Trojan.Win32.Swrort.3.FD, GenericAutorunWorm.YR, GenericInjector.YR, PackedMoleBoxVS.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, Packed, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 715690f93c7a1f79468deffc8e432147
SHA1: b3f09bf8a88eb6aa67cb71258ba49d48c540da32
SHA256: a605dd89c34c37ca3fff432507df43cb8d6f754cc75e0c099c0d8334e7adcb62
SSDeep: 98304:19Y02Ch0TDVy7pfFPNeTp39u1bSJEwF1QKTwhhLf0iNBwox1uTyX1vyJzsq R:1xnWDVy9fF1eTR b RF1QIwvfbwoiylN
Size: 5012656 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit
Summary: Packed. A packed file can be compressed and/or encrypted in a manner that prevents matching the memory image of that file against the actual file on disk. Sometimes used for copy protection, packers are often used to make spyware harder to analyze and detect.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Packed's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Packed creates the following process(es):
net1.exe:580
net1.exe:1368
ping.exe:1484
net.exe:2008
net.exe:916
%original file name%.exe:1332
sort.exe:1788
sort.exe:868
find.exe:1376
find.exe:1264
The Packed injects its code into the following process(es):
getsusp_300373.exe:900
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process getsusp_300373.exe:900 makes changes in the file system.
The Packed creates and/or writes to the following file(s):
C:\ (4 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories (4 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Playlists (4 bytes)
%Documents and Settings%\%current user%\Favorites (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8A8D2383C68A1A48B9237A20571B2203 (360 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\A8FABA189DB7D25FBA7CAC806625FD30 (96 bytes)
%WinDir%\GetSusp.sys (588 bytes)
%Documents and Settings%\All Users\Documents\My Music (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\570FB14ABC805C46708F32F92F10C3B4 (324 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\B69D763EB21649DA26F20618312DEE70 (232 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData (8 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment (4 bytes)
%Documents and Settings%\All Users\Documents (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5 (164 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0 (4 bytes)
%System%\drivers (32 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\3130B1871A126520A8C47861EFE3ED4D (240 bytes)
%Documents and Settings%\%current user% (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\E04822AD18D472EA5B582E6E6F8C6B9A (256 bytes)
%Program Files%\Common Files\System (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Entertainment (4 bytes)
%Documents and Settings%\LocalService (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\D41693DAFE5DEF0C36959FF1FCEF5C96 (603 bytes)
%System%\config\SystemProfile (4 bytes)
%WinDir%\WinSxS (12 bytes)
%Documents and Settings%\Default User\NTUSER.DAT (36 bytes)
%WinDir%\AppPatch (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar5.tmp (2712 bytes)
%Documents and Settings%\Default User (540 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\A8FABA189DB7D25FBA7CAC806625FD30 (224 bytes)
%WinDir% (1264 bytes)
C:\$Directory (1792 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab4.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\207B9FD92391B9B2A60A89B4C965D5DF (324 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\3130B1871A126520A8C47861EFE3ED4D (521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\XP7\Logs\Network.xsl (4 bytes)
C:\PROGRAM FILES (8 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\D41693DAFE5DEF0C36959FF1FCEF5C96 (308 bytes)
%Documents and Settings%\%current user%\My Documents (4 bytes)
%System%\config (96 bytes)
%System%\wbem (1064 bytes)
%Documents and Settings%\All Users\Start Menu (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data (4 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs (4 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft (4 bytes)
%Documents and Settings%\All Users\Application Data (4 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\XP7\GetSusp1.tmp (44 bytes)
C:\DOCUMENTS AND SETTINGS (4 bytes)
%Documents and Settings%\Default User\Local Settings (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (130 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\0797C381B2F87EB5A1D5573BD15BA4F4 (37 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab6.tmp (54 bytes)
%Program Files%\Internet Explorer (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5 (933 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\E04822AD18D472EA5B582E6E6F8C6B9A (528 bytes)
%WinDir%\REGISTRATION (4 bytes)
%System%\CatRoot2\dberr.txt (155 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\570FB14ABC805C46708F32F92F10C3B4 (573 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0 (8 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft (4 bytes)
%System% (8396 bytes)
%Documents and Settings%\LocalService\Local Settings (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\E8974A4669383843486E5AFDB09650F5 (2 bytes)
%Program Files%\COMMON FILES (4 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\0797C381B2F87EB5A1D5573BD15BA4F4 (240 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0 (8 bytes)
%Program Files%\Common Files\Microsoft Shared (4 bytes)
%Documents and Settings%\%current user%\APPLICATION DATA (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WFV3.tmp (8 bytes)
%Documents and Settings%\Default User\Start Menu\Programs (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content (8 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\B69D763EB21649DA26F20618312DEE70 (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\XP7\Logs\Files.xsl (784 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5 (4 bytes)
%System%\oobe (96 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft (4 bytes)
%Program Files%\Common Files\VMware\Drivers (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games (4 bytes)
%Program Files%\WIRESHARK (16 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8A8D2383C68A1A48B9237A20571B2203 (1 bytes)
%Documents and Settings%\%current user%\Local Settings (4 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\E8974A4669383843486E5AFDB09650F5 (224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\XP7\Logs\GetSusp.xsl (196 bytes)
%Documents and Settings%\All Users (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\C554DCF706A5AAB8B360FAD227EAB9C7 (1 bytes)
%Documents and Settings%\Default User\ntuser.dat.LOG (1560 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\C554DCF706A5AAB8B360FAD227EAB9C7 (176 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\207B9FD92391B9B2A60A89B4C965D5DF (588 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
%Documents and Settings%\NetworkService\Local Settings (4 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar7.tmp (2712 bytes)
%Documents and Settings%\NetworkService (4 bytes)
The Packed deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Cab4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\GetSusp.opt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\XP7\GetSusp.opt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\XP7\GetSusp1.tmp (0 bytes)
The process %original file name%.exe:1332 makes changes in the file system.
The Packed creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\blat.dll (7370 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\libintl3.dll (3713 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\spltmp.bmp (5356 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\gawk.exe (8159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\uniq.exe (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\blat.exe (7821 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\zip.exe (7631 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\PsInfo.exe (10556 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\du.exe (6070 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\wput.exe (2603 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\regex2.dll (2289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\sleep.exe (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\date.exe (246 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\pcre3.dll (4114 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\autorunsc.exe (14680 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\AdvSplash.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\grep.exe (3739 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\pslist.exe (7328 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\libeay32.dll (29364 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\libssl32.dll (5340 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\ssleay32.dll (6842 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\libiconv2.dll (28246 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\wget.exe (14326 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\getsusp_300373.exe (51601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\unzip.exe (4782 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\psloglist.exe (4656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\sed.exe (1240 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\SARS_o.bat (5704 bytes)
The Packed deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\spltmp.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\AdvSplash.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk1.tmp (0 bytes)
The process sort.exe:1788 makes changes in the file system.
The Packed creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\XP7_info.txt (2 bytes)
The process sort.exe:868 makes changes in the file system.
The Packed creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\SARS.LOG (2 bytes)
Registry activity
The process net1.exe:580 makes changes in the system registry.
The Packed creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE D0 93 1A 79 08 52 A2 57 C9 C8 01 7C 96 98 FF"
The process net1.exe:1368 makes changes in the system registry.
The Packed creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 CF 91 61 D4 98 2B 8A E5 9C 9C E7 A5 6C 0B FB"
The process ping.exe:1484 makes changes in the system registry.
The Packed creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E 97 9D F3 7B AD C1 33 A3 C9 68 5A 79 D2 4C 17"
The process net.exe:2008 makes changes in the system registry.
The Packed creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 3F 55 F9 1E E8 CB DA E0 CF DF 15 59 83 EE 94"
The process net.exe:916 makes changes in the system registry.
The Packed creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E 2B 63 BB 5A 28 79 6B 9F 6C 2E 82 AE AA BD 67"
The process getsusp_300373.exe:900 makes changes in the system registry.
The Packed creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD ED CA CD AE 39 F9 C5 7A C4 B3 93 A4 4C 1F E1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\System\CurrentControlSet\Control\hivelist\\REGISTRY\MACHINE]
"1" = "\Device\HarddiskVolume1\Documents and Settings\Default User\NTUSER.DAT"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Packed deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
[HKLM\System\CurrentControlSet\Control\hivelist\\REGISTRY\MACHINE]
"1"
The process %original file name%.exe:1332 makes changes in the system registry.
The Packed creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D 43 8A B7 33 F5 3A 24 80 54 64 AF F6 1C 25 09"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Security Analysis Response Script - Auto Upload\Components]
"Main" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process sort.exe:1788 makes changes in the system registry.
The Packed creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 D8 4D 0A 79 7A D7 F4 4D FF 08 DB 9F 83 65 27"
The process sort.exe:868 makes changes in the system registry.
The Packed creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 8B A8 5D B6 56 5E 77 C9 B8 FE 86 77 79 9A F4"
The process find.exe:1376 makes changes in the system registry.
The Packed creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF FC F1 45 A9 A4 A1 9E 03 12 E4 49 47 05 E0 C0"
The process find.exe:1264 makes changes in the system registry.
The Packed creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 15 0A A9 23 99 6E 53 C4 31 0D E2 E9 34 CB F9"
Dropped PE files
MD5 | File path |
---|---|
53e433146f2060b01e80128652d63c36 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\PsInfo.exe |
3872fdfe8b16111a123b215956db4fac | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\autorunsc.exe |
449ddec37abe10b10400e97906528784 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\blat.dll |
c7b92f83bd2658d2ca70c24dd8df20c9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\blat.exe |
5e978ec5f615396eaa1b14334197b68e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\date.exe |
96ef10196a343b237a21a06c66fe02c0 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\du.exe |
327c50edeb8e370392d5d55018b193c0 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\gawk.exe |
83a3d89f40a05038760110b1e6e54762 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\grep.exe |
6b854ffc12e5e2c32683a03714cf6c5d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\libeay32.dll |
331f570aa7c20bc93deb7b237b21cc9c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\libiconv2.dll |
db7aabf38d66b4f8152f12e0f313d00c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\libintl3.dll |
37580b9354e984bf7c1a2b4ed7fa824b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\libssl32.dll |
57cac848fa14ae38f14f9441f8933282 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\pcre3.dll |
ad06aa36e330434560593590330222e6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\pslist.exe |
328ba584bd06c3083e3a66cb47779eac | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\psloglist.exe |
547c43567ab8c08eb30f6c6bacb479a3 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\regex2.dll |
289c007f63e4216757e3c03c38555133 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\sed.exe |
b23b2c00cb9f44b9b2d05012cfee1db4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\sleep.exe |
3f73eb468ad5f5977ca2f4cd36c46b94 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\ssleay32.dll |
959312470e74c3b2220e74ff181abece | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\uniq.exe |
fecf803f7d84d4cfa81277298574d6e6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\unzip.exe |
aa173375c21ea31b8cc615dccb54e43b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\wget.exe |
f7438fb5b244eb8a4f409dc660b469e3 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\wput.exe |
79aef4a7acaeb0e979537a4bc3dcc851 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\zip.exe |
4857084657ceff6cc7891dce8ada8507 | c:\WINDOWS\GetSusp.sys |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Packed's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click here to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
net1.exe:580
net1.exe:1368
ping.exe:1484
net.exe:2008
net.exe:916
%original file name%.exe:1332
sort.exe:1788
sort.exe:868
find.exe:1376
find.exe:1264
- Delete the original Packed file.
- Delete or disinfect the following files created/modified by the Packed:
C:\ (4 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories (4 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Playlists (4 bytes)
%Documents and Settings%\%current user%\Favorites (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8A8D2383C68A1A48B9237A20571B2203 (360 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\A8FABA189DB7D25FBA7CAC806625FD30 (96 bytes)
%WinDir%\GetSusp.sys (588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\570FB14ABC805C46708F32F92F10C3B4 (324 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\B69D763EB21649DA26F20618312DEE70 (232 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5 (164 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0 (4 bytes)
%System%\drivers (32 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\3130B1871A126520A8C47861EFE3ED4D (240 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\E04822AD18D472EA5B582E6E6F8C6B9A (256 bytes)
%Program Files%\Common Files\System (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Entertainment (4 bytes)
%Documents and Settings%\LocalService (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\D41693DAFE5DEF0C36959FF1FCEF5C96 (603 bytes)
%System%\config\SystemProfile (4 bytes)
%WinDir%\WinSxS (12 bytes)
%Documents and Settings%\Default User\NTUSER.DAT (36 bytes)
%WinDir%\AppPatch (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar5.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\A8FABA189DB7D25FBA7CAC806625FD30 (224 bytes)
C:\$Directory (1792 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab4.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\207B9FD92391B9B2A60A89B4C965D5DF (324 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\3130B1871A126520A8C47861EFE3ED4D (521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\XP7\Logs\Network.xsl (4 bytes)
C:\PROGRAM FILES (8 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\D41693DAFE5DEF0C36959FF1FCEF5C96 (308 bytes)
%Documents and Settings%\%current user%\My Documents (4 bytes)
%System%\wbem (1064 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data (4 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs (4 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft (4 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\XP7\GetSusp1.tmp (44 bytes)
C:\DOCUMENTS AND SETTINGS (4 bytes)
%Documents and Settings%\Default User\Local Settings (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (130 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\0797C381B2F87EB5A1D5573BD15BA4F4 (37 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab6.tmp (54 bytes)
%Program Files%\Internet Explorer (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5 (933 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\E04822AD18D472EA5B582E6E6F8C6B9A (528 bytes)
%WinDir%\REGISTRATION (4 bytes)
%System%\CatRoot2\dberr.txt (155 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\570FB14ABC805C46708F32F92F10C3B4 (573 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0 (8 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft (4 bytes)
%Documents and Settings%\LocalService\Local Settings (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\E8974A4669383843486E5AFDB09650F5 (2 bytes)
%Program Files%\COMMON FILES (4 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\0797C381B2F87EB5A1D5573BD15BA4F4 (240 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0 (8 bytes)
%Program Files%\Common Files\Microsoft Shared (4 bytes)
%Documents and Settings%\%current user%\APPLICATION DATA (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WFV3.tmp (8 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\B69D763EB21649DA26F20618312DEE70 (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\XP7\Logs\Files.xsl (784 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5 (4 bytes)
%System%\oobe (96 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft (4 bytes)
%Program Files%\Common Files\VMware\Drivers (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games (4 bytes)
%Program Files%\WIRESHARK (16 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8A8D2383C68A1A48B9237A20571B2203 (1 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\E8974A4669383843486E5AFDB09650F5 (224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\XP7\Logs\GetSusp.xsl (196 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\C554DCF706A5AAB8B360FAD227EAB9C7 (1 bytes)
%Documents and Settings%\Default User\ntuser.dat.LOG (1560 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\C554DCF706A5AAB8B360FAD227EAB9C7 (176 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\207B9FD92391B9B2A60A89B4C965D5DF (588 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
%Documents and Settings%\NetworkService\Local Settings (4 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar7.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\blat.dll (7370 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\libintl3.dll (3713 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\spltmp.bmp (5356 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\gawk.exe (8159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\uniq.exe (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\blat.exe (7821 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\zip.exe (7631 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\PsInfo.exe (10556 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\du.exe (6070 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\wput.exe (2603 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\regex2.dll (2289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\sleep.exe (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\date.exe (246 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\pcre3.dll (4114 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\autorunsc.exe (14680 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\AdvSplash.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\grep.exe (3739 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\pslist.exe (7328 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\libeay32.dll (29364 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\libssl32.dll (5340 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\ssleay32.dll (6842 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\libiconv2.dll (28246 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\wget.exe (14326 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\getsusp_300373.exe (51601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\unzip.exe (4782 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\psloglist.exe (4656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\sed.exe (1240 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\SARS_o.bat (5704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\XP7_info.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS.LOG (2 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Schlumberger Security Operations Team
Product Name: Security Analysis Response Script - Automatic Upload
Product Version: 1.0.7.6
Legal Copyright: (c) 2008-2013 - Unpublished work. All rights reserved.
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.7.6
File Description: Tool for IR Data Collection.
Comments:
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
.rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
.data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
.ndata | 192512 | 32768 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 225280 | 130952 | 131072 | 3.4391 | 7861b17ec4aec8476bdfecd2dc4490bd |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://e6845.ce.akamaiedge.net/pca3.crl | |
hxxp://e6845.ce.akamaiedge.net/CSC3-2004.crl | |
hxxp://crl.slb.com/CertData/SRV001PKI_Schlumberger Corporate Root CA(1).crt | 199.6.154.95 |
hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt | |
hxxp://e6845.ce.akamaiedge.net/CSC3-2009-2.crl | |
hxxp://e6845.ce.akamaiedge.net/pca3-g5.crl | |
hxxp://e6845.ce.akamaiedge.net/CSC3-2010.crl | |
hxxp://e6845.ce.akamaiedge.net/pca3-g2.crl | |
hxxp://e6845.ce.akamaiedge.net/CSC3-2009.crl | |
hxxp://a1363.g.akamai.net/pki/crl/products/WinIntPCA.crl | |
hxxp://a1363.g.akamai.net/pki/crl/products/tspca.crl | |
hxxp://crl.usertrust.com/UTN-USERFirst-Object.crl | 178.255.83.2 |
hxxp://a1363.g.akamai.net/pki/crl/products/MicrosoftRootAuthority.crl | |
hxxp://a1363.g.akamai.net/pki/crl/products/MicWinHarComPCA_2010-11-01.crl | |
hxxp://crl.microsoft.com/pki/crl/products/tspca.crl | 205.237.69.73 |
hxxp://crl.microsoft.com/pki/crl/products/WinIntPCA.crl | 205.237.69.73 |
hxxp://crl.verisign.com/pca3-g5.crl | 23.9.117.163 |
hxxp://csc3-2009-2-crl.verisign.com/CSC3-2009-2.crl | 23.9.117.163 |
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftRootAuthority.crl | 205.237.69.73 |
hxxp://crl.verisign.com/pca3-g2.crl | 23.9.117.163 |
hxxp://crl.verisign.com/pca3.crl | 23.9.117.163 |
hxxp://csc3-2010-crl.verisign.com/CSC3-2010.crl | 23.9.117.163 |
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt | 205.237.69.74 |
hxxp://CSC3-2004-crl.verisign.com/CSC3-2004.crl | |
hxxp://csc3-2009-crl.verisign.com/CSC3-2009.crl | 23.9.117.163 |
hxxp://crl.microsoft.com/pki/crl/products/MicWinHarComPCA_2010-11-01.crl | 205.237.69.73 |
csc3-2004-crl.verisign.com | 23.9.117.163 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /UTN-USERFirst-Object.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.usertrust.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 25 Jun 2014 17:26:14 GMT
Content-Type: application/x-pkcs7-crl
Content-Length: 75433
Last-Modified: Tue, 24 Jun 2014 19:46:01 GMT
Connection: close
X-CCACDN-Mirror-ID: t8edcacrl3
Accept-Ranges: bytes
<<< skipped >>>
GET /pki/crl/products/WinIntPCA.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Mon, 05 Apr 2010 23:14:32 GMT
Accept-Ranges: bytes
ETag: "07ca8bf15d5ca1:0"
Server: Microsoft-IIS/8.0
VTag: 279616832800000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 528
Cache-Control: max-age=900
Date: Wed, 25 Jun 2014 17:25:49 GMT
Connection: keep-alive
GET /pki/crl/products/tspca.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Sat, 24 May 2014 05:04:54 GMT
Accept-Ranges: bytes
ETag: "8ab194b3d77cf1:0"
Server: Microsoft-IIS/8.0
VTag: 791326843100000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 521
Cache-Control: max-age=900
Date: Wed, 25 Jun 2014 17:25:50 GMT
Connection: keep-alive
<<< skipped >>>
GET /pki/crl/products/MicrosoftRootAuthority.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Sun, 22 Jun 2014 05:05:27 GMT
Accept-Ranges: bytes
ETag: "ec45e394d78dcf1:0"
Server: Microsoft-IIS/8.0
VTag: 791166943900000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 603
Cache-Control: max-age=900
Date: Wed, 25 Jun 2014 17:26:31 GMT
Connection: keep-alive
GET /pki/crl/products/MicWinHarComPCA_2010-11-01.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Sat, 24 May 2014 05:04:55 GMT
Accept-Ranges: bytes
ETag: "4af46b4d77cf1:0"
Server: Microsoft-IIS/8.0
VTag: 438117044800000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 588
Cache-Control: max-age=900
Date: Wed, 25 Jun 2014 17:26:31 GMT
Connection: keep-alive
GET /CSC3-2009.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2009-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "295161c3f5c709ceee58f31341af4cb2:1403687411"
Last-Modified: Wed, 25 Jun 2014 09:10:11 GMT
Accept-Ranges: bytes
Content-Length: 2249
Date: Wed, 25 Jun 2014 17:25:49 GMT
Connection: keep-alive
Content-Type: application/pkix-crl
<<< skipped >>>
GET /CSC3-2004.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: CSC3-2004-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "bad60e8883e1e3037719ce5c0095e6e4:1403687410"
Last-Modified: Wed, 25 Jun 2014 09:10:10 GMT
Accept-Ranges: bytes
Content-Length: 96299
Date: Wed, 25 Jun 2014 17:25:34 GMT
Connection: keep-alive
Content-Type: application/pkix-crl
<<< skipped >>>
GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT
Accept-Ranges: bytes
ETag: "806f4cbb43dcf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 18
Date: Wed, 25 Jun 2014 17:25:43 GMT
Connection: keep-alive
X-CCC: US
X-CID: 2
1401CF3DB40B609892
GET /CertData/SRV001PKI_Schlumberger Corporate Root CA(1).crt HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.slb.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Connection: Keep-Alive
Set-Cookie: ISAWPLB{69E13F28-20AA-4495-9939-BA543948AF92}={3DA5B21E-753C-42F2-A8FD-AE14C3BA35B2}; HttpOnly; Path=/
Content-Length: 1544
Date: Wed, 25 Jun 2014 17:25:42 GMT
Content-Type: application/x-x509-ca-cert
ETag: "0253321785cb1:0"
Server: Microsoft-IIS/7.5
Accept-Ranges: bytes
Last-Modified: Mon, 15 Nov 2010 22:48:18 GMT
<<< skipped >>>
GET /CSC3-2009-2.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2009-2-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "3149437b01e8720b11bd72c13d900647:1403687410"
Last-Modified: Wed, 25 Jun 2014 09:10:10 GMT
Accept-Ranges: bytes
Content-Length: 37388
Date: Wed, 25 Jun 2014 17:25:46 GMT
Connection: keep-alive
Content-Type: application/pkix-crl
<<< skipped >>>
GET /CSC3-2010.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2010-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "94bf67ac76d178e0363ec64a6a88e27a:1403687411"
Last-Modified: Wed, 25 Jun 2014 09:10:11 GMT
Accept-Ranges: bytes
Content-Length: 130966
Date: Wed, 25 Jun 2014 17:25:47 GMT
Connection: keep-alive
Content-Type: application/pkix-crl
<<< skipped >>>
GET /pca3.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "aee817f55f40eda0bc5c25e988a42128:1396125923"
Last-Modified: Sat, 29 Mar 2014 20:45:23 GMT
Accept-Ranges: bytes
Content-Length: 933
Date: Wed, 25 Jun 2014 17:25:33 GMT
Connection: keep-alive
Content-Type: application/pkix-crl
<<< skipped >>>
GET /pca3-g5.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "895f8ccd92dfec674c94f0d04d1b63bc:1396128308"
Last-Modified: Sat, 29 Mar 2014 21:25:08 GMT
Accept-Ranges: bytes
Content-Length: 533
Date: Wed, 25 Jun 2014 17:25:47 GMT
Connection: keep-alive
Content-Type: application/pkix-crl
<<< skipped >>>
GET /pca3-g2.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "072641a27cd10308fabc881f069f37c1:1396126208"
Last-Modified: Sat, 29 Mar 2014 20:50:08 GMT
Accept-Ranges: bytes
Content-Length: 1415
Date: Wed, 25 Jun 2014 17:25:48 GMT
Connection: keep-alive
Content-Type: application/pkix-crl
<<< skipped >>>
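The two fetches above carry the user agent Microsoft-CryptoAPI/5.131.2600.5512 and return application/pkix-crl: this is revocation checking done by Windows CryptoAPI while it validates a certificate chain, something any signed binary or TLS connection on the sandbox host can trigger, not a protocol implemented by the sample. When reading sandbox network logs it helps to separate that noise from traffic that needs an analyst. The Python below is an added example, not code from the Lavasoft report or from the analysed file: it rebuilds the first CRL transaction from the headers shown above (the DER body replaced by a stand-in of the recorded length) and adds two constructed transactions for contrast, one where the CRL content type carries HTML and one upload to the hypothetical address 198.51.100.7, then labels each.

```python
"""Triage captured HTTP transactions from a sandbox network log.

Added example for this report, not code from Lavasoft or from the analysed
sample. The CRL fetch is rebuilt from the request and response headers in the
report; its body is stood in by a DER SEQUENCE tag plus filler of the recorded
length. The other two transactions and the host 198.51.100.7 are constructed
and do not appear in the report.
"""
from dataclasses import dataclass, field

CRLF = b"\r\n"


@dataclass
class Message:
    start_line: str
    headers: dict = field(default_factory=dict)  # header names lower-cased
    body: bytes = b""


def _http(lines, body=b""):
    """Assemble a raw HTTP message from header lines plus an optional body."""
    return CRLF.join(l.encode("ascii") for l in lines) + CRLF + CRLF + body


# Transaction 1: the Microsoft-CryptoAPI CRL fetch recorded in the report.
_CRL_BODY = b"\x30" + b"\x00" * 1414  # stand-in for the 1415-byte DER CRL
CRL_FETCH = _http(["GET /pca3-g2.crl HTTP/1.1", "Accept: */*",
                   "User-Agent: Microsoft-CryptoAPI/5.131.2600.5512",
                   "Host: crl.verisign.com", "Connection: Keep-Alive"]) + \
            _http(["HTTP/1.1 200 OK", "Server: Apache",
                   "Content-Length: %d" % len(_CRL_BODY),
                   "Content-Type: application/pkix-crl"], _CRL_BODY)

# Transaction 2 (constructed): same request, but the CRL content type carries
# an HTML page instead of DER, as an intercepting proxy or captive portal would.
_HTML = b"<html>blocked</html>"
BAD_CRL = _http(["GET /pca3-g2.crl HTTP/1.1",
                 "User-Agent: Microsoft-CryptoAPI/5.131.2600.5512",
                 "Host: crl.verisign.com"]) + \
          _http(["HTTP/1.1 200 OK", "Content-Length: %d" % len(_HTML),
                 "Content-Type: application/pkix-crl"], _HTML)

# Transaction 3 (constructed): an upload to a hypothetical host that no
# revocation check explains and that therefore needs analyst review.
_UPLOAD = b"id=XP7&data=c2FtcGxl"
UPLOAD = _http(["POST /upload HTTP/1.1", "User-Agent: Mozilla/4.0",
                "Host: 198.51.100.7", "Content-Length: %d" % len(_UPLOAD)], _UPLOAD) + \
         _http(["HTTP/1.1 200 OK", "Content-Length: 2", "Content-Type: text/plain"], b"ok")

SAMPLE_CAPTURE = CRL_FETCH + BAD_CRL + UPLOAD


def _read_message(buf: bytes, pos: int):
    """Parse one request or response at buf[pos]; return (Message, next_pos).
    Only Content-Length framing is supported: a chunked or truncated body is
    an error, not something to guess at."""
    end = buf.index(CRLF + CRLF, pos)
    lines = buf[pos:end].decode("latin-1").split("\r\n")
    msg = Message(start_line=lines[0])
    for line in lines[1:]:
        name, _, value = line.partition(":")
        msg.headers[name.strip().lower()] = value.strip()
    if "transfer-encoding" in msg.headers:
        raise ValueError("chunked framing not supported: " + msg.start_line)
    length = int(msg.headers.get("content-length", "0"))
    body_start = end + 4
    msg.body = buf[body_start:body_start + length]
    if len(msg.body) != length:
        raise ValueError("truncated body: " + msg.start_line)
    return msg, body_start + length


def parse_transactions(capture: bytes):
    """Split a capture of keep-alive traffic into (request, response) pairs."""
    pairs, pos = [], 0
    while pos < len(capture):
        req, pos = _read_message(capture, pos)
        resp, pos = _read_message(capture, pos)
        pairs.append((req, resp))
    return pairs


def classify(req: Message, resp: Message) -> str:
    """Label one transaction.

    revocation-check: a GET for a .crl by the Windows CryptoAPI user agent that
    really returned DER (a CRL is an ASN.1 SEQUENCE, so the first byte is 0x30).
    crl-content-mismatch: CRL content type but a non-DER body.
    review: everything else.
    """
    method, target, _ = req.start_line.split(" ", 2)
    ua = req.headers.get("user-agent", "")
    if resp.headers.get("content-type", "").split(";")[0] == "application/pkix-crl":
        if resp.body[:1] != b"\x30":
            return "crl-content-mismatch"
        if method == "GET" and target.endswith(".crl") and ua.startswith("Microsoft-CryptoAPI/"):
            return "revocation-check"
    return "review"


def triage(capture: bytes):
    """Return (host, target, label) for each transaction in the capture."""
    out = []
    for req, resp in parse_transactions(capture):
        target = req.start_line.split(" ", 2)[1]
        out.append((req.headers.get("host", ""), target, classify(req, resp)))
    return out


if __name__ == "__main__":
    for host, target, label in triage(SAMPLE_CAPTURE):
        print(f"{label:22} {host}{target}")
```

The content check matters more than the user-agent check: a CryptoAPI request answered with HTML under the CRL content type is exactly what an intercepting proxy produces, and that case silently degrades revocation checking on the client, so it is reported separately rather than folded into "review". Chunked responses are rejected instead of guessed at, because a wrong frame boundary would misattribute bytes to the next transaction.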
Map
The Packed connects to the servers at the following location(s):
Strings from Dumps
cmd.exe_1076:
.text
`.data
.rsrc
KERNEL32.dll
NTDLL.DLL
msvcrt.dll
USER32.dll
SetConsoleInputExeNameW
APerformUnaryOperation: '%c'
APerformArithmeticOperation: '%c'
ADVAPI32.dll
SHELL32.dll
MPR.dll
RegEnumKeyW
RegDeleteKeyW
RegCloseKey
RegOpenKeyW
RegCreateKeyExW
RegOpenKeyExW
ShellExecuteExW
CmdBatNotification
GetWindowsDirectoryW
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
_pipe
GetProcessWindowStation
cmd.pdb
%EXEDIR%\%GETSUSPCMD% --silent --ePO --offline --COMMENT="SARS Version %SARSVer% COMPUTERNAME: %computername% DATE: %DATESTAMP%" --ZIPPATH=%EXEDIR%
MOVE %EXEDIR%\%computername%\*.zip %EXEDIR% 1>NUL 2>NUL
IF NOT ERRORLEVEL 0 CALL :writesarslogentry mcafee_getsusp, "ERROR: (%ERRORLEVEL%) EXECUTING COMMAND: %GETSUSPCMD% --silent --offline --COMMENT="SARS Version %SARSVer% COMPUTERNAME: %computername% DATE: %DATESTAMP%" --ZIPPATH=%EXEDIR%"
CALL :writesarslogentry mcafee_getsusp, "End Running McAfee GetSusp Version %GETSUSPCMD%"
ECHO * This system appears to be running Windows 2000 *
ECHO * This operating system is no longer supported *
ECHO * http://www.ithelp.slb.com *
IF DEFINED DEBUG CALL :writesarslogentry os_warning, "* This system appears to be running Windows 2000 *"
IF DEFINED DEBUG CALL :writesarslogentry os_warning, "* This operating system is no longer supported *"
IF DEFINED DEBUG CALL :writesarslogentry os_warning, "* http://www.ithelp.slb.com *"
::References: http://www.dostips.com/DtTipsStringManipulation.php#Snippets.MidString
ECHO * Script Version: %SARSVer%
ECHO * Date/Time: %DATESTAMP%
ECHO * Computer Name: %COMPUTERNAME%
IF DEFINED DEBUG CALL :writesarslogentry banner, "* Script Version: %SARSVer%"
IF DEFINED DEBUG CALL :writesarslogentry banner, "* Date/Time: %DATESTAMP%"
IF DEFINED DEBUG CALL :writesarslogentry banner, "* Computer Name: %COMPUTERNAME%"
IF DEFINED DEBUG CALL :writesarslogentry banner, "* Spawned From: %SPAWNLOCATION%"
::Executes the GNU date utility becuase it is more accurate and returns a DATE
FOR /f %%a in ('%SPATH%\date.exe -u %%Y%%m%%d') DO SET archive_date=%%a
IF NOT ERRORLEVEL 0 CALL :writesarslogentry get_archive_name, "ERROR: (%ERRORLEVEL%) EXECUTING COMMAND: %SPATH%\date.exe -u %%Y%%m%%d"
FOR /f %%a in ('%SPATH%\date.exe -u %%H%%M%%S') DO SET archive_time=%%a
IF NOT ERRORLEVEL 0 CALL :writesarslogentry get_archive_name, "ERROR: (%ERRORLEVEL%) EXECUTING COMMAND: %SPATH%\date.exe -u %%H%%M%%S"
SET ARCNME=%archive_date%_%archive_time%_%computername%
IF DEFINED DEBUG CALL :writesarslogentry get_archive_name, "Archive Name ==> %archive_date%_%archive_time%_%computername%"
::1.0.7.0
get_web_version
CALL :get_web_version
::Gets the current version posted on the WEB.
:get_web_version <value></value>
CALL :writesarslogentry get_web_version, "Start Checking the posted Web Version of SARS"
CALL :reachable REACHABLE "www.secops.slb.com"
IF DEFINED DEBUG ECHO [get_web_version]Connectivity www.secops.slb.com got an ANSWER of %REACHABLE%
IF %REACHABLE%==N SET /p SARSWeb=%SARSVer% & GOTO :EOF
CALL :writesarslogentry get_web_version, "Getting currently published SARS Version!"
TITLE %SARSTITLE%
IF DEFINED DEBUG ECHO [get_web_version]About to run WGET
%EXEDIR%\wget --output-document=%LOGDIR%\web_version.txt --connect-timeout=2 --verbose http://www.secops.slb.com/version/sars/ 1> %LOGDIR%\web_errors.txt 2> %LOGDIR%\web_output.txt
IF DEFINED DEBUG ECHO [get_web_version]Executed the WGET Command
IF NOT ERRORLEVEL 0 CALL :writesarslogentry get_web_version, "ERROR: (%ERRORLEVEL%) EXECUTING COMMAND: %EXEDIR%\wget --output
CMD Internal Error %s
)(&&())))(&))
)&((&)&))&())
)&((&)&)&()))
)(&&()))&))))
CMD.EXE
()|&=,;"
COPYCMD
\XCOPY.EXE
CMDCMDLINE
WKERNEL32.DLL
Software\Policies\Microsoft\Windows\System
0123456789
cmd.exe
DIRCMD
%d.%d.d
Ungetting: '%s'
DisableCMD
GeToken: (%x) '%s'
%s\Shell\Open\Command
%x %c
*** Unknown type: %x
Args: `%s'
Cmd: %s Type: %x
%s (%s) %s
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SARS\executables\getsusp_300373 --silent --ePO --offline --COMMENT="SARS Version 1.0.7.6 COMPUTERNAME: XP7 DATE: 20140625_172535" --ZIPPATH=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SARS\executables
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SARS\executables\getsusp_300373.exe
NAME: XP7 DATE: 20140625_172535" --ZIPPATH=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SARS\executables
o %eMail% -f %fromeMail% %subj% %server% %mdebug% %x%"
nameOperations
> %LOGDIR%\%COMPUTERNAME%_pending_moves.txt"
ort.csv >> FOUNDINMDL.txt
.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
NDOWS;%WinDir%\System32\Wbem;c:\Program Files\Wireshark;C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SARS\executables
-vi "slb.atosorigin-asp.com" ^| sort ^| uniq -ui') do findstr /I /C:"%%A" mdl_export.csv >> FOUNDINMDL.txt
CMDEXTVERSION
KEYS
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SARS
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SARS\executables
%s %s
(%s) %s
%s %s%s
&()[]{}^=;!%' ,`~
d%sd%s
-%sd%sd%sd
d%sd%sd
%s=%s
X-X
.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS
<> -*/%()|^&=,
\CMD.EXE
Windows Command Processor
5.1.2600.5512 (xpsp.080413-2111)
Cmd.Exe
Windows
Operating System
5.1.2600.5512
Press any key to continue . . . %0
operable program or batch file.
The system cannot execute the specified program.
and press any key when ready. %0
Microsoft Windows XP [Version %1]%0
a pipe operation.
KEYS is on.
KEYS is off.
The process tried to write to a nonexistent pipe.
The switch /Y may be preset in the COPYCMD environment variable.
to prompt on overwrites unless COPY command is being executed from
Switches may be preset in the DIRCMD environment variable. Override
Quits the CMD.EXE program (command interpreter) or the current batch
CMD.EXE. If executed from outside a batch script, it
will quit CMD.EXE
ERRORLEVEL that number. If quitting CMD.EXE, sets the process
Displays or sets a search path for executable files.
Type PATH ; to clear all search-path settings and direct cmd.exe to search
Changes the cmd.exe command prompt.
$B | (pipe)
$V Windows XP version number
Displays, sets, or removes cmd.exe environment variables.
Displays the Windows XP version.
Tells cmd.exe whether to verify that your files are written correctly to a
Records comments (remarks) in a batch file or CONFIG.SYS.
Press any key to continue . . . %0
Directs cmd.exe to a labeled line in a batch program.
NOT Specifies that Windows XP should carry out
will execute the command after the ELSE keyword if the
I The new environment will be the original environment passed
to the cmd.exe and not the current environment.
SEPARATE Start 16-bit Windows program in separate memory space
SHARED Start 16-bit Windows program in shared memory space
If it is an internal cmd command or a batch file then
the command processor is run with the /K switch to cmd.exe.
If it is not an internal cmd command or batch file then
parameters These are the parameters passed to the command/program
under Windows XP.
Starts a new instance of the Windows XP command interpreter
CMD [/A | /U] [/Q] [/D] [/E:ON | /E:OFF] [/F:ON | /F:OFF] [/V:ON | /V:OFF]
/D Disable execution of AutoRun commands from registry (see below)
/A Causes the output of internal commands to a pipe or file to be ANSI
/U Causes the output of internal commands to a pipe or file to be
variable var at execution time. The %var% syntax expands variables
of an executable file.
If /D was NOT specified on the command line, then when CMD.EXE starts, it
either or both are present, they are executed first.
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
can enable or disable extensions for all invocations of CMD.EXE on a
following REG_DWORD values in the registry using REGEDT32.EXE:
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
particular invocation of CMD.EXE with the /V:ON or /V:OFF switch. You
can enable or disable completion for all invocations of CMD.EXE on a
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
at execution time.
CMD.EXE with the /F:ON or /F:OFF switch. You can enable or disable
completion for all invocations of CMD.EXE on a machine and/or user logon
the registry using REGEDT32.EXE:
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
Shift key with the control character will move through the list
&()[]{}^=;!%' ,`~
Command Processor Extensions enabled by default. Use CMD /? for details.
ASSOC [.ext[=[fileType]]]
.ext Specifies the file extension to associate the file type with
ASSOC .pl=PerlScript
FTYPE PerlScript=perl.exe %%1 %%*
script.pl 1 2 3
set PATHEXT=.pl;%%PATHEXT%%
The restartable option to the COPY command is not supported by
this version of the operating system.
The following usage of the path operator in batch-parameter
The unicode output option to CMD.EXE is not supported by this
version of the operating system.
If Command Extensions are enabled the DATE command supports
If Command Extensions are enabled the TIME command supports
If Command Extensions are enabled the PROMPT command supports
is pretty simple and supports the following operations, in decreasing
! ~ - - unary operators
* / %% - arithmetic operators
- - arithmetic operators
&= ^= |= <<= >>=
If you use any of the logical or modulus operators, you will need to
values. If SET /A is executed from the command line outside of a
assignment operator requires an environment variable name to the left of
the assignment operator. Numeric values are decimal numbers, unless
occurrence of the remaining portion of str1.
Finally, support for delayed environment variable expansion has been
added. This support is always disabled by default, but may be
enabled/disabled via the /V command line switch to CMD.EXE. See CMD /?
of text is read, not when it is executed. The following example
So the actual FOR loop we are executing is:
%%CD%% - expands to the current directory string.
%%DATE%% - expands to current date using same format as DATE command.
%%CMDEXTVERSION%% - expands to the current Command Processor Extensions
%%CMDCMDLINE%% - expands to the original command line that invoked the
If Command Extensions are enabled the SHIFT command supports
control is passed to the statement after the label specified. You must
%%4 %%5 ...)
CMD /? for details.
This works because on old versions of CMD.EXE, SETLOCAL does NOT
command execution.
non-executable files may be invoked through their file association just
by typing the name of the file as a command. (e.g. WORD.DOC would
launch the application associated with the .DOC file extension).
When executing an application that is a 32-bit GUI application, CMD.EXE
the command prompt. This new behavior does NOT occur if executing
When executing a command line whose first token is the string "CMD "
without an extension or path qualifier, then "CMD" is replaced with
the value of the COMSPEC variable. This prevents picking up CMD.EXE
When executing a command line whose first token does NOT contain an
extension, then CMD.EXE uses the value of the PATHEXT
.COM;.EXE;.BAT;.CMD
When searching for an executable, if there is no match on any extension,
If Command Extensions are enabled, and running on the Windows XP
forms of the FOR command are supported:
Walks the directory tree rooted at [drive:]path, executing the FOR
passes the first blank separated token from each line of each file.
is a quoted string which contains one or more keywords to specify
different parsing options. The keywords are:
be passed to the for body for each iteration.
where a back quoted string is executed as a
FOR /F "eol=; tokens=2,3* delims=, " %%i in (myfile.txt) do @echo %%i %%j %%k
would parse each line in myfile.txt, ignoring lines that begin with
a semicolon, passing the 2nd and 3rd token from each line to the for
line, which is passed to a child CMD.EXE and the output is captured
IF CMDEXTVERSION number command
The CMDEXTVERSION conditional works just like ERRORLEVEL, except it is
CMDEXTVERSION conditional is never true when Command Extensions are
%%CMDCMDLINE%% will expand into the original command line passed to
CMD.EXE prior to any processing by CMD.EXE, provided that there is not
already an environment variable with the name CMDCMDLINE, in which case
%%CMDEXTVERSION%% will expand into a string representation of the
current value of CMDEXTVERSION, provided that there is not already
an environment variable with the name CMDEXTVERSION, in which case you
under Windows XP, as command line editing is always enabled.
CMD.EXE was started with the above path as the current directory.
UNC paths are not supported. Defaulting to Windows directory.
CMD does not support UNC paths as current directories.
UNC paths not supported for current directory. Using
to create temporary drive letter to support UNC current
Missing operand.
Missing operator.
The COMSPEC environment variable does not point to CMD.EXE.
The FAT File System only support Last Write Times
of a batch script is reached, an implied ENDLOCAL is executed for any
application execution.
The switch /Y may be present in the COPYCMD environment variable.
to prompt on overwrites unless MOVE command is being executed from
when CMD.EXE started. This value either comes from the current console
The COLOR command sets ERRORLEVEL to 1 if an attempt is made to execute
getsusp_300373.exe_900:
!Win32 .EXE.
.MPRESS1
`.MPRESS2
`.rsrc
t4Jt.Ju1 ]
N8SSh
PWSSh(
Pj.j.SW
Pj*j%SW
[u.jD
!"#$%&'()* ,-..CC/0C122C34456789:CC;<=>?@AACCCCCCBBBBBBBB
Ht.Ht!
It.It
SSh0~q
F( %U
3333333
?\u%f
FTPh8
St.Ht
FTPh
.itst
PSSSh
SSSSh
FTPQ
F4PSSh
t j%S
!!!!!!""#$%&'(((((())* ,-.CCCCCCCC//C01234445656789:;9:;CCC<=>?@AB
FTPS
d/d/%d d:d
HTTPS
161.69.31.104
GetUdpTable
AllocateAndGetUdpExTableFromStack
GetExtendedUdpTable
GetTcpTable
AllocateAndGetTcpExTableFromStack
GetExtendedTcpTable
%u.%u.%u.%u:%u
<?xml-stylesheet type="text/xsl" href="Logs\GetSusp.xsl"?>
<?xml-stylesheet type="text/xsl" href="Network.xsl"?>
<?xml-stylesheet type="text/xsl" href="Files.xsl"?>
\GetSusp.sys
GetSusp1.tmp
Logs\McAfee-Product.txt
Logs\Files.xml
Logs\Files.xsl
Logs\Trace.log
Logs\Network.xsl
Logs\Network.xml
Logs\GetSusp.xsl
Logs\GetSusp.log
GetSusp.tmp
GetSusp.xml
\Windows\assembly\GAC_MSIL
avvclean.dat
avvnames.dat
avvscan.dat
XXXXXX
FramePkg.exe
\MCAFEE SECURITY SCAN\UNINSTALL.EXE
\Windows\assembly\NativeImages
Autoconfig-Url
Proxy-Port
3.0.0.373
EngineVersionMajor %d
AVDatVersion %d
AVDatDate %s
Task/Actions/Exec/Arguments
Task/Actions/Exec/Command
Windows-Firewall
%commonprogramw6432%
%commonprogramfiles%
Run-Key
\Prefetch\NTOSBOOT-B00DFAAD.pf
0123456789
%WinDir%\assembly\NativeImages
Received unknown IO request type %d
rundll32.exe
server_passwd
url_artemis
url_upload
Unknown-Error %d
Windows 2000
Windows XP
Web Edition
Windows Server 2003,
Windows XP Professional x64 Edition
Windows Home Server
Windows Storage Server 2003
Windows Server 2003 R2,
Web Server Edition
Windows Server 2012
Windows 8
Windows Server 2008 R2
Windows 7
Windows Server 2008
Windows Vista
--password
1.3.6.1.4.1.311.72.1.1
Status: 0x%x
network.proxy.autoconfig_url
network.proxy.http_port
"network.proxy.http"
network.proxy.type
network.proxy
.rsrc
config.dat
u.u
Copyright (c) McAfee Inc. u. Created on u-%s-u. Version:%u.u
'%s' Driver
KERNEL32.dll
%WinDir%\TEST.EXE
).EXPORT
).COPY
.ITEM
.dump
midiOutShortMsg
midiOutLongMsg
keybd_event
WinExecErrorW
WinExecErrorA
WinExec
WaitNamedPipeW
WaitNamedPipeA
WSARecvMsg
WSAAsyncGetServByPort
VkKeyScanW
VkKeyScanExW
VkKeyScanExA
VkKeyScanA
UpdateICMRegKeyW
UpdateICMRegKeyA
UnregisterHotKey
UnloadKeyboardLayout
UnhookWindowsHookEx
UnhookWindowsHook
TransactNamedPipe
TileWindows
ShellExecuteW
ShellExecuteExW
ShellExecuteExA
ShellExecuteA
SetWindowsHookW
SetWindowsHookExW
SetWindowsHookExA
SetWindowsHookA
SetViewportOrgEx
SetViewportExtEx
SetProcessWindowStation
SetProcessShutdownParameters
SetNamedPipeHandleState
SetKeyboardState
SetConsoleOutputCP
ScaleViewportExtEx
SHFileOperationW
SHFileOperationA
ReportEventW
ReportEventA
RegisterHotKey
RegUnLoadKeyW
RegUnLoadKeyA
RegSetKeySecurity
RegSaveKeyW
RegSaveKeyA
RegRestoreKeyW
RegRestoreKeyA
RegReplaceKeyW
RegReplaceKeyA
RegQueryInfoKeyW
RegQueryInfoKeyA
RegOpenKeyW
RegOpenKeyExW
RegOpenKeyExA
RegOpenKeyA
RegNotifyChangeKeyValue
RegLoadKeyW
RegLoadKeyA
RegGetKeySecurity
RegFlushKey
RegEnumKeyW
RegEnumKeyExW
RegEnumKeyExA
RegEnumKeyA
RegDeleteKeyW
RegDeleteKeyA
RegCreateKeyW
RegCreateKeyExW
RegCreateKeyExA
RegCreateKeyA
RegCloseKey
ProcessHRC
PeekNamedPipe
OpenWindowStationW
OpenWindowStationA
OleExecute
OffsetViewportOrgEx
OemKeyScan
MsgWaitForMultipleObjects
MapVirtualKeyW
MapVirtualKeyExW
MapVirtualKeyExA
MapVirtualKeyA
LoadKeyboardLayoutW
LoadKeyboardLayoutA
LoadKeyboardLayoutA
ImpersonateNamedPipeClient
ImpersonateNamedPipeClient
ImmSimulateHotKey
ImmSimulateHotKey
ImmGetVirtualKey
ImmGetVirtualKey
GetWindowsDirectoryW
GetWindowsDirectoryW
GetWindowsDirectoryA
GetWindowsDirectoryA
GetViewportOrgEx
GetViewportOrgEx
GetViewportExtEx
GetViewportExtEx
GetTcpStatisticsEx
GetTcpStatisticsEx
GetTcpStatistics
GetTcpStatistics
GetServiceKeyNameW
GetServiceKeyNameW
GetServiceKeyNameA
GetServiceKeyNameA
GetProcessWindowStation
GetProcessWindowStation
GetProcessShutdownParameters
GetProcessShutdownParameters
GetProcessHeaps
GetProcessHeaps
GetProcessHeap
GetProcessHeap
GetNamedPipeInfo
GetNamedPipeInfo
GetNamedPipeHandleStateW
GetNamedPipeHandleStateW
GetNamedPipeHandleStateA
GetNamedPipeHandleStateA
GetLargestConsoleWindowSize
GetLargestConsoleWindowSize
GetKeyboardType
GetKeyboardType
GetKeyboardState
GetKeyboardState
GetKeyboardLayoutNameW
GetKeyboardLayoutNameW
GetKeyboardLayoutNameA
GetKeyboardLayoutNameA
GetKeyboardLayoutList
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyboardLayout
GetKeyState
GetKeyState
GetKeyNameTextW
GetKeyNameTextW
GetKeyNameTextA
GetKeyNameTextA
GetConsoleOutputCP
GetConsoleOutputCP
GetCPInfo
GetCPInfo
GetAsyncKeyState
GetAsyncKeyState
FindExecutableW
FindExecutableW
FindExecutableA
FindExecutableA
ExitWindowsEx
ExitWindowsEx
EnumWindows
EnumWindows
EnumWindowStationsW
EnumWindowStationsW
EnumWindowStationsA
EnumWindowStationsA
EnumThreadWindows
EnumThreadWindows
EnumPortsW
EnumPortsW
EnumPortsA
EnumPortsA
EnumDesktopWindows
EnumDesktopWindows
EnumChildWindows
EnumChildWindows
DisconnectNamedPipe
DisconnectNamedPipe
DeletePortW
DeletePortW
DeletePortA
DeletePortA
CreateWindowStationW
CreateWindowStationW
CreateWindowStationA
CreateWindowStationA
CreatePipe
CreatePipe
CreateNamedPipeW
CreateNamedPipeW
CreateNamedPipeA
CreateNamedPipeA
CreateIoCompletionPort
CreateIoCompletionPort
CreateDialogIndirectParamW
CreateDialogIndirectParamW
CreateDialogIndirectParamA
CreateDialogIndirectParamA
ConnectNamedPipe
ConnectNamedPipe
ConfigurePortW
ConfigurePortW
ConfigurePortA
ConfigurePortA
CloseWindowStation
CloseWindowStation
CascadeWindows
CascadeWindows
CallNamedPipeW
CallNamedPipeW
CallNamedPipeA
CallNamedPipeA
CallMsgFilterW
CallMsgFilterW
CallMsgFilterA
CallMsgFilterA
ArrangeIconicWindows
ArrangeIconicWindows
AddPortW
AddPortW
AddPortA
AddPortA
ActivateKeyboardLayout
ActivateKeyboardLayout
WINSTART.BAT
WINSTART.BAT
AUTOEXEC.BAT
AUTOEXEC.BAT
SCRIPT.INI
SCRIPT.INI
NICK
NICK
OUTLOOK.APPLICATION
OUTLOOK.APPLICATION
SCRIPTING.FILESYSTEMOBJECT
SCRIPTING.FILESYSTEMOBJECT
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\
HKEY_LOCAL_MACHINE\
HKEY_LOCAL_MACHINE\
MSGBOX
MSGBOX
JOIN
JOIN
.GzVBj/&IA42[vrC89pEhqO
.GzVBj/&IA42[vrC89pEhqO
.encode
.encode
%s:x
%s:x
%s:x,x,x
%s:x,x,x
KERNEL32.DLL
KERNEL32.DLL
%WinDir%\
%WinDir%\
/usr/lib/test.so
/usr/lib/test.so
%WinDir%\TEST.DLL
%WinDir%\TEST.DLL
%WinDir%
%WinDir%
join
join
export
export
.memory_hook
.memory_hook
ÌdiouxXeEfgGnpsSaA
ÌdiouxXeEfgGnpsSaA
%WinDir%\SYSTEM32\
%WinDir%\SYSTEM32\
%WinDir%\SYSTEM
%WinDir%\SYSTEM
%d.d.d
%d.d.d
Timer, %u, 1/100ms,
Timer, %u, 1/100ms,
EINF, AV_APIVERSION_V%c
EINF, AV_APIVERSION_V%c
%s DAT version %ld.ld (%d.d)
%s DAT version %ld.ld (%d.d)
Driver version %ld (%d.d)
Driver version %ld (%d.d)
API version (%s - %s) API: V%d.d
API version (%s - %s) API: V%d.d
MCSCAN32.DLL
MCSCAN32.DLL
EREP, %d,
EREP, %d,
rwabs32.dll
rwabs32.dll
MCTOOL.EXE
MCTOOL.EXE
calwin32.dll
calwin32.dll
mcscan.log
mcscan.log
mcscan.vlt
mcscan.vlt
seqnum_%ld_thread_%s_
seqnum_%ld_thread_%s_
[%s;%s;%s]
[%s;%s;%s]
Scan started at: %s
Scan started at: %s
Scan completed at: %s
Scan completed at: %s
, %s: '%s'
, %s: '%s'
%s: '%s'
%s: '%s'
* %4s........ GFS Disabled
* %4s........ GFS Disabled
,not scanned (code %d)
,not scanned (code %d)
,not scanned (not executable).
,not scanned (not executable).
%s, %u, %u, %u,
%s, %u, %u, %u,
%s, %u, %u, %u
%s, %u, %u, %u
%s, %s
%s, %s
%s, %lu
%s, %lu
,%s {
,%s {
, %s, %s
, %s, %s
%s:%d
%s:%d
%sx
%sx
x -> x
x -> x
x [ xx ]
x [ xx ]
%s %s, %s
%s %s, %s
%s, %u
%s, %u
%s %lu
%s %lu
%s %d
%s %d
%s (%s - action %d)
%s (%s - action %d)
,not repaired (code %d)
,not repaired (code %d)
%s %s
%s %s
, normal hit "%s"
, normal hit "%s"
, negative hit "%s"
, negative hit "%s"
, "%s"
, "%s"
%s%lu
%s%lu
Leaving container (%d)
Leaving container (%d)
Entering container (%d)
Entering container (%d)
RegDeleteKeyExW
RegDeleteKeyExW
scan.dat
scan.dat
names.dat
names.dat
clean.dat
clean.dat
extra.dat
extra.dat
%s%c%s
%s%c%s
RegDeleteKeyExA
RegDeleteKeyExA
%s (ID X, VER X)
%s (ID X, VER X)
ERR_OPERATION_FAILED
ERR_OPERATION_FAILED
%s(X)
%s(X)
Runtime Check failed: %s in %s at line %d.
Runtime Check failed: %s in %s at line %d.
1.0.4
1.0.4
WFV*.tmp
WFV*.tmp
vd
vd
%c_%s
%c_%s
\\.\MCSCAN32.VXD
\\.\MCSCAN32.VXD
.data
.data
.petite
.petite
.tlsdir
.tlsdir
.neolit
.neolit
.avp-md
.avp-md
.ficken
.ficken
.BJFnt
.BJFnt
.pklstb
.pklstb
Emu Buffer written to %s
Emu Buffer written to %s
(x)x:
(x)x:
-_@{}~`!#() =[]
-_@{}~`!#() =[]
SYSTEM.INI
SYSTEM.INI
WIN.INI
WIN.INI
NTVDM.EXE
NTVDM.EXE
VDMDBG.DLL
VDMDBG.DLL
PSAPI.DLL
PSAPI.DLL
windows
windows
^$.[()|? *\
^$.[()|? *\
.tbz2
.tbz2
x.OLE
x.OLE
lld.ie
lld.ie
lx.OLE
lx.OLE
kernel32.dll
kernel32.dll
.relo2
.relo2
x.EXE
x.EXE
PEBUNDLE.LNK
PEBUNDLE.LNK
TEMP$01.EXE
TEMP$01.EXE
x.%.3s
x.%.3s
x.EML
x.EML
::DataSpace/Storage/MSCompressed/Transform/{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/ResetTable
::DataSpace/Storage/MSCompressed/Transform/{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/ResetTable
::DataSpace/Storage/MSCompressed/Transform/{0A9007C6-4076-11D3-8789-0000F8105754}/InstanceData/ResetTable
::DataSpace/Storage/MSCompressed/Transform/{0A9007C6-4076-11D3-8789-0000F8105754}/InstanceData/ResetTable
LINKCMDL.OLE
LINKCMDL.OLE
%lu%s
%lu%s
lX.VCH
lX.VCH
lX.OLE
lX.OLE
__SRP_%x
__SRP_%x
"$"#,##0_);\(
"$"#,##0_);\(
wininit.ini
wininit.ini
%s %s==0x%lx
%s %s==0x%lx
%s - %s %s - %s 0x%lx %s 0x%lx
%s - %s %s - %s 0x%lx %s 0x%lx
%s - %s %s - retrieved 0x%lx bytes from cache position 0x%lx
%s - %s %s - retrieved 0x%lx bytes from cache position 0x%lx
%s - %s %s - Read FAILURE error code %d %s 0x%lx %s 0x%lx
%s - %s %s - Read FAILURE error code %d %s 0x%lx %s 0x%lx
%s - %s read in 0 bytes - %s 0x%lx %s 0x%lx
%s - %s read in 0 bytes - %s 0x%lx %s 0x%lx
%s - %s %s %s 0x%lx %s 0x%lx
%s - %s %s %s 0x%lx %s 0x%lx
%s - %s %s - read 0x%lx %s 0x%lx
%s - %s %s - read 0x%lx %s 0x%lx
%s - %s %s %d %s 0x%lx %s 0x%lx
%s - %s %s %d %s 0x%lx %s 0x%lx
%s - %s 0x%lx,%s 0x%lx
%s - %s 0x%lx,%s 0x%lx
NTDLL.DLL
NTDLL.DLL
\\.\vwin32
\\.\vwin32
\\.\PhysicalDrive%ud
\\.\PhysicalDrive%ud
\\.\%c:
\\.\%c:
Address_x.mem
Address_x.mem
%s_x.mem
%s_x.mem
PID\%d
PID\%d
Ntdll.dll
Ntdll.dll
Kernel32.dll
Kernel32.dll
x.PDF
x.PDF
x,
x,
dwordbe:x
dwordbe:x
dword:x
dword:x
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\
script00.wsc
script00.wsc
content%d.rtf
content%d.rtf
attach%d.dat
attach%d.dat
X.%s
X.%s
0000000000000000000
0000000000000000000
h.dllhel32hkern
h.dllhel32hkern
rsrc.rsrrelo.relUPX1UPX0ExeS.eda
rsrc.rsrrelo.relUPX1UPX0ExeS.eda
rsrc.rsrrelo.relnoesExeS.eda.res
rsrc.rsrrelo.relnoesExeS.eda.res
.Ncryo
.Ncryo
.De-vir
.De-vir
x.B64
x.B64
x.bin
x.bin
operator
operator
deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler
deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler
1.2.5
1.2.5
zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
.?AV?$TIndexedManifestSection@E@@
.?AV?$TIndexedManifestSection@E@@
.?AVCNAICmdTarget@@
.?AVCNAICmdTarget@@
.?AVCPublicKeySection@@
.?AVCPublicKeySection@@
.?AVCExecLibrary@@
.?AVCExecLibrary@@
.?AVItfIndexedValidationDataStore@@
.?AVItfIndexedValidationDataStore@@
.?AVCFileContentDecoratorBufferOperationsToBlockOperations@@
.?AVCFileContentDecoratorBufferOperationsToBlockOperations@@
.?AV?$TKeyDataSet@UTOpt@CEmuOpt@EmulatorCPU@@I@@
.?AV?$TKeyDataSet@UTOpt@CEmuOpt@EmulatorCPU@@I@@
.?AV?$TKeyDataSet@KI@@
.?AV?$TKeyDataSet@KI@@
.?AV?$TKeyDataSet@U?$TObjSetRecord@UTImpSym@CGenDecode@@@@I@@
.?AV?$TKeyDataSet@U?$TObjSetRecord@UTImpSym@CGenDecode@@@@I@@
.?AV?$TKeyDataSet@U?$TObjSetRecord@UTImpLib@CGenDecode@@@@I@@
.?AV?$TKeyDataSet@U?$TObjSetRecord@UTImpLib@CGenDecode@@@@I@@
.?AV?$TKeyDataSet@U?$TObjSetRecord@V?$TSetBase@U?$TDataSetRecord@KKK@@ABU1@K@@@@I@@
.?AV?$TKeyDataSet@U?$TObjSetRecord@V?$TSetBase@U?$TDataSetRecord@KKK@@ABU1@K@@@@I@@
.?AV?$TKeyDataSet@U?$TObjSetRecord@V?$TSetBase@U?$TDataSetRecord@III@@ABU1@I@@@@I@@
.?AV?$TKeyDataSet@U?$TObjSetRecord@V?$TSetBase@U?$TDataSetRecord@III@@ABU1@I@@@@I@@
.?AV?$TKeyDataSet@UTFindEP@CiPEPolyHeur@@I@@
.?AV?$TKeyDataSet@UTFindEP@CiPEPolyHeur@@I@@
.?AV?$TKeyDataSet@UCMap@CEmuPEFile@@I@@
.?AV?$TKeyDataSet@UCMap@CEmuPEFile@@I@@
.?AVIImportRec@@
.?AVIImportRec@@
.?AVCWin32ImportRec@@
.?AVCWin32ImportRec@@
.?AVCEmuRegistryKey@@
.?AVCEmuRegistryKey@@
.?AVCMD5@@
.?AVCMD5@@
.?AVCImportantBlockSubStrategy@@
.?AVCImportantBlockSubStrategy@@
.?AVCHashValue@CObjectReporter@@
.?AVCHashValue@CObjectReporter@@
.?AVCObjectReporter@@
.?AVCObjectReporter@@
.?AVCDATMsg@@
.?AVCDATMsg@@
Replace and press any key when ready
Replace and press any key when ready
.?AVCImportMap@CFNCallGraph@@
.?AVCImportMap@CFNCallGraph@@
.?AV?$TFactory@V?$WrapArchiveGFS@V?$CompressedFileCreator@VCOM2EXEFile@@$0EDEPENDC@@@$0DL@@@@@
.?AV?$TFactory@V?$WrapArchiveGFS@V?$CompressedFileCreator@VCOM2EXEFile@@$0EDEPENDC@@@$0DL@@@@@
.?AV?$CompressedFileCreator@VCOM2EXEFile@@$0EDEPENDC@@@
.?AV?$CompressedFileCreator@VCOM2EXEFile@@$0EDEPENDC@@@
.?AV?$WrapArchiveGFS@V?$CompressedFileCreator@VCOM2EXEFile@@$0EDEPENDC@@@$0DL@@@
.?AV?$WrapArchiveGFS@V?$CompressedFileCreator@VCOM2EXEFile@@$0EDEPENDC@@@$0DL@@@
.?AVCOM2EXEFile@@
.?AVCOM2EXEFile@@
.?AV?$TFactory@V?$WrapArchiveGFS@V?$CompressedFileCreator@VW32EXEFile@@$0FHDDDCFI@@@$0DB@@@@@
.?AV?$TFactory@V?$WrapArchiveGFS@V?$CompressedFileCreator@VW32EXEFile@@$0FHDDDCFI@@@$0DB@@@@@
.?AV?$CompressedFileCreator@VW32EXEFile@@$0FHDDDCFI@@@
.?AV?$CompressedFileCreator@VW32EXEFile@@$0FHDDDCFI@@@
.?AV?$WrapArchiveGFS@V?$CompressedFileCreator@VW32EXEFile@@$0FHDDDCFI@@@$0DB@@@
.?AV?$WrapArchiveGFS@V?$CompressedFileCreator@VW32EXEFile@@$0FHDDDCFI@@@$0DB@@@
.?AVW32EXEFile@@
.?AVW32EXEFile@@
.?AVW32EXEUncompress@@
.?AVW32EXEUncompress@@
.?AVCexeFile@@
.?AVCexeFile@@
.?AVexe32packFile@@
.?AVexe32packFile@@
.?AVCW32EXEUncompressExt@@
.?AVCW32EXEUncompressExt@@
.?AVEXEBundleDirectory@@
.?AVEXEBundleDirectory@@
.?AVPEBundleEXEFile@@
.?AVPEBundleEXEFile@@
.?AVPEBundleEXERepair@@
.?AVPEBundleEXERepair@@
.?AVJoinerDirectory@@
.?AVJoinerDirectory@@
.?AVexe32packDecode@@
.?AVexe32packDecode@@
.?AV?$TFactory@V?$WrapArchiveGFS@V?$CompressedFileCreator@VWebScript@@$0FHFDEDFC@@@$0CP@@@@@
.?AV?$TFactory@V?$WrapArchiveGFS@V?$CompressedFileCreator@VWebScript@@$0FHFDEDFC@@@$0CP@@@@@
.?AV?$CompressedFileCreator@VWebScript@@$0FHFDEDFC@@@
.?AV?$CompressedFileCreator@VWebScript@@$0FHFDEDFC@@@
.?AV?$WrapArchiveGFS@V?$CompressedFileCreator@VWebScript@@$0FHFDEDFC@@@$0CP@@@
.?AV?$WrapArchiveGFS@V?$CompressedFileCreator@VWebScript@@$0FHFDEDFC@@@$0CP@@@
.?AVWebScript@@
.?AVWebScript@@
.?AVCHTMLWebScript@@
.?AVCHTMLWebScript@@
.?AVWebScriptDecode@@
.?AVWebScriptDecode@@
.?AV?$TFactory@V?$WrapArchiveGFS@V?$CompressedFileCreator@VLZEXEFile@@$0EMFKFI@@@$0BE@@@@@
.?AV?$TFactory@V?$WrapArchiveGFS@V?$CompressedFileCreator@VLZEXEFile@@$0EMFKFI@@@$0BE@@@@@
.?AV?$CompressedFileCreator@VLZEXEFile@@$0EMFKFI@@@
.?AV?$CompressedFileCreator@VLZEXEFile@@$0EMFKFI@@@
.?AV?$WrapArchiveGFS@V?$CompressedFileCreator@VLZEXEFile@@$0EMFKFI@@@$0BE@@@
.?AV?$WrapArchiveGFS@V?$CompressedFileCreator@VLZEXEFile@@$0EMFKFI@@@$0BE@@@
.?AVLZEXEFile@@
.?AVLZEXEFile@@
.?AVCOLE2Operator@@
.?AVCOLE2Operator@@
.?AVIOLE2Operator@@
.?AVIOLE2Operator@@
.?AVProcessHandler@@
.?AVProcessHandler@@
.?AVCRegOperator@@
.?AVCRegOperator@@
.?AVIRegOperator@@
.?AVIRegOperator@@
.?AVXRegOperator@CRegOperator@@
.?AVXRegOperator@CRegOperator@@
.?AV?$TFactory@V?$WrapArchiveGFS@V?$CompressedFileCreator@VW32EXEFile2@@$0FHDDDCFI@@@$0DB@@@@@
.?AV?$TFactory@V?$WrapArchiveGFS@V?$CompressedFileCreator@VW32EXEFile2@@$0FHDDDCFI@@@$0DB@@@@@
.?AV?$CompressedFileCreator@VW32EXEFile2@@$0FHDDDCFI@@@
.?AV?$CompressedFileCreator@VW32EXEFile2@@$0FHDDDCFI@@@
.?AV?$WrapArchiveGFS@V?$CompressedFileCreator@VW32EXEFile2@@$0FHDDDCFI@@@$0DB@@@
.?AV?$WrapArchiveGFS@V?$CompressedFileCreator@VW32EXEFile2@@$0FHDDDCFI@@@$0DB@@@
.?AVW32EXEFile2@@
.?AVW32EXEFile2@@
.?AVEXEStealthFile@@
.?AVEXEStealthFile@@
.?AV?$TGenericSeqParserArraySequenceImpl_GenericInner@V?$TGenericSequenceParserImplGenericOuter@VIGenericSequenceParserChar_Types@@VIGenericSequenceParserChar_BufferArray@@VCNAICmdTarget@@@@VIGenericSequenceParserChar_Types@@VIGenericSequenceParserChar_BufferArray@@@@
.?AV?$TGenericSeqParserArraySequenceImpl_GenericInner@V?$TGenericSequenceParserImplGenericOuter@VIGenericSequenceParserChar_Types@@VIGenericSequenceParserChar_BufferArray@@VCNAICmdTarget@@@@VIGenericSequenceParserChar_Types@@VIGenericSequenceParserChar_BufferArray@@@@
.?AV?$TGenericSequenceParserImplGenericOuter@VIGenericSequenceParserChar_Types@@VIGenericSequenceParserChar_BufferArray@@VCNAICmdTarget@@@@
.?AV?$TGenericSequenceParserImplGenericOuter@VIGenericSequenceParserChar_Types@@VIGenericSequenceParserChar_BufferArray@@VCNAICmdTarget@@@@
.?AVCO12Operator@@
.?AVCO12Operator@@
.?AVIO12Operator@@
.?AVIO12Operator@@
.?AVXO12Operator@CO12Operator@@
.?AVXO12Operator@CO12Operator@@
zcÁ
zcÁ
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SARS\executables\getsusp_300373.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SARS\executables\getsusp_300373.exe
.BJ!J~s
.BJ!J~s
$D.FS
$D.FS
T.FaV
T.FaV
S_%cGrB\
S_%cGrB\
zM%C{n
zM%C{n
'I.EZT
'I.EZT
.vrgW
.vrgW
.qyxdf
.qyxdf
.Cr$!
.Cr$!
/k%X#
/k%X#
;|K%C
;|K%C
.DT.^
.DT.^
RS9_%D<\
RS9_%D<\
.=9_r.zDa
.=9_r.zDa
FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE
FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE
xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
To download the latest version of GetSusp <A HREF="http://downloadcenter.mcafee.com/products/mcafee-avert/GetSusp/GetSusp.exe">Click Here</A>
To download the latest version of GetSusp <A HREF="http://downloadcenter.mcafee.com/products/mcafee-avert/GetSusp/GetSusp.exe">Click Here</A>
For GetSusp Suspicious Files Report, click on <A HREF="Logs\Files.xml">File Log</A>
For GetSusp Suspicious Files Report, click on <A HREF="Logs\Files.xml">File Log</A>
For GetSusp Network log, click on <A HREF="Logs\Network.xml">Network Log</A>
For GetSusp Network log, click on <A HREF="Logs\Network.xml">Network Log</A>
For information on installed McAfee products, click on <A HREF="Logs\McAfee-Product.txt">McAfee Product Log</A>
For information on installed McAfee products, click on <A HREF="Logs\McAfee-Product.txt">McAfee Product Log</A>
<A HREF="http://community.mcafee.com/community/security/malware_discussion">McAfee Community</A>
<A HREF="http://community.mcafee.com/community/security/malware_discussion">McAfee Community</A>
<h4 style="text-align:center">Network Statistics Report</h4>
<h4 style="text-align:center">Network Statistics Report</h4>
<xsl:text>https://www.virustotal.com/file/</xsl:text>
<xsl:text>https://www.virustotal.com/file/</xsl:text>
.text
.text
h.rdata
h.rdata
H.data
H.data
B.reloc
B.reloc
c:\buildbot\getsusp-s1\getsuspwip\driver\objfre_wnet_x86\i386\getsusp.pdb
c:\buildbot\getsusp-s1\getsuspwip\driver\objfre_wnet_x86\i386\getsusp.pdb
ntoskrnl.exe
ntoskrnl.exe
Thawte Certification1
Thawte Certification1
http://ocsp.thawte.com0
http://ocsp.thawte.com0
.http://crl.thawte.com/ThawteTimestampingCA.crl0
.http://crl.thawte.com/ThawteTimestampingCA.crl0
http://ts-ocsp.ws.symantec.com07
http://ts-ocsp.ws.symantec.com07
http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
.Class 3 Public Primary Certification Authority0
2Terms of use at https://www.verisign.com/rpa (c)041.0,
https://www.verisign.com/rpa01
http://crl.verisign.com/pca3.crl0
.Class 3 Public Primary Certification Authority
Dhttp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
n.aAHu
https://www.verisign.com/rpa0
/http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0u
http://ocsp.verisign.com0?
3http://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0
http://www.mcafee.com 0
.pdata
c:\buildbot\getsusp-s1\getsuspwip\driver\objfre_wnet_amd64\amd64\getsusp.pdb
getsusp.exe
VERSION.dll
COMCTL32.dll
WINHTTP.dll
WinHttpOpen
WS2_32.dll
USERENV.dll
USER32.dll
GDI32.dll
COMDLG32.dll
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
MAPI32.dll
WINTRUST.dll
CRYPT32.dll
CryptMsgClose
.6$$$~~~
hNULhYa.hh5
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="McAfee.GetSusp" type="win32"></assemblyIdentity><description>McAfee Labs GetSusp</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="highestAvailable" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo></assembly>
\\.\GetSusp
ERROR: Login failed due to invalid proxy credentials
Login failed for user '%s'
eiphlpapi.dll
Please enter id and password.
%s ... is Suspicious !!!
%s\%s\ntuser.dat
\autorun.vnf
\autorun.ini
\autorun.inf
%COMPUTERNAME%
.EngineVersionMinor
reg export HKLM\SOFTWARE\MCAFEE Logs\McAfee-Product.txt
regedit /e Logs\McAfee-Product.txt HKEY_LOCAL_MACHINE\SOFTWARE\MCAFEE
Scan results are saved at %s.
GetSusp scan identified (%d) Suspicious file(s) and (%d) Unknown file(s).
%c Possibly Infected:.............%d
Boot Sector(s):.................%d
Master Boot Record(s):....%d
%s !!!
\Local Settings\Temporary Internet Files\Content.IE5
\AppData\Local\Microsoft\Windows\Temporary Internet Files
\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
\Software\Microsoft\Windows\CurrentVersion\RunOnce
RunOnce key values for '%s'
\Software\Microsoft\Windows\CurrentVersion\Run
Run key values for '%s'
\$Recycle.Bin
%SYSTEMDRIVE%
\Microsoft.NET\Framework
\Windows NT
\Windows Media Player
\Opera
\Mozilla Firefox\Plugins
\Mozilla Firefox\Components
\Mozilla Firefox
\COMMON FILES\Microsoft Shared\Web Folders
Please specify Proxy address and port
\GetSusp.opt
Status: %u%%
Suspicious: %u
Unknown: %u
The GetSusp executable has been modified and may be infected.
-- Send only the report
-- Specify proxy address and port
-- Specify automatic configuration script url
http://downloadcenter.mcafee.com/products/mcafee-avert/GetSusp/GetSusp.exe
Unable to load scan engine, support DLL not found.
B%s ... is OK.
dnsapi.dll
Report saved to %s
Report
Could not write to %s file.
\GetSusp.txt
This operation will involve the transferring of files and other information from this machine, potentially including personal data to McAfee. Please confirm you have read and agree to this and the below license agreement before continuing
http://downloadcenter.mcafee.com/products/mcafee-avert/GetSusp/GetSusp.xml
Failed to execute GetSusp from long path.
%s could not be scanned (%d)!!!
%s ... is Unknown Scan Object !!!
%s ... is Zero Byte File !!!
%s ... Scan Aborted !!!
%s ... is Block-Char-Fifo Files !!!
%s ... is Out-Of-Memory !!!
%s ... is Encrypted !!!
%s ... is Corrupted !!!
Cannot save report file while a scan is in progress.
%s ... is Unknown !!!
chrome
firefox
http\shell\open\command
https://getclean.mcafee.com/getsusp
AutoConfigURL
Software\Microsoft\Windows\CurrentVersion\Internet Settings
\prefs.js
\Mozilla\Firefox\Profiles
\StringFileInfo\XX\%s
L\\.\SSFILTERDEV
\\.\WGUARDNT
3c224a00-5d51-11cf-b3ca-000000000001
/0123456789:;<=>
0000000000000000
X\\?\
\\?\UNC
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
USER32.DLL
Save report to file
McAfee GetSusp 3.0.0.373
Report all scanned files
Port
Password:
getsusp.sys
5500-1093
getsusp_300373.exe_900_rwx_00401000_00443000:
t4Jt.Ju1 ]
N8SSh
PWSSh(
Pj.j.SW
Pj*j%SW
[u.jD
!"#$%&'()* ,-..CC/0C122C34456789:CC;<=>?@AACCCCCCBBBBBBBB
Ht.Ht!
It.It
SSh0~q
F( %U
3333333
?\u%f
FTPh8
St.Ht
FTPh
.itst
PSSSh
SSSSh
FTPQ
F4PSSh
t j%S
!!!!!!""#$%&'(((((())* ,-.CCCCCCCC//C01234445656789:;9:;CCC<=>?@AB
FTPS
d/d/%d d:d
HTTPS
161.69.31.104
GetUdpTable
AllocateAndGetUdpExTableFromStack
GetExtendedUdpTable
GetTcpTable
AllocateAndGetTcpExTableFromStack
GetExtendedTcpTable
%u.%u.%u.%u:%u
<?xml-stylesheet type="text/xsl" href="Logs\GetSusp.xsl"?>
<?xml-stylesheet type="text/xsl" href="Network.xsl"?>
<?xml-stylesheet type="text/xsl" href="Files.xsl"?>
\GetSusp.sys
GetSusp1.tmp
Logs\McAfee-Product.txt
Logs\Files.xml
Logs\Files.xsl
Logs\Trace.log
Logs\Network.xsl
Logs\Network.xml
Logs\GetSusp.xsl
Logs\GetSusp.log
GetSusp.tmp
GetSusp.xml
\Windows\assembly\GAC_MSIL
avvclean.dat
avvnames.dat
avvscan.dat
XXXXXX
FramePkg.exe
\MCAFEE SECURITY SCAN\UNINSTALL.EXE
\Windows\assembly\NativeImages
Autoconfig-Url
Proxy-Port
3.0.0.373
EngineVersionMajor %d
AVDatVersion %d
AVDatDate %s
Task/Actions/Exec/Arguments
Task/Actions/Exec/Command
Windows-Firewall
%commonprogramw6432%
%commonprogramfiles%
Run-Key
\Prefetch\NTOSBOOT-B00DFAAD.pf
0123456789
%WinDir%\assembly\NativeImages
Received unknown IO request type %d
rundll32.exe
server_passwd
url_artemis
url_upload
Unknown-Error %d
Windows 2000
Windows XP
Web Edition
Windows Server 2003,
Windows XP Professional x64 Edition
Windows Home Server
Windows Storage Server 2003
Windows Server 2003 R2,
Web Server Edition
Windows Server 2012
Windows 8
Windows Server 2008 R2
Windows 7
Windows Server 2008
Windows Vista
--password
1.3.6.1.4.1.311.72.1.1
Status: 0x%x
network.proxy.autoconfig_url
network.proxy.http_port
"network.proxy.http"
network.proxy.type
network.proxy
.rsrc
config.dat
u.u
Copyright (c) McAfee Inc. u. Created on u-%s-u. Version:%u.u
'%s' Driver
KERNEL32.dll
%WinDir%\TEST.EXE
).EXPORT
).COPY
.ITEM
.dump
midiOutShortMsg
midiOutLongMsg
keybd_event
WinExecErrorW
WinExecErrorA
WinExec
WaitNamedPipeW
WaitNamedPipeA
WSARecvMsg
WSAAsyncGetServByPort
VkKeyScanW
VkKeyScanExW
VkKeyScanExA
VkKeyScanA
UpdateICMRegKeyW
UpdateICMRegKeyA
UnregisterHotKey
UnloadKeyboardLayout
UnhookWindowsHookEx
UnhookWindowsHook
TransactNamedPipe
TileWindows
ShellExecuteW
ShellExecuteExW
ShellExecuteExA
ShellExecuteA
SetWindowsHookW
SetWindowsHookExW
SetWindowsHookExA
SetWindowsHookA
SetViewportOrgEx
SetViewportExtEx
SetProcessWindowStation
SetProcessShutdownParameters
SetNamedPipeHandleState
SetKeyboardState
SetConsoleOutputCP
ScaleViewportExtEx
SHFileOperationW
SHFileOperationA
ReportEventW
ReportEventA
RegisterHotKey
RegUnLoadKeyW
RegUnLoadKeyA
RegSetKeySecurity
RegSaveKeyW
RegSaveKeyA
RegRestoreKeyW
RegRestoreKeyA
RegReplaceKeyW
RegReplaceKeyA
RegQueryInfoKeyW
RegQueryInfoKeyA
RegOpenKeyW
RegOpenKeyExW
RegOpenKeyExA
RegOpenKeyA
RegNotifyChangeKeyValue
RegLoadKeyW
RegLoadKeyA
RegGetKeySecurity
RegFlushKey
RegEnumKeyW
RegEnumKeyExW
RegEnumKeyExA
RegEnumKeyA
RegDeleteKeyW
RegDeleteKeyA
RegCreateKeyW
RegCreateKeyExW
RegCreateKeyExA
RegCreateKeyA
RegCloseKey
ProcessHRC
PeekNamedPipe
OpenWindowStationW
OpenWindowStationA
OleExecute
OffsetViewportOrgEx
OemKeyScan
MsgWaitForMultipleObjects
MapVirtualKeyW
MapVirtualKeyExW
MapVirtualKeyExA
MapVirtualKeyA
LoadKeyboardLayoutW
LoadKeyboardLayoutA
ImpersonateNamedPipeClient
ImmSimulateHotKey
ImmGetVirtualKey
GetWindowsDirectoryW
GetWindowsDirectoryA
GetViewportOrgEx
GetViewportExtEx
GetTcpStatisticsEx
GetTcpStatistics
GetServiceKeyNameW
GetServiceKeyNameA
GetProcessWindowStation
GetProcessShutdownParameters
GetProcessHeaps
GetProcessHeap
GetNamedPipeInfo
GetNamedPipeHandleStateW
GetNamedPipeHandleStateA
GetLargestConsoleWindowSize
GetKeyboardType
GetKeyboardState
GetKeyboardLayoutNameW
GetKeyboardLayoutNameA
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextW
GetKeyNameTextA
GetConsoleOutputCP
GetCPInfo
GetAsyncKeyState
FindExecutableW
FindExecutableA
ExitWindowsEx
EnumWindows
EnumWindowStationsW
EnumWindowStationsA
EnumThreadWindows
EnumPortsW
EnumPortsA
EnumDesktopWindows
EnumChildWindows
DisconnectNamedPipe
DeletePortW
DeletePortA
CreateWindowStationW
CreateWindowStationA
CreatePipe
CreateNamedPipeW
CreateNamedPipeA
CreateIoCompletionPort
CreateDialogIndirectParamW
CreateDialogIndirectParamA
ConnectNamedPipe
ConfigurePortW
ConfigurePortA
CloseWindowStation
CascadeWindows
CallNamedPipeW
CallNamedPipeA
CallMsgFilterW
CallMsgFilterA
ArrangeIconicWindows
AddPortW
AddPortA
ActivateKeyboardLayout
WINSTART.BAT
AUTOEXEC.BAT
SCRIPT.INI
NICK
OUTLOOK.APPLICATION
SCRIPTING.FILESYSTEMOBJECT
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\
HKEY_LOCAL_MACHINE\
MSGBOX
JOIN
.GzVBj/&IA42[vrC89pEhqO
.encode
%s:x
%s:x,x,x
KERNEL32.DLL
%WinDir%\
/usr/lib/test.so
%WinDir%\TEST.DLL
%WinDir%
join
export
.memory_hook
ÌdiouxXeEfgGnpsSaA
%WinDir%\SYSTEM32\
%WinDir%\SYSTEM
%d.d.d
Timer, %u, 1/100ms,
EINF, AV_APIVERSION_V%c
%s DAT version %ld.ld (%d.d)
Driver version %ld (%d.d)
API version (%s - %s) API: V%d.d
MCSCAN32.DLL
EREP, %d,
rwabs32.dll
MCTOOL.EXE
calwin32.dll
mcscan.log
mcscan.vlt
seqnum_%ld_thread_%s_
[%s;%s;%s]
Scan started at: %s
Scan completed at: %s
, %s: '%s'
%s: '%s'
* %4s........ GFS Disabled
,not scanned (code %d)
,not scanned (not executable).
%s, %u, %u, %u,
%s, %u, %u, %u
%s, %s
%s, %lu
,%s {
, %s, %s
%s:%d
%sx
x -> x
x [ xx ]
%s %s, %s
%s, %u
%s %lu
%s %d
%s (%s - action %d)
,not repaired (code %d)
%s %s
, normal hit "%s"
, negative hit "%s"
, "%s"
%s%lu
Leaving container (%d)
Entering container (%d)
RegDeleteKeyExW
scan.dat
names.dat
clean.dat
extra.dat
%s%c%s
RegDeleteKeyExA
%s (ID X, VER X)
ERR_OPERATION_FAILED
%s(X)
Runtime Check failed: %s in %s at line %d.
1.0.4
WFV*.tmp
vd
%c_%s
\\.\MCSCAN32.VXD
.data
.petite
.tlsdir
.neolit
.avp-md
.ficken
.BJFnt
.pklstb
Emu Buffer written to %s
(x)x:
-_@{}~`!#() =[]
SYSTEM.INI
WIN.INI
NTVDM.EXE
VDMDBG.DLL
PSAPI.DLL
windows
^$.[()|? *\
.tbz2
x.OLE
lld.ie
lx.OLE
kernel32.dll
.relo2
x.EXE
PEBUNDLE.LNK
TEMP$01.EXE
x.%.3s
x.EML
::DataSpace/Storage/MSCompressed/Transform/{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/ResetTable
::DataSpace/Storage/MSCompressed/Transform/{0A9007C6-4076-11D3-8789-0000F8105754}/InstanceData/ResetTable
LINKCMDL.OLE
%lu%s
lX.VCH
lX.OLE
__SRP_%x
"$"#,##0_);\(
wininit.ini
%s %s==0x%lx
%s - %s %s - %s 0x%lx %s 0x%lx
%s - %s %s - retrieved 0x%lx bytes from cache position 0x%lx
%s - %s %s - Read FAILURE error code %d %s 0x%lx %s 0x%lx
%s - %s read in 0 bytes - %s 0x%lx %s 0x%lx
%s - %s %s %s 0x%lx %s 0x%lx
%s - %s %s - read 0x%lx %s 0x%lx
%s - %s %s %d %s 0x%lx %s 0x%lx
%s - %s 0x%lx,%s 0x%lx
NTDLL.DLL
\\.\vwin32
\\.\PhysicalDrive%ud
\\.\%c:
Address_x.mem
%s_x.mem
PID\%d
Ntdll.dll
Kernel32.dll
x.PDF
x,
dwordbe:x
dword:x
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\
script00.wsc
content%d.rtf
attach%d.dat
X.%s
0000000000000000000
h.dllhel32hkern
rsrc.rsrrelo.relUPX1UPX0ExeS.eda
rsrc.rsrrelo.relnoesExeS.eda.res
.Ncryo
.De-vir
x.B64
x.bin
operator
deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler
1.2.5
zip 1.01 Copyright 1998-2004 Gilles Vollant -
http://www.winimage.com/zLibDll</pre><pre>.?AV?$TIndexedManifestSection@E@@</pre><pre>.?AVCNAICmdTarget@@</pre><pre>.?AVCPublicKeySection@@</pre><pre>.?AVCExecLibrary@@</pre><pre>.?AVItfIndexedValidationDataStore@@</pre><pre>.?AVCFileContentDecoratorBufferOperationsToBlockOperations@@</pre><pre>.?AV?$TKeyDataSet@UTOpt@CEmuOpt@EmulatorCPU@@I@@</pre><pre>.?AV?$TKeyDataSet@KI@@</pre><pre>.?AV?$TKeyDataSet@U?$TObjSetRecord@UTImpSym@CGenDecode@@@@I@@</pre><pre>.?AV?$TKeyDataSet@U?$TObjSetRecord@UTImpLib@CGenDecode@@@@I@@</pre><pre>.?AV?$TKeyDataSet@U?$TObjSetRecord@V?$TSetBase@U?$TDataSetRecord@KKK@@ABU1@K@@@@I@@</pre><pre>.?AV?$TKeyDataSet@U?$TObjSetRecord@V?$TSetBase@U?$TDataSetRecord@III@@ABU1@I@@@@I@@</pre><pre>.?AV?$TKeyDataSet@UTFindEP@CiPEPolyHeur@@I@@</pre><pre>.?AV?$TKeyDataSet@UCMap@CEmuPEFile@@I@@</pre><pre>.?AVIImportRec@@</pre><pre>.?AVCWin32ImportRec@@</pre><pre>.?AVCEmuRegistryKey@@</pre><pre>.?AVCMD5@@</pre><pre>.?AVCImportantBlockSubStrategy@@</pre><pre>.?AVCHashValue@CObjectReporter@@</pre><pre>.?AVCObjectReporter@@</pre><pre>.?AVCDATMsg@@</pre><pre>Replace and press any key when 
ready</pre><pre>.?AVCImportMap@CFNCallGraph@@</pre><pre>.?AV?$TFactory@V?$WrapArchiveGFS@V?$CompressedFileCreator@VCOM2EXEFile@@$0EDEPENDC@@@$0DL@@@@@</pre><pre>.?AV?$CompressedFileCreator@VCOM2EXEFile@@$0EDEPENDC@@@</pre><pre>.?AV?$WrapArchiveGFS@V?$CompressedFileCreator@VCOM2EXEFile@@$0EDEPENDC@@@$0DL@@@</pre><pre>.?AVCOM2EXEFile@@</pre><pre>.?AV?$TFactory@V?$WrapArchiveGFS@V?$CompressedFileCreator@VW32EXEFile@@$0FHDDDCFI@@@$0DB@@@@@</pre><pre>.?AV?$CompressedFileCreator@VW32EXEFile@@$0FHDDDCFI@@@</pre><pre>.?AV?$WrapArchiveGFS@V?$CompressedFileCreator@VW32EXEFile@@$0FHDDDCFI@@@$0DB@@@</pre><pre>.?AVW32EXEFile@@</pre><pre>.?AVW32EXEUncompress@@</pre><pre>.?AVCexeFile@@</pre><pre>.?AVexe32packFile@@</pre><pre>.?AVCW32EXEUncompressExt@@</pre><pre>.?AVEXEBundleDirectory@@</pre><pre>.?AVPEBundleEXEFile@@</pre><pre>.?AVPEBundleEXERepair@@</pre><pre>.?AVJoinerDirectory@@</pre><pre>.?AVexe32packDecode@@</pre><pre>.?AV?$TFactory@V?$WrapArchiveGFS@V?$CompressedFileCreator@VWebScript@@$0FHFDEDFC@@@$0CP@@@@@</pre><pre>.?AV?$CompressedFileCreator@VWebScript@@$0FHFDEDFC@@@</pre><pre>.?AV?$WrapArchiveGFS@V?$CompressedFileCreator@VWebScript@@$0FHFDEDFC@@@$0CP@@@</pre><pre>.?AVWebScript@@</pre><pre>.?AVCHTMLWebScript@@</pre><pre>.?AVWebScriptDecode@@</pre><pre>.?AV?$TFactory@V?$WrapArchiveGFS@V?$CompressedFileCreator@VLZEXEFile@@$0EMFKFI@@@$0BE@@@@@</pre><pre>.?AV?$CompressedFileCreator@VLZEXEFile@@$0EMFKFI@@@</pre><pre>.?AV?$WrapArchiveGFS@V?$CompressedFileCreator@VLZEXEFile@@$0EMFKFI@@@$0BE@@@</pre><pre>.?AVLZEXEFile@@</pre><pre>.?AVCOLE2Operator@@</pre><pre>.?AVIOLE2Operator@@</pre><pre>.?AVProcessHandler@@</pre><pre>.?AVCRegOperator@@</pre><pre>.?AVIRegOperator@@</pre><pre>.?AVXRegOperator@CRegOperator@@</pre><pre>.?AV?$TFactory@V?$WrapArchiveGFS@V?$CompressedFileCreator@VW32EXEFile2@@$0FHDDDCFI@@@$0DB@@@@@</pre><pre>.?AV?$CompressedFileCreator@VW32EXEFile2@@$0FHDDDCFI@@@</pre><pre>.?AV?$WrapArchiveGFS@V?$CompressedFileCreator@VW32EXEFile2@@$0FHDDDCFI@@@$0DB@@@</pre><pre>.?AV
W32EXEFile2@@</pre><pre>.?AVEXEStealthFile@@</pre><pre>.?AV?$TGenericSeqParserArraySequenceImpl_GenericInner@V?$TGenericSequenceParserImplGenericOuter@VIGenericSequenceParserChar_Types@@VIGenericSequenceParserChar_BufferArray@@VCNAICmdTarget@@@@VIGenericSequenceParserChar_Types@@VIGenericSequenceParserChar_BufferArray@@@@</pre><pre>.?AV?$TGenericSequenceParserImplGenericOuter@VIGenericSequenceParserChar_Types@@VIGenericSequenceParserChar_BufferArray@@VCNAICmdTarget@@@@</pre><pre>.?AVCO12Operator@@</pre><pre>.?AVIO12Operator@@</pre><pre>.?AVXO12Operator@CO12Operator@@</pre><pre>zcÁ</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SARS\executables\getsusp_300373.exe</pre><pre>.BJ!J~s</pre><pre>$D.FS</pre><pre>T.FaV</pre><pre>S_%cGrB\</pre><pre>zM%C{n</pre><pre>'I.EZT</pre><pre>.vrgW</pre><pre>.qyxdf</pre><pre>.Cr$!</pre><pre>/k%X#</pre><pre>;|K%C</pre><pre>.DT.^</pre><pre>RS9_%D<\</pre><pre>.=9_r.zDa</pre><pre>FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE</pre><pre>xmlns:xsl="http://www.w3.org/1999/XSL/Transform"></pre><pre>To download the latest version of GetSusp <A HREF="http://downloadcenter.mcafee.com/products/mcafee-avert/GetSusp/GetSusp.exe">Click Here</A></pre><pre>For GetSusp Suspicious Files Report, click on <A HREF="Logs\Files.xml">File Log</A></pre><pre>For GetSusp Network log, click on <A HREF="Logs\Network.xml">Network Log</A></pre><pre>For information on installed McAfee products, click on <A HREF="Logs\McAfee-Product.txt">McAfee Product Log</A></pre><pre><A HREF="http://community.mcafee.com/community/security/malware_discussion">McAfee Community</A></pre><pre><h4 style="text-align:center">Network Statistics Report</h4></pre><pre><xsl:text>https://www.virustotal.com/file/</xsl:text></pre><pre>.text</pre><pre>h.rdata</pre><pre>H.data</pre><pre>B.reloc</pre><pre>c:\buildbot\getsusp-s1\getsuspwip\driver\objfre_wnet_x86\i386\getsusp.pdb</pre><pre>ntoskrnl.exe</pre><pre>Thawte 
Certification1</pre><pre>http://ocsp.thawte.com0</pre><pre>.http://crl.thawte.com/ThawteTimestampingCA.crl0</pre><pre>http://ts-ocsp.ws.symantec.com07</pre><pre> http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<</pre><pre> http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(</pre><pre>.Class 3 Public Primary Certification Authority0</pre><pre>2Terms of use at https://www.verisign.com/rpa (c)041.0,</pre><pre>https://www.verisign.com/rpa01</pre><pre>http://crl.verisign.com/pca3.crl0</pre><pre>.Class 3 Public Primary Certification Authority</pre><pre>Dhttp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0</pre><pre>n.aAHu</pre><pre>https://www.verisign.com/rpa0</pre><pre>/http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0u</pre><pre>http://ocsp.verisign.com0?</pre><pre>3http://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0</pre><pre>http://www.mcafee.com 0</pre><pre>.pdata</pre><pre>c:\buildbot\getsusp-s1\getsuspwip\driver\objfre_wnet_amd64\amd64\getsusp.pdb</pre><pre>getsusp.exe</pre><pre>VERSION.dll</pre><pre>COMCTL32.dll</pre><pre>WINHTTP.dll</pre><pre>WinHttpOpen</pre><pre>WS2_32.dll</pre><pre>USERENV.dll</pre><pre>USER32.dll</pre><pre>GDI32.dll</pre><pre>COMDLG32.dll</pre><pre>ADVAPI32.dll</pre><pre>SHELL32.dll</pre><pre>ole32.dll</pre><pre>OLEAUT32.dll</pre><pre>MAPI32.dll</pre><pre>WINTRUST.dll</pre><pre>CRYPT32.dll</pre><pre>CryptMsgClose</pre><pre>\\.\GetSusp</pre><pre>ERROR: Login failed due to invalid proxy credentials</pre><pre>Login failed for user '%s'</pre><pre>eiphlpapi.dll</pre><pre>Please enter id and password.</pre><pre>%s ... 
is Suspicious !!!</pre><pre>%s\%s\ntuser.dat</pre><pre>\autorun.vnf</pre><pre>\autorun.ini</pre><pre>\autorun.inf</pre><pre>%COMPUTERNAME%</pre><pre>.EngineVersionMinor</pre><pre>reg export HKLM\SOFTWARE\MCAFEE Logs\McAfee-Product.txt</pre><pre>regedit /e Logs\McAfee-Product.txt HKEY_LOCAL_MACHINE\SOFTWARE\MCAFEE</pre><pre>Scan results are saved at %s.</pre><pre>GetSusp scan identified (%d) Suspicious file(s) and (%d) Unknown file(s).</pre><pre>%c Possibly Infected:.............%d</pre><pre>Boot Sector(s):.................%d</pre><pre>Master Boot Record(s):....%d</pre><pre>%s !!!</pre><pre>\Local Settings\Temporary Internet Files\Content.IE5</pre><pre>\AppData\Local\Microsoft\Windows\Temporary Internet Files</pre><pre>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad</pre><pre>SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon</pre><pre>Software\Microsoft\Windows NT\CurrentVersion\Winlogon</pre><pre>\Software\Microsoft\Windows\CurrentVersion\RunOnce</pre><pre>RunOnce key values for '%s'</pre><pre>\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>Run key values for '%s'</pre><pre>\$Recycle.Bin</pre><pre>%SYSTEMDRIVE%</pre><pre>\Microsoft.NET\Framework</pre><pre>\Windows NT</pre><pre>\Windows Media Player</pre><pre>\Opera</pre><pre>\Mozilla Firefox\Plugins</pre><pre>\Mozilla Firefox\Components</pre><pre>\Mozilla Firefox</pre><pre>\COMMON FILES\Microsoft Shared\Web Folders</pre><pre>Please specify Proxy address and port</pre><pre>\GetSusp.opt</pre><pre>Status: %u%%</pre><pre>Suspicious: %u</pre><pre>Unknown: %u</pre><pre>The GetSusp executable has been modified and may be infected.</pre><pre>-- Send only the report</pre><pre>-- Specify proxy address and port</pre><pre>-- Specify automatic configuration script url</pre><pre>http://downloadcenter.mcafee.com/products/mcafee-avert/GetSusp/GetSusp.exe</pre><pre>Unable to load scan engine, support DLL not 
found.</pre><pre>B%s ... is OK.</pre><pre>dnsapi.dll</pre><pre>Report saved to %s</pre><pre>Report</pre><pre>Could not write to %s file.</pre><pre>\GetSusp.txt</pre><pre>This operation will involve the transferring of files and other information from this machine, potentially including personal data to McAfee. Please confirm you have read and agree to this and the below license agreement before continuing</pre><pre>http://downloadcenter.mcafee.com/products/mcafee-avert/GetSusp/GetSusp.xml</pre><pre>Failed to execute GetSusp from long path.</pre><pre>%s could not be scanned (%d)!!!</pre><pre>%s ... is Unknown Scan Object !!!</pre><pre>%s ... is Zero Byte File !!!</pre><pre>%s ... Scan Aborted !!!</pre><pre>%s ... is Block-Char-Fifo Files !!!</pre><pre>%s ... is Out-Of-Memory !!!</pre><pre>%s ... is Encrypted !!!</pre><pre>%s ... is Corrupted !!!</pre><pre>Cannot save report file while a scan is in progress.</pre><pre>%s ... is Unknown !!!</pre><pre>chrome</pre><pre>firefox</pre><pre>http\shell\open\command</pre><pre>https://getclean.mcafee.com/getsusp</pre><pre>AutoConfigURL</pre><pre>Software\Microsoft\Windows\CurrentVersion\Internet Settings</pre><pre>\prefs.js</pre><pre>\Mozilla\Firefox\Profiles</pre><pre>\StringFileInfo\XX\%s</pre><pre>L\\.\SSFILTERDEV</pre><pre>\\.\WGUARDNT</pre><pre>3c224a00-5d51-11cf-b3ca-000000000001</pre><pre>/0123456789:;<=></pre><pre>0000000000000000</pre><pre>X\\?\</pre><pre>\\?\UNC</pre><pre>mscoree.dll</pre><pre>- Attempt to initialize the CRT more than once.</pre><pre>- CRT not initialized</pre><pre>- floating point support not loaded</pre><pre>USER32.DLL</pre><pre>Save report to file</pre><pre>McAfee GetSusp 3.0.0.373</pre><pre>Report all scanned files</pre><pre>Port</pre><pre>Password:</pre><pre>getsusp.sys</pre></pre>