%s HTTP Flood: Stopped [Total Packets: %ld | Rate: %ld Packets/Second]

%s %s :%s HTTP Flood: Stopped

%s %s :%s UDP Flood: Stopped [Total Packets: %ld | Rate: %ld Packets/Second]

%s %s :%s ECF Flood: Stopped [Total Connections: %ld | Rate: %ld Connections/Second]

%s %s :%s Browser Based Flood: Started [Host: %s | Length: %ld seconds | Browser: %s]

%s %s :%s Browser Based Flood: Stopped [Host: %s]

%s %s :%s Browser Based Flood: Failed [Host: %s]

%s %s :%s Update Scheduled [File: %s | Wait Time: %ld Seconds]

%s %s :%s Download and Execute Scheduled [File: %s | Wait Time: %ld Seconds]

%s %s :%s Download and Execute: Failed [File: %s] (Could not not open file for writing)

%s %s :%s Download and Execute: Success [File: %s | MD5: %s]

%s %s :%s MD5 Mismatch [%s != %s]

%s %s :%s MD5 Matches Current File [%s == %s]

%s %s :%s Download and Execute: Success [File: %s | MD5: %s | Args: %s]

%s %s :%s Download and Execute: Failed [File: %s | MD5: %s] (Download Succeeded | Execute Failed)

%s %s :%s MD5 Hash [File: %s | MD5: %s]

%s %s :%s Download and Execute: Failed [File: %s] (Download Failed)

%s %s :%s Download and Execute: Aborted [File: %s | Remaining Time: %ld Seconds]

%s %s :%s Botkill: Started

%s %s :%s Botkill: Cycled once: [Killed Processes: %ld | File Modifications: %ld | Deleted Registry Keys: %ld]

%s %s :%s Botkill: Stopped

%s %s :%s Botkill: Counter: [Killed Processes: %ld | File Modifications: %ld | Deleted Registry Keys: %ld]

%s %s :%s Botkill: Counter: Cleared

%s %s :%s Skype Mass Messenger: Sent message to %i contacts

%s %s :%s Visit: Success [URL: %s | Mode: %s | Browser: %s]

%s %s :%s Visit: Failed [URL: %s]

%s %s :%s SmartView: Opened [URL: %s | Waited: %i Seconds | Closing In: %i Seconds | Browser: %s]

%s %s :%s SmartView: Closed [URL: %s | Waited: %i Seconds]

%s %s :%s SmartView: Scheduled [URL: %s | Wait Time: %i Seconds]

%s %s :%s SmartView: Cleared [Entries Cleared: %i]

%s %s :%s SmartView: Deleted Entry [URL: %s]

%s %s :%s FTP Upload: Failed (Could not open an internet connection)

%s %s :%s FTP Upload: Success [Original File: %s | New File: %s]

%s %s :%s FTP Upload: Failed

%s %s :%s FTP Upload: Failed (Could not connect)

%s %s :%s Failed to Create Thread

%s %s :%s Invalid Parameter(s)

%s %s :%s Hosts file restored

%s %s :%s Host Blocked [Param: %s]

%s %s :%s Host Redirected [Original: %s | Redirect: %s]

%s %s :%s FTP Recovered: %s [Host: %s | User: %s | Pass: %s]

%s %s :%s IM Recovered: %s [User: %s | Pass: %s]

%s %s :%s Browser Recovered: %s [URL: %s | User: %s | Pass: %s]

%s %s :%s IRC War: Connecting [Host: %s | Port: %ld]

%s %s :%s IRC War: Disconnecting [Host: %s | Port: %ld]

%s %s :%s IRC War: Command submitted [Type: %s]

%s %s :%s IRC War: Flood started [Type: %s | Target: %s]

%s %s :%s IRC War: Flood stopped [Type: %s | Target: %s]

%s %s :%s IRC War: [Validated Connections: %ld | Status: %s]

%s %s :%s IRC War: Kill User [Target: %s]

%s %s :%s IRC War: Kill Multiple Users [Targets: %s]

%s %s :%s IRC War: Stopped Kill Multiple Users

%s %s :%s IRC War: Successfully registered with NickServ [Socket: %ld]

%s %s :%s IRC War: Aborted registration with NickServ

%s\FileZilla\recentservers.xml

%s\.purple\accounts.xml

%s%s%i%s%s%s%s%s

%s\System32\drivers\etc\protocol

%s\Microsoft.NET\Framework\

v4.0.30319

v2.0.50727

\explorer.exe

HTTP/1.

text/html, application/xml;q=0.9, application/xhtml xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1

application/x-www-form-urlencoded

HTTP/1.

dnsapi.dll

update.microsoft.com

VVV.update.microsoft.com

windowsupdate.microsoft.com

VVV.microsoft.com

microsoft.com

%s & %s

Software\Microsoft\Windows\CurrentVersion\

\Microsoft\Windows

%s%s%s%s%i%s%s

:Zone.Identifier

%s\K%li.bat

document.write(unescape('%s'));

operator

global constructors keyed to

global destructors keyed to

operator""

VirtualQuery failed for %d bytes at address %p

Unknown pseudo relocation protocol version %d.

Unknown pseudo relocation bit size %d.

fc_key

use_fc_key

jueswooda.pw

Flow (v2.5.0)

@auth PRIVMSG n[USA|A|D|W_XP|x86|1c]gghebefc :!

@auth PRIVMSG #

%WinDir%

%Program Files%

%Documents and Settings%\All Users

%Documents and Settings%\%current user%

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp

%Documents and Settings%\%current user%\Application Data

%Documents and Settings%\%current user%\Start Menu\Programs\Startup

%Documents and Settings%\All Users\Start Menu\Programs\Startup

%Program Files%\Internet Explorer\iexplore.exe

%Program Files%\Opera\opera.exe

%Program Files%\Mozilla Firefox\firefox.exe

%Program Files%\Maxthon3\Bin\Maxthon.exe

axthon.exe

e.exe

ull)jnfhuwsdjueswooda.pw10000#botsFlow (v2.5.0)

-994442811

c:\%original file name%.exe

%WinDir%\-994442811

%WinDir%\-994442811\csrss.exe

NICK

JOIN

PRIVMSG

spoolsv.exe

GetProcessHeap

RegCloseKey

RegCreateKeyExA

RegFlushKey

RegOpenKeyExA

ShellExecuteA

FtpPutFileA

InternetOpenUrlA

.text

P`.data

.rdata

`@.eh_fram

0@.bss

.idata

Y.rS

?@.eh_

KERNEL32.DLL

ADVAPI32.DLL

msvcrt.dll

SHELL32.DLL

USER32.dll

WININET.DLL

WS2_32.dll

kernel32.dll

advapi32.dll

Aicmp.dll

surlmon.dll

gws2_32.dll

rpcrt4.dll

%original file name%.exe_1832_rwx_00401000_0008D000:

tL

PNYwpky4C04U-gM-OwcaUKBs5dOOvC0Kncwpj0FU8PRNicGSVpgZeiHaK9ObPZXBAtQOIemRQZXLGDzjvsoH3bzqVYiL4YbTUMsdjiFg4GY0dBaryxiKfXsLRPv`Kcv-Ymol0AXw7dhjIiFztf`MD9AfoKIJyKxx7PRly7DZvg7otL6jtgOYr0CVQFee3qnN6RX2feTjgj4OFO6MndvtKZ5tFUieTqMTkNVgFincfNwf6fvxww33qeJmXynqEJ9VttRl1bibpvaoIpm1R5wGB4rfvHuk8ASqOGTx7laQ7nAM5UAzRnhAZDYzQ3hfMkUyWEhkM29TNUVfR0sxYTQ0YW8oekotVHwpRXloSnlGUHUmSU1zRyk0J3Mrbm15VydTZ2BTRThzfHNrWjI5bEFOZm9PfDdBU2FzY3F2M0xvdkNOcytnX3ZhWWpyWHNKdUxSKCcjd1Z2RzZKRUdySidvdnRnMyBNTXVlbnQyWEB0T35HcDQreS0gLUNxTHJCRHAmWTJ3K0AzcnZANVVtUGcgaHdDenRoemUyIE9FLVc1K0NzYFRndXhpWG4mRndIWEYuNU5QU2NLVHYnaUBKX0xY

libgcj-13.dll

Mozilla/4.0 (compatible)

%s--%s

%s\B%i.tmp

http.

hXXp://

hXXps://

%s@%s:%i

%s:%i

%s\browser%li.html

%s "%s"

%sX

Software\Microsoft\Windows NT\CurrentVersion\Windows\load

%s(%s)

%s\%s.exe

%s %s

127.0.0.1

%s\I%li.bat

Software\Microsoft\WindowsNT\CurrentVersion\SystemRestore

NoWindowsUpdate

%s:*:Enabled:%s

%s\U%li.bat

%s\Google\Chrome\Application\chrome.exe

%s\Internet Explorer\iexplore.exe

%s\Opera\opera.exe

%s\Mozilla Firefox\firefox.exe

%s\Maxthon3\Bin\Maxthon.exe

Google Chrome

Opera

Firefox

chrome.exe

opera.exe

firefox.exe

iexplore.exe

Maxthon.exe

JOIN :

376 %s

422 %s

332 %s

@%s TOPIC %s :!

@%s %s #

@%s %s %s :!

%s[%s|%s|%s|%s|x%s|%ldc]%s

PRIVMSG

:You need a registered nick to join that channel.

:Cannot join channel

:Nickname is already in use.

flood.anope

kill.user

.multi

xchat 2.8.8 Linux 3.2.0-4-amd64 [x86_64/1.10GHz/SMP]

irssi v0.8.15

hXXp://VVV.mibbit.com ajax IRC Client:3972:3972

HexChat 2.9.3 [x64] / Windows 7 [3.31GHz]

ZNC 0.202 - hXXp://znc.in

lightIRC.com 1.3 Build 118, Okt 22 2012 12:07 on Windows 7

nickserv

:Your passcode is:

NickServ PROCEED

%s :%s

%s %s%i

INVITE %s %s%i

NickServ :REGISTER

gmail.com

yahoo.com

hotmail.com

facebook.com

live.com

QUIT :Windows is shutting down

autoruns.exe

wuauclt.exe

explorer.exe

%s@%s

SbieDll.dll

snxhk.dll

dbghelp.dll

SOFTWARE\Microsoft\Windows NT\CurrentVersion

76487-640-1457236-23837

76487-644-3177037-23510

55274-640-2673064-23950

76497-640-6308873-23835

Imagination is more important than knowledge.

Windows Task Manager

%s %s :%s MD5: [Hash: %s]

PTF.upload

.output

join

ctcp

flood.channel

.hidden

filesearch.stop

newnick

hosts.restore

%s %s :||

%s ||

10Executed From:

%s ||

10Key:

10.NET:

%s %s :%s Encrypted Command: Failed to decrypt

%s %s :%s Shell: Submitted [Command: %s]

%s %s :%s Website Status [URL: %s | Result: %s]

%s %s :%s File Search: Stopped [Param: %s]

%s %s :%s File Search: Failed

%s %s :%s File Search: Already Running

%s %s :%s File Search: [Searched Files: %li | Matches: %li | Param: %s]

%s %s :%s File Search: [File: %s | Param: %s]

%s %s :%s Flood: Started [Type: %s | Host: %s | Port:

%s %s :%s Flood: Failed [Type: %s | Host: %s | Port:

%s %s :%s HTTP Flood: Stopped [Total Packets: %ld | Rate: %ld Packets/Second]

%s %s :%s HTTP Flood: Stopped

%s %s :%s UDP Flood: Stopped [Total Packets: %ld | Rate: %ld Packets/Second]

%s %s :%s ECF Flood: Stopped [Total Connections: %ld | Rate: %ld Connections/Second]

%s %s :%s Browser Based Flood: Started [Host: %s | Length: %ld seconds | Browser: %s]

%s %s :%s Browser Based Flood: Stopped [Host: %s]

%s %s :%s Browser Based Flood: Failed [Host: %s]

%s %s :%s Update Scheduled [File: %s | Wait Time: %ld Seconds]

%s %s :%s Download and Execute Scheduled [File: %s | Wait Time: %ld Seconds]

%s %s :%s Download and Execute: Failed [File: %s] (Could not not open file for writing)

%s %s :%s Download and Execute: Success [File: %s | MD5: %s]

%s %s :%s MD5 Mismatch [%s != %s]

%s %s :%s MD5 Matches Current File [%s == %s]

%s %s :%s Download and Execute: Success [File: %s | MD5: %s | Args: %s]

%s %s :%s Download and Execute: Failed [File: %s | MD5: %s] (Download Succeeded | Execute Failed)

%s %s :%s MD5 Hash [File: %s | MD5: %s]

%s %s :%s Download and Execute: Failed [File: %s] (Download Failed)

%s %s :%s Download and Execute: Aborted [File: %s | Remaining Time: %ld Seconds]

%s %s :%s Botkill: Started

%s %s :%s Botkill: Cycled once: [Killed Processes: %ld | File Modifications: %ld | Deleted Registry Keys: %ld]

%s %s :%s Botkill: Stopped

%s %s :%s Botkill: Counter: [Killed Processes: %ld | File Modifications: %ld | Deleted Registry Keys: %ld]

%s %s :%s Botkill: Counter: Cleared

%s %s :%s Skype Mass Messenger: Sent message to %i contacts

%s %s :%s Visit: Success [URL: %s | Mode: %s | Browser: %s]

%s %s :%s Visit: Failed [URL: %s]

%s %s :%s SmartView: Opened [URL: %s | Waited: %i Seconds | Closing In: %i Seconds | Browser: %s]

%s %s :%s SmartView: Closed [URL: %s | Waited: %i Seconds]

%s %s :%s SmartView: Scheduled [URL: %s | Wait Time: %i Seconds]

%s %s :%s SmartView: Cleared [Entries Cleared: %i]

%s %s :%s SmartView: Deleted Entry [URL: %s]

%s %s :%s FTP Upload: Failed (Could not open an internet connection)

%s %s :%s FTP Upload: Success [Original File: %s | New File: %s]

%s %s :%s FTP Upload: Failed

%s %s :%s FTP Upload: Failed (Could not connect)

%s %s :%s Failed to Create Thread

%s %s :%s Invalid Parameter(s)

%s %s :%s Hosts file restored

%s %s :%s Host Blocked [Param: %s]

%s %s :%s Host Redirected [Original: %s | Redirect: %s]

%s %s :%s FTP Recovered: %s [Host: %s | User: %s | Pass: %s]

%s %s :%s IM Recovered: %s [User: %s | Pass: %s]

%s %s :%s Browser Recovered: %s [URL: %s | User: %s | Pass: %s]

%s %s :%s IRC War: Connecting [Host: %s | Port: %ld]

%s %s :%s IRC War: Disconnecting [Host: %s | Port: %ld]

%s %s :%s IRC War: Command submitted [Type: %s]

%s %s :%s IRC War: Flood started [Type: %s | Target: %s]

%s %s :%s IRC War: Flood stopped [Type: %s | Target: %s]

%s %s :%s IRC War: [Validated Connections: %ld | Status: %s]

%s %s :%s IRC War: Kill User [Target: %s]

%s %s :%s IRC War: Kill Multiple Users [Targets: %s]

%s %s :%s IRC War: Stopped Kill Multiple Users

%s %s :%s IRC War: Successfully registered with NickServ [Socket: %ld]

%s %s :%s IRC War: Aborted registration with NickServ

%s\FileZilla\recentservers.xml

%s\.purple\accounts.xml

%s%s%i%s%s%s%s%s

%s\System32\drivers\etc\protocol

%s\Microsoft.NET\Framework\

v4.0.30319

v2.0.50727

\explorer.exe

HTTP/1.

text/html, application/xml;q=0.9, application/xhtml xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1

application/x-www-form-urlencoded

HTTP/1.

dnsapi.dll

update.microsoft.com

VVV.update.microsoft.com

windowsupdate.microsoft.com

VVV.microsoft.com

microsoft.com

%s & %s

Software\Microsoft\Windows\CurrentVersion\

\Microsoft\Windows

%s%s%s%s%i%s%s

:Zone.Identifier

%s\K%li.bat

document.write(unescape('%s'));

operator

global constructors keyed to

global destructors keyed to

operator""

VirtualQuery failed for %d bytes at address %p

Unknown pseudo relocation protocol version %d.

Unknown pseudo relocation bit size %d.

fc_key

use_fc_key

jueswooda.pw

Flow (v2.5.0)

@auth PRIVMSG n[USA|A|D|W_XP|x86|1c]gghebefc :!

@auth PRIVMSG #

%WinDir%

%Program Files%

%Documents and Settings%\All Users

%Documents and Settings%\%current user%

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp

%Documents and Settings%\%current user%\Application Data

%Documents and Settings%\%current user%\Start Menu\Programs\Startup

%Documents and Settings%\All Users\Start Menu\Programs\Startup

%Program Files%\Internet Explorer\iexplore.exe

%Program Files%\Opera\opera.exe

%Program Files%\Mozilla Firefox\firefox.exe

%Program Files%\Maxthon3\Bin\Maxthon.exe

axthon.exe

e.exe

ull)jnfhuwsdjueswooda.pw10000#botsFlow (v2.5.0)

-994442811

c:\%original file name%.exe

%WinDir%\-994442811

%WinDir%\-994442811\csrss.exe

NICK

JOIN

PRIVMSG

spoolsv.exe

GetProcessHeap

RegCloseKey

RegCreateKeyExA

RegFlushKey

RegOpenKeyExA

ShellExecuteA

FtpPutFileA

InternetOpenUrlA

.text

P`.data

.rdata

`@.eh_fram

0@.bss

.idata

Y.rS

?@.eh_

kernel32.dll

advapi32.dll

Aicmp.dll

surlmon.dll

gws2_32.dll

rpcrt4.dll

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps