Susp_Dropper (Kaspersky), Backdoor.Generic.755288 (B) (Emsisoft), Backdoor.Generic.755288 (AdAware), Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericAutorunWorm.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor, Worm, VirTool, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: a9538af39f6444c3569c04c0ef96c800
SHA1: ef14b21e42fac0d4b9c84ed1dcaec2a8bd5f989a
SHA256: 0c3afd78f13ffa7f9c812738f4845a417f3c2537483bb5d90810f75447fc9855
SSDeep: 1536:4oM8eAZ ZzVppvVKt5vQiM8eafNb2V8N5EGlaZ7YwjWt84cZ5Y9NtXQ4ZeXQcpDj:ZMqZ dVp1VOpVaZGU BniXQKDoBWlng0
Size: 88576 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: Installation helper
Created at: 2012-12-15 08:05:29
Analyzed on: WindowsXP SP3 32-bit
Summary: Backdoor. Malware that enables a remote control of victim's machine.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Backdoor creates the following process(es):
%original file name%.exe:2716
FB_B2.tmp.exe:852
FB_B3.tmp.exe:2876
The Backdoor injects its code into the following process(es):
MicrosoftUpdate:2056
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process FB_B2.tmp.exe:852 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\FB_B3.tmp.exe (61 bytes)
The process FB_B3.tmp.exe:2876 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\MicrosoftUpdate.exe (61 bytes)
The process MicrosoftUpdate:2056 makes changes in the file system.
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\MicrosoftUpdate.exe (0 bytes)
Registry activity
The process %original file name%.exe:2716 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\,"
The process FB_B2.tmp.exe:852 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CA F5 6B BB 2D 3B 6F D7 49 86 11 96 3E DF A7 17"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\,"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"FB_B3.tmp.exe" = "FB_B3.tmp"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The process FB_B3.tmp.exe:2876 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 A5 2D 7A 57 9B B4 C6 10 1F 0B 2F D8 89 4B BC"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\Microsoft]
"MicrosoftUpdate.exe" = "MicrosoftUpdate"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The process MicrosoftUpdate:2056 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 FB BC 7A FD E1 C8 3D 46 50 4C C8 D0 27 23 7B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicrosoftUpdate.exe" = "%Documents and Settings%\%current user%\Application Data\Microsoft\MicrosoftUpdate.exe"
Dropped PE files
MD5 | File path |
---|---|
2678a5b18392956aad1da388059abf4d | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\MicrosoftUpdate.exe |
18b070da891ed263be4eadf9a8e1a30c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\FB_B2.tmp.exe |
2678a5b18392956aad1da388059abf4d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\FB_B3.tmp.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:2716
FB_B2.tmp.exe:852
FB_B3.tmp.exe:2876 - Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Local Settings\Temp\FB_B3.tmp.exe (61 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\MicrosoftUpdate.exe (61 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicrosoftUpdate.exe" = "%Documents and Settings%\%current user%\Application Data\Microsoft\MicrosoftUpdate.exe" - Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version: 1, 0, 0, 1
Legal Copyright: Copyright ? 2012
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1, 0, 0, 1
File Description:
Comments:
Language: Language Neutral
Company Name: Product Name: Product Version: 1, 0, 0, 1Legal Copyright: Copyright ? 2012Legal Trademarks: Original Filename: Internal Name: File Version: 1, 0, 0, 1File Description: Comments: Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 40960 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 45056 | 86016 | 86016 | 5.37941 | b2c11470cba39cd030fb70b86d24102d |
.rsrc | 131072 | 4096 | 1536 | 1.95072 | 4ad48a0a788f93f8c69aa59c83d0501d |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Backdoor connects to the servers at the folowing location(s):
Strings from Dumps
MicrosoftUpdate.exe_2056:
`.rsrc
`.rsrc
8W.kB
8W.kB
kernel32.dll
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
oleaut32.dll
EVariantBadIndexError
EVariantBadIndexError
u%CNu
u%CNu
TSocketPort
TSocketPort
TUdpSocket
TUdpSocket
TUdpSocketd
TUdpSocketd
LocalPort4
LocalPort4
RemotePort0
RemotePort0
%d.%d.%d.%d
%d.%d.%d.%d
0.0.0.0
0.0.0.0
PSAPI.dll
PSAPI.dll
Windows
Windows
Urlmon.dll
Urlmon.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
:\autorun.inf
:\autorun.inf
icon=%SystemRoot%\system32\SHELL32.dll,4
icon=%SystemRoot%\system32\SHELL32.dll,4
\Mozilla Firefox\
\Mozilla Firefox\
nss3.dll
nss3.dll
mozcrt19.dll
mozcrt19.dll
sqlite3.dll
sqlite3.dll
nspr4.dll
nspr4.dll
plc4.dll
plc4.dll
plds4.dll
plds4.dll
nssutil3.dll
nssutil3.dll
softokn3.dll
softokn3.dll
PK11_GetInternalKeySlot
PK11_GetInternalKeySlot
userenv.dll
userenv.dll
\Mozilla\Firefox\
\Mozilla\Firefox\
profiles.ini
profiles.ini
\signons3.txt
\signons3.txt
MSGBOX
MSGBOX
Firefox
Firefox
windows
windows
Windows|
Windows|
WebDL
WebDL
URLDownloadToFileA
URLDownloadToFileA
StUDP|
StUDP|
KWindows
KWindows
UrlMon
UrlMon
GetCPInfo
GetCPInfo
RegOpenKeyExA
RegOpenKeyExA
RegFlushKey
RegFlushKey
RegCreateKeyExA
RegCreateKeyExA
RegCloseKey
RegCloseKey
ShellExecuteA
ShellExecuteA
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
EnumWindows
EnumWindows
GetKeyboardType
GetKeyboardType
.idata
.idata
.rdata
.rdata
P.reloc
P.reloc
P.rsrc
P.rsrc
.OusFd
.OusFd
BSS.dKv
BSS.dKv
KERNEL32.DLL
KERNEL32.DLL
advapi32.dll
advapi32.dll
shell32.dll
shell32.dll
SHFolder.dll
SHFolder.dll
user32.dll
user32.dll
version.dll
version.dll
wsock32.dll
wsock32.dll
%s.Seek not implemented$Operation not allowed on sorted list
%s.Seek not implemented$Operation not allowed on sorted list
Property %s does not exist
Property %s does not exist
Thread creation error: %s
Thread creation error: %s
Thread Error: %s (%d)
Thread Error: %s (%d)
%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot create file "%s". %s
Cannot open file "%s". %s$''%s'' is not a valid component name
Cannot open file "%s". %s$''%s'' is not a valid component name
Invalid property value List capacity out of bounds (%d)
Invalid property value List capacity out of bounds (%d)
List count out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Error reading %s%s%s: %s
Failed to set data for '%s'
Failed to set data for '%s'
Ancestor for '%s' not found
Ancestor for '%s' not found
Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread
Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
Class %s not found
%s (%s, line %d)
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
Operation not supported
External exception %x
External exception %x
Interface not supported
Interface not supported
Invalid pointer operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
!'%s' is not a valid integer value
I/O error %d
I/O error %d
Integer overflow Invalid floating point operation
Integer overflow Invalid floating point operation
MicrosoftUpdate.exe_2056_rwx_11491000_0002A000:
kernel32.dll
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
oleaut32.dll
EVariantBadIndexError
EVariantBadIndexError
u%CNu
u%CNu
TSocketPort
TSocketPort
TUdpSocket
TUdpSocket
TUdpSocketd
TUdpSocketd
LocalPort4
LocalPort4
RemotePort0
RemotePort0
%d.%d.%d.%d
%d.%d.%d.%d
0.0.0.0
0.0.0.0
PSAPI.dll
PSAPI.dll
Windows
Windows
Urlmon.dll
Urlmon.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
:\autorun.inf
:\autorun.inf
icon=%SystemRoot%\system32\SHELL32.dll,4
icon=%SystemRoot%\system32\SHELL32.dll,4
\Mozilla Firefox\
\Mozilla Firefox\
nss3.dll
nss3.dll
mozcrt19.dll
mozcrt19.dll
sqlite3.dll
sqlite3.dll
nspr4.dll
nspr4.dll
plc4.dll
plc4.dll
plds4.dll
plds4.dll
nssutil3.dll
nssutil3.dll
softokn3.dll
softokn3.dll
PK11_GetInternalKeySlot
PK11_GetInternalKeySlot
userenv.dll
userenv.dll
\Mozilla\Firefox\
\Mozilla\Firefox\
profiles.ini
profiles.ini
\signons3.txt
\signons3.txt
MSGBOX
MSGBOX
Firefox
Firefox
windows
windows
Windows|
Windows|
WebDL
WebDL
URLDownloadToFileA
URLDownloadToFileA
StUDP|
StUDP|
KWindows
KWindows
UrlMon
UrlMon
GetCPInfo
GetCPInfo
RegOpenKeyExA
RegOpenKeyExA
RegFlushKey
RegFlushKey
RegCreateKeyExA
RegCreateKeyExA
RegCloseKey
RegCloseKey
ShellExecuteA
ShellExecuteA
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
EnumWindows
EnumWindows
GetKeyboardType
GetKeyboardType
.idata
.idata
.rdata
.rdata
P.reloc
P.reloc
P.rsrc
P.rsrc
%s.Seek not implemented$Operation not allowed on sorted list
%s.Seek not implemented$Operation not allowed on sorted list
Property %s does not exist
Property %s does not exist
Thread creation error: %s
Thread creation error: %s
Thread Error: %s (%d)
Thread Error: %s (%d)
%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot create file "%s". %s
Cannot open file "%s". %s$''%s'' is not a valid component name
Cannot open file "%s". %s$''%s'' is not a valid component name
Invalid property value List capacity out of bounds (%d)
Invalid property value List capacity out of bounds (%d)
List count out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Error reading %s%s%s: %s
Failed to set data for '%s'
Failed to set data for '%s'
Ancestor for '%s' not found
Ancestor for '%s' not found
Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread
Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
Class %s not found
%s (%s, line %d)
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
Operation not supported
External exception %x
External exception %x
Interface not supported
Interface not supported
Invalid pointer operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
!'%s' is not a valid integer value
I/O error %d
I/O error %d
Integer overflow Invalid floating point operation
Integer overflow Invalid floating point operation