Backdoor.Agent.ABIH_d77d8e7fc8

Dynamic Analysis

Payload

Behaviour	Description
WormAutorun	A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer.
IRCBot	A bot can communicate with command and control servers via IRC channel.
MSNWorm	A worm can spread its copies through the MSN Messanger.
DNSBlocker	A program can block designated DNS servers for making it difficult for users to locate specific domains or web sites on the Internet.
UDPFlooder	This program can make a UDP flood. A UDP flood attack is a denial-of-service attack using the User Datagram Protocol (UDP). It can be initiated by sending a large number of UDP packets to random ports on a remote host.
SYNFlooder	This program can make a SYN flood. It is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
Trojan-Proxy	This program can launch a proxy server (SOCKS4) on a designated TCP port.
USBInfector	A program can register a device notification with the help of RegisterDeviceNotification. So it is notified when a USB device is plugged and then the worm copies itself to the USB device plugged into the affected computer.

Process activity

The Backdoor creates the following process(es):

ftp.exe:1724
%original file name%.exe:1316
%original file name%.exe:352

The Backdoor injects its code into the following process(es):

mscorsvw.exe:1924
svchost.exe:1276
csrss.exe:696
winlogon.exe:720
services.exe:764
svchost.exe:932
svchost.exe:1000
svchost.exe:1092
svchost.exe:1132
svchost.exe:1180
Explorer.EXE:1284
spoolsv.exe:1424
wmiprvse.exe:1792
jqs.exe:1972

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:1316 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\temp.bin (601 bytes)

Registry activity

The process ftp.exe:1724 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D 6E 40 7C 26 9A 97 79 08 DF BA AA 0A D2 48 EF"

The process %original file name%.exe:1316 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD AF 86 99 AD EA E5 26 FC E3 2F ED 13 76 32 18"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process %original file name%.exe:352 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D E5 1A F3 A9 FC E7 36 BB 23 96 B8 85 5A AA 78"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Backdoor installs the following user-mode hooks in WININET.dll:

HttpSendRequestW
InternetWriteFile
HttpSendRequestA

The Backdoor installs the following user-mode hooks in DNSAPI.dll:

DnsQuery_A
DnsQuery_W

The Backdoor installs the following user-mode hooks in WS2_32.dll:

send
GetAddrInfoW

The Backdoor installs the following user-mode hooks in kernel32.dll:

MoveFileA
CopyFileW
CopyFileA
MoveFileW
CreateFileW
CreateFileA

The Backdoor installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtResumeThread
NtQueryDirectoryFile
NtEnumerateValueKey

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer.A program can register a device notification with the help of RegisterDeviceNotification. So it is notified when a USB device is plugged and then the worm copies itself to the USB device plugged into the affected computer.A worm can spread its copies through the MSN Messanger.

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):

   ftp.exe:1724
   %original file name%.exe:1316
   %original file name%.exe:352
   

3. Delete the original Backdoor file.
   
4. Delete or disinfect the following files created/modified by the Backdoor:

   %Documents and Settings%\%current user%\Application Data\temp.bin (601 bytes)

5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
CODE	4096	104728	104960	4.22238	1c263cb7e83ea2dd01b58b544eb7e67c
.rdata	110592	1526	1536	3.56443	557018ef6d0cf351cc418c910c4ab661
.kyt	114688	482	512	4.27462	a65af858122b16ff21eaf37f53867ed9
DATA	118784	8820	512	0.253352	882d6838e7eebcd40cccc50586f42507
.rsrc	131072	436	512	3.53365	8f4789a65bf6377b722e93bd644be4a7

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 12
9fc56d939e5dae03ab76a77c833aab80
4bc13bc48f9f13f3066ef398a5ff3126
06ffe2bc26f61e6023f55248367648e0
18e72ff55407a69dd11feaf400ab3145
46143118769a44ba0f5ef3e091004d1f
9a675eb628fee980fdd9cc69d5b00b7c
0a29c538eb19b863582ecc127b733ff6
72bde3ad8d76980d1427b2a90e49fe63
7124a568ce146042fa5813600fcd9952
d26db7d0c31c83d0ad7a53702f6ebef9
bb2f07fac36f384d7bf8b4efade8010c
4cc654ca44755d868ea4e18c5f0f2c28

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Backdoor connects to the servers at the folowing location(s):

Strings from Dumps

svchost.exe_1276:

.text

.text

`.data

`.data

.rsrc

.rsrc

ADVAPI32.dll

ADVAPI32.dll

KERNEL32.dll

KERNEL32.dll

NTDLL.DLL

NTDLL.DLL

RPCRT4.dll

RPCRT4.dll

NETAPI32.dll

NETAPI32.dll

ole32.dll

ole32.dll

ntdll.dll

ntdll.dll

RegCloseKey

RegCloseKey

RegOpenKeyExW

RegOpenKeyExW

GetProcessHeap

GetProcessHeap

NtOpenKey

NtOpenKey

svchost.pdb

svchost.pdb

\PIPE\

\PIPE\

Software\Microsoft\Windows NT\CurrentVersion\Svchost

Software\Microsoft\Windows NT\CurrentVersion\Svchost

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

5.1.2600.5512 (xpsp.080413-2111)

5.1.2600.5512 (xpsp.080413-2111)

svchost.exe

svchost.exe

Windows

Windows

Operating System

Operating System

5.1.2600.5512

5.1.2600.5512

svchost.exe_1276_rwx_00090000_0001D000:

.text

.text

.data

.data

.rsrc

.rsrc

@.reloc

@.reloc

GetProcessHeap

GetProcessHeap

KERNEL32.dll

KERNEL32.dll

USER32.dll

USER32.dll

SHELL32.dll

SHELL32.dll

ole32.dll

ole32.dll

SHLWAPI.dll

SHLWAPI.dll

/c "%%SystemRoot%%\explorer.exe %Í%%%s & start %Í%%%s & exit"

/c "%%SystemRoot%%\explorer.exe %Í%%%s & start %Í%%%s & exit"

/c "start %Í%%%s & start %Í%%%s & exit"

/c "start %Í%%%s & start %Í%%%s & exit"

%SystemRoot%\system32\cmd.exe

%SystemRoot%\system32\cmd.exe

%SystemRoot%\system32\SHELL32.dll

%SystemRoot%\system32\SHELL32.dll

%s\temp.bin

%s\temp.bin

%s\_[$]_TESTFILE_[$]_

%s\_[$]_TESTFILE_[$]_

%s\%s

%s\%s

%s\%s.lnk

%s\%s.lnk

kernel32.dll

kernel32.dll

ntdll.dll

ntdll.dll

user32.dll

user32.dll

advapi32.dll

advapi32.dll

shell32.dll

shell32.dll

urlmon.dll

urlmon.dll

wininet.dll

wininet.dll

gdi32.dll

gdi32.dll

rpcrt4.dll

rpcrt4.dll

netapi32.dll

netapi32.dll

`.rdata

`.rdata

@.data

@.data

.reloc

.reloc

=MSG t

=MSG t

>MSG u`

>MSG u`

=PASS

=PASS

8httpu1

8httpu1

8httpuM

8httpuM

tlSSSSSSSSSShL0A

tlSSSSSSSSSShL0A

%s.%s

%s.%s

%s.%S

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

%s.p21-> Message hijacked!

msnmsg

msnmsg

CAL %d %6s

CAL %d %6s

ngr->blocksize: %d

ngr->blocksize: %d

block_size: %d

block_size: %d

\\.\pipe\%s

\\.\pipe\%s

%s_%d

%s_%d

-%sMutex

-%sMutex

%s-pid

%s-pid

%s-comm

%s-comm

JOIN #

JOIN #

PRIVMSG #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

PRIVMSG %5s

JOIN %5s

JOIN %5s

PRIVMSG

PRIVMSG

JOIN

JOIN

%s:%d

%s:%d

%s.%s%s

%s.%s%s

%S%s%s

%S%s%s

%s.%S%S

%s.%S%S

%S%S%S

%S%S%S

state_%s

state_%s

%s.%s (p='%S')

%s.%s (p='%S')

pop3://%s:%s@%s:%d

pop3://%s:%s@%s:%d

%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s.%s ->> %s : %s

%s-%s-%s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

webroot.

virusbuster.nprotect.

virusbuster.nprotect.

heck.tc

heck.tc

onecare.live.

onecare.live.

login[password]

login[password]

login[username]

login[username]

*members*.iknowthatgirl*/members*

*members*.iknowthatgirl*/members*

*youporn.*/login*

*youporn.*/login*

*members.brazzers.com*

*members.brazzers.com*

*bcointernacional*login*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*:2222/CMD_LOGIN*

*whcms*dologin*

*whcms*dologin*

*:2086/login*

*:2086/login*

*:2083/login*

*:2083/login*

*:2082/login*

*:2082/login*

*webnames.ru/*user_login*

*webnames.ru/*user_login*

Webnames

Webnames

*dotster.com/*login*

*dotster.com/*login*

loginid

loginid

*enom.com/login*

*enom.com/login*

login.Pass

login.Pass

login.User

login.User

*login.Pass=*

*login.Pass=*

*1and1.com/xml/config*

*1and1.com/xml/config*

*moniker.com/*Login*

*moniker.com/*Login*

LoginPassword

LoginPassword

LoginUserName

LoginUserName

*LoginPassword=*

*LoginPassword=*

*namecheap.com/*login*

*namecheap.com/*login*

loginname

loginname

*godaddy.com/login*

*godaddy.com/login*

Password

Password

*Password=*

*Password=*

*alertpay.com/login*

*alertpay.com/login*

*netflix.com/*ogin*

*netflix.com/*ogin*

*thepiratebay.org/login*

*thepiratebay.org/login*

*torrentleech.org/*login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*letitbit.net*

*what.cd/login*

*what.cd/login*

*oron.com/login*

*oron.com/login*

*filesonic.com/*login*

*filesonic.com/*login*

*speedyshare.com/login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploaded.to/*login*

*uploading.com/*login*

*uploading.com/*login*

loginUserPassword

loginUserPassword

loginUserName

loginUserName

*loginUserPassword=*

*loginUserPassword=*

*fileserv.com/login*

*fileserv.com/login*

*hotfile.com/login*

*hotfile.com/login*

*4shared.com/login*

*4shared.com/login*

txtpass

txtpass

*txtpass=*

*txtpass=*

*netload.in/index*

*netload.in/index*

*freakshare.com/login*

*freakshare.com/login*

login_pass

login_pass

*login_pass=*

*login_pass=*

*mediafire.com/*login*

*mediafire.com/*login*

*sendspace.com/login*

*sendspace.com/login*

*megaupload.*/*login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

*secure.logmein.*/*logincheck*

session[password]

session[password]

*password]=*

*password]=*

*twitter.com/sessions

*twitter.com/sessions

txtPassword

txtPassword

*&txtPassword=*

*&txtPassword=*

*.moneybookers.*/*login.pl

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*runescape*/*weblogin*

*&password=*

*&password=*

*no-ip*/login*

*no-ip*/login*

*steampowered*/login*

*steampowered*/login*

quick_password

quick_password

*hackforums.*/member.php

*hackforums.*/member.php

*facebook.*/login.php*

*facebook.*/login.php*

*login.yahoo.*/*login*

*login.yahoo.*/*login*

passwd

passwd

login

login

*passwd=*

*passwd=*

*login.live.*/*post.srf*

*login.live.*/*post.srf*

TextfieldPassword

TextfieldPassword

*TextfieldPassword=*

*TextfieldPassword=*

*gmx.*/*FormLogin*

*gmx.*/*FormLogin*

*Passwd=*

*Passwd=*

FLN-Password

FLN-Password

*FLN-Password=*

*FLN-Password=*

*pass=*

*pass=*

*bigstring.*/*index.php*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

*screenname.aol.*/login.psp*

password

password

loginId

loginId

*password=*

*password=*

*aol.*/*login.psp*

*aol.*/*login.psp*

Passwd

Passwd

*google.*/*ServiceLoginAuth*

*google.*/*ServiceLoginAuth*

login_password

login_password

login_email

login_email

*login_password=*

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

%s / ?%d HTTP/1.1

Host: %s

Host: %s

User-Agent: %s

User-Agent: %s

Mozilla/4.0

Mozilla/4.0

\\.\PHYSICALDRIVE0

\\.\PHYSICALDRIVE0

httpi

httpi

dnsapi.dll

dnsapi.dll

http://%s/%s

http://%s/%s

http://%s/

http://%s/

POST /23s

POST /23s

[%s{%s%s{%s

[%s{%s%s{%s

n%s[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

[DNS]: Redirecting "%s" to "%s"

%s|%s

%s|%s

[Logins]: Cleared %d logins

[Logins]: Cleared %d logins

FTP ->

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

http://

[Login]: %s

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Run

icon=shell32.dll,7

icon=shell32.dll,7

shellexecute=

shellexecute=

%windir%\system32\cmd.exe

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%.Trashes\%s

/c "start %Í%%.Trashes\%s

.Trashes

.Trashes

\\.\%c:

\\.\%c:

%sautorun.tmp

%sautorun.tmp

%sautorun.inf

%sautorun.inf

%0x.scr

%0x.scr

*bebo.*/c/profile/comment_post.json

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

msg_text

*facebook.*/ajax/chat/send.php*

*facebook.*/ajax/chat/send.php*

-_.!~*'()

-_.!~*'()

%s.%s hijacked!

%s.%s hijacked!

MSG %d %s %d

MSG %d %s %d

MSG %d %1s

MSG %d %1s

SDG %d %d

SDG %d %d

Content-Length: %d

Content-Length: %d

SDG %d

SDG %d

%s_0xX

%s_0xX

RegCreateKeyExW

RegCreateKeyExW

RegCreateKeyExA

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileW

URLDownloadToFileA

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestW

HttpSendRequestA

HttpSendRequestA

NtEnumerateValueKey

NtEnumerateValueKey

DNSAPI.dll

DNSAPI.dll

Secur32.dll

Secur32.dll

ShellExecuteA

ShellExecuteA

HttpQueryInfoA

HttpQueryInfoA

InternetOpenUrlA

InternetOpenUrlA

HttpQueryInfoW

HttpQueryInfoW

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

MSVCRT.dll

MSVCRT.dll

ConnectNamedPipe

ConnectNamedPipe

CreateNamedPipeA

CreateNamedPipeA

DisconnectNamedPipe

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryW

GetWindowsDirectoryA

GetWindowsDirectoryA

RegCloseKey

RegCloseKey

RegNotifyChangeKeyValue

RegNotifyChangeKeyValue

RegOpenKeyExA

RegOpenKeyExA

ADVAPI32.dll

ADVAPI32.dll

PASS %s

PASS %s

[.ShellClassInfo]

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

SSRR %s 0 0 :%s

KCIK %s

KCIK %s

SEND %s %s

SEND %s %s

PART %s

PART %s

PPPPMSG %s :%s

PPPPMSG %s :%s

QUIT :%s

QUIT :%s

PPNG %s

PPNG %s

PPPPMSG

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Login]: %s

[POP3 Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Login]: %s

[HTTP Traffic]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[DNS]: Blocked DNS "%s"

[MSN]: %s

[MSN]: %s

[HTTP]: %s

[HTTP]: %s

ftplog

ftplog

ftpinfect

ftpinfect

httplogin

httplogin

httptraff

httptraff

httpspread

httpspread

http://api.wipmania.com/

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\x_ipc

7 767<7><pre>8*808;8~8</pre><pre>{A5DCBF10-6530-11D2-901F-00C04FB951ED}</pre><pre>n\ftp.exe</pre><pre>\svchost.exe</pre><pre>%System%\ftp.exe</pre><pre>%s\Microsoft\%s.exe</pre><pre>\\.\pipe</pre><pre>Internet Explorer\iexplore.exe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\Desktop.ini</pre><pre>winlogon.exe</pre><pre>ftp.exe</pre><pre>Aadvapi32.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><b>svchost.exe_1276_rwx_00AC0000_0004E000:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>icon=shell32.dll,7</pre><pre>shellexecute=</pre><pre>%windir%\system32\cmd.exe</pre><pre>&&%%windir%%\explorer.exe %Í%%%s</pre><pre>/c "start %Í%%.Trashes\%s</pre><pre>.Trashes</pre><pre>\\.\%c:</pre><pre>%s\%s</pre><pre>%sautorun.tmp</pre><pre>%sautorun.inf</pre><pre>%0x.scr</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>j.redflash.info</pre><pre>j.artiho.com</pre><pre>j.jamtes.com</pre><pre>fbi.gov</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. [e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\31204d04</pre><pre>%System%\svchost.exe</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Microsoft\Aukmkm.exe</pre><pre>7 767<7><pre>8*808;8~8</pre><pre>%s\Microsoft\%s.exe</pre><pre>\\.\pipe</pre><pre>Internet Explorer\iexplore.exe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\Desktop.ini</pre><pre>winlogon.exe</pre><pre>ftp.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe</pre><pre>-%System%\svchost.exe</pre><pre>c:\%original file name%.exe</pre><b>ftp.exe_1724:</b><pre>.text</pre><pre>`.data</pre><pre>.rsrc</pre><pre>msvcrt.dll</pre><pre>ADVAPI32.dll</pre><pre>KERNEL32.dll</pre><pre>NTDLL.DLL</pre><pre>USER32.dll</pre><pre>WS2_32.dll</pre><pre>MSWSOCK.dll</pre><pre>PASS %s@%s</pre><pre>TYPE %s</pre><pre>TYPE %s %s</pre><pre>CWD %s</pre><pre>DELE %s</pre><pre>RNTO %s</pre><pre>RNFR %s</pre><pre>ACCT %s</pre><pre>PASS %s</pre><pre>USER %s</pre><pre>XMKD %s</pre><pre>XRMD %s</pre><pre>HELP %s</pre><pre>%s %s?</pre><pre>%s: %s</pre><pre>%s:%s</pre><pre>xpsp2res.dll</pre><pre>PORT %d,%d,%d,%d,%d,%d</pre><pre>EPRT |2|%s|%d|</pre><pre>%s %s</pre><pre>ftp.pdb</pre><pre>RegCloseKey</pre><pre>RegOpenKeyExA</pre><pre>GetProcessHeap</pre><pre>5.1.2600.5512 (xpsp.080413-0852)</pre><pre>ftp.exe</pre><pre>Windows</pre><pre>Operating System</pre><pre>5.1.2600.5512</pre><pre>Server port %1!d! in use!</pre><pre>%1 packet, foreign host %2, foreign port %3!d!:</pre><pre>ftp: error allocating memory.</pre><pre>ftp: ftp/tcp: unknown service.</pre><pre>Transfers files to and from a computer running an FTP server service</pre><pre>(sometimes called a daemon). Ftp can be used interactively.</pre><pre>FTP [-v] [-d] [-i] [-n] [-g] [-s:filename] [-a] [-w:windowsize] [-A] [host]</pre><pre>-n Suppresses auto-login upon initial connection.</pre><pre>-s:filename Specifies a text file containing FTP commands; the</pre><pre>commands will automatically run after FTP starts.</pre><pre>-A login as anonymous.</pre><pre>ftp> %0.</pre><pre>Usage: %1 host name [port]</pre><pre>%1: bad port number %2</pre><pre>We only support %1 mode.</pre><pre>We only support %1 format.</pre><pre>We only support %1 structure.</pre><pre>Use of PORT cmds: %1.</pre><pre>ftp: (%1!d! bytes/hash mark) %0.</pre><pre>Use of PORT cmds %1.</pre><pre>Usage: %1 username [password] [account]</pre><pre>Login failed.</pre><pre>Error reading password.</pre><pre>ftp: socket %0.</pre><pre>ftp: bind %0.</pre><pre>ftp: setsockopt (SO_KEEPALIVE) %0.</pre><pre>ftp: connect %0.</pre><pre>ftp: getsockname %0.</pre><pre>ftp: get %0.</pre><pre>ftp: setsockopt (reuse address) %0.</pre><pre>ftp: setsockopt (ignored) %0.</pre><pre>ftp: listen %0.</pre><pre>ftp: accept %0.</pre><pre>Password: %0.</pre><pre>ftp: WSAStartup: %0.</pre><pre>Connect to remote tftp %0.</pre><pre>Terminate ftp session %0.</pre><pre>Toggle use of PORT cmd for each data connection %0.</pre><pre>Terminate ftp session and exit %0.</pre><pre>Send arbitrary ftp command %0.</pre><pre>ftp: %1!ld! bytes received in %0.</pre><pre>ftp: %1!ld! bytes sent in %0.</pre><pre>Anonymous login failed.</pre><pre>Anonymous login succeeded for %1@%2</pre><pre>> ftp -T -T -T MohsinA5</pre><pre>ftp> put localfile /dev/null</pre><b>csrss.exe_696_rwx_00A80000_0004E000:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>icon=shell32.dll,7</pre><pre>shellexecute=</pre><pre>%windir%\system32\cmd.exe</pre><pre>&&%%windir%%\explorer.exe %Í%%%s</pre><pre>/c "start %Í%%.Trashes\%s</pre><pre>.Trashes</pre><pre>\\.\%c:</pre><pre>%s\%s</pre><pre>%sautorun.tmp</pre><pre>%sautorun.inf</pre><pre>%0x.scr</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>j.redflash.info</pre><pre>j.artiho.com</pre><pre>j.jamtes.com</pre><pre>fbi.gov</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. [e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\31204d04</pre><pre>\??\%System%\csrss.exe</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Microsoft\Aukmkm.exe</pre><pre>7 767<7><pre>8*808;8~8</pre><pre>%s\Microsoft\%s.exe</pre><pre>\\.\pipe</pre><pre>Internet Explorer\iexplore.exe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\Desktop.ini</pre><pre>winlogon.exe</pre><pre>ftp.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\system32\csrss.exe</pre><pre>c:\%original file name%.exe</pre><b>winlogon.exe_720_rwx_016F0000_0004E000:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0p</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>icon=shell32.dll,7</pre><pre>shellexecute=</pre><pre>%windir%\system32\cmd.exe</pre><pre>&&%%windir%%\explorer.exe %Í%%%s</pre><pre>/c "start %Í%%.Trashes\%s</pre><pre>.Trashes</pre><pre>\\.\%c:</pre><pre>%s\%s</pre><pre>%sautorun.tmp</pre><pre>%sautorun.inf</pre><pre>%0x.scr</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>j.redflash.info</pre><pre>j.artiho.com</pre><pre>j.jamtes.com</pre><pre>fbi.gov</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. [e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\31204d04</pre><pre>\??\%System%\winlogon.exe</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Microsoft\Aukmkm.exe</pre><pre>7 767<7><pre>8*808;8~8</pre><pre>%s\Microsoft\%s.exe</pre><pre>\\.\pipe</pre><pre>Internet Explorer\iexplore.exe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\Desktop.ini</pre><pre>winlogon.exe</pre><pre>ftp.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\system32\winlogon.exe</pre><pre>c:\%original file name%.exe</pre><b>services.exe_764_rwx_00B00000_0004E000:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>icon=shell32.dll,7</pre><pre>shellexecute=</pre><pre>%windir%\system32\cmd.exe</pre><pre>&&%%windir%%\explorer.exe %Í%%%s</pre><pre>/c "start %Í%%.Trashes\%s</pre><pre>.Trashes</pre><pre>\\.\%c:</pre><pre>%s\%s</pre><pre>%sautorun.tmp</pre><pre>%sautorun.inf</pre><pre>%0x.scr</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>j.redflash.info</pre><pre>j.artiho.com</pre><pre>j.jamtes.com</pre><pre>fbi.gov</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. [e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\31204d04</pre><pre>%System%\services.exe</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Microsoft\Aukmkm.exe</pre><pre>7 767<7><pre>8*808;8~8</pre><pre>%s\Microsoft\%s.exe</pre><pre>\\.\pipe</pre><pre>Internet Explorer\iexplore.exe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\Desktop.ini</pre><pre>winlogon.exe</pre><pre>ftp.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\system32\services.exe</pre><pre>c:\%original file name%.exe</pre><b>svchost.exe_932_rwx_00E90000_0004E000:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>icon=shell32.dll,7</pre><pre>shellexecute=</pre><pre>%windir%\system32\cmd.exe</pre><pre>&&%%windir%%\explorer.exe %Í%%%s</pre><pre>/c "start %Í%%.Trashes\%s</pre><pre>.Trashes</pre><pre>\\.\%c:</pre><pre>%s\%s</pre><pre>%sautorun.tmp</pre><pre>%sautorun.inf</pre><pre>%0x.scr</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>j.redflash.info</pre><pre>j.artiho.com</pre><pre>j.jamtes.com</pre><pre>fbi.gov</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. [e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\31204d04</pre><pre>%System%\svchost.exe</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Microsoft\Aukmkm.exe</pre><pre>7 767<7><pre>8*808;8~8</pre><pre>%s\Microsoft\%s.exe</pre><pre>\\.\pipe</pre><pre>Internet Explorer\iexplore.exe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\Desktop.ini</pre><pre>winlogon.exe</pre><pre>ftp.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe</pre><pre>c:\%original file name%.exe</pre><b>svchost.exe_1000_rwx_00B50000_0004E000:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>icon=shell32.dll,7</pre><pre>shellexecute=</pre><pre>%windir%\system32\cmd.exe</pre><pre>&&%%windir%%\explorer.exe %Í%%%s</pre><pre>/c "start %Í%%.Trashes\%s</pre><pre>.Trashes</pre><pre>\\.\%c:</pre><pre>%s\%s</pre><pre>%sautorun.tmp</pre><pre>%sautorun.inf</pre><pre>%0x.scr</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>j.redflash.info</pre><pre>j.artiho.com</pre><pre>j.jamtes.com</pre><pre>fbi.gov</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. [e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\31204d04</pre><pre>%System%\svchost.exe</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Microsoft\Aukmkm.exe</pre><pre>7 767<7><pre>8*808;8~8</pre><pre>%s\Microsoft\%s.exe</pre><pre>\\.\pipe</pre><pre>Internet Explorer\iexplore.exe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\Desktop.ini</pre><pre>winlogon.exe</pre><pre>ftp.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe</pre><pre>c:\%original file name%.exe</pre><b>svchost.exe_1092_rwx_032C0000_0004E000:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0-</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>icon=shell32.dll,7</pre><pre>shellexecute=</pre><pre>%windir%\system32\cmd.exe</pre><pre>&&%%windir%%\explorer.exe %Í%%%s</pre><pre>/c "start %Í%%.Trashes\%s</pre><pre>.Trashes</pre><pre>\\.\%c:</pre><pre>%s\%s</pre><pre>%sautorun.tmp</pre><pre>%sautorun.inf</pre><pre>%0x.scr</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>j.redflash.info</pre><pre>j.artiho.com</pre><pre>j.jamtes.com</pre><pre>fbi.gov</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. [e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\31204d04</pre><pre>%WinDir%\System32\svchost.exe</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Microsoft\Aukmkm.exe</pre><pre>7 767<7><pre>8*808;8~8</pre><pre>%s\Microsoft\%s.exe</pre><pre>\\.\pipe</pre><pre>Internet Explorer\iexplore.exe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\Desktop.ini</pre><pre>winlogon.exe</pre><pre>ftp.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe</pre><pre>c:\%original file name%.exe</pre><b>svchost.exe_1132_rwx_00830000_0004E000:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>icon=shell32.dll,7</pre><pre>shellexecute=</pre><pre>%windir%\system32\cmd.exe</pre><pre>&&%%windir%%\explorer.exe %Í%%%s</pre><pre>/c "start %Í%%.Trashes\%s</pre><pre>.Trashes</pre><pre>\\.\%c:</pre><pre>%s\%s</pre><pre>%sautorun.tmp</pre><pre>%sautorun.inf</pre><pre>%0x.scr</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>j.redflash.info</pre><pre>j.artiho.com</pre><pre>j.jamtes.com</pre><pre>fbi.gov</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. [e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\31204d04</pre><pre>%System%\svchost.exe</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Microsoft\Aukmkm.exe</pre><pre>7 767<7><pre>8*808;8~8</pre><pre>%s\Microsoft\%s.exe</pre><pre>\\.\pipe</pre><pre>Internet Explorer\iexplore.exe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\Desktop.ini</pre><pre>winlogon.exe</pre><pre>ftp.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe</pre><pre>c:\%original file name%.exe</pre><b>svchost.exe_1180_rwx_00BF0000_0004E000:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>icon=shell32.dll,7</pre><pre>shellexecute=</pre><pre>%windir%\system32\cmd.exe</pre><pre>&&%%windir%%\explorer.exe %Í%%%s</pre><pre>/c "start %Í%%.Trashes\%s</pre><pre>.Trashes</pre><pre>\\.\%c:</pre><pre>%s\%s</pre><pre>%sautorun.tmp</pre><pre>%sautorun.inf</pre><pre>%0x.scr</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>j.redflash.info</pre><pre>j.artiho.com</pre><pre>j.jamtes.com</pre><pre>fbi.gov</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. [e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\31204d04</pre><pre>%System%\svchost.exe</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Microsoft\Aukmkm.exe</pre><pre>7 767<7><pre>8*808;8~8</pre><pre>%s\Microsoft\%s.exe</pre><pre>\\.\pipe</pre><pre>Internet Explorer\iexplore.exe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\Desktop.ini</pre><pre>winlogon.exe</pre><pre>ftp.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe</pre><pre>c:\%original file name%.exe</pre><b>Explorer.EXE_1284_rwx_01DB0000_0004E000:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>icon=shell32.dll,7</pre><pre>shellexecute=</pre><pre>%windir%\system32\cmd.exe</pre><pre>&&%%windir%%\explorer.exe %Í%%%s</pre><pre>/c "start %Í%%.Trashes\%s</pre><pre>.Trashes</pre><pre>\\.\%c:</pre><pre>%s\%s</pre><pre>%sautorun.tmp</pre><pre>%sautorun.inf</pre><pre>%0x.scr</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>j.redflash.info</pre><pre>j.artiho.com</pre><pre>j.jamtes.com</pre><pre>fbi.gov</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. [e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\31204d04</pre><pre>%WinDir%\Explorer.EXE</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Microsoft\Aukmkm.exe</pre><pre>7 767<7><pre>8*808;8~8</pre><pre>%s\Microsoft\%s.exe</pre><pre>\\.\pipe</pre><pre>Internet Explorer\iexplore.exe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\Desktop.ini</pre><pre>winlogon.exe</pre><pre>ftp.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\explorer.exe</pre><pre>c:\%original file name%.exe</pre><b>spoolsv.exe_1424_rwx_00DD0000_0004E000:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>icon=shell32.dll,7</pre><pre>shellexecute=</pre><pre>%windir%\system32\cmd.exe</pre><pre>&&%%windir%%\explorer.exe %Í%%%s</pre><pre>/c "start %Í%%.Trashes\%s</pre><pre>.Trashes</pre><pre>\\.\%c:</pre><pre>%s\%s</pre><pre>%sautorun.tmp</pre><pre>%sautorun.inf</pre><pre>%0x.scr</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>j.redflash.info</pre><pre>j.artiho.com</pre><pre>j.jamtes.com</pre><pre>fbi.gov</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. [e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\31204d04</pre><pre>%System%\spoolsv.exe</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Microsoft\Aukmkm.exe</pre><pre>7 767<7><pre>8*808;8~8</pre><pre>%s\Microsoft\%s.exe</pre><pre>\\.\pipe</pre><pre>Internet Explorer\iexplore.exe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\Desktop.ini</pre><pre>winlogon.exe</pre><pre>ftp.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\system32\spoolsv.exe</pre><pre>c:\%original file name%.exe</pre><b>wmiprvse.exe_1792_rwx_00DE0000_0004E000:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>icon=shell32.dll,7</pre><pre>shellexecute=</pre><pre>%windir%\system32\cmd.exe</pre><pre>&&%%windir%%\explorer.exe %Í%%%s</pre><pre>/c "start %Í%%.Trashes\%s</pre><pre>.Trashes</pre><pre>\\.\%c:</pre><pre>%s\%s</pre><pre>%sautorun.tmp</pre><pre>%sautorun.inf</pre><pre>%0x.scr</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>j.redflash.info</pre><pre>j.artiho.com</pre><pre>j.jamtes.com</pre><pre>fbi.gov</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. [e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\31204d04</pre><pre>%System%\wbem\wmiprvse.exe</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Microsoft\Aukmkm.exe</pre><pre>7 767<7><pre>8*808;8~8</pre><pre>%s\Microsoft\%s.exe</pre><pre>\\.\pipe</pre><pre>Internet Explorer\iexplore.exe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\Desktop.ini</pre><pre>winlogon.exe</pre><pre>ftp.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\system32\wbem\wmiprvse.exe</pre><pre>c:\%original file name%.exe</pre><b>mscorsvw.exe_1924_rwx_008E0000_0004E000:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>icon=shell32.dll,7</pre><pre>shellexecute=</pre><pre>%windir%\system32\cmd.exe</pre><pre>&&%%windir%%\explorer.exe %Í%%%s</pre><pre>/c "start %Í%%.Trashes\%s</pre><pre>.Trashes</pre><pre>\\.\%c:</pre><pre>%s\%s</pre><pre>%sautorun.tmp</pre><pre>%sautorun.inf</pre><pre>%0x.scr</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>j.redflash.info</pre><pre>j.artiho.com</pre><pre>j.jamtes.com</pre><pre>fbi.gov</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. [e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\31204d04</pre><pre>%WinDir%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Microsoft\Aukmkm.exe</pre><pre>7 767<7><pre>8*808;8~8</pre><pre>%s\Microsoft\%s.exe</pre><pre>\\.\pipe</pre><pre>Internet Explorer\iexplore.exe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\Desktop.ini</pre><pre>winlogon.exe</pre><pre>ftp.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</pre><pre>c:\%original file name%.exe</pre><b>jqs.exe_1972_rwx_010C0000_0004E000:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>icon=shell32.dll,7</pre><pre>shellexecute=</pre><pre>%windir%\system32\cmd.exe</pre><pre>&&%%windir%%\explorer.exe %Í%%%s</pre><pre>/c "start %Í%%.Trashes\%s</pre><pre>.Trashes</pre><pre>\\.\%c:</pre><pre>%s\%s</pre><pre>%sautorun.tmp</pre><pre>%sautorun.inf</pre><pre>%0x.scr</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>j.redflash.info</pre><pre>j.artiho.com</pre><pre>j.jamtes.com</pre><pre>fbi.gov</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. [e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\31204d04</pre><pre>%Program Files%\Java\jre6\bin\jqs.exe</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Microsoft\Aukmkm.exe</pre><pre>7 767<7><pre>8*808;8~8</pre><pre>%s\Microsoft\%s.exe</pre><pre>\\.\pipe</pre><pre>Internet Explorer\iexplore.exe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\Desktop.ini</pre><pre>winlogon.exe</pre><pre>ftp.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\Program Files\Java\jre6\bin\jqs.exe</pre><pre>c:\%original file name%.exe</pre></7></pre></7></pre></7></pre></7></pre></7></pre></7></pre></7></pre></7></pre></7></pre></7></pre></7></pre></7></pre></7></pre></7></pre></7>