HEUR:Trojan.Win32.Generic (Kaspersky), Win32.Sality.2.OE (B) (Emsisoft), Win32.Sality.2.OE (AdAware), Backdoor.Win32.Farfli.FD, Virus.Win32.Sality.FD, Worm.Win32.Dorkbot.FD, VirusSality.YR, WormDorkbot.YR, GenericUDPFlooder.YR, GenericIRCBot.YR, GenericMSNWorm.YR, GenericUSBInfector.YR, GenericDNSBlocker.YR, GenericAutorunWorm.YR, GenericSYNFlooder.YR, GenericInjector.YR, BankerGeneric.YR, GenericProxy.YR, GenericPhysicalDrive0.YR (Lavasoft MAS)Behaviour: Banker, Trojan, Backdoor, Flooder, Worm, Virus, WormAutorun, IRCBot, MSNWorm, DNSBlocker, UDPFlooder, SYNFlooder, Trojan-Proxy, USBInfector
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 020826a36d723a897bf74ce77c11f763
SHA1: 3b9bfcab5b7cb05f5cc5d4d784b57fbc4f4f10b7
SHA256: efe608a36f0e437edcacc97c90833bf6486fdf89f7f3589a324bf8332a409c8a
SSDeep: 6144:j522SyMr061JRFcEwBBQKtVxa6wtYlxDGhgPN6cI6KYfXEMI9 b:j02Nej5aBntVxfwtOxG2N6cI6K0cw
Size: 400896 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-06-20 14:06:56
Analyzed on: WindowsXP SP3 32-bit
Summary: Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
IRCBot | A bot can communicate with command and control servers via IRC channel. |
MSNWorm | A worm can spread its copies through the MSN Messanger. |
DNSBlocker | A program can block designated DNS servers for making it difficult for users to locate specific domains or web sites on the Internet. |
UDPFlooder | This program can make a UDP flood. A UDP flood attack is a denial-of-service attack using the User Datagram Protocol (UDP). It can be initiated by sending a large number of UDP packets to random ports on a remote host. |
SYNFlooder | This program can make a SYN flood. It is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic. |
Trojan-Proxy | This program can launch a proxy server (SOCKS4) on a designated TCP port. |
USBInfector | A program can register a device notification with the help of RegisterDeviceNotification. So it is notified when a USB device is plugged and then the worm copies itself to the USB device plugged into the affected computer. |
Process activity
The Trojan creates the following process(es):
TELNET.EXE:2136
TELNET.EXE:584
TELNET.EXE:4084
TELNET.EXE:636
TELNET.EXE:1428
TELNET.EXE:2880
TELNET.EXE:2836
TELNET.EXE:2356
%original file name%.exe:336
%original file name%.exe:1092
NOTEPAD.EXE:2712
NOTEPAD.EXE:2596
NOTEPAD.EXE:2472
NOTEPAD.EXE:1324
NOTEPAD.EXE:576
NOTEPAD.EXE:2452
NOTEPAD.EXE:2820
NOTEPAD.EXE:2784
NOTEPAD.EXE:2564
NOTEPAD.EXE:368
NOTEPAD.EXE:2244
NOTEPAD.EXE:3580
NOTEPAD.EXE:2912
NOTEPAD.EXE:896
NOTEPAD.EXE:2212
NOTEPAD.EXE:2936
NOTEPAD.EXE:2764
NOTEPAD.EXE:168
NOTEPAD.EXE:3644
NOTEPAD.EXE:3720
NOTEPAD.EXE:1284
NOTEPAD.EXE:3612
NOTEPAD.EXE:1604
NOTEPAD.EXE:2496
NOTEPAD.EXE:2068
NOTEPAD.EXE:1008
NOTEPAD.EXE:2104
020826a36d723a8:1600
The Trojan injects its code into the following process(es):
imapi.exe:1780
mspaint.exe:1596
vmacthlp.exe:928
svchost.exe:1516
svchost.exe:832
svchost.exe:2160
csrss.exe:684
winlogon.exe:708
services.exe:752
Explorer.EXE:880
svchost.exe:956
svchost.exe:1020
svchost.exe:1104
svchost.exe:1156
svchost.exe:1200
spoolsv.exe:1444
jqs.exe:1976
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process %original file name%.exe:336 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\ScreenSaverPro.scr (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SDYB8DEZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GPEBWPUN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\temp.bin (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4X6V4D2V\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G5VJ5DLJ\desktop.ini (67 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\winohue.exe.gonewiththewings (0 bytes)
The process mspaint.exe:1596 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\Pukmkb.exe (2321 bytes)
The Trojan deletes the following file(s):
C:\%original file name%.exe (0 bytes)
The process 020826a36d723a8:1600 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\inf\svchost.exe (688 bytes)
%WinDir%\system.ini (72 bytes)
%System%\drivers\ghkjmn.sys (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winohue.exe (15019 bytes)
The Trojan deletes the following file(s):
C:\13034f (0 bytes)
C:\12f768 (0 bytes)
%System%\drivers\ghkjmn.sys (0 bytes)
Registry activity
The process TELNET.EXE:2136 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 91 40 41 54 CE A5 B3 F1 95 E4 DD 88 69 DB 3D"
The process TELNET.EXE:584 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 0D FA 44 2E 3F 98 56 8A C9 8F 4B C6 5A CC 07"
The process TELNET.EXE:4084 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 27 18 15 6A 52 C0 C0 6B 31 70 A9 15 87 A7 9B"
The process TELNET.EXE:636 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 7C 69 BF 69 84 12 2E 39 CE 1F 5E 06 51 0F EF"
The process TELNET.EXE:1428 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E 21 F0 F1 17 87 F9 F0 C0 55 3A 7F A9 70 EA 8B"
The process TELNET.EXE:2880 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 25 7C 0D 92 55 CC 5F 62 3E 74 DE AA 2E 7C 5C"
The process TELNET.EXE:2836 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 7A 46 48 7B 83 87 69 5A B3 4B F6 CE 9F BA 48"
The process TELNET.EXE:2356 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 A1 E0 30 8F 71 92 68 1B 57 63 78 D8 9F 7E 8F"
The process %original file name%.exe:336 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 1B 36 62 B4 14 10 52 9F 7D 1C 70 1C FA 4E AD"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Screen Saver Pro 3.1" = "%Documents and Settings%\%current user%\Application Data\ScreenSaverPro.scr"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:1092 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA 83 A7 3C 31 DA 69 17 78 5F F2 D1 08 CC CE 51"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process NOTEPAD.EXE:2712 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 B2 B2 45 A7 C6 5D 3C 8B 35 FB CE F7 50 0F 6E"
The process NOTEPAD.EXE:2596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 AC 82 9F 83 01 65 88 8F D4 58 37 4C 2F 47 6A"
The process NOTEPAD.EXE:2472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB 24 C6 38 51 B4 92 6F 18 33 4D D3 85 88 D5 17"
The process NOTEPAD.EXE:1324 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 5F FA F6 7B 88 14 D4 19 EC 9E A6 53 DF 2D EA"
The process NOTEPAD.EXE:576 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 C8 B0 EF C2 27 3A 2A 5B 2D BA 5F AE A8 15 56"
The process NOTEPAD.EXE:2452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F EA F2 23 FA BD 77 28 96 71 57 0A 1A 62 17 A2"
The process NOTEPAD.EXE:2820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4F E6 46 94 00 A4 C9 50 3B 36 D6 3B 16 3F C8 28"
The process NOTEPAD.EXE:2784 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E B7 97 38 0D E3 59 75 F3 E7 DD B9 D4 6B FF 54"
The process NOTEPAD.EXE:2564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A 86 B9 53 F5 40 2D 01 9B 79 02 22 D2 AB 92 50"
The process NOTEPAD.EXE:368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 0F 6B 23 62 D6 0C 23 DF AC 5D BB B2 02 C7 13"
The process NOTEPAD.EXE:2244 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "69 D6 F5 18 A9 93 5A 11 60 3C C9 0A 69 97 A4 2E"
The process NOTEPAD.EXE:3580 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 35 FD F4 EA 4E B9 48 4F 23 2A 5D 2E F0 88 02"
The process NOTEPAD.EXE:2912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE 43 58 55 D2 08 7A D8 2A 1C 66 F4 FF 62 E3 D4"
The process NOTEPAD.EXE:896 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D 13 D8 88 C3 28 F3 7A AA 5B A4 02 0D D7 64 3F"
The process NOTEPAD.EXE:2212 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "86 61 8A 78 3A A8 72 C6 16 84 EE 86 B9 B2 B5 A3"
The process NOTEPAD.EXE:2936 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B 77 F0 F8 7F 15 CB 71 58 68 D8 98 63 7B A5 71"
The process NOTEPAD.EXE:2764 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED 62 54 53 0D C3 6B 27 2A 74 41 2F 3B 2E 5B F6"
The process NOTEPAD.EXE:168 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 C6 1A 67 EE FA 1D 0F F5 DC A7 60 73 EF 04 06"
The process NOTEPAD.EXE:3644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F A6 A9 19 A5 4B 86 CF 83 D2 0C 6A D3 72 CD 72"
The process NOTEPAD.EXE:3720 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 71 83 1E DC C0 23 2F FD D7 60 4C 07 CF A0 A2"
The process NOTEPAD.EXE:1284 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 14 67 E0 31 43 72 49 65 53 96 19 AF 51 27 6C"
The process NOTEPAD.EXE:3612 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 82 72 4B B0 A1 B8 A0 E4 B7 D5 1A 48 1A BA 4A"
The process NOTEPAD.EXE:1604 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B E9 90 8C 6B 77 AB A4 6D 2B D4 78 59 00 04 A9"
The process NOTEPAD.EXE:2496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 80 3C 45 17 7A 39 28 C6 7D 7B 21 3B FC 07 39"
The process NOTEPAD.EXE:2068 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A CA 3C 18 06 A1 86 4D D2 5F 96 A9 61 0E C0 DC"
The process NOTEPAD.EXE:1008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 4D 57 2F C8 22 5D A3 64 92 B0 B7 9C BA DB A9"
The process NOTEPAD.EXE:2104 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 AC 1D C4 FA 82 D2 23 AB 72 B4 B4 E8 8D FE 40"
The process mspaint.exe:1596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 95 2C D5 9C 14 96 35 3D 26 DC E5 1C C2 06 E4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Pukmkb" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Pukmkb.exe"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process 020826a36d723a8:1600 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Aas]
"a4_116" = "831618036"
"a4_157" = "1125551997"
"a3_149" = "1051199068"
"a4_156" = "1118382876"
"a3_148" = "1044210237"
"a2_180" = "1290438771"
"a4_159" = "1139890239"
"a2_182" = "1304773933"
"a2_183" = "1311955922"
"a2_184" = "1319124866"
"a2_185" = "1326295638"
"a2_186" = "1333448023"
"a4_158" = "1132721118"
"a2_188" = "1347789179"
"a2_189" = "1354971312"
"a3_223" = "1581849174"
"a1_185" = "2841016997"
[HKCU\Software\adm914]
"a2_14" = "100360546"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKCU\Software\Aas]
"a1_184" = "1680436870"
[HKCU\Software\adm914]
"a2_11" = "78856703"
"a2_10" = "71696130"
"a2_13" = "93193886"
"a2_12" = "86025988"
[HKCU\Software\Aas]
"a1_183" = "2376118893"
"a1_182" = "754844322"
"a3_193" = "1400620808"
"a1_181" = "2167807408"
"a1_180" = "974002961"
"a3_78" = "542637991"
"a3_79" = "549622726"
"a4_206" = "1476838926"
"a3_72" = "533156193"
"a3_73" = "506656128"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKCU\Software\Aas]
"a3_71" = "525712590"
"a3_76" = "561686245"
"a3_77" = "568613636"
"a3_74" = "513568291"
"a3_75" = "554631746"
"a4_181" = "1297610901"
"a4_218" = "1562868378"
"a4_219" = "1570037499"
"a4_216" = "1548530136"
"a4_217" = "1555699257"
"a4_214" = "1534191894"
"a4_215" = "1541361015"
"a4_212" = "1519853652"
"a4_213" = "1527022773"
"a4_210" = "1505515410"
"a4_211" = "1512684531"
"a3_152" = "1106310065"
"a3_153" = "1080268752"
"a4_108" = "774265068"
"a4_109" = "781434189"
"a3_156" = "1135231285"
"a3_157" = "1108731220"
"a3_154" = "1087178867"
"a3_155" = "1127787666"
"a4_102" = "731250342"
"a4_103" = "738419463"
"a4_100" = "716912100"
"a4_101" = "724081221"
"a4_106" = "759926826"
"a4_107" = "767095947"
"a4_104" = "745588584"
"a4_105" = "752757705"
"a2_59" = "422985159"
"a2_58" = "415802895"
"a2_53" = "379966066"
"a2_52" = "372799183"
"a2_51" = "365618511"
"a2_50" = "358450036"
"a2_57" = "408648142"
"a2_56" = "401467894"
"a2_55" = "394300084"
"a2_54" = "387124347"
"a2_187" = "1340621844"
"a1_244" = "3197409294"
"a4_251" = "1799449371"
"a4_55" = "394301655"
"a4_54" = "387132534"
"a4_57" = "408639897"
"a4_56" = "401470776"
"a4_51" = "365625171"
"a4_50" = "358456050"
"a4_53" = "379963413"
"a4_52" = "372794292"
[HKCU\Software\Aas\695404737]
"50183847" = "91B7B29E83DF27BD845620F31F81699AEA234A0AF364777AFD8013C50880BEED261AF09F76D756B22D8490BFC624276D3076D4A74CC35D08D3701A2CD26E8FE302DFAECE118977A4B1E380EEB284A8F1F5762C79B4FF22C5F28C90BFC5888DEA3DA748B07164541111D2655DA3E285F8167DE1B62CBC7E30883AFB31B5B55DA8"
[HKCU\Software\Aas]
"a4_59" = "422978139"
"a4_58" = "415809018"
"a1_248" = "1387492550"
"a3_249" = "1801832560"
"a1_178" = "3377792460"
"a1_179" = "1860259493"
"a1_176" = "2260949770"
"a3_135" = "950830350"
"a1_174" = "1596948721"
"a1_175" = "3369392386"
"a1_172" = "214686579"
[HKCU\Software\Aas\695404737]
"21507363" = "0"
[HKCU\Software\Aas]
"a1_170" = "3214165462"
"a1_171" = "2586790790"
"a4_198" = "1419485958"
"a2_236" = "1691915499"
"a2_237" = "1699083594"
"a2_234" = "1677581085"
"a2_235" = "1684747092"
"a2_232" = "1663230365"
"a2_233" = "1670402032"
"a2_230" = "1648898425"
"a2_231" = "1656075020"
"a4_209" = "1498346289"
"a2_238" = "1706248788"
"a2_239" = "1713414917"
"a3_94" = "690598327"
"a4_42" = "301103082"
"a3_96" = "671534665"
"a3_97" = "678453992"
"a3_90" = "662052915"
"a3_91" = "669107282"
"a3_92" = "643004661"
"a4_43" = "308272203"
"a3_209" = "1481480472"
"a3_98" = "685967115"
"a4_40" = "286764840"
"a4_41" = "293933961"
"a4_46" = "329779566"
[HKCU\Software\adm914]
"a3_1" = "23986720"
[HKCU\Software\Aas]
"a2_181" = "1297603410"
"a4_44" = "315441324"
"a3_254" = "1837822487"
"a4_45" = "322610445"
"a1_138" = "529956100"
"a1_139" = "2097904279"
"a1_159" = "2362730081"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKCU\Software\Aas]
"a1_130" = "280509490"
"a3_238" = "1689270279"
[HKCU\Software\adm914\695404737]
"35845605" = "442"
[HKCU\Software\Aas]
"a2_156" = "1118387442"
"a2_155" = "1111218411"
"a1_131" = "2997956607"
"a2_153" = "1096868590"
"a2_152" = "1089703879"
"a2_99" = "709741748"
"a2_98" = "702575374"
"a2_97" = "695408038"
"a2_96" = "688241026"
"a2_95" = "681060624"
"a2_94" = "673890419"
"a2_93" = "666722922"
"a2_92" = "659566683"
"a2_91" = "652391302"
"a2_90" = "645225717"
"a4_151" = "1082537271"
[HKCU\Software\adm914\695404737]
"28676484" = "35"
[HKCU\Software\Aas]
"a4_153" = "1096875513"
"a4_152" = "1089706392"
"a4_155" = "1111213755"
"a4_154" = "1104044634"
"a1_58" = "2124183728"
"a1_59" = "724691502"
"a1_56" = "3493822530"
"a1_57" = "1043080655"
"a1_54" = "623309766"
"a1_55" = "751433857"
"a1_52" = "3171149961"
"a1_53" = "1042817473"
"a1_50" = "475277730"
"a1_51" = "534988269"
"a3_215" = "1524377438"
"a3_214" = "1517454143"
"a3_217" = "1572437008"
"a3_216" = "1565514737"
"a3_211" = "1529532890"
"a3_210" = "1488928187"
"a3_213" = "1510469276"
"a3_212" = "1536445053"
"a3_136" = "991836577"
"a3_219" = "1553446098"
"a3_218" = "1545867443"
"a1_155" = "4075896035"
"a4_208" = "1491177168"
"a1_217" = "1395354732"
"a3_43" = "324843106"
"a3_42" = "284237251"
"a3_41" = "277248416"
"a3_40" = "269796609"
"a3_47" = "353765350"
"a3_46" = "313221959"
"a3_45" = "305778468"
"a3_44" = "332278405"
"a1_132" = "107850578"
"a1_133" = "1592992309"
"a3_49" = "368270520"
"a3_48" = "360822809"
"a1_136" = "819332156"
"a2_119" = "853117360"
"a1_134" = "434269662"
"a1_135" = "1628732476"
"a4_99" = "709742979"
"a4_98" = "702573858"
"a2_118" = "845961556"
"a1_189" = "2613924128"
"a4_91" = "652390011"
"a4_90" = "645220890"
"a4_93" = "666728253"
"a4_92" = "659559132"
"a4_95" = "681066495"
"a4_94" = "673897374"
"a4_97" = "695404737"
"a4_96" = "688235616"
"a3_109" = "798021476"
"a3_108" = "790966981"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKCU\Software\Aas]
"a3_245" = "1773304572"
"a1_160" = "1925957101"
"a3_101" = "707522668"
"a3_100" = "733503437"
"a3_103" = "754977070"
"a3_102" = "714511503"
"a3_105" = "769475040"
"a3_104" = "762555713"
"a3_107" = "750493346"
"a3_106" = "742980099"
"a2_113" = "810118876"
"a1_250" = "1825664966"
"a2_112" = "802933287"
"a1_165" = "3612961744"
"a3_70" = "485103791"
"a1_164" = "4197737085"
"a2_110" = "788596153"
"a2_117" = "838794324"
"a2_116" = "831611035"
"a1_169" = "470826335"
"a2_115" = "824443454"
"a1_168" = "26850501"
"a2_114" = "817276069"
"a2_179" = "1283272906"
"a4_252" = "1806618492"
"a3_232" = "1646370241"
"a4_253" = "1813787613"
"a2_214" = "1534183819"
"a4_250" = "1792280250"
"a2_215" = "1541362472"
"a1_222" = "1786285277"
"a2_144" = "1032347804"
"a1_104" = "2243853017"
"a1_221" = "450095842"
"a1_226" = "3393046175"
"a1_227" = "2856660951"
"a1_224" = "3651497103"
"a2_145" = "1039515738"
"a1_228" = "1496093443"
"a2_217" = "1555695668"
"a2_146" = "1046685172"
"a2_218" = "1562862263"
"a2_147" = "1053867976"
"a4_254" = "1820956734"
"a2_219" = "1570031220"
"a2_140" = "1003679996"
"a2_253" = "1813779000"
"a2_141" = "1010849008"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Aas]
"a2_142" = "1018016289"
"a2_248" = "1777935397"
"a2_143" = "1025182402"
"a1_246" = "236390250"
"a1_240" = "1427860397"
"a3_150" = "1092336383"
"a2_193" = "1383641227"
"a2_192" = "1376476831"
"a2_191" = "1369308736"
"a3_151" = "1099259678"
"a3_133" = "970345548"
"a2_196" = "1405157263"
[HKCU\Software\Aas\695404737]
"35845605" = "343"
[HKCU\Software\Aas]
"a2_194" = "1390807970"
"a2_199" = "1426657672"
"a2_198" = "1419492877"
"a3_116" = "814879197"
"a3_117" = "821922428"
"a1_241" = "2869094783"
[HKCU\Software\adm914\695404737]
"21507363" = "0"
[HKCU\Software\Aas]
"a3_114" = "834001179"
"a4_182" = "1304780022"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Aas]
"a4_180" = "1290441780"
"a3_115" = "807894458"
"a1_89" = "2507957751"
"a1_88" = "3245978212"
"a4_184" = "1319118264"
"a4_185" = "1326287385"
"a1_85" = "1117085838"
"a1_84" = "2031130297"
"a1_87" = "1852670121"
"a1_86" = "898885369"
"a1_81" = "2457023215"
"a1_80" = "3147165453"
"a1_83" = "550441657"
"a3_159" = "1123168790"
"a3_110" = "771902343"
"a2_128" = "917644860"
"a2_129" = "924825382"
"a2_126" = "903300243"
"a2_127" = "910481687"
"a2_124" = "888965880"
"a3_111" = "778955814"
"a2_122" = "874629197"
"a2_123" = "881795841"
"a2_120" = "860295423"
"a2_121" = "867462846"
"a1_67" = "2117284313"
"a1_66" = "3570176863"
"a1_65" = "2118396117"
"a1_64" = "1079674138"
"a1_63" = "509790345"
"a1_62" = "106908330"
"a1_61" = "3419744159"
"a1_60" = "1828714209"
"a3_138" = "1006335587"
"a3_139" = "979823234"
"a4_162" = "1161397602"
"a4_163" = "1168566723"
"a4_164" = "1175735844"
"a4_165" = "1182904965"
"a1_69" = "3185741721"
"a1_68" = "2009511818"
"a1_12" = "1948468805"
"a1_13" = "4254185452"
"a1_10" = "487676345"
"a1_11" = "1508545360"
"a1_16" = "645713510"
"a1_17" = "3918487849"
"a1_14" = "3909076379"
"a1_15" = "2993041335"
"a4_115" = "824448915"
"a4_114" = "817279794"
"a1_18" = "3962158872"
"a1_19" = "1165609280"
"a4_111" = "795772431"
"a4_110" = "788603310"
"a4_113" = "810110673"
"a4_112" = "802941552"
"a2_48" = "344116983"
"a2_49" = "351284365"
"a4_140" = "1003676940"
"a2_40" = "286766295"
"a2_41" = "293930126"
"a2_42" = "301099852"
"a2_43" = "308268748"
"a2_44" = "315447474"
"a2_45" = "322615625"
"a2_46" = "329785273"
"a2_47" = "336950592"
[HKCU\Software\adm914]
"a1_2" = "836184835"
"a1_3" = "626096763"
"a1_0" = "316296286"
"a1_1" = "3634571327"
"a1_6" = "3130094367"
"a1_7" = "2282153581"
"a1_4" = "1599481307"
"a1_5" = "686403499"
"a1_8" = "1034684345"
"a1_9" = "2084193074"
[HKCU\Software\Aas]
"a4_146" = "1046691666"
[HKCU\Software\adm914]
"a3_4" = "11990981"
"a3_5" = "52532132"
"a3_6" = "59980807"
"a3_7" = "67033318"
"a3_0" = "17000001"
[HKCU\Software\Aas]
"a4_47" = "336948687"
[HKCU\Software\adm914]
"a3_2" = "31043203"
"a3_3" = "4934498"
[HKCU\Software\Aas]
"a4_48" = "344117808"
"a4_49" = "351286929"
[HKCU\Software\adm914]
"a3_8" = "40387913"
"a3_9" = "47964456"
[HKCU\Software\Aas]
"a4_137" = "982169577"
"a4_255" = "1828125855"
"a4_136" = "975000456"
"a3_205" = "1452936068"
"a4_147" = "1053860787"
"a3_244" = "1765852765"
"a1_161" = "625882197"
"a3_140" = "986812197"
"a1_163" = "2990856422"
"a1_162" = "1235935065"
"a3_18" = "112354555"
"a3_19" = "152901914"
"a1_167" = "1283675189"
"a1_166" = "3088065692"
"a3_14" = "83367783"
"a3_15" = "124488582"
"a3_16" = "131411001"
"a3_17" = "104906840"
"a3_10" = "88506851"
"a3_11" = "95435266"
"a3_12" = "69459621"
"a3_13" = "76378820"
"a4_37" = "265257477"
"a4_36" = "258088356"
"a4_35" = "250919235"
"a4_34" = "243750114"
"a4_33" = "236580993"
"a4_32" = "229411872"
"a4_31" = "222242751"
"a4_30" = "215073630"
"a3_241" = "1744311672"
"a4_39" = "279595719"
"a4_38" = "272426598"
"a2_175" = "1254590958"
"a2_174" = "1247420889"
"a1_103" = "472782938"
"a2_178" = "1276104845"
"a2_177" = "1268937963"
"a4_244" = "1749265524"
[HKCU\Software\adm914]
"a1_14" = "3302186630"
[HKCU\Software\Aas]
"a2_176" = "1261770071"
[HKCU\Software\adm914]
"a1_10" = "1490798705"
"a1_11" = "1266012798"
"a1_12" = "3434268231"
"a1_13" = "1330898259"
[HKCU\Software\Aas]
"a4_145" = "1039522545"
"a2_171" = "1225920915"
"a3_251" = "1782710578"
"a2_170" = "1218756474"
"a4_139" = "996507819"
"a1_102" = "3102790655"
"a4_138" = "989338698"
[HKCU\Software\Aas\695404737]
"28676484" = "35"
[HKCU\Software\Aas]
"a2_209" = "1498344267"
"a4_131" = "939154851"
[HKCU\Software\adm914]
"a3_14" = "83368719"
"a3_12" = "69456589"
"a3_13" = "76381868"
"a3_10" = "88509835"
"a3_11" = "95434346"
[HKCU\Software\Aas]
"a3_228" = "1617824845"
"a1_101" = "519189316"
"a1_249" = "3399687143"
"a1_237" = "641480839"
"a4_149" = "1068199029"
"a3_141" = "1027810116"
"a3_247" = "1753789374"
"a2_221" = "1584381605"
"a2_220" = "1577213689"
"a2_223" = "1598707125"
"a2_222" = "1591546600"
"a2_225" = "1613046622"
"a2_224" = "1605890346"
"a2_227" = "1627398057"
"a2_226" = "1620215682"
"a1_229" = "552338555"
"a3_229" = "1624875244"
"a2_207" = "1484002120"
"a3_181" = "1280611004"
"a2_88" = "630887571"
"a2_89" = "638054594"
"a3_180" = "1307180573"
"a2_84" = "602206933"
"a2_85" = "609384216"
"a2_86" = "616539157"
"a2_87" = "623720765"
"a2_80" = "573522054"
"a3_34" = "260325067"
"a2_82" = "587870746"
"a2_83" = "595041789"
"a4_124" = "888971004"
"a4_125" = "896140125"
"a1_29" = "1033716295"
"a1_28" = "527450867"
"a4_120" = "860294520"
"a4_121" = "867463641"
"a4_122" = "874632762"
"a4_123" = "881801883"
"a1_23" = "3353166089"
"a1_22" = "2985793400"
"a1_21" = "926403291"
"a1_20" = "3726222687"
"a1_27" = "3009096814"
"a1_26" = "1748703758"
"a1_25" = "1751293646"
"a1_24" = "3272950301"
"a4_141" = "1010846061"
"a3_187" = "1324038386"
"a3_186" = "1316586579"
"a3_189" = "1371566516"
"a3_227" = "1610836010"
"a3_50" = "341766363"
"a3_51" = "348755322"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Aas]
"a3_53" = "396796476"
"a3_54" = "370165343"
"a3_55" = "377748222"
"a3_56" = "384737041"
"a3_57" = "425210800"
"a3_58" = "432789459"
"a3_59" = "406145138"
"a1_127" = "3729014179"
"a1_126" = "3305136389"
"a1_121" = "1704639835"
"a1_120" = "163974893"
"a1_123" = "2751364184"
"a1_122" = "3296526984"
"a4_238" = "1706250798"
"a4_239" = "1713419919"
"a2_111" = "795780718"
"a4_230" = "1648897830"
"a4_231" = "1656066951"
"a4_232" = "1663236072"
"a4_233" = "1670405193"
"a4_234" = "1677574314"
"a4_235" = "1684743435"
"a4_236" = "1691912556"
"a4_237" = "1699081677"
"a3_178" = "1292673371"
"a3_179" = "1300121082"
"a3_174" = "1264145351"
"a3_175" = "1271198822"
"a3_176" = "1245079705"
"a3_177" = "1252068664"
"a3_170" = "1235731011"
"a3_171" = "1209100002"
"a3_172" = "1216092933"
"a3_173" = "1223671716"
"a2_31" = "222245559"
"a2_30" = "215079877"
"a2_33" = "236578448"
"a2_32" = "229419267"
"a2_35" = "250914352"
"a2_34" = "243748057"
"a2_37" = "265263489"
"a2_36" = "258081339"
"a2_39" = "279603788"
"a2_38" = "272431233"
"a4_79" = "566360559"
"a4_78" = "559191438"
"a3_226" = "1636956043"
"a1_223" = "670139083"
"a4_73" = "523345833"
"a4_72" = "516176712"
"a4_71" = "509007591"
"a4_70" = "501838470"
"a4_77" = "552022317"
"a4_76" = "544853196"
"a4_75" = "537684075"
"a4_74" = "530514954"
[HKCU\Software\adm914]
"a4_7" = "50183847"
"a4_6" = "43014726"
"a4_5" = "35845605"
"a4_4" = "28676484"
"a4_3" = "21507363"
"a4_2" = "14338242"
"a4_1" = "7169121"
"a4_0" = "0"
[HKCU\Software\Aas]
"a1_137" = "4000052568"
"a2_106" = "759925870"
[HKCU\Software\adm914]
"a4_9" = "64522089"
"a4_8" = "57352968"
[HKCU\Software\Aas]
"a4_86" = "616544406"
"a4_87" = "623713527"
"a4_84" = "602206164"
"a4_85" = "609375285"
"a4_82" = "587867922"
"a4_83" = "595037043"
"a4_80" = "573529680"
"a4_81" = "580698801"
"a4_183" = "1311949143"
"a1_225" = "1561147647"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"
[HKCU\Software\Aas]
"a4_197" = "1412316837"
"a4_88" = "630882648"
"a4_89" = "638051769"
"a1_158" = "2897510531"
"a2_100" = "716910025"
"a4_196" = "1405147716"
[HKCU\Software\Aas\695404737]
"14338242" = "0"
[HKCU\Software\Aas]
"a2_107" = "767094654"
"a1_151" = "3956178155"
[HKCU\Software\Aas\695404737]
"7169121" = "198"
[HKCU\Software\Aas]
"a1_153" = "352823234"
"a1_154" = "1665383980"
"a2_102" = "731243355"
"a1_156" = "1425130090"
"a1_157" = "3631456804"
"a1_235" = "932499391"
"a2_229" = "1641732036"
"a1_188" = "3490947897"
"a2_103" = "738424936"
"a1_231" = "3785252574"
"a1_230" = "447371135"
"a1_233" = "1877146107"
"a2_228" = "1634564274"
"a2_104" = "745593995"
"a4_201" = "1440993321"
"a1_247" = "1710655277"
"a1_239" = "3839204310"
"a1_238" = "3659575676"
"a2_105" = "752759379"
"a2_210" = "1505512749"
"a2_211" = "1512675981"
"a2_212" = "1519860111"
"a2_213" = "1527026292"
[HKCU\Software\adm914]
"a2_9" = "64528251"
"a2_8" = "57359814"
[HKCU\Software\Aas]
"a2_216" = "1548528691"
"a1_177" = "3866318972"
[HKCU\Software\adm914]
"a2_5" = "35843897"
"a2_4" = "28673476"
"a2_7" = "50176177"
"a2_6" = "43010406"
"a2_1" = "7168686"
"a2_0" = "1743"
"a2_3" = "21509662"
"a2_2" = "14340627"
[HKCU\Software\Aas]
"a4_10" = "71691210"
"a3_221" = "1600966036"
"a1_96" = "3680829096"
"a3_185" = "1309597744"
"a1_173" = "2131272656"
"a2_244" = "1749267240"
"a1_232" = "644143676"
"a3_183" = "1328655230"
"a1_186" = "2775663558"
"a3_222" = "1608410679"
"a2_131" = "939149826"
"a2_130" = "931981221"
"a4_179" = "1283272659"
"a2_133" = "953496066"
"a2_132" = "946329891"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\Aas]
"a2_135" = "967831832"
"a3_182" = "1288058591"
"a2_134" = "960663977"
"a1_107" = "1662670365"
"a2_137" = "982167241"
"a4_178" = "1276103538"
"a1_106" = "892021617"
"a4_227" = "1627390467"
"a2_136" = "974998356"
"a1_105" = "1757811884"
"a4_226" = "1620221346"
"a4_195" = "1397978595"
"a4_194" = "1390809474"
"a1_98" = "3793676798"
"a1_99" = "2820553901"
"a4_191" = "1369302111"
"a4_190" = "1362132990"
"a4_193" = "1383640353"
"a4_192" = "1376471232"
"a1_92" = "3789085686"
"a1_93" = "2787785314"
"a1_90" = "1636542049"
"a1_91" = "2081359793"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKCU\Software\Aas]
"a1_97" = "3494699639"
"a1_94" = "1037571421"
"a1_95" = "1058853542"
"a2_75" = "537687484"
"a2_74" = "530518825"
"a2_77" = "552019822"
"a2_76" = "544857071"
"a2_71" = "509004306"
"a2_70" = "501830349"
"a2_73" = "523352933"
"a2_72" = "516170387"
"a2_139" = "996517507"
"a2_138" = "989334027"
"a1_100" = "3061203627"
"a2_79" = "566355652"
"a2_78" = "559189164"
"a1_74" = "1088747862"
"a1_75" = "221761186"
"a1_76" = "346457458"
"a1_77" = "2271621191"
"a1_70" = "3252069199"
"a1_71" = "674791611"
"a1_72" = "3016518642"
"a1_73" = "2636831472"
"a4_173" = "1240257933"
"a4_172" = "1233088812"
"a3_129" = "907869896"
"a3_128" = "934369961"
"a1_78" = "1019667360"
"a1_79" = "1222148280"
"a4_175" = "1254596175"
"a4_174" = "1247427054"
"a3_123" = "898388146"
"a3_239" = "1730403494"
"a3_122" = "891468819"
"a3_237" = "1682343908"
"a3_236" = "1708909381"
"a3_235" = "1701334818"
"a3_234" = "1660856963"
"a3_233" = "1653814880"
"a3_121" = "850861040"
"a3_231" = "1672935854"
"a3_230" = "1665877263"
"a3_252" = "1789764949"
"a3_120" = "843343697"
"a1_109" = "2113202038"
"a2_173" = "1240253358"
"a3_127" = "927442486"
"a1_108" = "1625408690"
"a3_126" = "886312343"
"a1_0" = "3034986106"
"a3_125" = "879323508"
"a3_198" = "1436076335"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKCU\Software\Aas]
"a3_196" = "1388556397"
"a3_197" = "1429034124"
"a3_194" = "1407548331"
"a3_124" = "905966805"
"a3_192" = "1393042153"
"a1_2" = "4249585053"
"a3_190" = "1345525207"
"a3_162" = "1144713035"
"a1_242" = "1772941326"
"a1_3" = "2312307834"
"a2_172" = "1233087679"
"a3_253" = "1830771188"
"a1_4" = "696406571"
"a4_171" = "1225919691"
"a1_5" = "2839273148"
"a4_170" = "1218750570"
"a1_6" = "3769092733"
"a4_177" = "1268934417"
"a1_7" = "209795580"
"a4_176" = "1261765296"
"a3_29" = "224867540"
"a3_28" = "183865525"
"a1_116" = "1246632634"
"a1_117" = "862623744"
"a1_110" = "4019542773"
"a1_111" = "930211761"
"a1_112" = "1473260750"
"a1_9" = "2775173847"
"a3_21" = "167399900"
"a3_20" = "159956413"
"a3_23" = "148336286"
"a3_22" = "140888703"
"a3_25" = "195929936"
"a3_24" = "188875569"
"a3_27" = "176880658"
"a3_26" = "169827315"
"a4_24" = "172058904"
"a4_25" = "179228025"
"a4_26" = "186397146"
"a4_27" = "193566267"
"a4_20" = "143382420"
"a4_21" = "150551541"
"a4_22" = "157720662"
"a4_23" = "164889783"
"a4_28" = "200735388"
"a4_29" = "207904509"
"a2_81" = "580703265"
"a4_203" = "1455331563"
"a3_93" = "649993492"
"a4_126" = "903309246"
"a1_190" = "204867395"
"a4_127" = "910478367"
"a1_208" = "211637102"
"a1_209" = "1824126092"
"a3_255" = "1844811446"
"a1_204" = "285247257"
"a1_205" = "2408973281"
"a1_206" = "4123966551"
"a1_207" = "1245164894"
"a1_200" = "3549174165"
"a1_201" = "953328979"
"a1_202" = "752187861"
"a3_99" = "726580138"
"a2_162" = "1161400946"
"a3_112" = "785940569"
"a2_163" = "1168569311"
"a2_160" = "1147055015"
"a2_161" = "1154235906"
"a1_243" = "1135304778"
"a2_254" = "1820951895"
"a4_128" = "917647488"
"a2_250" = "1792286691"
"a2_251" = "1799453736"
"a2_252" = "1806619255"
"a4_129" = "924816609"
"a3_113" = "826942712"
"a2_164" = "1175736897"
"a2_165" = "1182902500"
[HKCU\Software\adm914]
"a4_14" = "100367694"
"a4_13" = "93198573"
"a4_12" = "86029452"
"a4_11" = "78860331"
"a4_10" = "71691210"
[HKCU\Software\Aas]
"a2_101" = "724076482"
"a1_38" = "1727965753"
"a1_39" = "3751968667"
"a4_135" = "967831335"
"a4_134" = "960662214"
"a4_133" = "953493093"
"a4_132" = "946323972"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKCU\Software\Aas]
"a4_130" = "931985730"
"a1_30" = "4126453763"
"a1_31" = "2022900454"
"a1_32" = "2932734581"
"a1_33" = "1935576125"
"a1_34" = "3443996242"
"a1_35" = "2511289981"
"a1_36" = "3611227158"
"a1_37" = "3812022476"
"a2_190" = "1362125353"
"a3_158" = "1115724279"
"a2_197" = "1412311477"
"a2_168" = "1204419807"
"a1_251" = "2048607141"
"a2_108" = "774258959"
"a2_109" = "781428644"
"a3_69" = "478110732"
"a3_68" = "470664173"
"a3_65" = "449123976"
"a3_64" = "442135145"
"a3_67" = "497168202"
"a3_66" = "489720619"
"a3_61" = "454263092"
"a3_60" = "413199509"
"a3_63" = "468244982"
"a3_62" = "461186391"
"a4_229" = "1641728709"
"a4_228" = "1634559588"
"a4_223" = "1598713983"
"a4_222" = "1591544862"
"a4_221" = "1584375741"
"a4_220" = "1577206620"
"a2_169" = "1211588117"
"a3_203" = "1472066242"
"a4_225" = "1613052225"
"a4_224" = "1605883104"
"a3_169" = "1228156448"
"a3_168" = "1187689857"
"a3_167" = "1180635502"
"a3_166" = "1206680783"
"a3_165" = "1199757484"
"a3_164" = "1192698893"
"a3_163" = "1151697898"
[HKCU\Software\adm914\695404737]
"43014726" = "0B00687474703A2F2F7777772E726573697374656E6369616E696768742E636F6D2E61722F696D616765732F6C6F676F2E67696600687474703A2F2F656173746C6F6E646F6E2D656D61696C2E636F6D2F6C6F676F2E67696600687474703A2F2F73686565736F6D2E706B2F696D616765732F627574746F6E2E67696600687474703A2F2F657368697070696E6762726173696C2E636F6D2E62722F696D672F6C6F676F2E67696600687474703A2F2F736D727574697376617374756E66656E67736875692E636F6D2F696D616765732F627574746F6E2E67696600687474703A2F2F666C6967687473746F75722E636F6D2F696D616765732F6C6F676F2E67696600687474703A2F2F746174746F6F696E696E6469612E636F6D2F696D616765732F627574746F6E2E67696600687474703A2F2F6E6F6B74616B7561666F72756D2E636F6D2F696D616765732F6C6F676F2E67696600687474703A2F2F70756E746173616E2E636F6D2F696D616765732F6C6F676F2E67696600687474703A2F2F726564626F6D622E636F6D2E74722F726564626F6D622F6C6F676F2E67696600687474703A2F2F6831722E636F6D2F6C6F676F2E676966"
[HKCU\Software\Aas]
"a3_161" = "1171213096"
"a3_160" = "1163777673"
"a2_28" = "200732139"
"a2_29" = "207896749"
"a2_26" = "186394877"
"a2_27" = "193563687"
"a2_24" = "172052023"
"a2_25" = "179229998"
"a2_22" = "157727976"
"a2_23" = "164897172"
"a2_20" = "143380291"
"a2_21" = "150544936"
"a4_68" = "487500228"
"a4_69" = "494669349"
"a3_195" = "1380982730"
"a4_60" = "430147260"
"a4_61" = "437316381"
"a4_62" = "444485502"
"a4_63" = "451654623"
"a4_64" = "458823744"
"a4_65" = "465992865"
"a4_66" = "473161986"
"a4_67" = "480331107"
"a2_157" = "1125552920"
"a1_220" = "3515860741"
"a3_246" = "1746738975"
"a1_198" = "815964780"
"a3_250" = "1809280147"
"a4_200" = "1433824200"
"a3_191" = "1352568438"
"a2_7" = "50174829"
"a2_6" = "43008925"
"a2_5" = "35840778"
"a2_4" = "28684887"
"a2_3" = "21499252"
"a2_2" = "14341517"
"a2_1" = "7175610"
"a2_0" = "8759"
"a1_236" = "2014090408"
"a1_187" = "3695764358"
"a2_9" = "64526987"
"a4_5" = "35845605"
"a4_4" = "28676484"
"a4_7" = "50183847"
"a4_6" = "43014726"
"a4_1" = "7169121"
"a4_0" = "0"
"a4_3" = "21507363"
"a4_2" = "14338242"
"a1_143" = "1232544069"
"a1_142" = "1127160954"
"a1_141" = "3246391517"
"a1_140" = "2099258801"
"a4_9" = "64522089"
"a4_8" = "57352968"
"a1_145" = "2772041635"
"a1_144" = "3299928527"
"a3_52" = "389745053"
"a2_203" = "1455328641"
"a2_202" = "1448157440"
"a2_201" = "1440992643"
"a2_200" = "1433825707"
"a4_202" = "1448162442"
"a2_206" = "1476843768"
"a2_205" = "1469677230"
"a2_204" = "1462496163"
"a1_129" = "755121047"
"a1_192" = "3328186520"
"a2_8" = "57357922"
"a1_128" = "679395237"
"a3_87" = "607024862"
"a3_86" = "633131711"
"a3_85" = "626081308"
"a3_84" = "585598461"
"a3_83" = "578085210"
"a3_82" = "571034939"
"a3_81" = "597665944"
"a3_80" = "590099577"
"a2_154" = "1104036805"
"a1_218" = "2238527173"
"a1_149" = "1202768800"
"a3_89" = "654610320"
"a3_88" = "614067057"
"a1_125" = "827835256"
"a4_205" = "1469669805"
"a1_148" = "586544259"
"a1_124" = "1785505960"
"a4_186" = "1333456506"
"a4_168" = "1204412328"
"a4_187" = "1340625627"
"a1_234" = "4137136737"
"a3_199" = "1409969486"
"a3_242" = "1718323611"
"a1_194" = "2039193820"
"a1_212" = "1537326238"
"a4_204" = "1462500684"
"a1_245" = "2983106700"
"a4_245" = "1756434645"
"a4_169" = "1211581449"
"a4_188" = "1347794748"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B 79 14 7F E0 6E 69 37 83 88 12 56 26 6D 88 E6"
[HKCU\Software\Aas]
"a4_148" = "1061029908"
"a4_189" = "1354963869"
"a2_125" = "896146736"
"a1_147" = "87246202"
"a3_243" = "1725243962"
"a1_195" = "96615143"
"a4_207" = "1484008047"
"a1_146" = "1914195097"
"a3_220" = "1593911669"
"a1_252" = "1769781263"
"a1_8" = "3632324995"
"a4_199" = "1426655079"
"a1_255" = "3329372109"
"a1_254" = "4012397414"
"a1_82" = "3956499021"
"a2_62" = "444487947"
"a2_63" = "451646420"
"a2_60" = "430153255"
"a2_61" = "437319147"
"a2_66" = "473168213"
"a2_67" = "480336944"
"a2_64" = "458818597"
"a2_65" = "465987182"
"a3_240" = "1737322713"
"a2_68" = "487505155"
"a2_69" = "494670337"
"a2_148" = "1061035907"
"a2_149" = "1068200764"
"a1_41" = "4073847551"
"a1_40" = "1229440638"
"a1_43" = "2186056470"
"a1_42" = "4149476944"
"a1_45" = "3833033688"
"a1_44" = "3949114069"
"a1_47" = "3619172250"
"a1_46" = "261255223"
"a1_49" = "3505021385"
"a1_48" = "1477682029"
"a4_144" = "1032353424"
[HKCU\Software\Aas\695404737]
"43014726" = "0A00687474703A2F2F616B7A696C2E636F6D2F696D616765732F6C6F676F2E67696600687474703A2F2F7777772E63723473682E676F2E726F2F6C6F676F2E67696600687474703A2F2F6172746761732E636F6D2E62722F627574746F6E2E67696600687474703A2F2F6561726E6D6F6E657962642E636F6D2F696D616765732F6C6F676F2E67696600687474703A2F2F736F68616D776F726C642E696E2F696D616765732F627574746F6E2E67696600687474703A2F2F73696D6963616E692E636F6D2F6C6F676F2E67696600687474703A2F2F7777772E73746F72667265652E636F6D2F696D616765732F6C6F676F732E67696600687474703A2F2F6E65776E69726D616E2E696E2F627574746F6E2E67696600687474703A2F2F7777772E6D736963742E696E2F696D616765732F6C6F676F2E67696600687474703A2F2F67616E757A6173762E636F6D2F6C6F676F2E676966"
[HKCU\Software\Aas]
"a4_142" = "1018015182"
"a4_143" = "1025184303"
"a3_118" = "862924447"
"a3_119" = "869974846"
"a3_202" = "1465015971"
"a1_114" = "4211840619"
"a3_200" = "1416954337"
"a3_201" = "1424013824"
"a3_206" = "1493543975"
"a3_207" = "1500987462"
"a3_204" = "1445500773"
"a1_115" = "271911469"
"a1_197" = "1812101608"
"a2_166" = "1190068590"
"a3_208" = "1508041977"
"a2_195" = "1397976088"
"a1_199" = "2780384983"
"a4_246" = "1763603766"
"a1_203" = "233346036"
"a3_36" = "241268621"
"a3_37" = "248309804"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKCU\Software\Aas]
"a3_35" = "267899754"
"a3_32" = "212854281"
"a3_33" = "253401768"
"a3_30" = "231909751"
"a3_31" = "205278614"
"a2_167" = "1197236812"
"a3_188" = "1364647189"
"a1_113" = "2391507082"
"a4_241" = "1727758161"
"a3_38" = "289377359"
"a3_39" = "296296686"
"a4_249" = "1785111129"
[HKCU\Software\adm914\695404737]
"50183847" = "0A70D5FCA195CB83BEBED648A815E847F0DC85BE0EE2F97D2AC38CFDD790CC241E8202CEE461E2D5991740B69B7CF3CDACF5340F5B1D7E8D600A6176F0420CF143677512BFBC755006B651B9B2AA88942902025C2879352316C3CF97738A0AEE074D5DAB82EB858FCE659FE5B096BD941957B6F358EF8828A957D5C184455C29"
[HKCU\Software\Aas]
"a3_184" = "1336102801"
"a4_248" = "1777942008"
"a3_130" = "915379051"
"a1_191" = "262133873"
"a3_131" = "922302346"
"a1_118" = "1618627084"
"a3_95" = "698045910"
"a3_132" = "962897965"
"a1_119" = "660508071"
"a2_17" = "121876931"
"a2_16" = "114711447"
"a2_15" = "107543120"
"a2_14" = "100362453"
"a2_13" = "93207356"
"a2_12" = "86026655"
"a2_11" = "78858188"
"a2_10" = "71693717"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
[HKCU\Software\Aas]
"a3_134" = "943841519"
"a4_247" = "1770772887"
"a2_19" = "136211909"
"a2_18" = "129045100"
"a4_11" = "78860331"
"a1_1" = "1455659574"
"a4_13" = "93198573"
"a4_12" = "86029452"
"a4_15" = "107536815"
"a4_14" = "100367694"
"a4_17" = "121875057"
"a4_16" = "114705936"
"a4_19" = "136213299"
"a4_18" = "129044178"
"a3_137" = "998890944"
"a4_240" = "1720589040"
"a4_160" = "1147059360"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Aas]
"a4_243" = "1742096403"
"a3_8" = "40388897"
"a3_9" = "47967552"
"a3_6" = "59977839"
"a3_7" = "67032206"
"a3_4" = "11991981"
"a3_5" = "52535244"
"a3_2" = "31040235"
"a3_3" = "4933386"
"a3_0" = "17001001"
"a3_1" = "23989832"
"a1_193" = "1706599254"
"a2_255" = "1828121160"
"a2_208" = "1491179504"
"a2_151" = "1082561221"
"a4_242" = "1734927282"
"a2_150" = "1075376389"
"a1_253" = "3969235844"
[HKCU\Software\adm914\695404737]
"14338242" = "0"
"7169121" = "275"
[HKCU\Software\Aas]
"a4_166" = "1190074086"
"a1_150" = "3452476264"
"a4_167" = "1197243207"
"a3_145" = "1022800088"
"a1_219" = "3318136757"
"a3_144" = "1015749817"
"a4_161" = "1154228481"
"a1_216" = "3272929671"
"a1_215" = "3978935499"
"a1_214" = "1281043579"
"a1_213" = "947654919"
"a3_147" = "1070844314"
"a1_211" = "885821091"
"a1_210" = "3938655535"
"a3_146" = "1063277947"
"a2_159" = "1139887445"
"a4_119" = "853125399"
"a2_158" = "1132713493"
"a1_196" = "2256002104"
"a4_118" = "845956278"
"a3_143" = "1008236550"
"a2_249" = "1785104275"
"a4_150" = "1075368150"
"a2_247" = "1770767477"
"a2_246" = "1763599125"
"a2_245" = "1756433011"
"a3_142" = "1034864615"
"a2_243" = "1742100020"
"a2_242" = "1734934095"
"a2_241" = "1727780846"
"a2_240" = "1720585615"
"a3_224" = "1588903625"
"a1_152" = "1112327382"
"a3_225" = "1629901672"
"a3_248" = "1761236945"
"a4_117" = "838787157"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
Task Manager is disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"
Adds a rule to the firewall Windows which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%System%\inf]
"svchost.exe" = "%System%\inf\svchost.exe:*:Enabled:@xpsp2res.dll,-22001"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
Adds a rule to the firewall Windows which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
The Trojan deletes the following registry key(s):
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\termservice]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\TDI]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Browser]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBT]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sr.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WinMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\File system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmserver]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\EventLog]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Messenger]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Ndisuio]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SharedAccess]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroup]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\RpcSs]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SCSI Class]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Tcpip]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS Wrapper]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot file system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroup]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\CryptSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Primary disk]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Netlogon]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vga.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\HelpSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WZCSVC]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmserver]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetMan]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Base]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\File system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmadmin]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AppMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PCI Configuration]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanServer]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AFD]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Streams Drivers]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Base]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DnsCache]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NtLmSsp]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PlugPlay]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Dhcp]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmload.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SRService]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\nm.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP_TDI]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmio.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\nm]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Network]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LmHosts]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SRService]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOS]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys]
The Trojan deletes the following value(s) in system registry:
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\File system]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot]
"AlternateShell"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SRService]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Primary disk]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SCSI Class]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WZCSVC]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBT]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Tcpip]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Network]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\HelpSvc]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vga.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SharedAccess]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroup]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmserver]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroup]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PlugPlay]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOS]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Streams Drivers]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Base]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Netlogon]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LmHosts]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\EventLog]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmio.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\File system]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Browser]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Base]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WinMgmt]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot file system]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\RpcSs]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DnsCache]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SRService]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\nm]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP_TDI]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NtLmSsp]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Filter]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetMan]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP Filter]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\CryptSvc]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AFD]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Ndisuio]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS Wrapper]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Messenger]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanServer]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmadmin]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Filter]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\nm.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AppMgmt]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\TDI]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Dhcp]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sr.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmload.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\termservice]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmserver]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PCI Configuration]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
"(Default)"
Dropped PE files
MD5 | File path |
---|---|
8af83550360e977e51cf5caf13b2e59c | c:\WINDOWS\system32\inf\svchost.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following user-mode hooks in WININET.dll:
HttpSendRequestW
InternetWriteFile
HttpSendRequestA
The Trojan installs the following user-mode hooks in DNSAPI.dll:
DnsQuery_A
DnsQuery_W
The Trojan installs the following user-mode hooks in WS2_32.dll:
send
GetAddrInfoW
The Trojan installs the following user-mode hooks in kernel32.dll:
MoveFileA
CopyFileW
CopyFileA
MoveFileW
CreateFileW
CreateFileA
The Trojan installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
NtResumeThread
NtQueryDirectoryFile
NtEnumerateValueKey
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.A program can register a device notification with the help of RegisterDeviceNotification. So it is notified when a USB device is plugged and then the worm copies itself to the USB device plugged into the affected computer.A worm can spread its copies through the MSN Messanger.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
TELNET.EXE:2136
TELNET.EXE:584
TELNET.EXE:4084
TELNET.EXE:636
TELNET.EXE:1428
TELNET.EXE:2880
TELNET.EXE:2836
TELNET.EXE:2356
%original file name%.exe:336
%original file name%.exe:1092
NOTEPAD.EXE:2712
NOTEPAD.EXE:2596
NOTEPAD.EXE:2472
NOTEPAD.EXE:1324
NOTEPAD.EXE:576
NOTEPAD.EXE:2452
NOTEPAD.EXE:2820
NOTEPAD.EXE:2784
NOTEPAD.EXE:2564
NOTEPAD.EXE:368
NOTEPAD.EXE:2244
NOTEPAD.EXE:3580
NOTEPAD.EXE:2912
NOTEPAD.EXE:896
NOTEPAD.EXE:2212
NOTEPAD.EXE:2936
NOTEPAD.EXE:2764
NOTEPAD.EXE:168
NOTEPAD.EXE:3644
NOTEPAD.EXE:3720
NOTEPAD.EXE:1284
NOTEPAD.EXE:3612
NOTEPAD.EXE:1604
NOTEPAD.EXE:2496
NOTEPAD.EXE:2068
NOTEPAD.EXE:1008
NOTEPAD.EXE:2104
020826a36d723a8:1600 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Application Data\ScreenSaverPro.scr (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SDYB8DEZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GPEBWPUN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\temp.bin (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4X6V4D2V\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G5VJ5DLJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Pukmkb.exe (2321 bytes)
%System%\inf\svchost.exe (688 bytes)
%WinDir%\system.ini (72 bytes)
%System%\drivers\ghkjmn.sys (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winohue.exe (15019 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Screen Saver Pro 3.1" = "%Documents and Settings%\%current user%\Application Data\ScreenSaverPro.scr"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Pukmkb" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Pukmkb.exe" - Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 14076 | 14336 | 3.50208 | cebd960abe2844bcc41235ee42bd9882 |
.data | 20480 | 3824 | 4096 | 0.100873 | 09376d519decebf72b935b6074d3ec76 |
.rdata | 24576 | 8320 | 8704 | 4.04746 | d9a8a6049e5a8e9928ce0f37ca7bd222 |
.bss | 36864 | 432 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 40960 | 780 | 1024 | 2.41451 | 659d2cb0b3d2f47ea4435777526c0539 |
.rsrc | 45056 | 139264 | 136704 | 5.4504 | 57e828792a30cf22c26d6719b084f895 |
.zdata | 184320 | 73728 | 73728 | 5.43825 | 8b31d886a0683298c5aaa5989ece792f |
.xdata | 258048 | 161004 | 161280 | 4.64128 | ebeae0057e94ec957ce8b4423425a22f |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
svchost.exe_1516:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.reloc
@.reloc
u SSh
u SSh
\INETINFO.exe
\INETINFO.exe
:*:Enabled:@xpsp2res.dll,-22001
:*:Enabled:@xpsp2res.dll,-22001
\inf\svchost.exe /autorun
\inf\svchost.exe /autorun
SOFTWARE\Microsoft\Windows\CurrentVersion\App paths\ckass.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App paths\ckass.exe
\svchost.exe
\svchost.exe
121.254.231.247
121.254.231.247
121.254.231.246
121.254.231.246
\scanip.txt
\scanip.txt
User-Agent: Mozilla/4.0
User-Agent: Mozilla/4.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, */*
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, */*
HTTP/1.0
HTTP/1.0
hXXp://
hXXp://
Please contact the application's support team for more information.
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- CRT not initialized
- floating point support not loaded
- floating point support not loaded
GetProcessWindowStation
GetProcessWindowStation
USER32.DLL
USER32.DLL
operator
operator
WS2_32.dll
WS2_32.dll
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
RegCloseKey
RegCloseKey
RegCreateKeyExA
RegCreateKeyExA
RegOpenKeyA
RegOpenKeyA
RegCreateKeyA
RegCreateKeyA
RegDeleteKeyA
RegDeleteKeyA
ADVAPI32.dll
ADVAPI32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
GetCPInfo
GetCPInfo
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Event Check
Windows Event Check
%System%\inf\svchost.exe
%System%\inf\svchost.exe
%System%
%System%
%WinDir%
%WinDir%
KERNEL32.DLL
KERNEL32.DLL
mscoree.dll
mscoree.dll
Port :
Port :
All Files (*.*)
All Files (*.*)
No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.
No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.
Page %u
Page %u
Pages %u-%u
Pages %u-%u
Output.prn1Printer Files (*.prn)|*.prn|All Files (*.*)|*.*||
Output.prn1Printer Files (*.prn)|*.prn|All Files (*.*)|*.*||
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.
#Unable to load mail system support.
#Unable to load mail system support.
svchost.exe_1516_rwx_00650000_0004E000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
=MSG t
=MSG t
>MSG u`
>MSG u`
=PASS
=PASS
8httpu1
8httpu1
8httpuM
8httpuM
tlSSSSSSSSSShL0f
tlSSSSSSSSSShL0f
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
ngr->blocksize: %d
ngr->blocksize: %d
block_size: %d
block_size: %d
\\.\pipe\%s
\\.\pipe\%s
kernel32.dll
kernel32.dll
%s_%d
%s_%d
-%sMutex
-%sMutex
ntdll.dll
ntdll.dll
%s-pid
%s-pid
%s-comm
%s-comm
JOIN #
JOIN #
PRIVMSG #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
PRIVMSG %5s
JOIN %5s
JOIN %5s
PRIVMSG
PRIVMSG
JOIN
JOIN
%s:%d
%s:%d
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
state_%s
state_%s
%s.%s (p='%S')
%s.%s (p='%S')
pop3://%s:%s@%s:%d
pop3://%s:%s@%s:%d
%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
login[password]
login[password]
login[username]
login[username]
*members*.iknowthatgirl*/members*
*members*.iknowthatgirl*/members*
*youporn.*/login*
*youporn.*/login*
*members.brazzers.com*
*members.brazzers.com*
*bcointernacional*login*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*:2222/CMD_LOGIN*
*whcms*dologin*
*whcms*dologin*
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
*:2082/login*
*:2082/login*
*webnames.ru/*user_login*
*webnames.ru/*user_login*
Webnames
Webnames
*dotster.com/*login*
*dotster.com/*login*
loginid
loginid
*enom.com/login*
*enom.com/login*
login.Pass
login.Pass
login.User
login.User
*login.Pass=*
*login.Pass=*
*1and1.com/xml/config*
*1and1.com/xml/config*
*moniker.com/*Login*
*moniker.com/*Login*
LoginPassword
LoginPassword
LoginUserName
LoginUserName
*LoginPassword=*
*LoginPassword=*
*namecheap.com/*login*
*namecheap.com/*login*
loginname
loginname
*godaddy.com/login*
*godaddy.com/login*
Password
Password
*Password=*
*Password=*
*alertpay.com/login*
*alertpay.com/login*
*netflix.com/*ogin*
*netflix.com/*ogin*
*thepiratebay.org/login*
*thepiratebay.org/login*
*torrentleech.org/*login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*letitbit.net*
*what.cd/login*
*what.cd/login*
*oron.com/login*
*oron.com/login*
*filesonic.com/*login*
*filesonic.com/*login*
*speedyshare.com/login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploaded.to/*login*
*uploading.com/*login*
*uploading.com/*login*
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserv.com/login*
*fileserv.com/login*
*hotfile.com/login*
*hotfile.com/login*
*4shared.com/login*
*4shared.com/login*
txtpass
txtpass
*txtpass=*
*txtpass=*
*netload.in/index*
*netload.in/index*
*freakshare.com/login*
*freakshare.com/login*
login_pass
login_pass
*login_pass=*
*login_pass=*
*mediafire.com/*login*
*mediafire.com/*login*
*sendspace.com/login*
*sendspace.com/login*
*megaupload.*/*login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
\\.\PHYSICALDRIVE0
\\.\PHYSICALDRIVE0
shell32.dll
shell32.dll
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
[%s{%s%s{%s
[%s{%s%s{%s
n%s[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s|%s
%s|%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
FTP ->
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
hXXp://
[Login]: %s
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
icon=shell32.dll,7
icon=shell32.dll,7
shellexecute=
shellexecute=
%windir%\system32\cmd.exe
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %Ã%%%s
&&%%windir%%\explorer.exe %Ã%%%s
/c "start %Ã%%.Trashes\%s
/c "start %Ã%%.Trashes\%s
.Trashes
.Trashes
\\.\%c:
\\.\%c:
%s\%s
%s\%s
%sautorun.tmp
%sautorun.tmp
%sautorun.inf
%sautorun.inf
%0x.scr
%0x.scr
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExW
RegCreateKeyExW
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
DNSAPI.dll
DNSAPI.dll
Secur32.dll
Secur32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryW
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
a.baerr000.ru
a.baerr000.ru
a.joerv06.com
a.joerv06.com
a.tsroxybaa.com
a.tsroxybaa.com
fbi.gov
fbi.gov
]1.1.0.0
]1.1.0.0
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
PASS %s
PASS %s
[.ShellClassInfo]
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
SSRR %s 0 0 :%s
KCIK %s
KCIK %s
SEND %s %s
SEND %s %s
PART %s
PART %s
PPPPMSG %s :%s
PPPPMSG %s :%s
QUIT :%s
QUIT :%s
PPNG %s
PPNG %s
PPPPMSG
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[POP3 Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\x_ipc
\\.\pipe\312a36d2
\\.\pipe\312a36d2
%System%\inf\svchost.exe
%System%\inf\svchost.exe
%WinDir%
%WinDir%
%Documents and Settings%\%current user%\Application Data\Microsoft\Pukmkb.exe
%Documents and Settings%\%current user%\Application Data\Microsoft\Pukmkb.exe
7 767
7 767
8*808;8~8
8*808;8~8
%s\Microsoft\%s.exe
%s\Microsoft\%s.exe
\\.\pipe
\\.\pipe
Internet Explorer\iexplore.exe
Internet Explorer\iexplore.exe
autorun.inf
autorun.inf
pidgin.exe
pidgin.exe
wlcomm.exe
wlcomm.exe
msnmsgr.exe
msnmsgr.exe
msmsgs.exe
msmsgs.exe
flock.exe
flock.exe
opera.exe
opera.exe
chrome.exe
chrome.exe
ieuser.exe
ieuser.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
.ipconfig.exe
.ipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
lol.exe
lol.exe
n127.0.0.1
n127.0.0.1
%s:Zone.Identifier
%s:Zone.Identifier
wininet.dll
wininet.dll
secur32.dll
secur32.dll
ws2_32.dll
ws2_32.dll
:%S%S\Desktop.ini
:%S%S\Desktop.ini
winlogon.exe
winlogon.exe
mspaint.exe
mspaint.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
Akernel23.dll
Akernel23.dll
y%s\%s.exe
y%s\%s.exe
lsass.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\inf\svchost.exe
\Device\HarddiskVolume1\WINDOWS\system32\inf\svchost.exe
hc:\%original file name%.exe
hc:\%original file name%.exe
svchost.exe_832:
.text
.text
`.data
`.data
.rsrc
.rsrc
ADVAPI32.dll
ADVAPI32.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
RPCRT4.dll
RPCRT4.dll
NETAPI32.dll
NETAPI32.dll
ole32.dll
ole32.dll
ntdll.dll
ntdll.dll
RegCloseKey
RegCloseKey
RegOpenKeyExW
RegOpenKeyExW
GetProcessHeap
GetProcessHeap
NtOpenKey
NtOpenKey
svchost.pdb
svchost.pdb
\PIPE\
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
svchost.exe
Windows
Windows
Operating System
Operating System
5.1.2600.5512
5.1.2600.5512
svchost.exe_832_rwx_00090000_00021000:
.text
.text
.data
.data
.rsrc
.rsrc
@.reloc
@.reloc
%systemroot%
%systemroot%
%programfiles%\Common Files\*\*.exe
%programfiles%\Common Files\*\*.exe
%appdata%\Microsoft\*.exe
%appdata%\Microsoft\*.exe
%root%\RECYCLER\S-1-5-21-0243556031-888888379-*\*.exe
%root%\RECYCLER\S-1-5-21-0243556031-888888379-*\*.exe
ole32.dll
ole32.dll
/c "%%SystemRoot%%\explorer.exe %Ã%%%s & start %Ã%%%s & exit"
/c "%%SystemRoot%%\explorer.exe %Ã%%%s & start %Ã%%%s & exit"
/c "start %Ã%%%s & start %Ã%%%s & exit"
/c "start %Ã%%%s & start %Ã%%%s & exit"
%SystemRoot%\system32\cmd.exe
%SystemRoot%\system32\cmd.exe
%SystemRoot%\system32\SHELL32.dll
%SystemRoot%\system32\SHELL32.dll
%s\temp.bin
%s\temp.bin
%s\_[$]_TESTFILE_[$]_
%s\_[$]_TESTFILE_[$]_
%s\%s
%s\%s
%s\%s.lnk
%s\%s.lnk
Windows_Shared_Mutex_231_thisittotalyfuckingshit
Windows_Shared_Mutex_231_thisittotalyfuckingshit
\ScreenSaverPro.scr
\ScreenSaverPro.scr
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
kernel32.dll
kernel32.dll
ntdll.dll
ntdll.dll
user32.dll
user32.dll
advapi32.dll
advapi32.dll
shell32.dll
shell32.dll
urlmon.dll
urlmon.dll
wininet.dll
wininet.dll
gdi32.dll
gdi32.dll
rpcrt4.dll
rpcrt4.dll
netapi32.dll
netapi32.dll
*.exe
*.exe
.gonewiththewings
.gonewiththewings
*.gonewiththewings
*.gonewiththewings
wipmania.com
wipmania.com
hXXp://api.wipmania.net/icon/n.api
hXXp://api.wipmania.net/icon/n.api
WindowsId
WindowsId
Microsoft\%s
Microsoft\%s
%s\%s\%s.exe
%s\%s\%s.exe
:Zone.Identifier
:Zone.Identifier
.quarantined
.quarantined
"%s" -shell
"%s" -shell
"%s" -bind
"%s" -bind
userinit.exe
userinit.exe
explorer.exe
explorer.exe
Windows critical error, require reboot
Windows critical error, require reboot
Windows Update
Windows Update
GetProcessHeap
GetProcessHeap
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegOpenKeyA
RegOpenKeyA
RegEnumKeyA
RegEnumKeyA
RegCreateKeyExA
RegCreateKeyExA
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
SHLWAPI.dll
SHLWAPI.dll
RPCRT4.dll
RPCRT4.dll
URLDownloadToFileA
URLDownloadToFileA
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Software\WindowsId Manager Reader
Software\WindowsId Manager Reader
WindowsMark
WindowsMark
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
=MSG t
=MSG t
>MSG u`
>MSG u`
=PASS
=PASS
8httpu1
8httpu1
8httpuM
8httpuM
tlSSSSSSSSSShL0A
tlSSSSSSSSSShL0A
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
ngr->blocksize: %d
ngr->blocksize: %d
block_size: %d
block_size: %d
\\.\pipe\%s
\\.\pipe\%s
%s_%d
%s_%d
-%sMutex
-%sMutex
%s-pid
%s-pid
%s-comm
%s-comm
JOIN #
JOIN #
PRIVMSG #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
PRIVMSG %5s
JOIN %5s
JOIN %5s
PRIVMSG
PRIVMSG
JOIN
JOIN
%s:%d
%s:%d
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
state_%s
state_%s
%s.%s (p='%S')
%s.%s (p='%S')
pop3://%s:%s@%s:%d
pop3://%s:%s@%s:%d
%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
login[password]
login[password]
login[username]
login[username]
*members*.iknowthatgirl*/members*
*members*.iknowthatgirl*/members*
*youporn.*/login*
*youporn.*/login*
*members.brazzers.com*
*members.brazzers.com*
*bcointernacional*login*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*:2222/CMD_LOGIN*
*whcms*dologin*
*whcms*dologin*
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
*:2082/login*
*:2082/login*
*webnames.ru/*user_login*
*webnames.ru/*user_login*
Webnames
Webnames
*dotster.com/*login*
*dotster.com/*login*
loginid
loginid
*enom.com/login*
*enom.com/login*
login.Pass
login.Pass
login.User
login.User
*login.Pass=*
*login.Pass=*
*1and1.com/xml/config*
*1and1.com/xml/config*
*moniker.com/*Login*
*moniker.com/*Login*
LoginPassword
LoginPassword
LoginUserName
LoginUserName
*LoginPassword=*
*LoginPassword=*
*namecheap.com/*login*
*namecheap.com/*login*
loginname
loginname
*godaddy.com/login*
*godaddy.com/login*
Password
Password
*Password=*
*Password=*
*alertpay.com/login*
*alertpay.com/login*
*netflix.com/*ogin*
*netflix.com/*ogin*
*thepiratebay.org/login*
*thepiratebay.org/login*
*torrentleech.org/*login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*letitbit.net*
*what.cd/login*
*what.cd/login*
*oron.com/login*
*oron.com/login*
*filesonic.com/*login*
*filesonic.com/*login*
*speedyshare.com/login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploaded.to/*login*
*uploading.com/*login*
*uploading.com/*login*
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserv.com/login*
*fileserv.com/login*
*hotfile.com/login*
*hotfile.com/login*
*4shared.com/login*
*4shared.com/login*
txtpass
txtpass
*txtpass=*
*txtpass=*
*netload.in/index*
*netload.in/index*
*freakshare.com/login*
*freakshare.com/login*
login_pass
login_pass
*login_pass=*
*login_pass=*
*mediafire.com/*login*
*mediafire.com/*login*
*sendspace.com/login*
*sendspace.com/login*
*megaupload.*/*login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
\\.\PHYSICALDRIVE0
\\.\PHYSICALDRIVE0
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
[%s{%s%s{%s
[%s{%s%s{%s
n%s[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s|%s
%s|%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
FTP ->
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
hXXp://
[Login]: %s
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
[Speed]: Estimated upload speed %d KB/s
icon=shell32.dll,7
icon=shell32.dll,7
shellexecute=
shellexecute=
%windir%\system32\cmd.exe
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %Ã%%%s
&&%%windir%%\explorer.exe %Ã%%%s
/c "start %Ã%%.Trashes\%s
/c "start %Ã%%.Trashes\%s
.Trashes
.Trashes
\\.\%c:
\\.\%c:
%sautorun.tmp
%sautorun.tmp
%sautorun.inf
%sautorun.inf
%0x.scr
%0x.scr
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExW
RegCreateKeyExW
URLDownloadToFileW
URLDownloadToFileW
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
DNSAPI.dll
DNSAPI.dll
Secur32.dll
Secur32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryW
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
PASS %s
PASS %s
[.ShellClassInfo]
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
SSRR %s 0 0 :%s
KCIK %s
KCIK %s
SEND %s %s
SEND %s %s
PART %s
PART %s
PPPPMSG %s :%s
PPPPMSG %s :%s
QUIT :%s
QUIT :%s
PPNG %s
PPNG %s
PPPPMSG
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[POP3 Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\x_ipc
7 767
7 767
8*808;8~8
8*808;8~8
{A5DCBF10-6530-11D2-901F-00C04FB951ED}
{A5DCBF10-6530-11D2-901F-00C04FB951ED}
\mspaint.exe
\mspaint.exe
\svchost.exe
\svchost.exe
%System%\mspaint.exe
%System%\mspaint.exe
%s\Microsoft\%s.exe
%s\Microsoft\%s.exe
\\.\pipe
\\.\pipe
Internet Explorer\iexplore.exe
Internet Explorer\iexplore.exe
autorun.inf
autorun.inf
pidgin.exe
pidgin.exe
wlcomm.exe
wlcomm.exe
msnmsgr.exe
msnmsgr.exe
msmsgs.exe
msmsgs.exe
flock.exe
flock.exe
opera.exe
opera.exe
chrome.exe
chrome.exe
ieuser.exe
ieuser.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
.ipconfig.exe
.ipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
lol.exe
lol.exe
n127.0.0.1
n127.0.0.1
%s:Zone.Identifier
%s:Zone.Identifier
secur32.dll
secur32.dll
ws2_32.dll
ws2_32.dll
:%S%S\Desktop.ini
:%S%S\Desktop.ini
winlogon.exe
winlogon.exe
mspaint.exe
mspaint.exe
Aadvapi32.dll
Aadvapi32.dll
nspr4.dll
nspr4.dll
Akernel23.dll
Akernel23.dll
y%s\%s.exe
y%s\%s.exe
lsass.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
mspaint.exe_1596:
.text
.text
`.data
`.data
.rsrc
.rsrc
MFC42u.DLL
MFC42u.DLL
msvcrt.dll
msvcrt.dll
ADVAPI32.dll
ADVAPI32.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
GDI32.dll
GDI32.dll
USER32.dll
USER32.dll
comdlg32.dll
comdlg32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
SHELL32.dll
SHELL32.dll
IMM32.dll
IMM32.dll
mspaint.chm
mspaint.chm
COMDLG32.DLL
COMDLG32.DLL
Fhhctrl.ocx
Fhhctrl.ocx
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
gdiplus.dll
gdiplus.dll
UxTheme.dll
UxTheme.dll
mspaint.pdb
mspaint.pdb
SSSShH
SSSShH
Ht@Ht.Ht
Ht@Ht.Ht
GdiplusShutdown
GdiplusShutdown
_wcmdln
_wcmdln
RegCloseKey
RegCloseKey
RegOpenKeyExW
RegOpenKeyExW
RegCreateKeyExW
RegCreateKeyExW
RegOpenKeyW
RegOpenKeyW
RegEnumKeyW
RegEnumKeyW
SetViewportExtEx
SetViewportExtEx
GetKeyState
GetKeyState
GetKeyboardLayout
GetKeyboardLayout
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
RegOpenKeyExA
RegOpenKeyExA
.?AVCCmdTarget@@
.?AVCCmdTarget@@
.PAVCMemoryException@@
.PAVCMemoryException@@
.PAVCFileException@@
.PAVCFileException@@
.PAVCException@@
.PAVCException@@
.PAVCResourceException@@
.PAVCResourceException@@
.PAVCNotSupportedException@@
.PAVCNotSupportedException@@
name="Microsoft.Windows.Shell.mspaint"
name="Microsoft.Windows.Shell.mspaint"
version="5.1.0.0"
version="5.1.0.0"
Windows Shell
Windows Shell
name="Microsoft.Windows.Common-Controls"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
publicKeyToken="6595b64144ccf1df"
R.bbbbbbbbbbbbbbbbbbbbbbbbbbOR@lVSV\
R.bbbbbbbbbbbbbbbbbbbbbbbbbbOR@lVSV\
.bbbbbbbbbbbbbbbbbbb
.bbbbbbbbbbbbbbbbbbb
K6*z^H=.fMM
K6*z^H=.fMM
6 .BT[r!G
6 .BT[r!G
8-/|:5@0.FF
8-/|:5@0.FF
%d~%d
%d~%d
%u%su
%u%su
mspaint.hlp
mspaint.hlp
gdi32.dll
gdi32.dll
shell32.dll
shell32.dll
;*.jpeg
;*.jpeg
Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
imm32.dll
imm32.dll
SOFTWARE\Microsoft\Shared Tools\Graphics Filters\Import
SOFTWARE\Microsoft\Shared Tools\Graphics Filters\Import
SOFTWARE\Microsoft\Shared Tools\Graphics Filters\Export
SOFTWARE\Microsoft\Shared Tools\Graphics Filters\Export
5.1.2600.5512 (xpsp.080413-2105)
5.1.2600.5512 (xpsp.080413-2105)
MSPAINT.EXE
MSPAINT.EXE
Windows
Windows
Operating System
Operating System
5.1.2600.5512
5.1.2600.5512
24-bit Bitmap (*.bmp;*.dib)
24-bit Bitmap (*.bmp;*.dib)
Palette|*.pal|
Palette|*.pal|
untitled.pal
untitled.pal
.rlecOLE 2.0 was unable to start.
.rlecOLE 2.0 was unable to start.
Bitmap Files (*.bmp)
Bitmap Files (*.bmp)
Paint.Picture
Paint.Picture
Monochrome Bitmap (*.bmp;*.dib)
Monochrome Bitmap (*.bmp;*.dib)
16 Color Bitmap (*.bmp;*.dib)
16 Color Bitmap (*.bmp;*.dib)
256 Color Bitmap (*.bmp;*.dib)
256 Color Bitmap (*.bmp;*.dib)
,Displays instructions about how to use Help.%Displays Help for areas you click on..Displays Help for the current task or command.
,Displays instructions about how to use Help.%Displays Help for areas you click on..Displays Help for the current task or command.
.Centers this bitmap as the desktop background.
.Centers this bitmap as the desktop background.
!Pastes a file into the selection.%Selects the scanner or camera device.2Downloads a new document from a scanner or camera.
!Pastes a file into the selection.%Selects the scanner or camera device.2Downloads a new document from a scanner or camera.
%Sends a picture by using mail or fax.
%Sends a picture by using mail or fax.
Reduces the window to an icon.!Enlarges the window to full size.%Switches to the next document window.)Switches to the previous document window.>Closes the active window and asks if you want to save changes.
Reduces the window to an icon.!Enlarges the window to full size.%Switches to the next document window.)Switches to the previous document window.>Closes the active window and asks if you want to save changes.
gThere is not enough memory or resources to complete operation.
gThere is not enough memory or resources to complete operation.
Close some programs, and then try again.DLow on memory or resources.
Close some programs, and then try again.DLow on memory or resources.
JThis is not a valid bitmap file, or its format is not currently supported.
JThis is not a valid bitmap file, or its format is not currently supported.
This is not a valid .PCS file.
This is not a valid .PCS file.
6The grid spacing must be an integer between %d and %d.
6The grid spacing must be an integer between %d and %d.
%s bytes
%s bytes
%d x %d dots per inch
%d x %d dots per inch
PencilUErases a portion of the picture, using the selected eraser shape.
PencilUErases a portion of the picture, using the selected eraser shape.
,Flips or rotates the picture or a selection..Stretches or skews the picture or a selection.1Inverts the colors of the picture or a selection.&Changes the attributes of the picture. Clears the picture or selection.&The font size must be a numeric value.8Contains commands for working with the selected item(s).7Contains commands for selecting and transferring items..Contains commands for customizing this window.CContains commands for manipulating pictures and setting attributes.>Contains commands for using custom colors and drawing options.FContains commands for displaying Help for and information about Paint.
,Flips or rotates the picture or a selection..Stretches or skews the picture or a selection.1Inverts the colors of the picture or a selection.&Changes the attributes of the picture. Clears the picture or selection.&The font size must be a numeric value.8Contains commands for working with the selected item(s).7Contains commands for selecting and transferring items..Contains commands for customizing this window.CContains commands for manipulating pictures and setting attributes.>Contains commands for using custom colors and drawing options.FContains commands for displaying Help for and information about Paint.
Creates a new color.*Uses a previously saved palette of colors..Saves the current palette of colors to a file.
Creates a new color.*Uses a previously saved palette of colors..Saves the current palette of colors to a file.
Shows Paint Help.(Microsoft\Windows\CurrentVersion\Applets
Shows Paint Help.(Microsoft\Windows\CurrentVersion\Applets
Downloading picture,Reading data from the device (%d%% complete)
Downloading picture,Reading data from the device (%d%% complete)
Processing data (%d%% complete)!Transferring data (%d%% complete)
Processing data (%d%% complete)!Transferring data (%d%% complete)
svchost.exe_832_rwx_00AC0000_00002000:
KERNEL32.DLL
KERNEL32.DLL
svchost.exe_832_rwx_00AD0000_00001000:
|svchost.exeM_832_
|svchost.exeM_832_
svchost.exe_832_rwx_00D70000_0004E000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
=MSG t
=MSG t
>MSG u`
>MSG u`
=PASS
=PASS
8httpu1
8httpu1
8httpuM
8httpuM
tlSSSSSSSSSShL0
tlSSSSSSSSSShL0
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
ngr->blocksize: %d
ngr->blocksize: %d
block_size: %d
block_size: %d
\\.\pipe\%s
\\.\pipe\%s
kernel32.dll
kernel32.dll
%s_%d
%s_%d
-%sMutex
-%sMutex
ntdll.dll
ntdll.dll
%s-pid
%s-pid
%s-comm
%s-comm
JOIN #
JOIN #
PRIVMSG #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
PRIVMSG %5s
JOIN %5s
JOIN %5s
PRIVMSG
PRIVMSG
JOIN
JOIN
%s:%d
%s:%d
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
state_%s
state_%s
%s.%s (p='%S')
%s.%s (p='%S')
pop3://%s:%s@%s:%d
pop3://%s:%s@%s:%d
%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
login[password]
login[password]
login[username]
login[username]
*members*.iknowthatgirl*/members*
*members*.iknowthatgirl*/members*
*youporn.*/login*
*youporn.*/login*
*members.brazzers.com*
*members.brazzers.com*
*bcointernacional*login*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*:2222/CMD_LOGIN*
*whcms*dologin*
*whcms*dologin*
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
*:2082/login*
*:2082/login*
*webnames.ru/*user_login*
*webnames.ru/*user_login*
Webnames
Webnames
*dotster.com/*login*
*dotster.com/*login*
loginid
loginid
*enom.com/login*
*enom.com/login*
login.Pass
login.Pass
login.User
login.User
*login.Pass=*
*login.Pass=*
*1and1.com/xml/config*
*1and1.com/xml/config*
*moniker.com/*Login*
*moniker.com/*Login*
LoginPassword
LoginPassword
LoginUserName
LoginUserName
*LoginPassword=*
*LoginPassword=*
*namecheap.com/*login*
*namecheap.com/*login*
loginname
loginname
*godaddy.com/login*
*godaddy.com/login*
Password
Password
*Password=*
*Password=*
*alertpay.com/login*
*alertpay.com/login*
*netflix.com/*ogin*
*netflix.com/*ogin*
*thepiratebay.org/login*
*thepiratebay.org/login*
*torrentleech.org/*login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*letitbit.net*
*what.cd/login*
*what.cd/login*
*oron.com/login*
*oron.com/login*
*filesonic.com/*login*
*filesonic.com/*login*
*speedyshare.com/login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploaded.to/*login*
*uploading.com/*login*
*uploading.com/*login*
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserv.com/login*
*fileserv.com/login*
*hotfile.com/login*
*hotfile.com/login*
*4shared.com/login*
*4shared.com/login*
txtpass
txtpass
*txtpass=*
*txtpass=*
*netload.in/index*
*netload.in/index*
*freakshare.com/login*
*freakshare.com/login*
login_pass
login_pass
*login_pass=*
*login_pass=*
*mediafire.com/*login*
*mediafire.com/*login*
*sendspace.com/login*
*sendspace.com/login*
*megaupload.*/*login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
\\.\PHYSICALDRIVE0
\\.\PHYSICALDRIVE0
shell32.dll
shell32.dll
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
[%s{%s%s{%s
[%s{%s%s{%s
n%s[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s|%s
%s|%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
FTP ->
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
hXXp://
[Login]: %s
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
icon=shell32.dll,7
icon=shell32.dll,7
shellexecute=
shellexecute=
%windir%\system32\cmd.exe
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %Ã%%%s
&&%%windir%%\explorer.exe %Ã%%%s
/c "start %Ã%%.Trashes\%s
/c "start %Ã%%.Trashes\%s
.Trashes
.Trashes
\\.\%c:
\\.\%c:
%s\%s
%s\%s
%sautorun.tmp
%sautorun.tmp
%sautorun.inf
%sautorun.inf
%0x.scr
%0x.scr
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExW
RegCreateKeyExW
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
DNSAPI.dll
DNSAPI.dll
Secur32.dll
Secur32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryW
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
a.baerr000.ru
a.baerr000.ru
a.joerv06.com
a.joerv06.com
a.tsroxybaa.com
a.tsroxybaa.com
fbi.gov
fbi.gov
]1.1.0.0
]1.1.0.0
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
PASS %s
PASS %s
[.ShellClassInfo]
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
SSRR %s 0 0 :%s
KCIK %s
KCIK %s
SEND %s %s
SEND %s %s
PART %s
PART %s
PPPPMSG %s :%s
PPPPMSG %s :%s
QUIT :%s
QUIT :%s
PPNG %s
PPNG %s
PPPPMSG
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[POP3 Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\x_ipc
\\.\pipe\312a36d2
\\.\pipe\312a36d2
%System%\svchost.exe
%System%\svchost.exe
%WinDir%
%WinDir%
%Documents and Settings%\%current user%\Application Data\Microsoft\Pukmkb.exe
%Documents and Settings%\%current user%\Application Data\Microsoft\Pukmkb.exe
7 767
7 767
8*808;8~8
8*808;8~8
%s\Microsoft\%s.exe
%s\Microsoft\%s.exe
\\.\pipe
\\.\pipe
Internet Explorer\iexplore.exe
Internet Explorer\iexplore.exe
autorun.inf
autorun.inf
pidgin.exe
pidgin.exe
wlcomm.exe
wlcomm.exe
msnmsgr.exe
msnmsgr.exe
msmsgs.exe
msmsgs.exe
flock.exe
flock.exe
opera.exe
opera.exe
chrome.exe
chrome.exe
ieuser.exe
ieuser.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
.ipconfig.exe
.ipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
lol.exe
lol.exe
n127.0.0.1
n127.0.0.1
%s:Zone.Identifier
%s:Zone.Identifier
wininet.dll
wininet.dll
secur32.dll
secur32.dll
ws2_32.dll
ws2_32.dll
:%S%S\Desktop.ini
:%S%S\Desktop.ini
winlogon.exe
winlogon.exe
mspaint.exe
mspaint.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
Akernel23.dll
Akernel23.dll
y%s\%s.exe
y%s\%s.exe
lsass.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
.%System%\svchost.exe
.%System%\svchost.exe
c:\%original file name%.exe
c:\%original file name%.exe
svchost.exe_832_rwx_01010000_0102A000:
hXXp://89.11?
hXXp://89.11?
kr/picassa.datE
kr/picassa.datE
.gifI888
.gifI888
hXXp://89.119.67.154/testo5/
hXXp://89.119.67.154/testo5/
hXXp://oceaninfo.co.kr/picassa.dat
hXXp://oceaninfo.co.kr/picassa.dat
hXXp://kukutrustnet777.info/home.gif
hXXp://kukutrustnet777.info/home.gif
hXXp://kukutrustnet888.info/home.gif
hXXp://kukutrustnet888.info/home.gif
hXXp://kukutrustnet987.info/home.gif
hXXp://kukutrustnet987.info/home.gif
.text
.text
h.rdata
h.rdata
H.data
H.data
.reloc
.reloc
ntoskrnl.exe
ntoskrnl.exe
objfre\i386\FwHookDrv.sys
objfre\i386\FwHookDrv.sys
E:\Drivers\FWHOOK~2\Driver\objfre\i386\FwHookDrv.pdb
E:\Drivers\FWHOOK~2\Driver\objfre\i386\FwHookDrv.pdb
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion
hXXp://VVV.kjwre9fqwieluoi.info/
hXXp://VVV.kjwre9fqwieluoi.info/
hXXp://kukutrustnet777.info/
hXXp://kukutrustnet777.info/
Software\Microsoft\Windows\CurrentVersion\policies\system
Software\Microsoft\Windows\CurrentVersion\policies\system
Software\Microsoft\Windows\ShellNoRoam\MUICache
Software\Microsoft\Windows\ShellNoRoam\MUICache
%s:*:Enabled:ipsec
%s:*:Enabled:ipsec
NOTEPAD.EXE
NOTEPAD.EXE
TELNET.EXE
TELNET.EXE
CMD.EXE
CMD.EXE
GdiPlus.dll
GdiPlus.dll
hXXp://
hXXp://
hXXp://kjwre77638dfqwieuoi.info/
hXXp://kjwre77638dfqwieuoi.info/
VVV.microsoft.com
VVV.microsoft.com
?%x=%d
?%x=%d
&%x=%d
&%x=%d
SYSTEM.INI
SYSTEM.INI
USER32.DLL
USER32.DLL
.%c%s
.%c%s
\\.\aic32p
\\.\aic32p
WINDOWS
WINDOWS
NTDLL.DLL
NTDLL.DLL
ADVAPI32.DLL
ADVAPI32.DLL
win%s.exe
win%s.exe
WININET.DLL
WININET.DLL
InternetOpenUrlA
InternetOpenUrlA
avast! Web Scanner
avast! Web Scanner
BackWeb Plug-in - 4476822
BackWeb Plug-in - 4476822
fshttps
fshttps
ProtoPort Firewall service
ProtoPort Firewall service
WebrootDesktopFirewallDataService
WebrootDesktopFirewallDataService
WebrootFirewall
WebrootFirewall
bpowqbvcfds677.info
bpowqbvcfds677.info
bmakemegood24.com
bmakemegood24.com
bperfectchoice1.com
bperfectchoice1.com
bcash-ddt.net
bcash-ddt.net
bddr-cash.net
bddr-cash.net
btrn-cash.net
btrn-cash.net
bmoney-frn.net
bmoney-frn.net
bclr-cash.net
bclr-cash.net
bxxxl-cash.net
bxxxl-cash.net
balsfhkewo7i487fksd.info
balsfhkewo7i487fksd.info
buynvf96.info
buynvf96.info
%d%d.tmp
%d%d.tmp
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
%s\%s
%s\%s
%s\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
%s\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
Software\Microsoft\Windows\CurrentVersion\Ext\Stats
Software\Microsoft\Windows\CurrentVersion\Ext\Stats
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
KERNEL32.DLL
KERNEL32.DLL
Explorer.exe
Explorer.exe
ASHWEBSV.
ASHWEBSV.
BACKWEB-4476822.
BACKWEB-4476822.
DRWEB32W.
DRWEB32W.
DRWEBSCD.
DRWEBSCD.
DRWEBUPW.
DRWEBUPW.
FSGUIEXE.
FSGUIEXE.
MCVSSHLD.
MCVSSHLD.
NPFMSG.
NPFMSG.
SYMSPORT.
SYMSPORT.
WEBPROXY.
WEBPROXY.
WEBSCANX.
WEBSCANX.
WEBTRAP.
WEBTRAP.
dr.web
dr.web
M_%d_
M_%d_
%c%d_%d
%c%d_%d
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
c:\windows
c:\windows
hXXp://VVV.resistencianight.com.ar/images/logo.gif
hXXp://VVV.resistencianight.com.ar/images/logo.gif
hXXp://eastlondon-email.com/logo.gif
hXXp://eastlondon-email.com/logo.gif
hXXp://sheesom.pk/images/button.gif
hXXp://sheesom.pk/images/button.gif
hXXp://eshippingbrasil.com.br/img/logo.gif
hXXp://eshippingbrasil.com.br/img/logo.gif
hXXp://smrutisvastunfengshui.com/images/button.gif
hXXp://smrutisvastunfengshui.com/images/button.gif
hXXp://flightstour.com/images/logo.gif
hXXp://flightstour.com/images/logo.gif
hXXp://tattooinindia.com/images/button.gif
hXXp://tattooinindia.com/images/button.gif
hXXp://noktakuaforum.com/images/logo.gif
hXXp://noktakuaforum.com/images/logo.gif
hXXp://puntasan.com/images/logo.gif
hXXp://puntasan.com/images/logo.gif
hXXp://redbomb.com.tr/redbomb/logo.gif
hXXp://redbomb.com.tr/redbomb/logo.gif
hXXp://h1r.com/logo.gif
hXXp://h1r.com/logo.gif
%System%\drivers\ghkjmn.sys
%System%\drivers\ghkjmn.sys
12403433365
12403433365
GetWindowsDirectoryA
GetWindowsDirectoryA
GetProcessHeap
GetProcessHeap
RegDeleteKeyA
RegDeleteKeyA
RegOpenKeyExA
RegOpenKeyExA
RegCreateKeyA
RegCreateKeyA
RegCloseKey
RegCloseKey
RegEnumKeyExA
RegEnumKeyExA
SHFileOperationA
SHFileOperationA
`mt%u
`mt%u
ADVAPI32.dll
ADVAPI32.dll
MSVCRT.dll
MSVCRT.dll
SHELL32.dll
SHELL32.dll
USER32.dll
USER32.dll
WS2_32.dll
WS2_32.dll
mspaint.exe_1596_rwx_00DB0000_0004E000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
=MSG t
=MSG t
>MSG u`
>MSG u`
=PASS
=PASS
8httpu1
8httpu1
8httpuM
8httpuM
tlSSSSSSSSSShL0
tlSSSSSSSSSShL0
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
ngr->blocksize: %d
ngr->blocksize: %d
block_size: %d
block_size: %d
\\.\pipe\%s
\\.\pipe\%s
kernel32.dll
kernel32.dll
%s_%d
%s_%d
-%sMutex
-%sMutex
ntdll.dll
ntdll.dll
%s-pid
%s-pid
%s-comm
%s-comm
JOIN #
JOIN #
PRIVMSG #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
PRIVMSG %5s
JOIN %5s
JOIN %5s
PRIVMSG
PRIVMSG
JOIN
JOIN
%s:%d
%s:%d
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
state_%s
state_%s
%s.%s (p='%S')
%s.%s (p='%S')
pop3://%s:%s@%s:%d
pop3://%s:%s@%s:%d
%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
login[password]
login[password]
login[username]
login[username]
*members*.iknowthatgirl*/members*
*members*.iknowthatgirl*/members*
*youporn.*/login*
*youporn.*/login*
*members.brazzers.com*
*members.brazzers.com*
*bcointernacional*login*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*:2222/CMD_LOGIN*
*whcms*dologin*
*whcms*dologin*
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
*:2082/login*
*:2082/login*
*webnames.ru/*user_login*
*webnames.ru/*user_login*
Webnames
Webnames
*dotster.com/*login*
*dotster.com/*login*
loginid
loginid
*enom.com/login*
*enom.com/login*
login.Pass
login.Pass
login.User
login.User
*login.Pass=*
*login.Pass=*
*1and1.com/xml/config*
*1and1.com/xml/config*
*moniker.com/*Login*
*moniker.com/*Login*
LoginPassword
LoginPassword
LoginUserName
LoginUserName
*LoginPassword=*
*LoginPassword=*
*namecheap.com/*login*
*namecheap.com/*login*
loginname
loginname
*godaddy.com/login*
*godaddy.com/login*
Password
Password
*Password=*
*Password=*
*alertpay.com/login*
*alertpay.com/login*
*netflix.com/*ogin*
*netflix.com/*ogin*
*thepiratebay.org/login*
*thepiratebay.org/login*
*torrentleech.org/*login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*letitbit.net*
*what.cd/login*
*what.cd/login*
*oron.com/login*
*oron.com/login*
*filesonic.com/*login*
*filesonic.com/*login*
*speedyshare.com/login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploaded.to/*login*
*uploading.com/*login*
*uploading.com/*login*
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserv.com/login*
*fileserv.com/login*
*hotfile.com/login*
*hotfile.com/login*
*4shared.com/login*
*4shared.com/login*
txtpass
txtpass
*txtpass=*
*txtpass=*
*netload.in/index*
*netload.in/index*
*freakshare.com/login*
*freakshare.com/login*
login_pass
login_pass
*login_pass=*
*login_pass=*
*mediafire.com/*login*
*mediafire.com/*login*
*sendspace.com/login*
*sendspace.com/login*
*megaupload.*/*login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
\\.\PHYSICALDRIVE0
\\.\PHYSICALDRIVE0
shell32.dll
shell32.dll
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
[%s{%s%s{%s
[%s{%s%s{%s
n%s[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s|%s
%s|%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
FTP ->
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
hXXp://
[Login]: %s
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
icon=shell32.dll,7
icon=shell32.dll,7
shellexecute=
shellexecute=
%windir%\system32\cmd.exe
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %Ã%%%s
&&%%windir%%\explorer.exe %Ã%%%s
/c "start %Ã%%.Trashes\%s
/c "start %Ã%%.Trashes\%s
.Trashes
.Trashes
\\.\%c:
\\.\%c:
%s\%s
%s\%s
%sautorun.tmp
%sautorun.tmp
%sautorun.inf
%sautorun.inf
%0x.scr
%0x.scr
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExW
RegCreateKeyExW
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
DNSAPI.dll
DNSAPI.dll
Secur32.dll
Secur32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryW
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
a.baerr000.ru
a.baerr000.ru
a.joerv06.com
a.joerv06.com
a.tsroxybaa.com
a.tsroxybaa.com
fbi.gov
fbi.gov
]1.1.0.0
]1.1.0.0
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
PASS %s
PASS %s
[.ShellClassInfo]
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
SSRR %s 0 0 :%s
KCIK %s
KCIK %s
SEND %s %s
SEND %s %s
PART %s
PART %s
PPPPMSG %s :%s
PPPPMSG %s :%s
QUIT :%s
QUIT :%s
PPNG %s
PPNG %s
PPPPMSG
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[POP3 Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\x_ipc
c:\%original file name%.exe
c:\%original file name%.exe
%Documents and Settings%\%current user%\Application Data\Microsoft\Pukmkb.exe
%Documents and Settings%\%current user%\Application Data\Microsoft\Pukmkb.exe
\\.\pipe\312a36d2
\\.\pipe\312a36d2
%System%\mspaint.exe
%System%\mspaint.exe
%WinDir%
%WinDir%
312a36d2.scr
312a36d2.scr
7 767
7 767
8*808;8~8
8*808;8~8
%s\Microsoft\%s.exe
%s\Microsoft\%s.exe
\\.\pipe
\\.\pipe
Internet Explorer\iexplore.exe
Internet Explorer\iexplore.exe
autorun.inf
autorun.inf
pidgin.exe
pidgin.exe
wlcomm.exe
wlcomm.exe
msnmsgr.exe
msnmsgr.exe
msmsgs.exe
msmsgs.exe
flock.exe
flock.exe
opera.exe
opera.exe
chrome.exe
chrome.exe
ieuser.exe
ieuser.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
.ipconfig.exe
.ipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
lol.exe
lol.exe
n127.0.0.1
n127.0.0.1
%s:Zone.Identifier
%s:Zone.Identifier
wininet.dll
wininet.dll
secur32.dll
secur32.dll
ws2_32.dll
ws2_32.dll
:%S%S\Desktop.ini
:%S%S\Desktop.ini
winlogon.exe
winlogon.exe
mspaint.exe
mspaint.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
Akernel23.dll
Akernel23.dll
y%s\%s.exe
y%s\%s.exe
lsass.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\mspaint.exe
\Device\HarddiskVolume1\WINDOWS\system32\mspaint.exe
mspaint.exe_1596_rwx_00E00000_00002000:
KERNEL32.DLL
KERNEL32.DLL
mspaint.exe_1596_rwx_00E10000_00001000:
|mspaint.exeM_1596_
|mspaint.exeM_1596_
svchost.exe_2160:
.text
.text
`.data
`.data
.rsrc
.rsrc
ADVAPI32.dll
ADVAPI32.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
RPCRT4.dll
RPCRT4.dll
NETAPI32.dll
NETAPI32.dll
ole32.dll
ole32.dll
ntdll.dll
ntdll.dll
RegCloseKey
RegCloseKey
RegOpenKeyExW
RegOpenKeyExW
GetProcessHeap
GetProcessHeap
NtOpenKey
NtOpenKey
svchost.pdb
svchost.pdb
\PIPE\
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
svchost.exe
Windows
Windows
Operating System
Operating System
5.1.2600.5512
5.1.2600.5512
svchost.exe_2160_rwx_00B80000_0004E000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
=MSG t
=MSG t
>MSG u`
>MSG u`
=PASS
=PASS
8httpu1
8httpu1
8httpuM
8httpuM
tlSSSSSSSSSShL0
tlSSSSSSSSSShL0
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
ngr->blocksize: %d
ngr->blocksize: %d
block_size: %d
block_size: %d
\\.\pipe\%s
\\.\pipe\%s
kernel32.dll
kernel32.dll
%s_%d
%s_%d
-%sMutex
-%sMutex
ntdll.dll
ntdll.dll
%s-pid
%s-pid
%s-comm
%s-comm
JOIN #
JOIN #
PRIVMSG #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
PRIVMSG %5s
JOIN %5s
JOIN %5s
PRIVMSG
PRIVMSG
JOIN
JOIN
%s:%d
%s:%d
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
state_%s
state_%s
%s.%s (p='%S')
%s.%s (p='%S')
pop3://%s:%s@%s:%d
pop3://%s:%s@%s:%d
%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
login[password]
login[password]
login[username]
login[username]
*members*.iknowthatgirl*/members*
*members*.iknowthatgirl*/members*
*youporn.*/login*
*youporn.*/login*
*members.brazzers.com*
*members.brazzers.com*
*bcointernacional*login*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*:2222/CMD_LOGIN*
*whcms*dologin*
*whcms*dologin*
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
*:2082/login*
*:2082/login*
*webnames.ru/*user_login*
*webnames.ru/*user_login*
Webnames
Webnames
*dotster.com/*login*
*dotster.com/*login*
loginid
loginid
*enom.com/login*
*enom.com/login*
login.Pass
login.Pass
login.User
login.User
*login.Pass=*
*login.Pass=*
*1and1.com/xml/config*
*1and1.com/xml/config*
*moniker.com/*Login*
*moniker.com/*Login*
LoginPassword
LoginPassword
LoginUserName
LoginUserName
*LoginPassword=*
*LoginPassword=*
*namecheap.com/*login*
*namecheap.com/*login*
loginname
loginname
*godaddy.com/login*
*godaddy.com/login*
Password
Password
*Password=*
*Password=*
*alertpay.com/login*
*alertpay.com/login*
*netflix.com/*ogin*
*netflix.com/*ogin*
*thepiratebay.org/login*
*thepiratebay.org/login*
*torrentleech.org/*login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*letitbit.net*
*what.cd/login*
*what.cd/login*
*oron.com/login*
*oron.com/login*
*filesonic.com/*login*
*filesonic.com/*login*
*speedyshare.com/login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploaded.to/*login*
*uploading.com/*login*
*uploading.com/*login*
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserv.com/login*
*fileserv.com/login*
*hotfile.com/login*
*hotfile.com/login*
*4shared.com/login*
*4shared.com/login*
txtpass
txtpass
*txtpass=*
*txtpass=*
*netload.in/index*
*netload.in/index*
*freakshare.com/login*
*freakshare.com/login*
login_pass
login_pass
*login_pass=*
*login_pass=*
*mediafire.com/*login*
*mediafire.com/*login*
*sendspace.com/login*
*sendspace.com/login*
*megaupload.*/*login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
\\.\PHYSICALDRIVE0
\\.\PHYSICALDRIVE0
shell32.dll
shell32.dll
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
[%s{%s%s{%s
[%s{%s%s{%s
n%s[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s|%s
%s|%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
FTP ->
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
hXXp://
[Login]: %s
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
icon=shell32.dll,7
icon=shell32.dll,7
shellexecute=
shellexecute=
%windir%\system32\cmd.exe
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %Ã%%%s
&&%%windir%%\explorer.exe %Ã%%%s
/c "start %Ã%%.Trashes\%s
/c "start %Ã%%.Trashes\%s
.Trashes
.Trashes
\\.\%c:
\\.\%c:
%s\%s
%s\%s
%sautorun.tmp
%sautorun.tmp
%sautorun.inf
%sautorun.inf
%0x.scr
%0x.scr
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExW
RegCreateKeyExW
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
DNSAPI.dll
DNSAPI.dll
Secur32.dll
Secur32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryW
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
a.baerr000.ru
a.baerr000.ru
a.joerv06.com
a.joerv06.com
a.tsroxybaa.com
a.tsroxybaa.com
fbi.gov
fbi.gov
]1.1.0.0
]1.1.0.0
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
PASS %s
PASS %s
[.ShellClassInfo]
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
SSRR %s 0 0 :%s
KCIK %s
KCIK %s
SEND %s %s
SEND %s %s
PART %s
PART %s
PPPPMSG %s :%s
PPPPMSG %s :%s
QUIT :%s
QUIT :%s
PPNG %s
PPNG %s
PPPPMSG
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[POP3 Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\x_ipc
\\.\pipe\312a36d2
\\.\pipe\312a36d2
%System%\svchost.exe
%System%\svchost.exe
%WinDir%
%WinDir%
%Documents and Settings%\%current user%\Application Data\Microsoft\Pukmkb.exe
%Documents and Settings%\%current user%\Application Data\Microsoft\Pukmkb.exe
7 767
7 767
8*808;8~8
8*808;8~8
%s\Microsoft\%s.exe
%s\Microsoft\%s.exe
\\.\pipe
\\.\pipe
Internet Explorer\iexplore.exe
Internet Explorer\iexplore.exe
autorun.inf
autorun.inf
pidgin.exe
pidgin.exe
wlcomm.exe
wlcomm.exe
msnmsgr.exe
msnmsgr.exe
msmsgs.exe
msmsgs.exe
flock.exe
flock.exe
opera.exe
opera.exe
chrome.exe
chrome.exe
ieuser.exe
ieuser.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
.ipconfig.exe
.ipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
lol.exe
lol.exe
n127.0.0.1
n127.0.0.1
%s:Zone.Identifier
%s:Zone.Identifier
wininet.dll
wininet.dll
secur32.dll
secur32.dll
ws2_32.dll
ws2_32.dll
:%S%S\Desktop.ini
:%S%S\Desktop.ini
winlogon.exe
winlogon.exe
mspaint.exe
mspaint.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
Akernel23.dll
Akernel23.dll
y%s\%s.exe
y%s\%s.exe
lsass.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
c:\%original file name%.exe
c:\%original file name%.exe
csrss.exe_684_rwx_00B00000_0004E000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
=MSG t
=MSG t
>MSG u`
>MSG u`
=PASS
=PASS
8httpu1
8httpu1
8httpuM
8httpuM
tlSSSSSSSSSShL0
tlSSSSSSSSSShL0
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
ngr->blocksize: %d
ngr->blocksize: %d
block_size: %d
block_size: %d
\\.\pipe\%s
\\.\pipe\%s
kernel32.dll
kernel32.dll
%s_%d
%s_%d
-%sMutex
-%sMutex
ntdll.dll
ntdll.dll
%s-pid
%s-pid
%s-comm
%s-comm
JOIN #
JOIN #
PRIVMSG #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
PRIVMSG %5s
JOIN %5s
JOIN %5s
PRIVMSG
PRIVMSG
JOIN
JOIN
%s:%d
%s:%d
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
state_%s
state_%s
%s.%s (p='%S')
%s.%s (p='%S')
pop3://%s:%s@%s:%d
pop3://%s:%s@%s:%d
%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
login[password]
login[password]
login[username]
login[username]
*members*.iknowthatgirl*/members*
*members*.iknowthatgirl*/members*
*youporn.*/login*
*youporn.*/login*
*members.brazzers.com*
*members.brazzers.com*
*bcointernacional*login*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*:2222/CMD_LOGIN*
*whcms*dologin*
*whcms*dologin*
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
*:2082/login*
*:2082/login*
*webnames.ru/*user_login*
*webnames.ru/*user_login*
Webnames
Webnames
*dotster.com/*login*
*dotster.com/*login*
loginid
loginid
*enom.com/login*
*enom.com/login*
login.Pass
login.Pass
login.User
login.User
*login.Pass=*
*login.Pass=*
*1and1.com/xml/config*
*1and1.com/xml/config*
*moniker.com/*Login*
*moniker.com/*Login*
LoginPassword
LoginPassword
LoginUserName
LoginUserName
*LoginPassword=*
*LoginPassword=*
*namecheap.com/*login*
*namecheap.com/*login*
loginname
loginname
*godaddy.com/login*
*godaddy.com/login*
Password
Password
*Password=*
*Password=*
*alertpay.com/login*
*alertpay.com/login*
*netflix.com/*ogin*
*netflix.com/*ogin*
*thepiratebay.org/login*
*thepiratebay.org/login*
*torrentleech.org/*login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*letitbit.net*
*what.cd/login*
*what.cd/login*
*oron.com/login*
*oron.com/login*
*filesonic.com/*login*
*filesonic.com/*login*
*speedyshare.com/login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploaded.to/*login*
*uploading.com/*login*
*uploading.com/*login*
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserv.com/login*
*fileserv.com/login*
*hotfile.com/login*
*hotfile.com/login*
*4shared.com/login*
*4shared.com/login*
txtpass
txtpass
*txtpass=*
*txtpass=*
*netload.in/index*
*netload.in/index*
*freakshare.com/login*
*freakshare.com/login*
login_pass
login_pass
*login_pass=*
*login_pass=*
*mediafire.com/*login*
*mediafire.com/*login*
*sendspace.com/login*
*sendspace.com/login*
*megaupload.*/*login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
\\.\PHYSICALDRIVE0
\\.\PHYSICALDRIVE0
shell32.dll
shell32.dll
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
[%s{%s%s{%s
[%s{%s%s{%s
n%s[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s|%s
%s|%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
FTP ->
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
hXXp://
[Login]: %s
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
icon=shell32.dll,7
icon=shell32.dll,7
shellexecute=
shellexecute=
%windir%\system32\cmd.exe
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %Ã%%%s
&&%%windir%%\explorer.exe %Ã%%%s
/c "start %Ã%%.Trashes\%s
/c "start %Ã%%.Trashes\%s
.Trashes
.Trashes
\\.\%c:
\\.\%c:
%s\%s
%s\%s
%sautorun.tmp
%sautorun.tmp
%sautorun.inf
%sautorun.inf
%0x.scr
%0x.scr
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExW
RegCreateKeyExW
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
DNSAPI.dll
DNSAPI.dll
Secur32.dll
Secur32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryW
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
a.baerr000.ru
a.baerr000.ru
a.joerv06.com
a.joerv06.com
a.tsroxybaa.com
a.tsroxybaa.com
fbi.gov
fbi.gov
]1.1.0.0
]1.1.0.0
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
PASS %s
PASS %s
[.ShellClassInfo]
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
SSRR %s 0 0 :%s
KCIK %s
KCIK %s
SEND %s %s
SEND %s %s
PART %s
PART %s
PPPPMSG %s :%s
PPPPMSG %s :%s
QUIT :%s
QUIT :%s
PPNG %s
PPNG %s
PPPPMSG
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[POP3 Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\x_ipc
\\.\pipe\312a36d2
\\.\pipe\312a36d2
\??\%System%\csrss.exe
\??\%System%\csrss.exe
%WinDir%
%WinDir%
%Documents and Settings%\%current user%\Application Data\Microsoft\Pukmkb.exe
%Documents and Settings%\%current user%\Application Data\Microsoft\Pukmkb.exe
7 767
7 767
8*808;8~8
8*808;8~8
%s\Microsoft\%s.exe
%s\Microsoft\%s.exe
\\.\pipe
\\.\pipe
Internet Explorer\iexplore.exe
Internet Explorer\iexplore.exe
autorun.inf
autorun.inf
pidgin.exe
pidgin.exe
wlcomm.exe
wlcomm.exe
msnmsgr.exe
msnmsgr.exe
msmsgs.exe
msmsgs.exe
flock.exe
flock.exe
opera.exe
opera.exe
chrome.exe
chrome.exe
ieuser.exe
ieuser.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
.ipconfig.exe
.ipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
lol.exe
lol.exe
n127.0.0.1
n127.0.0.1
%s:Zone.Identifier
%s:Zone.Identifier
wininet.dll
wininet.dll
secur32.dll
secur32.dll
ws2_32.dll
ws2_32.dll
:%S%S\Desktop.ini
:%S%S\Desktop.ini
winlogon.exe
winlogon.exe
mspaint.exe
mspaint.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
Akernel23.dll
Akernel23.dll
y%s\%s.exe
y%s\%s.exe
lsass.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\csrss.exe
\Device\HarddiskVolume1\WINDOWS\system32\csrss.exe
c:\%original file name%.exe
c:\%original file name%.exe
winlogon.exe_708_rwx_01530000_0004E000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
=MSG t
=MSG t
>MSG u`
>MSG u`
=PASS
=PASS
8httpu1
8httpu1
8httpuM
8httpuM
tlSSSSSSSSSShL0T
tlSSSSSSSSSShL0T
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
ngr->blocksize: %d
ngr->blocksize: %d
block_size: %d
block_size: %d
\\.\pipe\%s
\\.\pipe\%s
kernel32.dll
kernel32.dll
%s_%d
%s_%d
-%sMutex
-%sMutex
ntdll.dll
ntdll.dll
%s-pid
%s-pid
%s-comm
%s-comm
JOIN #
JOIN #
PRIVMSG #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
PRIVMSG %5s
JOIN %5s
JOIN %5s
PRIVMSG
PRIVMSG
JOIN
JOIN
%s:%d
%s:%d
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
state_%s
state_%s
%s.%s (p='%S')
%s.%s (p='%S')
pop3://%s:%s@%s:%d
pop3://%s:%s@%s:%d
%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
login[password]
login[password]
login[username]
login[username]
*members*.iknowthatgirl*/members*
*members*.iknowthatgirl*/members*
*youporn.*/login*
*youporn.*/login*
*members.brazzers.com*
*members.brazzers.com*
*bcointernacional*login*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*:2222/CMD_LOGIN*
*whcms*dologin*
*whcms*dologin*
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
*:2082/login*
*:2082/login*
*webnames.ru/*user_login*
*webnames.ru/*user_login*
Webnames
Webnames
*dotster.com/*login*
*dotster.com/*login*
loginid
loginid
*enom.com/login*
*enom.com/login*
login.Pass
login.Pass
login.User
login.User
*login.Pass=*
*login.Pass=*
*1and1.com/xml/config*
*1and1.com/xml/config*
*moniker.com/*Login*
*moniker.com/*Login*
LoginPassword
LoginPassword
LoginUserName
LoginUserName
*LoginPassword=*
*LoginPassword=*
*namecheap.com/*login*
*namecheap.com/*login*
loginname
loginname
*godaddy.com/login*
*godaddy.com/login*
Password
Password
*Password=*
*Password=*
*alertpay.com/login*
*alertpay.com/login*
*netflix.com/*ogin*
*netflix.com/*ogin*
*thepiratebay.org/login*
*thepiratebay.org/login*
*torrentleech.org/*login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*letitbit.net*
*what.cd/login*
*what.cd/login*
*oron.com/login*
*oron.com/login*
*filesonic.com/*login*
*filesonic.com/*login*
*speedyshare.com/login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploaded.to/*login*
*uploading.com/*login*
*uploading.com/*login*
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserv.com/login*
*fileserv.com/login*
*hotfile.com/login*
*hotfile.com/login*
*4shared.com/login*
*4shared.com/login*
txtpass
txtpass
*txtpass=*
*txtpass=*
*netload.in/index*
*netload.in/index*
*freakshare.com/login*
*freakshare.com/login*
login_pass
login_pass
*login_pass=*
*login_pass=*
*mediafire.com/*login*
*mediafire.com/*login*
*sendspace.com/login*
*sendspace.com/login*
*megaupload.*/*login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
\\.\PHYSICALDRIVE0
\\.\PHYSICALDRIVE0
shell32.dll
shell32.dll
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
[%s{%s%s{%s
[%s{%s%s{%s
n%s[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s|%s
%s|%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
FTP ->
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
hXXp://
[Login]: %s
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
icon=shell32.dll,7
icon=shell32.dll,7
shellexecute=
shellexecute=
%windir%\system32\cmd.exe
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %Ã%%%s
&&%%windir%%\explorer.exe %Ã%%%s
/c "start %Ã%%.Trashes\%s
/c "start %Ã%%.Trashes\%s
.Trashes
.Trashes
\\.\%c:
\\.\%c:
%s\%s
%s\%s
%sautorun.tmp
%sautorun.tmp
%sautorun.inf
%sautorun.inf
%0x.scr
%0x.scr
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExW
RegCreateKeyExW
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
DNSAPI.dll
DNSAPI.dll
Secur32.dll
Secur32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryW
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
a.baerr000.ru
a.baerr000.ru
a.joerv06.com
a.joerv06.com
a.tsroxybaa.com
a.tsroxybaa.com
fbi.gov
fbi.gov
]1.1.0.0
]1.1.0.0
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
PASS %s
PASS %s
[.ShellClassInfo]
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
SSRR %s 0 0 :%s
KCIK %s
KCIK %s
SEND %s %s
SEND %s %s
PART %s
PART %s
PPPPMSG %s :%s
PPPPMSG %s :%s
QUIT :%s
QUIT :%s
PPNG %s
PPNG %s
PPPPMSG
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[POP3 Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\x_ipc
\\.\pipe\312a36d2
\\.\pipe\312a36d2
\??\%System%\winlogon.exe
\??\%System%\winlogon.exe
%WinDir%
%WinDir%
%Documents and Settings%\%current user%\Application Data\Microsoft\Pukmkb.exe
%Documents and Settings%\%current user%\Application Data\Microsoft\Pukmkb.exe
7 767
7 767
8*808;8~8
8*808;8~8
%s\Microsoft\%s.exe
%s\Microsoft\%s.exe
\\.\pipe
\\.\pipe
Internet Explorer\iexplore.exe
Internet Explorer\iexplore.exe
autorun.inf
autorun.inf
pidgin.exe
pidgin.exe
wlcomm.exe
wlcomm.exe
msnmsgr.exe
msnmsgr.exe
msmsgs.exe
msmsgs.exe
flock.exe
flock.exe
opera.exe
opera.exe
chrome.exe
chrome.exe
ieuser.exe
ieuser.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
.ipconfig.exe
.ipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
lol.exe
lol.exe
n127.0.0.1
n127.0.0.1
%s:Zone.Identifier
%s:Zone.Identifier
wininet.dll
wininet.dll
secur32.dll
secur32.dll
ws2_32.dll
ws2_32.dll
:%S%S\Desktop.ini
:%S%S\Desktop.ini
winlogon.exe
winlogon.exe
mspaint.exe
mspaint.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
Akernel23.dll
Akernel23.dll
y%s\%s.exe
y%s\%s.exe
lsass.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\winlogon.exe
\Device\HarddiskVolume1\WINDOWS\system32\winlogon.exe
c:\%original file name%.exe
c:\%original file name%.exe
services.exe_752_rwx_00B70000_0004E000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
=MSG t
=MSG t
>MSG u`
>MSG u`
=PASS
=PASS
8httpu1
8httpu1
8httpuM
8httpuM
tlSSSSSSSSSShL0
tlSSSSSSSSSShL0
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
ngr->blocksize: %d
ngr->blocksize: %d
block_size: %d
block_size: %d
\\.\pipe\%s
\\.\pipe\%s
kernel32.dll
kernel32.dll
%s_%d
%s_%d
-%sMutex
-%sMutex
ntdll.dll
ntdll.dll
%s-pid
%s-pid
%s-comm
%s-comm
JOIN #
JOIN #
PRIVMSG #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
PRIVMSG %5s
JOIN %5s
JOIN %5s
PRIVMSG
PRIVMSG
JOIN
JOIN
%s:%d
%s:%d
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
state_%s
state_%s
%s.%s (p='%S')
%s.%s (p='%S')
pop3://%s:%s@%s:%d
pop3://%s:%s@%s:%d
%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
login[password]
login[password]
login[username]
login[username]
*members*.iknowthatgirl*/members*
*members*.iknowthatgirl*/members*
*youporn.*/login*
*youporn.*/login*
*members.brazzers.com*
*members.brazzers.com*
*bcointernacional*login*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*:2222/CMD_LOGIN*
*whcms*dologin*
*whcms*dologin*
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
*:2082/login*
*:2082/login*
*webnames.ru/*user_login*
*webnames.ru/*user_login*
Webnames
Webnames
*dotster.com/*login*
*dotster.com/*login*
loginid
loginid
*enom.com/login*
*enom.com/login*
login.Pass
login.Pass
login.User
login.User
*login.Pass=*
*login.Pass=*
*1and1.com/xml/config*
*1and1.com/xml/config*
*moniker.com/*Login*
*moniker.com/*Login*
LoginPassword
LoginPassword
LoginUserName
LoginUserName
*LoginPassword=*
*LoginPassword=*
*namecheap.com/*login*
*namecheap.com/*login*
loginname
loginname
*godaddy.com/login*
*godaddy.com/login*
Password
Password
*Password=*
*Password=*
*alertpay.com/login*
*alertpay.com/login*
*netflix.com/*ogin*
*netflix.com/*ogin*
*thepiratebay.org/login*
*thepiratebay.org/login*
*torrentleech.org/*login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*letitbit.net*
*what.cd/login*
*what.cd/login*
*oron.com/login*
*oron.com/login*
*filesonic.com/*login*
*filesonic.com/*login*
*speedyshare.com/login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploaded.to/*login*
*uploading.com/*login*
*uploading.com/*login*
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserv.com/login*
*fileserv.com/login*
*hotfile.com/login*
*hotfile.com/login*
*4shared.com/login*
*4shared.com/login*
txtpass
txtpass
*txtpass=*
*txtpass=*
*netload.in/index*
*netload.in/index*
*freakshare.com/login*
*freakshare.com/login*
login_pass
login_pass
*login_pass=*
*login_pass=*
*mediafire.com/*login*
*mediafire.com/*login*
*sendspace.com/login*
*sendspace.com/login*
*megaupload.*/*login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
\\.\PHYSICALDRIVE0
\\.\PHYSICALDRIVE0
shell32.dll
shell32.dll
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
[%s{%s%s{%s
[%s{%s%s{%s
n%s[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s|%s
%s|%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
FTP ->
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
hXXp://
[Login]: %s
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
icon=shell32.dll,7
icon=shell32.dll,7
shellexecute=
shellexecute=
%windir%\system32\cmd.exe
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %Ã%%%s
&&%%windir%%\explorer.exe %Ã%%%s
/c "start %Ã%%.Trashes\%s
/c "start %Ã%%.Trashes\%s
.Trashes
.Trashes
\\.\%c:
\\.\%c:
%s\%s
%s\%s
%sautorun.tmp
%sautorun.tmp
%sautorun.inf
%sautorun.inf
%0x.scr
%0x.scr
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExW
RegCreateKeyExW
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
DNSAPI.dll
DNSAPI.dll
Secur32.dll
Secur32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryW
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
a.baerr000.ru
a.baerr000.ru
a.joerv06.com
a.joerv06.com
a.tsroxybaa.com
a.tsroxybaa.com
fbi.gov
fbi.gov
]1.1.0.0
]1.1.0.0
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
PASS %s
PASS %s
[.ShellClassInfo]
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
SSRR %s 0 0 :%s
KCIK %s
KCIK %s
SEND %s %s
SEND %s %s
PART %s
PART %s
PPPPMSG %s :%s
PPPPMSG %s :%s
QUIT :%s
QUIT :%s
PPNG %s
PPNG %s
PPPPMSG
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[POP3 Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\x_ipc
\\.\pipe\312a36d2
\\.\pipe\312a36d2
%System%\services.exe
%System%\services.exe
%WinDir%
%WinDir%
%Documents and Settings%\%current user%\Application Data\Microsoft\Pukmkb.exe
%Documents and Settings%\%current user%\Application Data\Microsoft\Pukmkb.exe
7 767
7 767
8*808;8~8
8*808;8~8
%s\Microsoft\%s.exe
%s\Microsoft\%s.exe
\\.\pipe
\\.\pipe
Internet Explorer\iexplore.exe
Internet Explorer\iexplore.exe
autorun.inf
autorun.inf
pidgin.exe
pidgin.exe
wlcomm.exe
wlcomm.exe
msnmsgr.exe
msnmsgr.exe
msmsgs.exe
msmsgs.exe
flock.exe
flock.exe
opera.exe
opera.exe
chrome.exe
chrome.exe
ieuser.exe
ieuser.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
.ipconfig.exe
.ipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
lol.exe
lol.exe
n127.0.0.1
n127.0.0.1
%s:Zone.Identifier
%s:Zone.Identifier
wininet.dll
wininet.dll
secur32.dll
secur32.dll
ws2_32.dll
ws2_32.dll
:%S%S\Desktop.ini
:%S%S\Desktop.ini
winlogon.exe
winlogon.exe
mspaint.exe
mspaint.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
Akernel23.dll
Akernel23.dll
y%s\%s.exe
y%s\%s.exe
lsass.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\services.exe
\Device\HarddiskVolume1\WINDOWS\system32\services.exe
c:\%original file name%.exe
c:\%original file name%.exe
Explorer.EXE_880_rwx_00FF0000_00002000:
KERNEL32.DLL
KERNEL32.DLL
Explorer.EXE_880_rwx_01D70000_00001000:
|explorer.exeM_880_
|explorer.exeM_880_
Explorer.EXE_880_rwx_022A0000_0004E000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
=MSG t
=MSG t
>MSG u`
>MSG u`
=PASS
=PASS
8httpu1
8httpu1
8httpuM
8httpuM
tlSSSSSSSSSShL0
tlSSSSSSSSSShL0
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
ngr->blocksize: %d
ngr->blocksize: %d
block_size: %d
block_size: %d
\\.\pipe\%s
\\.\pipe\%s
kernel32.dll
kernel32.dll
%s_%d
%s_%d
-%sMutex
-%sMutex
ntdll.dll
ntdll.dll
%s-pid
%s-pid
%s-comm
%s-comm
JOIN #
JOIN #
PRIVMSG #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
PRIVMSG %5s
JOIN %5s
JOIN %5s
PRIVMSG
PRIVMSG
JOIN
JOIN
%s:%d
%s:%d
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
state_%s
state_%s
%s.%s (p='%S')
%s.%s (p='%S')
pop3://%s:%s@%s:%d
pop3://%s:%s@%s:%d
%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
login[password]
login[password]
login[username]
login[username]
*members*.iknowthatgirl*/members*
*members*.iknowthatgirl*/members*
*youporn.*/login*
*youporn.*/login*
*members.brazzers.com*
*members.brazzers.com*
*bcointernacional*login*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*:2222/CMD_LOGIN*
*whcms*dologin*
*whcms*dologin*
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
*:2082/login*
*:2082/login*
*webnames.ru/*user_login*
*webnames.ru/*user_login*
Webnames
Webnames
*dotster.com/*login*
*dotster.com/*login*
loginid
loginid
*enom.com/login*
*enom.com/login*
login.Pass
login.Pass
login.User
login.User
*login.Pass=*
*login.Pass=*
*1and1.com/xml/config*
*1and1.com/xml/config*
*moniker.com/*Login*
*moniker.com/*Login*
LoginPassword
LoginPassword
LoginUserName
LoginUserName
*LoginPassword=*
*LoginPassword=*
*namecheap.com/*login*
*namecheap.com/*login*
loginname
loginname
*godaddy.com/login*
*godaddy.com/login*
Password
Password
*Password=*
*Password=*
*alertpay.com/login*
*alertpay.com/login*
*netflix.com/*ogin*
*netflix.com/*ogin*
*thepiratebay.org/login*
*thepiratebay.org/login*
*torrentleech.org/*login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*letitbit.net*
*what.cd/login*
*what.cd/login*
*oron.com/login*
*oron.com/login*
*filesonic.com/*login*
*filesonic.com/*login*
*speedyshare.com/login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploaded.to/*login*
*uploading.com/*login*
*uploading.com/*login*
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserv.com/login*
*fileserv.com/login*
*hotfile.com/login*
*hotfile.com/login*
*4shared.com/login*
*4shared.com/login*
txtpass
txtpass
*txtpass=*
*txtpass=*
*netload.in/index*
*netload.in/index*
*freakshare.com/login*
*freakshare.com/login*
login_pass
login_pass
*login_pass=*
*login_pass=*
*mediafire.com/*login*
*mediafire.com/*login*
*sendspace.com/login*
*sendspace.com/login*
*megaupload.*/*login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
\\.\PHYSICALDRIVE0
\\.\PHYSICALDRIVE0
shell32.dll
shell32.dll
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
[%s{%s%s{%s
[%s{%s%s{%s
n%s[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s|%s
%s|%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
FTP ->
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
hXXp://
[Login]: %s
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
icon=shell32.dll,7
icon=shell32.dll,7
shellexecute=
shellexecute=
%windir%\system32\cmd.exe
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %Ã%%%s
&&%%windir%%\explorer.exe %Ã%%%s
/c "start %Ã%%.Trashes\%s
/c "start %Ã%%.Trashes\%s
.Trashes
.Trashes
\\.\%c:
\\.\%c:
%s\%s
%s\%s
%sautorun.tmp
%sautorun.tmp
%sautorun.inf
%sautorun.inf
%0x.scr
%0x.scr
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExW
RegCreateKeyExW
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
DNSAPI.dll
DNSAPI.dll
Secur32.dll
Secur32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryW
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
a.baerr000.ru
a.baerr000.ru
a.joerv06.com
a.joerv06.com
a.tsroxybaa.com
a.tsroxybaa.com
fbi.gov
fbi.gov
]1.1.0.0
]1.1.0.0
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
PASS %s
PASS %s
[.ShellClassInfo]
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
SSRR %s 0 0 :%s
KCIK %s
KCIK %s
SEND %s %s
SEND %s %s
PART %s
PART %s
PPPPMSG %s :%s
PPPPMSG %s :%s
QUIT :%s
QUIT :%s
PPNG %s
PPNG %s
PPPPMSG
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[POP3 Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\x_ipc
\\.\pipe\312a36d2
\\.\pipe\312a36d2
%WinDir%\Explorer.EXE
%WinDir%\Explorer.EXE
%WinDir%
%WinDir%
%Documents and Settings%\%current user%\Application Data\Microsoft\Pukmkb.exe
%Documents and Settings%\%current user%\Application Data\Microsoft\Pukmkb.exe
7 767
7 767
8*808;8~8
8*808;8~8
%s\Microsoft\%s.exe
%s\Microsoft\%s.exe
\\.\pipe
\\.\pipe
Internet Explorer\iexplore.exe
Internet Explorer\iexplore.exe
autorun.inf
autorun.inf
pidgin.exe
pidgin.exe
wlcomm.exe
wlcomm.exe
msnmsgr.exe
msnmsgr.exe
msmsgs.exe
msmsgs.exe
flock.exe
flock.exe
opera.exe
opera.exe
chrome.exe
chrome.exe
ieuser.exe
ieuser.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
.ipconfig.exe
.ipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
lol.exe
lol.exe
n127.0.0.1
n127.0.0.1
%s:Zone.Identifier
%s:Zone.Identifier
wininet.dll
wininet.dll
secur32.dll
secur32.dll
ws2_32.dll
ws2_32.dll
:%S%S\Desktop.ini
:%S%S\Desktop.ini
winlogon.exe
winlogon.exe
mspaint.exe
mspaint.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
Akernel23.dll
Akernel23.dll
y%s\%s.exe
y%s\%s.exe
lsass.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\explorer.exe
\Device\HarddiskVolume1\WINDOWS\explorer.exe
c:\%original file name%.exe
c:\%original file name%.exe
svchost.exe_956_rwx_00ED0000_0004E000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
=MSG t
=MSG t
>MSG u`
>MSG u`
=PASS
=PASS
8httpu1
8httpu1
8httpuM
8httpuM
tlSSSSSSSSSShL0
tlSSSSSSSSSShL0
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
ngr->blocksize: %d
ngr->blocksize: %d
block_size: %d
block_size: %d
\\.\pipe\%s
\\.\pipe\%s
kernel32.dll
kernel32.dll
%s_%d
%s_%d
-%sMutex
-%sMutex
ntdll.dll
ntdll.dll
%s-pid
%s-pid
%s-comm
%s-comm
JOIN #
JOIN #
PRIVMSG #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
PRIVMSG %5s
JOIN %5s
JOIN %5s
PRIVMSG
PRIVMSG
JOIN
JOIN
%s:%d
%s:%d
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
state_%s
state_%s
%s.%s (p='%S')
%s.%s (p='%S')
pop3://%s:%s@%s:%d
pop3://%s:%s@%s:%d
%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
login[password]
login[password]
login[username]
login[username]
*members*.iknowthatgirl*/members*
*members*.iknowthatgirl*/members*
*youporn.*/login*
*youporn.*/login*
*members.brazzers.com*
*members.brazzers.com*
*bcointernacional*login*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*:2222/CMD_LOGIN*
*whcms*dologin*
*whcms*dologin*
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
*:2082/login*
*:2082/login*
*webnames.ru/*user_login*
*webnames.ru/*user_login*
Webnames
Webnames
*dotster.com/*login*
*dotster.com/*login*
loginid
loginid
*enom.com/login*
*enom.com/login*
login.Pass
login.Pass
login.User
login.User
*login.Pass=*
*login.Pass=*
*1and1.com/xml/config*
*1and1.com/xml/config*
*moniker.com/*Login*
*moniker.com/*Login*
LoginPassword
LoginPassword
LoginUserName
LoginUserName
*LoginPassword=*
*LoginPassword=*
*namecheap.com/*login*
*namecheap.com/*login*
loginname
loginname
*godaddy.com/login*
*godaddy.com/login*
Password
Password
*Password=*
*Password=*
*alertpay.com/login*
*alertpay.com/login*
*netflix.com/*ogin*
*netflix.com/*ogin*
*thepiratebay.org/login*
*thepiratebay.org/login*
*torrentleech.org/*login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*letitbit.net*
*what.cd/login*
*what.cd/login*
*oron.com/login*
*oron.com/login*
*filesonic.com/*login*
*filesonic.com/*login*
*speedyshare.com/login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploaded.to/*login*
*uploading.com/*login*
*uploading.com/*login*
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserv.com/login*
*fileserv.com/login*
*hotfile.com/login*
*hotfile.com/login*
*4shared.com/login*
*4shared.com/login*
txtpass
txtpass
*txtpass=*
*txtpass=*
*netload.in/index*
*netload.in/index*
*freakshare.com/login*
*freakshare.com/login*
login_pass
login_pass
*login_pass=*
*login_pass=*
*mediafire.com/*login*
*mediafire.com/*login*
*sendspace.com/login*
*sendspace.com/login*
*megaupload.*/*login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
\\.\PHYSICALDRIVE0
\\.\PHYSICALDRIVE0
shell32.dll
shell32.dll
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
[%s{%s%s{%s
[%s{%s%s{%s
n%s[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s|%s
%s|%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
FTP ->
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
hXXp://
[Login]: %s
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
icon=shell32.dll,7
icon=shell32.dll,7
shellexecute=
shellexecute=
%windir%\system32\cmd.exe
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %Ã%%%s
&&%%windir%%\explorer.exe %Ã%%%s
/c "start %Ã%%.Trashes\%s
/c "start %Ã%%.Trashes\%s
.Trashes
.Trashes
\\.\%c:
\\.\%c:
%s\%s
%s\%s
%sautorun.tmp
%sautorun.tmp
%sautorun.inf
%sautorun.inf
%0x.scr
%0x.scr
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExW
RegCreateKeyExW
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
DNSAPI.dll
DNSAPI.dll
Secur32.dll
Secur32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryW
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
a.baerr000.ru
a.baerr000.ru
a.joerv06.com
a.joerv06.com
a.tsroxybaa.com
a.tsroxybaa.com
fbi.gov
fbi.gov
]1.1.0.0
]1.1.0.0
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
PASS %s
PASS %s
[.ShellClassInfo]
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
SSRR %s 0 0 :%s
KCIK %s
KCIK %s
SEND %s %s
SEND %s %s
PART %s
PART %s
PPPPMSG %s :%s
PPPPMSG %s :%s
QUIT :%s
QUIT :%s
PPNG %s
PPNG %s
PPPPMSG
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[POP3 Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\x_ipc
\\.\pipe\312a36d2
\\.\pipe\312a36d2
%System%\svchost.exe
%System%\svchost.exe
%WinDir%
%WinDir%
%Documents and Settings%\%current user%\Application Data\Microsoft\Pukmkb.exe
%Documents and Settings%\%current user%\Application Data\Microsoft\Pukmkb.exe
7 767
7 767
8*808;8~8
8*808;8~8
%s\Microsoft\%s.exe
%s\Microsoft\%s.exe
\\.\pipe
\\.\pipe
Internet Explorer\iexplore.exe
Internet Explorer\iexplore.exe
autorun.inf
autorun.inf
pidgin.exe
pidgin.exe
wlcomm.exe
wlcomm.exe
msnmsgr.exe
msnmsgr.exe
msmsgs.exe
msmsgs.exe
flock.exe
flock.exe
opera.exe
opera.exe
chrome.exe
chrome.exe
ieuser.exe
ieuser.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
.ipconfig.exe
.ipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
lol.exe
lol.exe
n127.0.0.1
n127.0.0.1
%s:Zone.Identifier
%s:Zone.Identifier
wininet.dll
wininet.dll
secur32.dll
secur32.dll
ws2_32.dll
ws2_32.dll
:%S%S\Desktop.ini
:%S%S\Desktop.ini
winlogon.exe
winlogon.exe
mspaint.exe
mspaint.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
Akernel23.dll
Akernel23.dll
y%s\%s.exe
y%s\%s.exe
lsass.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
c:\%original file name%.exe
c:\%original file name%.exe
svchost.exe_1020_rwx_00B50000_0004E000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
=MSG t
=MSG t
>MSG u`
>MSG u`
=PASS
=PASS
8httpu1
8httpu1
8httpuM
8httpuM
tlSSSSSSSSSShL0
tlSSSSSSSSSShL0
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
ngr->blocksize: %d
ngr->blocksize: %d
block_size: %d
block_size: %d
\\.\pipe\%s
\\.\pipe\%s
kernel32.dll
kernel32.dll
%s_%d
%s_%d
-%sMutex
-%sMutex
ntdll.dll
ntdll.dll
%s-pid
%s-pid
%s-comm
%s-comm
JOIN #
JOIN #
PRIVMSG #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
PRIVMSG %5s
JOIN %5s
JOIN %5s
PRIVMSG
PRIVMSG
JOIN
JOIN
%s:%d
%s:%d
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
state_%s
state_%s
%s.%s (p='%S')
%s.%s (p='%S')
pop3://%s:%s@%s:%d
pop3://%s:%s@%s:%d
%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
login[password]
login[password]
login[username]
login[username]
*members*.iknowthatgirl*/members*
*members*.iknowthatgirl*/members*
*youporn.*/login*
*youporn.*/login*
*members.brazzers.com*
*members.brazzers.com*
*bcointernacional*login*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*:2222/CMD_LOGIN*
*whcms*dologin*
*whcms*dologin*
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
*:2082/login*
*:2082/login*
*webnames.ru/*user_login*
*webnames.ru/*user_login*
Webnames
Webnames
*dotster.com/*login*
*dotster.com/*login*
loginid
loginid
*enom.com/login*
*enom.com/login*
login.Pass
login.Pass
login.User
login.User
*login.Pass=*
*login.Pass=*
*1and1.com/xml/config*
*1and1.com/xml/config*
*moniker.com/*Login*
*moniker.com/*Login*
LoginPassword
LoginPassword
LoginUserName
LoginUserName
*LoginPassword=*
*LoginPassword=*
*namecheap.com/*login*
*namecheap.com/*login*
loginname
loginname
*godaddy.com/login*
*godaddy.com/login*
Password
Password
*Password=*
*Password=*
*alertpay.com/login*
*alertpay.com/login*
*netflix.com/*ogin*
*netflix.com/*ogin*
*thepiratebay.org/login*
*thepiratebay.org/login*
*torrentleech.org/*login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*letitbit.net*
*what.cd/login*
*what.cd/login*
*oron.com/login*
*oron.com/login*
*filesonic.com/*login*
*filesonic.com/*login*
*speedyshare.com/login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploaded.to/*login*
*uploading.com/*login*
*uploading.com/*login*
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserv.com/login*
*fileserv.com/login*
*hotfile.com/login*
*hotfile.com/login*
*4shared.com/login*
*4shared.com/login*
txtpass
txtpass
*txtpass=*
*txtpass=*
*netload.in/index*
*netload.in/index*
*freakshare.com/login*
*freakshare.com/login*
login_pass
login_pass
*login_pass=*
*login_pass=*
*mediafire.com/*login*
*mediafire.com/*login*
*sendspace.com/login*
*sendspace.com/login*
*megaupload.*/*login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
\\.\PHYSICALDRIVE0
\\.\PHYSICALDRIVE0
shell32.dll
shell32.dll
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
[%s{%s%s{%s
[%s{%s%s{%s
n%s[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s|%s
%s|%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
FTP ->
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
hXXp://
[Login]: %s
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
icon=shell32.dll,7
icon=shell32.dll,7
shellexecute=
shellexecute=
%windir%\system32\cmd.exe
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %Ã%%%s
&&%%windir%%\explorer.exe %Ã%%%s
/c "start %Ã%%.Trashes\%s
/c "start %Ã%%.Trashes\%s
.Trashes
.Trashes
\\.\%c:
\\.\%c:
%s\%s
%s\%s
%sautorun.tmp
%sautorun.tmp
%sautorun.inf
%sautorun.inf
%0x.scr
%0x.scr
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExW
RegCreateKeyExW
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
DNSAPI.dll
DNSAPI.dll
Secur32.dll
Secur32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryW
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
a.baerr000.ru
a.baerr000.ru
a.joerv06.com
a.joerv06.com
a.tsroxybaa.com
a.tsroxybaa.com
fbi.gov
fbi.gov
]1.1.0.0
]1.1.0.0
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
PASS %s
PASS %s
[.ShellClassInfo]
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
SSRR %s 0 0 :%s
KCIK %s
KCIK %s
SEND %s %s
SEND %s %s
PART %s
PART %s
PPPPMSG %s :%s
PPPPMSG %s :%s
QUIT :%s
QUIT :%s
PPNG %s
PPNG %s
PPPPMSG
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[POP3 Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\x_ipc
\\.\pipe\312a36d2
\\.\pipe\312a36d2
%System%\svchost.exe
%System%\svchost.exe
%WinDir%
%WinDir%
%Documents and Settings%\%current user%\Application Data\Microsoft\Pukmkb.exe
%Documents and Settings%\%current user%\Application Data\Microsoft\Pukmkb.exe
7 767
7 767
8*808;8~8
8*808;8~8
%s\Microsoft\%s.exe
%s\Microsoft\%s.exe
\\.\pipe
\\.\pipe
Internet Explorer\iexplore.exe
Internet Explorer\iexplore.exe
autorun.inf
autorun.inf
pidgin.exe
pidgin.exe
wlcomm.exe
wlcomm.exe
msnmsgr.exe
msnmsgr.exe
msmsgs.exe
msmsgs.exe
flock.exe
flock.exe
opera.exe
opera.exe
chrome.exe
chrome.exe
ieuser.exe
ieuser.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
.ipconfig.exe
.ipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
lol.exe
lol.exe
n127.0.0.1
n127.0.0.1
%s:Zone.Identifier
%s:Zone.Identifier
wininet.dll
wininet.dll
secur32.dll
secur32.dll
ws2_32.dll
ws2_32.dll
:%S%S\Desktop.ini
:%S%S\Desktop.ini
winlogon.exe
winlogon.exe
mspaint.exe
mspaint.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
Akernel23.dll
Akernel23.dll
y%s\%s.exe
y%s\%s.exe
lsass.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
c:\%original file name%.exe
c:\%original file name%.exe
svchost.exe_1104_rwx_02580000_0004E000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
=MSG t
=MSG t
>MSG u`
>MSG u`
=PASS
=PASS
8httpu1
8httpu1
8httpuM
8httpuM
tlSSSSSSSSSShL0Y
tlSSSSSSSSSShL0Y
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
ngr->blocksize: %d
ngr->blocksize: %d
block_size: %d
block_size: %d
\\.\pipe\%s
\\.\pipe\%s
kernel32.dll
kernel32.dll
%s_%d
%s_%d
-%sMutex
-%sMutex
ntdll.dll
ntdll.dll
%s-pid
%s-pid
%s-comm
%s-comm
JOIN #
JOIN #
PRIVMSG #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
PRIVMSG %5s
JOIN %5s
JOIN %5s
PRIVMSG
PRIVMSG
JOIN
JOIN
%s:%d
%s:%d
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
state_%s
state_%s
%s.%s (p='%S')
%s.%s (p='%S')
pop3://%s:%s@%s:%d
pop3://%s:%s@%s:%d
%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
login[password]
login[password]
login[username]
login[username]
*members*.iknowthatgirl*/members*
*members*.iknowthatgirl*/members*
*youporn.*/login*
*youporn.*/login*
*members.brazzers.com*
*members.brazzers.com*
*bcointernacional*login*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*:2222/CMD_LOGIN*
*whcms*dologin*
*whcms*dologin*
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
*:2082/login*
*:2082/login*
*webnames.ru/*user_login*
*webnames.ru/*user_login*
Webnames
Webnames
*dotster.com/*login*
*dotster.com/*login*
loginid
loginid
*enom.com/login*
*enom.com/login*
login.Pass
login.Pass
login.User
login.User
*login.Pass=*
*login.Pass=*
*1and1.com/xml/config*
*1and1.com/xml/config*
*moniker.com/*Login*
*moniker.com/*Login*
LoginPassword
LoginPassword
LoginUserName
LoginUserName
*LoginPassword=*
*LoginPassword=*
*namecheap.com/*login*
*namecheap.com/*login*
loginname
loginname
*godaddy.com/login*
*godaddy.com/login*
Password
Password
*Password=*
*Password=*
*alertpay.com/login*
*alertpay.com/login*
*netflix.com/*ogin*
*netflix.com/*ogin*
*thepiratebay.org/login*
*thepiratebay.org/login*
*torrentleech.org/*login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*letitbit.net*
*what.cd/login*
*what.cd/login*
*oron.com/login*
*oron.com/login*
*filesonic.com/*login*
*filesonic.com/*login*
*speedyshare.com/login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploaded.to/*login*
*uploading.com/*login*
*uploading.com/*login*
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserv.com/login*
*fileserv.com/login*
*hotfile.com/login*
*hotfile.com/login*
*4shared.com/login*
*4shared.com/login*
txtpass
txtpass
*txtpass=*
*txtpass=*
*netload.in/index*
*netload.in/index*
*freakshare.com/login*
*freakshare.com/login*
login_pass
login_pass
*login_pass=*
*login_pass=*
*mediafire.com/*login*
*mediafire.com/*login*
*sendspace.com/login*
*sendspace.com/login*
*megaupload.*/*login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
\\.\PHYSICALDRIVE0
\\.\PHYSICALDRIVE0
shell32.dll
shell32.dll
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
[%s{%s%s{%s
[%s{%s%s{%s
n%s[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s|%s
%s|%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
FTP ->
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
hXXp://
[Login]: %s
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
icon=shell32.dll,7
icon=shell32.dll,7
shellexecute=
shellexecute=
%windir%\system32\cmd.exe
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %Ã%%%s
&&%%windir%%\explorer.exe %Ã%%%s
/c "start %Ã%%.Trashes\%s
/c "start %Ã%%.Trashes\%s
.Trashes
.Trashes
\\.\%c:
\\.\%c:
%s\%s
%s\%s
%sautorun.tmp
%sautorun.tmp
%sautorun.inf
%sautorun.inf
%0x.scr
%0x.scr
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExW
RegCreateKeyExW
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
DNSAPI.dll
DNSAPI.dll
Secur32.dll
Secur32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryW
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
a.baerr000.ru
a.baerr000.ru
a.joerv06.com
a.joerv06.com
a.tsroxybaa.com
a.tsroxybaa.com
fbi.gov
fbi.gov
]1.1.0.0
]1.1.0.0
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
PASS %s
PASS %s
[.ShellClassInfo]
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
SSRR %s 0 0 :%s
KCIK %s
KCIK %s
SEND %s %s
SEND %s %s
PART %s
PART %s
PPPPMSG %s :%s
PPPPMSG %s :%s
QUIT :%s
QUIT :%s
PPNG %s
PPNG %s
PPPPMSG
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[POP3 Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\x_ipc
\\.\pipe\312a36d2
\\.\pipe\312a36d2
%WinDir%\System32\svchost.exe
%WinDir%\System32\svchost.exe
%WinDir%
%WinDir%
%Documents and Settings%\%current user%\Application Data\Microsoft\Pukmkb.exe
%Documents and Settings%\%current user%\Application Data\Microsoft\Pukmkb.exe
7 767
7 767
8*808;8~8
8*808;8~8
%s\Microsoft\%s.exe
%s\Microsoft\%s.exe
\\.\pipe
\\.\pipe
Internet Explorer\iexplore.exe
Internet Explorer\iexplore.exe
autorun.inf
autorun.inf
pidgin.exe
pidgin.exe
wlcomm.exe
wlcomm.exe
msnmsgr.exe
msnmsgr.exe
msmsgs.exe
msmsgs.exe
flock.exe
flock.exe
opera.exe
opera.exe
chrome.exe
chrome.exe
ieuser.exe
ieuser.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
.ipconfig.exe
.ipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
lol.exe
lol.exe
n127.0.0.1
n127.0.0.1
%s:Zone.Identifier
%s:Zone.Identifier
wininet.dll
wininet.dll
secur32.dll
secur32.dll
ws2_32.dll
ws2_32.dll
:%S%S\Desktop.ini
:%S%S\Desktop.ini
winlogon.exe
winlogon.exe
mspaint.exe
mspaint.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
Akernel23.dll
Akernel23.dll
y%s\%s.exe
y%s\%s.exe
lsass.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
c:\%original file name%.exe
c:\%original file name%.exe
svchost.exe_1156_rwx_00830000_0004E000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
=MSG t
=MSG t
>MSG u`
>MSG u`
=PASS
=PASS
8httpu1
8httpu1
8httpuM
8httpuM
tlSSSSSSSSSShL0
tlSSSSSSSSSShL0
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
ngr->blocksize: %d
ngr->blocksize: %d
block_size: %d
block_size: %d
\\.\pipe\%s
\\.\pipe\%s
kernel32.dll
kernel32.dll
%s_%d
%s_%d
-%sMutex
-%sMutex
ntdll.dll
ntdll.dll
%s-pid
%s-pid
%s-comm
%s-comm
JOIN #
JOIN #
PRIVMSG #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
PRIVMSG %5s
JOIN %5s
JOIN %5s
PRIVMSG
PRIVMSG
JOIN
JOIN
%s:%d
%s:%d
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
state_%s
state_%s
%s.%s (p='%S')
%s.%s (p='%S')
pop3://%s:%s@%s:%d
pop3://%s:%s@%s:%d
%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
login[password]
login[password]
login[username]
login[username]
*members*.iknowthatgirl*/members*
*members*.iknowthatgirl*/members*
*youporn.*/login*
*youporn.*/login*
*members.brazzers.com*
*members.brazzers.com*
*bcointernacional*login*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*:2222/CMD_LOGIN*
*whcms*dologin*
*whcms*dologin*
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
*:2082/login*
*:2082/login*
*webnames.ru/*user_login*
*webnames.ru/*user_login*
Webnames
Webnames
*dotster.com/*login*
*dotster.com/*login*
loginid
loginid
*enom.com/login*
*enom.com/login*
login.Pass
login.Pass
login.User
login.User
*login.Pass=*
*login.Pass=*
*1and1.com/xml/config*
*1and1.com/xml/config*
*moniker.com/*Login*
*moniker.com/*Login*
LoginPassword
LoginPassword
LoginUserName
LoginUserName
*LoginPassword=*
*LoginPassword=*
*namecheap.com/*login*
*namecheap.com/*login*
loginname
loginname
*godaddy.com/login*
*godaddy.com/login*
Password
Password
*Password=*
*Password=*
*alertpay.com/login*
*alertpay.com/login*
*netflix.com/*ogin*
*netflix.com/*ogin*
*thepiratebay.org/login*
*thepiratebay.org/login*
*torrentleech.org/*login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*letitbit.net*
*what.cd/login*
*what.cd/login*
*oron.com/login*
*oron.com/login*
*filesonic.com/*login*
*filesonic.com/*login*
*speedyshare.com/login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploaded.to/*login*
*uploading.com/*login*
*uploading.com/*login*
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserv.com/login*
*fileserv.com/login*
*hotfile.com/login*
*hotfile.com/login*
*4shared.com/login*
*4shared.com/login*
txtpass
txtpass
*txtpass=*
*txtpass=*
*netload.in/index*
*netload.in/index*
*freakshare.com/login*
*freakshare.com/login*
login_pass
login_pass
*login_pass=*
*login_pass=*
*mediafire.com/*login*
*mediafire.com/*login*
*sendspace.com/login*
*sendspace.com/login*
*megaupload.*/*login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
\\.\PHYSICALDRIVE0
\\.\PHYSICALDRIVE0
shell32.dll
shell32.dll
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
[%s{%s%s{%s
[%s{%s%s{%s
n%s[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s|%s
%s|%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
FTP ->
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
hXXp://
[Login]: %s
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
icon=shell32.dll,7
icon=shell32.dll,7
shellexecute=
shellexecute=
%windir%\system32\cmd.exe
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %Ã%%%s
&&%%windir%%\explorer.exe %Ã%%%s
/c "start %Ã%%.Trashes\%s
/c "start %Ã%%.Trashes\%s
.Trashes
.Trashes
\\.\%c:
\\.\%c:
%s\%s
%s\%s
%sautorun.tmp
%sautorun.tmp
%sautorun.inf
%sautorun.inf
%0x.scr
%0x.scr
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExW
RegCreateKeyExW
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
DNSAPI.dll
DNSAPI.dll
Secur32.dll
Secur32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryW
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
a.baerr000.ru
a.baerr000.ru
a.joerv06.com
a.joerv06.com
a.tsroxybaa.com
a.tsroxybaa.com
fbi.gov
fbi.gov
]1.1.0.0
]1.1.0.0
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
PASS %s
PASS %s
[.ShellClassInfo]
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
SSRR %s 0 0 :%s
KCIK %s
KCIK %s
SEND %s %s
SEND %s %s
PART %s
PART %s
PPPPMSG %s :%s
PPPPMSG %s :%s
QUIT :%s
QUIT :%s
PPNG %s
PPNG %s
PPPPMSG
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[POP3 Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\x_ipc
\\.\pipe\312a36d2
\\.\pipe\312a36d2
%System%\svchost.exe
%System%\svchost.exe
%WinDir%
%WinDir%
%Documents and Settings%\%current user%\Application Data\Microsoft\Pukmkb.exe
%Documents and Settings%\%current user%\Application Data\Microsoft\Pukmkb.exe
7 767
7 767
8*808;8~8
8*808;8~8
%s\Microsoft\%s.exe
%s\Microsoft\%s.exe
\\.\pipe
\\.\pipe
Internet Explorer\iexplore.exe
Internet Explorer\iexplore.exe
autorun.inf
autorun.inf
pidgin.exe
pidgin.exe
wlcomm.exe
wlcomm.exe
msnmsgr.exe
msnmsgr.exe
msmsgs.exe
msmsgs.exe
flock.exe
flock.exe
opera.exe
opera.exe
chrome.exe
chrome.exe
ieuser.exe
ieuser.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
.ipconfig.exe
.ipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
lol.exe
lol.exe
n127.0.0.1
n127.0.0.1
%s:Zone.Identifier
%s:Zone.Identifier
wininet.dll
wininet.dll
secur32.dll
secur32.dll
ws2_32.dll
ws2_32.dll
:%S%S\Desktop.ini
:%S%S\Desktop.ini
winlogon.exe
winlogon.exe
mspaint.exe
mspaint.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
Akernel23.dll
Akernel23.dll
y%s\%s.exe
y%s\%s.exe
lsass.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
c:\%original file name%.exe
c:\%original file name%.exe
svchost.exe_1200_rwx_00C80000_0004E000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
=MSG t
=MSG t
>MSG u`
>MSG u`
=PASS
=PASS
8httpu1
8httpu1
8httpuM
8httpuM
tlSSSSSSSSSShL0
tlSSSSSSSSSShL0
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
ngr->blocksize: %d
ngr->blocksize: %d
block_size: %d
block_size: %d
\\.\pipe\%s
\\.\pipe\%s
kernel32.dll
kernel32.dll
%s_%d
%s_%d
-%sMutex
-%sMutex
ntdll.dll
ntdll.dll
%s-pid
%s-pid
%s-comm
%s-comm
JOIN #
JOIN #
PRIVMSG #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
PRIVMSG %5s
JOIN %5s
JOIN %5s
PRIVMSG
PRIVMSG
JOIN
JOIN
%s:%d
%s:%d
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
state_%s
state_%s
%s.%s (p='%S')
%s.%s (p='%S')
pop3://%s:%s@%s:%d
pop3://%s:%s@%s:%d
%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
login[password]
login[password]
login[username]
login[username]
*members*.iknowthatgirl*/members*
*members*.iknowthatgirl*/members*
*youporn.*/login*
*youporn.*/login*
*members.brazzers.com*
*members.brazzers.com*
*bcointernacional*login*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*:2222/CMD_LOGIN*
*whcms*dologin*
*whcms*dologin*
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
*:2082/login*
*:2082/login*
*webnames.ru/*user_login*
*webnames.ru/*user_login*
Webnames
Webnames
*dotster.com/*login*
*dotster.com/*login*
loginid
loginid
*enom.com/login*
*enom.com/login*
login.Pass
login.Pass
login.User
login.User
*login.Pass=*
*login.Pass=*
*1and1.com/xml/config*
*1and1.com/xml/config*
*moniker.com/*Login*
*moniker.com/*Login*
LoginPassword
LoginPassword
LoginUserName
LoginUserName
*LoginPassword=*
*LoginPassword=*
*namecheap.com/*login*
*namecheap.com/*login*
loginname
loginname
*godaddy.com/login*
*godaddy.com/login*
Password
Password
*Password=*
*Password=*
*alertpay.com/login*
*alertpay.com/login*
*netflix.com/*ogin*
*netflix.com/*ogin*
*thepiratebay.org/login*
*thepiratebay.org/login*
*torrentleech.org/*login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*letitbit.net*
*what.cd/login*
*what.cd/login*
*oron.com/login*
*oron.com/login*
*filesonic.com/*login*
*filesonic.com/*login*
*speedyshare.com/login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploaded.to/*login*
*uploading.com/*login*
*uploading.com/*login*
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserv.com/login*
*fileserv.com/login*
*hotfile.com/login*
*hotfile.com/login*
*4shared.com/login*
*4shared.com/login*
txtpass
txtpass
*txtpass=*
*txtpass=*
*netload.in/index*
*netload.in/index*
*freakshare.com/login*
*freakshare.com/login*
login_pass
login_pass
*login_pass=*
*login_pass=*
*mediafire.com/*login*
*mediafire.com/*login*
*sendspace.com/login*
*sendspace.com/login*
*megaupload.*/*login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
\\.\PHYSICALDRIVE0
\\.\PHYSICALDRIVE0
shell32.dll
shell32.dll
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
[%s{%s%s{%s
[%s{%s%s{%s
n%s[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s|%s
%s|%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
FTP ->
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
hXXp://
[Login]: %s
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
icon=shell32.dll,7
icon=shell32.dll,7
shellexecute=
shellexecute=
%windir%\system32\cmd.exe
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %Ã%%%s
&&%%windir%%\explorer.exe %Ã%%%s
/c "start %Ã%%.Trashes\%s
/c "start %Ã%%.Trashes\%s
.Trashes
.Trashes
\\.\%c:
\\.\%c:
%s\%s
%s\%s
%sautorun.tmp
%sautorun.tmp
%sautorun.inf
%sautorun.inf
%0x.scr
%0x.scr
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExW
RegCreateKeyExW
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
DNSAPI.dll
DNSAPI.dll
Secur32.dll
Secur32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryW
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
a.baerr000.ru
a.baerr000.ru
a.joerv06.com
a.joerv06.com
a.tsroxybaa.com
a.tsroxybaa.com
fbi.gov
fbi.gov
]1.1.0.0
]1.1.0.0
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
PASS %s
PASS %s
[.ShellClassInfo]
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
SSRR %s 0 0 :%s
KCIK %s
KCIK %s
SEND %s %s
SEND %s %s
PART %s
PART %s
PPPPMSG %s :%s
PPPPMSG %s :%s
QUIT :%s
QUIT :%s
PPNG %s
PPNG %s
PPPPMSG
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[POP3 Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\x_ipc
\\.\pipe\312a36d2
\\.\pipe\312a36d2
%System%\svchost.exe
%System%\svchost.exe
%WinDir%
%WinDir%
%Documents and Settings%\%current user%\Application Data\Microsoft\Pukmkb.exe
%Documents and Settings%\%current user%\Application Data\Microsoft\Pukmkb.exe
7 767
7 767
8*808;8~8
8*808;8~8
%s\Microsoft\%s.exe
%s\Microsoft\%s.exe
\\.\pipe
\\.\pipe
Internet Explorer\iexplore.exe
Internet Explorer\iexplore.exe
autorun.inf
autorun.inf
pidgin.exe
pidgin.exe
wlcomm.exe
wlcomm.exe
msnmsgr.exe
msnmsgr.exe
msmsgs.exe
msmsgs.exe
flock.exe
flock.exe
opera.exe
opera.exe
chrome.exe
chrome.exe
ieuser.exe
ieuser.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
.ipconfig.exe
.ipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
lol.exe
lol.exe
n127.0.0.1
n127.0.0.1
%s:Zone.Identifier
%s:Zone.Identifier
wininet.dll
wininet.dll
secur32.dll
secur32.dll
ws2_32.dll
ws2_32.dll
:%S%S\Desktop.ini
:%S%S\Desktop.ini
winlogon.exe
winlogon.exe
mspaint.exe
mspaint.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
Akernel23.dll
Akernel23.dll
y%s\%s.exe
y%s\%s.exe
lsass.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
c:\%original file name%.exe
c:\%original file name%.exe
spoolsv.exe_1444_rwx_00F90000_0004E000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
=MSG t
=MSG t
>MSG u`
>MSG u`
=PASS
=PASS
8httpu1
8httpu1
8httpuM
8httpuM
tlSSSSSSSSSShL0
tlSSSSSSSSSShL0
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
ngr->blocksize: %d
ngr->blocksize: %d
block_size: %d
block_size: %d
\\.\pipe\%s
\\.\pipe\%s
kernel32.dll
kernel32.dll
%s_%d
%s_%d
-%sMutex
-%sMutex
ntdll.dll
ntdll.dll
%s-pid
%s-pid
%s-comm
%s-comm
JOIN #
JOIN #
PRIVMSG #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
PRIVMSG %5s
JOIN %5s
JOIN %5s
PRIVMSG
PRIVMSG
JOIN
JOIN
%s:%d
%s:%d
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
state_%s
state_%s
%s.%s (p='%S')
%s.%s (p='%S')
pop3://%s:%s@%s:%d
pop3://%s:%s@%s:%d
%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
login[password]
login[password]
login[username]
login[username]
*members*.iknowthatgirl*/members*
*members*.iknowthatgirl*/members*
*youporn.*/login*
*youporn.*/login*
*members.brazzers.com*
*members.brazzers.com*
*bcointernacional*login*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*:2222/CMD_LOGIN*
*whcms*dologin*
*whcms*dologin*
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
*:2082/login*
*:2082/login*
*webnames.ru/*user_login*
*webnames.ru/*user_login*
Webnames
Webnames
*dotster.com/*login*
*dotster.com/*login*
loginid
loginid
*enom.com/login*
*enom.com/login*
login.Pass
login.Pass
login.User
login.User
*login.Pass=*
*login.Pass=*
*1and1.com/xml/config*
*1and1.com/xml/config*
*moniker.com/*Login*
*moniker.com/*Login*
LoginPassword
LoginPassword
LoginUserName
LoginUserName
*LoginPassword=*
*LoginPassword=*
*namecheap.com/*login*
*namecheap.com/*login*
loginname
loginname
*godaddy.com/login*
*godaddy.com/login*
Password
Password
*Password=*
*Password=*
*alertpay.com/login*
*alertpay.com/login*
*netflix.com/*ogin*
*netflix.com/*ogin*
*thepiratebay.org/login*
*thepiratebay.org/login*
*torrentleech.org/*login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*letitbit.net*
*what.cd/login*
*what.cd/login*
*oron.com/login*
*oron.com/login*
*filesonic.com/*login*
*filesonic.com/*login*
*speedyshare.com/login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploaded.to/*login*
*uploading.com/*login*
*uploading.com/*login*
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserv.com/login*
*fileserv.com/login*
*hotfile.com/login*
*hotfile.com/login*
*4shared.com/login*
*4shared.com/login*
txtpass
txtpass
*txtpass=*
*txtpass=*
*netload.in/index*
*netload.in/index*
*freakshare.com/login*
*freakshare.com/login*
login_pass
login_pass
*login_pass=*
*login_pass=*
*mediafire.com/*login*
*mediafire.com/*login*
*sendspace.com/login*
*sendspace.com/login*
*megaupload.*/*login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
\\.\PHYSICALDRIVE0
\\.\PHYSICALDRIVE0
shell32.dll
shell32.dll
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
[%s{%s%s{%s
[%s{%s%s{%s
n%s[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s|%s
%s|%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
FTP ->
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
hXXp://
[Login]: %s
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
icon=shell32.dll,7
icon=shell32.dll,7
shellexecute=
shellexecute=
%windir%\system32\cmd.exe
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %Ã%%%s
&&%%windir%%\explorer.exe %Ã%%%s
/c "start %Ã%%.Trashes\%s
/c "start %Ã%%.Trashes\%s
.Trashes
.Trashes
\\.\%c:
\\.\%c:
%s\%s
%s\%s
%sautorun.tmp
%sautorun.tmp
%sautorun.inf
%sautorun.inf
%0x.scr
%0x.scr
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExW
RegCreateKeyExW
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
DNSAPI.dll
DNSAPI.dll
Secur32.dll
Secur32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryW
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
a.baerr000.ru
a.baerr000.ru
a.joerv06.com
a.joerv06.com
a.tsroxybaa.com
a.tsroxybaa.com
fbi.gov
fbi.gov
]1.1.0.0
]1.1.0.0
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
PASS %s
PASS %s
[.ShellClassInfo]
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
SSRR %s 0 0 :%s
KCIK %s
KCIK %s
SEND %s %s
SEND %s %s
PART %s
PART %s
PPPPMSG %s :%s
PPPPMSG %s :%s
QUIT :%s
QUIT :%s
PPNG %s
PPNG %s
PPPPMSG
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[POP3 Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\x_ipc
\\.\pipe\312a36d2
\\.\pipe\312a36d2
%System%\spoolsv.exe
%System%\spoolsv.exe
%WinDir%
%WinDir%
%Documents and Settings%\%current user%\Application Data\Microsoft\Pukmkb.exe
%Documents and Settings%\%current user%\Application Data\Microsoft\Pukmkb.exe
7 767
7 767
8*808;8~8
8*808;8~8
%s\Microsoft\%s.exe
%s\Microsoft\%s.exe
\\.\pipe
\\.\pipe
Internet Explorer\iexplore.exe
Internet Explorer\iexplore.exe
autorun.inf
autorun.inf
pidgin.exe
pidgin.exe
wlcomm.exe
wlcomm.exe
msnmsgr.exe
msnmsgr.exe
msmsgs.exe
msmsgs.exe
flock.exe
flock.exe
opera.exe
opera.exe
chrome.exe
chrome.exe
ieuser.exe
ieuser.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
.ipconfig.exe
.ipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
lol.exe
lol.exe
n127.0.0.1
n127.0.0.1
%s:Zone.Identifier
%s:Zone.Identifier
wininet.dll
wininet.dll
secur32.dll
secur32.dll
ws2_32.dll
ws2_32.dll
:%S%S\Desktop.ini
:%S%S\Desktop.ini
winlogon.exe
winlogon.exe
mspaint.exe
mspaint.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
Akernel23.dll
Akernel23.dll
y%s\%s.exe
y%s\%s.exe
lsass.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\spoolsv.exe
\Device\HarddiskVolume1\WINDOWS\system32\spoolsv.exe
c:\%original file name%.exe
c:\%original file name%.exe
imapi.exe_1780_rwx_00AB0000_0004E000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
=MSG t
=MSG t
>MSG u`
>MSG u`
=PASS
=PASS
8httpu1
8httpu1
8httpuM
8httpuM
tlSSSSSSSSSShL0
tlSSSSSSSSSShL0
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
ngr->blocksize: %d
ngr->blocksize: %d
block_size: %d
block_size: %d
\\.\pipe\%s
\\.\pipe\%s
kernel32.dll
kernel32.dll
%s_%d
%s_%d
-%sMutex
-%sMutex
ntdll.dll
ntdll.dll
%s-pid
%s-pid
%s-comm
%s-comm
JOIN #
JOIN #
PRIVMSG #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
PRIVMSG %5s
JOIN %5s
JOIN %5s
PRIVMSG
PRIVMSG
JOIN
JOIN
%s:%d
%s:%d
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
state_%s
state_%s
%s.%s (p='%S')
%s.%s (p='%S')
pop3://%s:%s@%s:%d
pop3://%s:%s@%s:%d
%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
login[password]
login[password]
login[username]
login[username]
*members*.iknowthatgirl*/members*
*members*.iknowthatgirl*/members*
*youporn.*/login*
*youporn.*/login*
*members.brazzers.com*
*members.brazzers.com*
*bcointernacional*login*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*:2222/CMD_LOGIN*
*whcms*dologin*
*whcms*dologin*
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
*:2082/login*
*:2082/login*
*webnames.ru/*user_login*
*webnames.ru/*user_login*
Webnames
Webnames
*dotster.com/*login*
*dotster.com/*login*
loginid
loginid
*enom.com/login*
*enom.com/login*
login.Pass
login.Pass
login.User
login.User
*login.Pass=*
*login.Pass=*
*1and1.com/xml/config*
*1and1.com/xml/config*
*moniker.com/*Login*
*moniker.com/*Login*
LoginPassword
LoginPassword
LoginUserName
LoginUserName
*LoginPassword=*
*LoginPassword=*
*namecheap.com/*login*
*namecheap.com/*login*
loginname
loginname
*godaddy.com/login*
*godaddy.com/login*
Password
Password
*Password=*
*Password=*
*alertpay.com/login*
*alertpay.com/login*
*netflix.com/*ogin*
*netflix.com/*ogin*
*thepiratebay.org/login*
*thepiratebay.org/login*
*torrentleech.org/*login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*letitbit.net*
*what.cd/login*
*what.cd/login*
*oron.com/login*
*oron.com/login*
*filesonic.com/*login*
*filesonic.com/*login*
*speedyshare.com/login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploaded.to/*login*
*uploading.com/*login*
*uploading.com/*login*
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserv.com/login*
*fileserv.com/login*
*hotfile.com/login*
*hotfile.com/login*
*4shared.com/login*
*4shared.com/login*
txtpass
txtpass
*txtpass=*
*txtpass=*
*netload.in/index*
*netload.in/index*
*freakshare.com/login*
*freakshare.com/login*
login_pass
login_pass
*login_pass=*
*login_pass=*
*mediafire.com/*login*
*mediafire.com/*login*
*sendspace.com/login*
*sendspace.com/login*
*megaupload.*/*login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
\\.\PHYSICALDRIVE0
\\.\PHYSICALDRIVE0
shell32.dll
shell32.dll
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
[%s{%s%s{%s
[%s{%s%s{%s
n%s[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s|%s
%s|%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
FTP ->
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
hXXp://
[Login]: %s
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
icon=shell32.dll,7
icon=shell32.dll,7
shellexecute=
shellexecute=
%windir%\system32\cmd.exe
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %Ã%%%s
&&%%windir%%\explorer.exe %Ã%%%s
/c "start %Ã%%.Trashes\%s
/c "start %Ã%%.Trashes\%s
.Trashes
.Trashes
\\.\%c:
\\.\%c:
%s\%s
%s\%s
%sautorun.tmp
%sautorun.tmp
%sautorun.inf
%sautorun.inf
%0x.scr
%0x.scr
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExW
RegCreateKeyExW
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
DNSAPI.dll
DNSAPI.dll
Secur32.dll
Secur32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryW
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
a.baerr000.ru
a.baerr000.ru
a.joerv06.com
a.joerv06.com
a.tsroxybaa.com
a.tsroxybaa.com
fbi.gov
fbi.gov
]1.1.0.0
]1.1.0.0
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
PASS %s
PASS %s
[.ShellClassInfo]
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
SSRR %s 0 0 :%s
KCIK %s
KCIK %s
SEND %s %s
SEND %s %s
PART %s
PART %s
PPPPMSG %s :%s
PPPPMSG %s :%s
QUIT :%s
QUIT :%s
PPNG %s
PPNG %s
PPPPMSG
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[POP3 Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\x_ipc
\\.\pipe\312a36d2
\\.\pipe\312a36d2
%System%\imapi.exe
%System%\imapi.exe
%WinDir%
%WinDir%
%Documents and Settings%\%current user%\Application Data\Microsoft\Pukmkb.exe
%Documents and Settings%\%current user%\Application Data\Microsoft\Pukmkb.exe
7 767
7 767
8*808;8~8
8*808;8~8
%s\Microsoft\%s.exe
%s\Microsoft\%s.exe
\\.\pipe
\\.\pipe
Internet Explorer\iexplore.exe
Internet Explorer\iexplore.exe
autorun.inf
autorun.inf
pidgin.exe
pidgin.exe
wlcomm.exe
wlcomm.exe
msnmsgr.exe
msnmsgr.exe
msmsgs.exe
msmsgs.exe
flock.exe
flock.exe
opera.exe
opera.exe
chrome.exe
chrome.exe
ieuser.exe
ieuser.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
.ipconfig.exe
.ipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
lol.exe
lol.exe
n127.0.0.1
n127.0.0.1
%s:Zone.Identifier
%s:Zone.Identifier
wininet.dll
wininet.dll
secur32.dll
secur32.dll
ws2_32.dll
ws2_32.dll
:%S%S\Desktop.ini
:%S%S\Desktop.ini
winlogon.exe
winlogon.exe
mspaint.exe
mspaint.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
Akernel23.dll
Akernel23.dll
y%s\%s.exe
y%s\%s.exe
lsass.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\imapi.exe
\Device\HarddiskVolume1\WINDOWS\system32\imapi.exe
c:\%original file name%.exe
c:\%original file name%.exe
jqs.exe_1976_rwx_010C0000_0004E000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
=MSG t
=MSG t
>MSG u`
>MSG u`
=PASS
=PASS
8httpu1
8httpu1
8httpuM
8httpuM
tlSSSSSSSSSShL0
tlSSSSSSSSSShL0
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
ngr->blocksize: %d
ngr->blocksize: %d
block_size: %d
block_size: %d
\\.\pipe\%s
\\.\pipe\%s
kernel32.dll
kernel32.dll
%s_%d
%s_%d
-%sMutex
-%sMutex
ntdll.dll
ntdll.dll
%s-pid
%s-pid
%s-comm
%s-comm
JOIN #
JOIN #
PRIVMSG #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
PRIVMSG %5s
JOIN %5s
JOIN %5s
PRIVMSG
PRIVMSG
JOIN
JOIN
%s:%d
%s:%d
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
state_%s
state_%s
%s.%s (p='%S')
%s.%s (p='%S')
pop3://%s:%s@%s:%d
pop3://%s:%s@%s:%d
%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
login[password]
login[password]
login[username]
login[username]
*members*.iknowthatgirl*/members*
*members*.iknowthatgirl*/members*
*youporn.*/login*
*youporn.*/login*
*members.brazzers.com*
*members.brazzers.com*
*bcointernacional*login*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*:2222/CMD_LOGIN*
*whcms*dologin*
*whcms*dologin*
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
*:2082/login*
*:2082/login*
*webnames.ru/*user_login*
*webnames.ru/*user_login*
Webnames
Webnames
*dotster.com/*login*
*dotster.com/*login*
loginid
loginid
*enom.com/login*
*enom.com/login*
login.Pass
login.Pass
login.User
login.User
*login.Pass=*
*login.Pass=*
*1and1.com/xml/config*
*1and1.com/xml/config*
*moniker.com/*Login*
*moniker.com/*Login*
LoginPassword
LoginPassword
LoginUserName
LoginUserName
*LoginPassword=*
*LoginPassword=*
*namecheap.com/*login*
*namecheap.com/*login*
loginname
loginname
*godaddy.com/login*
*godaddy.com/login*
Password
Password
*Password=*
*Password=*
*alertpay.com/login*
*alertpay.com/login*
*netflix.com/*ogin*
*netflix.com/*ogin*
*thepiratebay.org/login*
*thepiratebay.org/login*
*torrentleech.org/*login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*letitbit.net*
*what.cd/login*
*what.cd/login*
*oron.com/login*
*oron.com/login*
*filesonic.com/*login*
*filesonic.com/*login*
*speedyshare.com/login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploaded.to/*login*
*uploading.com/*login*
*uploading.com/*login*
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserv.com/login*
*fileserv.com/login*
*hotfile.com/login*
*hotfile.com/login*
*4shared.com/login*
*4shared.com/login*
txtpass
txtpass
*txtpass=*
*txtpass=*
*netload.in/index*
*netload.in/index*
*freakshare.com/login*
*freakshare.com/login*
login_pass
login_pass
*login_pass=*
*login_pass=*
*mediafire.com/*login*
*mediafire.com/*login*
*sendspace.com/login*
*sendspace.com/login*
*megaupload.*/*login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
\\.\PHYSICALDRIVE0
\\.\PHYSICALDRIVE0
shell32.dll
shell32.dll
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
[%s{%s%s{%s
[%s{%s%s{%s
n%s[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s|%s
%s|%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
FTP ->
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
hXXp://
[Login]: %s
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
icon=shell32.dll,7
icon=shell32.dll,7
shellexecute=
shellexecute=
%windir%\system32\cmd.exe
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %Ã%%%s
&&%%windir%%\explorer.exe %Ã%%%s
/c "start %Ã%%.Trashes\%s
/c "start %Ã%%.Trashes\%s
.Trashes
.Trashes
\\.\%c:
\\.\%c:
%s\%s
%s\%s
%sautorun.tmp
%sautorun.tmp
%sautorun.inf
%sautorun.inf
%0x.scr
%0x.scr
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExW
RegCreateKeyExW
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
DNSAPI.dll
DNSAPI.dll
Secur32.dll
Secur32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryW
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
a.baerr000.ru
a.baerr000.ru
a.joerv06.com
a.joerv06.com
a.tsroxybaa.com
a.tsroxybaa.com
fbi.gov
fbi.gov
]1.1.0.0
]1.1.0.0
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
PASS %s
PASS %s
[.ShellClassInfo]
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
SSRR %s 0 0 :%s
KCIK %s
KCIK %s
SEND %s %s
SEND %s %s
PART %s
PART %s
PPPPMSG %s :%s
PPPPMSG %s :%s
QUIT :%s
QUIT :%s
PPNG %s
PPNG %s
PPPPMSG
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[POP3 Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\x_ipc
\\.\pipe\312a36d2
\\.\pipe\312a36d2
%Program Files%\Java\jre6\bin\jqs.exe
%Program Files%\Java\jre6\bin\jqs.exe
%WinDir%
%WinDir%
%Documents and Settings%\%current user%\Application Data\Microsoft\Pukmkb.exe
%Documents and Settings%\%current user%\Application Data\Microsoft\Pukmkb.exe
7 767
7 767
8*808;8~8
8*808;8~8
%s\Microsoft\%s.exe
%s\Microsoft\%s.exe
\\.\pipe
\\.\pipe
Internet Explorer\iexplore.exe
Internet Explorer\iexplore.exe
autorun.inf
autorun.inf
pidgin.exe
pidgin.exe
wlcomm.exe
wlcomm.exe
msnmsgr.exe
msnmsgr.exe
msmsgs.exe
msmsgs.exe
flock.exe
flock.exe
opera.exe
opera.exe
chrome.exe
chrome.exe
ieuser.exe
ieuser.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
.ipconfig.exe
.ipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
lol.exe
lol.exe
n127.0.0.1
n127.0.0.1
%s:Zone.Identifier
%s:Zone.Identifier
wininet.dll
wininet.dll
secur32.dll
secur32.dll
ws2_32.dll
ws2_32.dll
:%S%S\Desktop.ini
:%S%S\Desktop.ini
winlogon.exe
winlogon.exe
mspaint.exe
mspaint.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
Akernel23.dll
Akernel23.dll
y%s\%s.exe
y%s\%s.exe
lsass.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\Program Files\Java\jre6\bin\jqs.exe
\Device\HarddiskVolume1\Program Files\Java\jre6\bin\jqs.exe
c:\%original file name%.exe
c:\%original file name%.exe