Trojan.Win32.Llac.duoa (Kaspersky), Gen:Variant.Symmi.27111 (AdAware), Backdoor.Win32.Xtrat.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 2aa3138e37c58b1797a7bb34aff89b1a
SHA1: 5a3b64c3c8057fed536a4b341054485c783d263d
SHA256: ae2c492dc0a568ba53cf2200d59513d3bcc8bc0e14c637894ad68d2fc496ba1a
SSDeep: 49152:8kwkn9IMHea6yyD6rNIZT2pP5S/7T0/TcbSAF2VmahK0wQm2NWaPCS:3dnVCArNIkxc7ITIn PC
Size: 2833408 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-01-25 11:23:05
Analyzed on: WindowsXP SP3 32-bit
Summary: Backdoor. Malware that gives an attacker remote control of the victim's machine.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
%original file name%.exe:1488
The Backdoor injects its code into the following process(es):
Win7 Activator 5.0.exe:528
calc.exe:1156
svchost.exe:308
File activity
The process %original file name%.exe:1488 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\svchost.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (2113 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Win7 Activator 5.0.exe (17894 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (11529 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\svchost.exe (601 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (0 bytes)
The process Win7 Activator 5.0.exe:528 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\popup[1].js (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\v4s5_2[1].css (445 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\download01[1].png (1340 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@analytics.hosting24[1].txt (165 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\v4s5_2[2].css (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cbox[2].txt (214 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\chat[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\v4s5_2[1].css (445 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\tmyv0TK[1].png (15410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\box[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\count[1].php (960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\box[1] (544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jsc_compact_696[2].js (1958 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\online[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\online[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jsc_compact_696[1].js (1050 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jquery.min[1].js (4372 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cbox[1].txt (214 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\v4s5_2[2].css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\box[1].htm (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\box[1] (487 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (3856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bg_popup[1].png (4 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@imgur[1].txt (217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\hostinger-600x400-2[1].gif (18292 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@cbox[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\v4s5_2[2].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\v4s5_2[1].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\box[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\v4s5_2[1].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\box[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jsc_compact_696[1].js (0 bytes)
The process calc.exe:1156 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%WinDir%\InstallDir\svchost.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
Registry activity
The process %original file name%.exe:1488 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 1F 35 F9 6F 33 2A 34 63 67 9E 24 C1 36 81 28"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process Win7 Activator 5.0.exe:528 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014050620140507]
"CachePrefix" = ":2014050620140507:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014050620140507]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014050620140507\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014050620140507]
"CacheOptions" = "11"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014050620140507]
"CacheLimit" = "8192"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA 57 FA A5 85 DE 14 16 19 EA 6C B9 E6 0E A8 BA"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014050620140507]
"CacheRepair" = "0"
The Backdoor modifies IE security-zone settings so that UNC (network) paths are treated as Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE security-zone settings so that sites which bypass the proxy are treated as Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor modifies IE security-zone settings so that local sites not listed in any other zone are treated as Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Note: these three ZoneMap values, "ProxyEnable" = "0" and "MigrateProxy" = "1" are the defaults WinINet writes the first time a process initialises Internet Settings, so on their own they are not evidence of tampering; the same applies to the Cache\Paths, Shell Folders and MountPoints2 values listed above. The indicators that matter in this report are the dropped svchost.exe copies and the autorun entries that point at them.
The Backdoor deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140318]
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process calc.exe:1156 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 19 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "998081552"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}]
"StubPath" = "%WinDir%\InstallDir\svchost.exe restart"
[HKCU\Software\1r8Uw1LlJrXpZi]
"ServerName" = "%WinDir%\InstallDir\svchost.exe"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC E7 E5 FD A4 CA B9 63 91 FE 2B 6C 9A 95 D8 17"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "calc.exe"
[HKCU\Software\1r8Uw1LlJrXpZi]
"ServerStarted" = "06/05/2014 18:34:16"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Backdoor modifies IE security-zone settings so that UNC (network) paths are treated as Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
To run itself each time Windows starts, the Backdoor adds its file to the following autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HKLM" = "%WinDir%\InstallDir\svchost.exe"
The Backdoor modifies IE security-zone settings so that local sites not listed in any other zone are treated as Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor modifies IE security-zone settings so that sites which bypass the proxy are treated as Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
To run itself each time Windows starts, the Backdoor adds its file to the following autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU" = "%WinDir%\InstallDir\svchost.exe"
Note: together with the copy in the Startup folder (%Documents and Settings%\%current user%\Start Menu\Programs\Startup\svchost.exe) and the Active Setup entry listed above ([HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}] "StubPath" = "%WinDir%\InstallDir\svchost.exe restart"), which Windows executes once per user at logon, this gives the Backdoor four separate persistence points. The key [HKCU\Software\1r8Uw1LlJrXpZi] records the installed path ("ServerName") and start time ("ServerStarted") of the running copy. All of these must be removed, not only the two Run values.
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
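The registry activity above is easier to act on as a check than as a list. The following script is an added example, not part of the Lavasoft report: it parses a registry export in the text form `reg export` writes (a constructed sample is embedded, built from the Run, Active Setup and HKCU\Software\1r8Uw1LlJrXpZi entries this report shows, plus one benign control entry) and flags the persistence points described above: any Run/RunOnce value or Active Setup StubPath whose image is an svchost.exe outside %SystemRoot%\System32, and a ServerName value under a key directly below HKCU\Software that names an executable. The function names, the sample export and the `C:\WINDOWS` system root are assumptions of the example.

```python
r"""Triage helper for the persistence entries this report lists.

Added example, not part of the Lavasoft report. It parses the text form
written by `reg export` (a constructed sample is embedded below) and flags
the three registry persistence points the dynamic analysis shows:
  * Run/RunOnce values whose image is svchost.exe outside System32
  * an Active Setup StubPath pointing at that same svchost.exe
  * HKCU\Software\<key> holding a ServerName value that names an EXE
The Startup-folder copy is a file, not a registry value, and is out of scope.
Only REG_SZ values are parsed; hex: data such as the RNG Seed is ignored.
"""
import re

# Constructed sample in reg-export syntax (backslashes and embedded quotes are
# escaped the way reg.exe writes them). The paths are the ones the report
# shows; the VMware entry is a benign control that must not be flagged.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HKLM"="C:\\WINDOWS\\InstallDir\\svchost.exe"
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareUser.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU"="C:\\WINDOWS\\InstallDir\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}]
"StubPath"="C:\\WINDOWS\\InstallDir\\svchost.exe restart"

[HKEY_CURRENT_USER\Software\1r8Uw1LlJrXpZi]
"ServerName"="C:\\WINDOWS\\InstallDir\\svchost.exe"
"ServerStarted"="06/05/2014 18:34:16"
"""


def _unescape(data):
    """Undo reg-export escaping (doubled backslashes, backslash-quote)."""
    return re.sub(r"\\(.)", r"\1", data)


def parse_reg_export(text):
    """Return {key_path: {value_name: string_data}} for REG_SZ values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                keys[current][_unescape(name[1:-1])] = _unescape(data[1:-1])
    return keys


def image_path(command):
    """Best-effort executable path from a command line: a quoted path, else
    everything up to the first '.exe' (so 'svchost.exe restart' drops its argument)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r".+?\.exe", command, re.IGNORECASE)
    return m.group(0) if m else command.split(" ", 1)[0]


def is_masqueraded_svchost(path, system_root=r"C:\WINDOWS"):
    r"""True for a file named svchost.exe that is not the real one under
    %SystemRoot%\System32 (or SysWOW64 on 64-bit Windows)."""
    p = path.lower()
    if not p.endswith(r"\svchost.exe"):
        return False
    root = system_root.lower()
    return p not in {root + r"\system32\svchost.exe", root + r"\syswow64\svchost.exe"}


def find_persistence(reg, system_root=r"C:\WINDOWS"):
    """Return [(key, value_name, image, reason)] for suspicious autorun entries."""
    findings = []
    for key, values in reg.items():
        k = key.lower()
        if k.endswith(r"\currentversion\run") or k.endswith(r"\currentversion\runonce"):
            candidates = list(values.items())  # every value here is a command line
        elif "\\active setup\\installed components\\" in k:
            candidates = [(n, d) for n, d in values.items() if n.lower() == "stubpath"]
        elif k.startswith("hkey_current_user\\software\\") and k.count("\\") == 2:
            candidates = [(n, d) for n, d in values.items() if n.lower() == "servername"]
        else:
            continue
        for name, data in candidates:
            image = image_path(data)
            reasons = []
            if is_masqueraded_svchost(image, system_root):
                reasons.append("svchost.exe outside System32")
            if name.lower() == "servername" and image.lower().endswith(".exe"):
                reasons.append("ServerName under HKCU\\Software\\<key> names an EXE")
            if reasons:
                findings.append((key, name, image, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for key, name, image, reason in find_persistence(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"[{key}] {name} -> {image}  ({reason})")
```

On the sample this reports all four entries (HKLM and HKCU Run, the Active Setup StubPath, and the ServerName value) and leaves the quoted VMware entry alone. The `image_path` heuristic of cutting at the first `.exe` is deliberate: it is how the `svchost.exe restart` StubPath loses its argument, but it would truncate a path whose directory name itself contains `.exe`, so treat it as triage, not as a parser for arbitrary command lines.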
Dropped PE files
MD5 | File path |
---|---|
aa0faead19646182544dcf22875ea2af | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Win7 Activator 5.0.exe |
b5959ef1b80f0fa4a8d61f06213feb61 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\svchost.exe |
b5959ef1b80f0fa4a8d61f06213feb61 | c:\Documents and Settings\"%CurrentUserName%"\Start Menu\Programs\Startup\svchost.exe |
b5959ef1b80f0fa4a8d61f06213feb61 | c:\WINDOWS\InstallDir\svchost.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate the malicious process and the processes it injected its code into (How to End a Process With the Task Manager):
%original file name%.exe:1488
Win7 Activator 5.0.exe:528
calc.exe:1156
svchost.exe:308 (a legitimate system process that was injected into; if ending it is not possible, the reboot in the last step clears it once the files and autorun entries below are gone)
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Local Settings\Temp\svchost.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (2113 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Win7 Activator 5.0.exe (17894 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (11529 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\svchost.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\popup[1].js (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\v4s5_2[1].css (445 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\download01[1].png (1340 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@analytics.hosting24[1].txt (165 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\v4s5_2[2].css (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cbox[2].txt (214 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\chat[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\v4s5_2[1].css (445 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\tmyv0TK[1].png (15410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\box[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\count[1].php (960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\box[1] (544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jsc_compact_696[2].js (1958 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\online[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\online[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jsc_compact_696[1].js (1050 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jquery.min[1].js (4372 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cbox[1].txt (214 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\v4s5_2[2].css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\box[1].htm (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\box[1] (487 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (3856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bg_popup[1].png (4 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@imgur[1].txt (217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\hostinger-600x400-2[1].gif (18292 bytes)
%WinDir%\InstallDir\svchost.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
- Delete the following value(s) in the autorun keys (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HKLM" = "%WinDir%\InstallDir\svchost.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU" = "%WinDir%\InstallDir\svchost.exe"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}]
"StubPath" = "%WinDir%\InstallDir\svchost.exe restart"
- Delete the key in which the Backdoor records its installed path and start time:
[HKCU\Software\1r8Uw1LlJrXpZi]
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: H&F
Product Name: Win7 Activator 5.0
Product Version: 5.0.0.0
Legal Copyright: (c) 2010-2013
Legal Trademarks: HwNL & Fabianator
Original Filename: Win7 Activator 5.0.exe
Internal Name: Win7 Activator 5.0.exe
File Version: 5.0.0.0
File Description: Win7 Activator
Comments: System Tools Pack
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 573044 | 573440 | 4.63126 | 74af66fa540568c59b3868e78900e476 |
.rdata | 577536 | 182122 | 182272 | 4.0072 | 576c856afaad699ad9fe099fc6a9ce33 |
.data | 761856 | 40756 | 25088 | 1.38934 | e6d2e204147f7cdc3055011093632f54 |
.rsrc | 802816 | 2008807 | 2009088 | 5.33894 | 11a73226ee4f1bfe2d8253ed049460b4 |
.reloc | 2813952 | 42082 | 42496 | 3.63105 | c2f6ddaeef894b7510c3be928eeae5dd |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://win7activator.netai.net/net/online.html | 31.170.161.116 |
hxxp://win7activator.netai.net/tools/chat.html | 31.170.161.116 |
hxxp://myhomepage.altervista.org/net/online.html | |
hxxp://myhomepage.altervista.org/tools/chat.html | |
hxxp://win7activator.netai.net/app/online.html | 31.170.161.116 |
hxxp://myhomepage.altervista.org/tools/online.html | |
hxxp://myhomepage.altervista.org/tools/download01.png | |
hxxp://www4.cbox.ws/box/?boxid=3777848&boxtag=l1g6f7&sec=main | |
hxxp://www4.cbox.ws/box/?boxid=3777848&boxtag=l1g6f7&sec=form | |
hxxp://i.imgur.com/tmyv0TK.png | 103.31.6.35 |
hxxp://analytics.hosting24.com/count.php | |
hxxp://www4.cbox.ws/styles/v4s5_2.css | |
hxxp://googleapis.l.google.com/ajax/libs/jquery/1.8.3/jquery.min.js | |
hxxp://hostinger.com.ua/banners/ru/hostinger-600x400-2.gif | |
hxxp://analytics.hosting24.com/popup/bg_popup.png | |
hxxp://analytics.hosting24.com/popup/popup.js | |
hxxp://www4.cbox.ws/js/jsc_compact_696.js | |
hxxp://www.hostinger.com.ua/banners/ru/hostinger-600x400-2.gif | |
hxxp://ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js | 173.194.69.95 |
hxxp://www.cbox.ws/styles/v4s5_2.css | |
hxxp://stats.hosting24.com/popup/bg_popup.png | |
hxxp://stats.hosting24.com/popup/popup.js | |
hxxp://static.cbox.ws/js/jsc_compact_696.js | 162.159.243.249 |
narare.dyndns.org | 41.37.33.183 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /app/online.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: win7activator.netai.net
Connection: Keep-Alive
HTTP/1.1 301 Moved Permanently
Date: Tue, 06 May 2014 15:34:23 GMT
Server: Apache
Location: hXXp://myhomepage.altervista.org/tools/online.html
Content-Length: 258
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="hXXp://myhomepage.altervista.org/tools/online.html">here</a>.</p>
</body></html>
GET /net/online.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: myhomepage.altervista.org
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 06 May 2014 15:34:24 GMT
Server: Apache
Last-Modified: Fri, 31 May 2013 15:45:48 GMT
ETag: "14da6a3-566-4de05823bc300"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 761
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: text/html
[gzip-compressed HTML body, 761 bytes: binary data omitted; the capture then repeats the same response headers and body and is truncated]
<<< skipped >>>
GET /tools/online.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: myhomepage.altervista.org
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 06 May 2014 15:34:24 GMT
Server: Apache
Last-Modified: Tue, 22 Jan 2013 13:59:36 GMT
ETag: "14da679-4aa-4d3e0fce76200"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 686
Keep-Alive: timeout=1, max=99
Connection: Keep-Alive
Content-Type: text/html
[gzip-compressed HTML body, 686 bytes: binary data omitted; the capture then repeats the same response headers and body and is truncated]
<<< skipped >>>
GET /tools/download01.png HTTP/1.1
Accept: */*
Referer: hXXp://myhomepage.altervista.org/tools/online.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: myhomepage.altervista.org
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 06 May 2014 15:34:25 GMT
Server: Apache
Last-Modified: Tue, 22 Jan 2013 13:59:36 GMT
ETag: "14da698-20a2-4d3e0fce76200"
Accept-Ranges: bytes
Content-Length: 8354
Cache-Control: max-age=2592000
Expires: Thu, 05 Jun 2014 15:34:25 GMT
Keep-Alive: timeout=1, max=98
Connection: Keep-Alive
Content-Type: image/png
[PNG image body, 8354 bytes: binary data omitted; truncated]
<<< skipped >>>
GET /popup/bg_popup.png HTTP/1.1
Accept: */*
Referer: hXXp://myhomepage.altervista.org/tools/chat.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: stats.hosting24.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 06 May 2014 15:34:25 GMT
Server: Apache
Last-Modified: Fri, 18 Jan 2013 14:36:32 GMT
Accept-Ranges: bytes
Content-Length: 4356
Connection: close
Content-Type: image/png
<<< skipped >>>
GET /tmyv0TK.png HTTP/1.1
Accept: */*
Referer: hXXp://myhomepage.altervista.org/net/online.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: i.imgur.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: cloudflare-nginx
Date: Tue, 06 May 2014 15:34:25 GMT
Content-Type: image/png
Content-Length: 59415
Connection: keep-alive
Set-Cookie: __cfduid=d8172cf6349b6fefb4fc7dd406da2e96d1399390465107; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.imgur.com; HttpOnly
Last-Modified: Fri, 31 May 2013 15:31:29 GMT
ETag: "7d7858532e4707885ac3ac63c3692be2"
CF-Cache-Status: HIT
Expires: Wed, 06 May 2015 15:34:25 GMT
Cache-Control: public, max-age=31536000
Accept-Ranges: bytes
Access-Control-Allow-Methods: GET, OPTIONS
Access-Control-Allow-Origin: *
CF-RAY: 12663de6eea30c1d-AMS
<<< skipped >>>
GET /popup/popup.js HTTP/1.1
Accept: */*
Referer: hXXp://myhomepage.altervista.org/tools/chat.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: stats.hosting24.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 06 May 2014 15:34:25 GMT
Server: Apache
Last-Modified: Fri, 18 Jan 2013 14:10:44 GMT
Accept-Ranges: bytes
Content-Length: 3556
Connection: close
Content-Type: application/javascript
<<< skipped >>>
GET /net/online.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: win7activator.netai.net
Connection: Keep-Alive
HTTP/1.1 301 Moved Permanently
Date: Tue, 06 May 2014 15:34:23 GMT
Server: Apache
Location: hXXp://myhomepage.altervista.org/net/online.html
Content-Length: 256
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="hXXp://myhomepage.altervista.org/net/online.html">here</a>.</p>.</body></html>...
GET /count.php HTTP/1.1
Accept: */*
Referer: hXXp://myhomepage.altervista.org/tools/chat.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: analytics.hosting24.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 06 May 2014 15:34:25 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Set-Cookie: a_visited_already=true; expires=Tue, 13-May-2014 15:34:25 GMT
Content-Length: 960
Connection: close
Content-Type: application/javascript
document.write('<script src="hXXp://ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script>');document.write('<script src="hXXp://stats.hosting24.com/popup/popup.js"></script>');document.write('<style media="screen" type="text/css">.popup {display:block;width:666px;height: 474px;background-image:url(hXXp://stats.hosting24.com/popup/bg_popup.png);background-position: center top;background-repeat: no-repeat;} .popup a.close {display:block;float:right;width:44px;height:44px;} .ikuruzkrauti{margin:30px;}</style>');document.write('<div id="visas_style_div" style="display:none;" class="popup"><a href="" class="close bClose"></a><div class="ikuruzkrauti"><a href="hXXp://hostinger.com.ua"><img src="hXXp://hostinger.com.ua/banners/ru/hostinger-600x400-2.gif" border="0" /></a></div></div>');document.write('<script type="text/javascript">$(document).ready(function(){$("#visas_style_div").bPopup({contentContainer:".ikuruzkrauti"});});</script>');..
GET /tools/chat.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: win7activator.netai.net
Connection: Keep-Alive
HTTP/1.1 301 Moved Permanently
Date: Tue, 06 May 2014 15:34:23 GMT
Server: Apache
Location: hXXp://myhomepage.altervista.org/tools/chat.html
Content-Length: 256
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="hXXp://myhomepage.altervista.org/tools/chat.html">here</a>.</p>.</body></html>...
GET /js/jsc_compact_696.js HTTP/1.1
Accept: */*
Referer: hXXp://www4.cbox.ws/box/?boxid=3777848&boxtag=l1g6f7&sec=form
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.cbox.ws
Connection: Keep-Alive
Cookie: __cfduid=d7ba6d745d3634ce89bc7fe7e1f52bf251399390464804
HTTP/1.1 200 OK
Server: cloudflare-nginx
Date: Tue, 06 May 2014 15:34:25 GMT
Content-Type: application/x-javascript
Transfer-Encoding: chunked
Connection: keep-alive
Expires: Fri, 03 May 2024 15:34:25 GMT
Cache-Control: public, max-age=315360000
CF-Cache-Status: HIT
CF-RAY: 12663dea67de08bd-FRA
Content-Encoding: gzip
<<< skipped >>>
GET /banners/ru/hostinger-600x400-2.gif HTTP/1.1
Accept: */*
Referer: hXXp://myhomepage.altervista.org/tools/chat.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: VVV.hostinger.com.ua
HTTP/1.1 200 OK
Date: Tue, 06 May 2014 15:34:25 GMT
Server: Apache
Last-Modified: Wed, 22 Feb 2012 11:18:04 GMT
Accept-Ranges: bytes
Content-Length: 67322
Connection: close
Content-Type: image/gif
<<< skipped >>>
GET /styles/v4s5_2.css HTTP/1.1
Accept: */*
Referer: hXXp://www4.cbox.ws/box/?boxid=3777848&boxtag=l1g6f7&sec=form
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.cbox.ws
Connection: Keep-Alive
Cookie: __cfduid=d7ba6d745d3634ce89bc7fe7e1f52bf251399390464804
HTTP/1.1 200 OK
Server: cloudflare-nginx
Date: Tue, 06 May 2014 15:34:25 GMT
Content-Type: text/css
Transfer-Encoding: chunked
Connection: keep-alive
Expires: Fri, 03 May 2024 15:34:25 GMT
Cache-Control: public, max-age=315360000
CF-Cache-Status: HIT
CF-RAY: 12663de9477d08bd-FRA
Content-Encoding: gzip
<<< skipped >>>
GET /tools/chat.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: myhomepage.altervista.org
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 06 May 2014 15:34:24 GMT
Server: Apache
Last-Modified: Tue, 22 Jan 2013 13:59:35 GMT
ETag: "14da678-8d4-4d3e0fcd81fc0"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 1033
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: text/html
<<< skipped >>>
GET /box/?boxid=3777848&boxtag=l1g6f7&sec=form HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://myhomepage.altervista.org/tools/chat.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: www4.cbox.ws
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: cloudflare-nginx
Date: Tue, 06 May 2014 15:34:24 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d86e67632ee52c86b4c9fb49693f0166f1399390464816; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.cbox.ws; HttpOnly
P3P: CP="NOI DSP COR NID CURa OUR NOR"
Expires: Wed, 06 May 2015 15:34:24 GMT
Cache-Control: public, max-age=31536000
CF-RAY: 12663de51eec01af-FRA
Content-Encoding: gzip
<<< skipped >>>
GET /ajax/libs/jquery/1.8.3/jquery.min.js HTTP/1.1
Accept: */*
Referer: hXXp://myhomepage.altervista.org/tools/chat.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ajax.googleapis.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/javascript; charset=UTF-8
Last-Modified: Tue, 13 Nov 2012 19:53:02 GMT
Date: Thu, 01 May 2014 18:13:39 GMT
Expires: Fri, 01 May 2015 18:13:39 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 33471
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=31536000
Age: 422446
Alternate-Protocol: 80:quic
<<< skipped >>>
GET /box/?boxid=3777848&boxtag=l1g6f7&sec=main HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://myhomepage.altervista.org/tools/chat.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: www4.cbox.ws
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: cloudflare-nginx
Date: Tue, 06 May 2014 15:34:24 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d7ba6d745d3634ce89bc7fe7e1f52bf251399390464804; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.cbox.ws; HttpOnly
P3P: CP="NOI DSP COR NID CURa OUR NOR"
Expires: Wed, 17 Nov 2004 05:00:00 GMT
Cache-Control: private, must-revalidate, max-age=0
Last-Modified: Tue, 06 May 2014 15:34:24 GMT
CF-RAY: 12663de5050001af-FRA
Content-Encoding: gzip
<<< skipped >>>
GET /styles/v4s5_2.css HTTP/1.1
Accept: */*
Referer: hXXp://www4.cbox.ws/box/?boxid=3777848&boxtag=l1g6f7&sec=main
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.cbox.ws
Connection: Keep-Alive
Cookie: __cfduid=d7ba6d745d3634ce89bc7fe7e1f52bf251399390464804
HTTP/1.1 200 OK
Server: cloudflare-nginx
Date: Tue, 06 May 2014 15:34:25 GMT
Content-Type: text/css
Transfer-Encoding: chunked
Connection: keep-alive
Expires: Fri, 03 May 2024 15:34:25 GMT
Cache-Control: public, max-age=315360000
CF-Cache-Status: HIT
CF-RAY: 12663de762e208bd-FRA
Content-Encoding: gzip
<<< skipped >>>
GET /banners/ru/hostinger-600x400-2.gif HTTP/1.1
Accept: */*
Referer: hXXp://myhomepage.altervista.org/tools/chat.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: hostinger.com.ua
Connection: Keep-Alive
HTTP/1.1 301 Moved Permanently
Date: Tue, 06 May 2014 15:34:25 GMT
Server: Apache
Location: hXXp://VVV.hostinger.com.ua/banners/ru/hostinger-600x400-2.gif
Content-Length: 270
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="hXXp://VVV.hostinger.com.ua/banners/ru/hostinger-600x400-2.gif">here</a>.</p>.</body></html>...
Map
The Backdoor connects to the servers at the following location(s):
Strings from Dumps
svchost.exe_308:
.rsrc
.rsrc
.Xk:<<
y.cc[X
=wv%f
Hr.kD
o/Y.Xdij
.CE|U
.bO]S
&''&$%&##
KERNEL32.DLL
MSVBVM60.DLL
mmmmm.exe
svchost.exe_308_rwx_10000000_0004A000:
.idata
.rdata
P.reloc
P.rsrc
ServerKeyloggerU
789:;<&'()* ,-./12345
%SERVER%
URLMON.DLL
shell32.dll
http://
advapi32.dll
kernel32.dll
mpr.dll
version.dll
comctl32.dll
gdi32.dll
opengl32.dll
user32.dll
wintrust.dll
msimg32.dll
2.5.29.46
2.5.29.30
0.9.2342.19200300.100.1.25
CertDllVerifyCTLUsage
GetKeyboardType
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegCreateKeyW
GetWindowsDirectoryW
UnhookWindowsHookEx
SetWindowsHookExW
MapVirtualKeyW
GetKeyboardLayout
GetKeyState
shlwapi.dll
SHDeleteKeyW
FindExecutableW
URLDownloadToCacheFileW
wininet.dll
FtpPutFileW
FtpSetCurrentDirectoryW
GetKeyboardState
ShellExecuteW
ntdll.dll
1 1$1(1,10141
KWindows
TSErverKeylogger
x.html
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
[Execute]
KeyDelBackspace
<meta http-equiv="Content-Type" content="text/html;charset=UTF-8" />
.html
XtremeKeYlogger
Software\Microsoft\Windows\CurrentVersion\Run
.functions
icon=shell32.dll,4
shellexecute=
Autorun.inf
\Microsoft\Windows\
%DEFAULTBROWSER%
svchost.exe
narare.dyndns.org
ftpuser
calc.exe
{5460C4DF-B266-909E-CB58-E32B79832EB2}
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ftp.ftpserver.com
calc.exe_1156:
.text
`.data
.rsrc
SHELL32.dll
msvcrt.dll
ADVAPI32.dll
KERNEL32.dll
GDI32.dll
USER32.dll
hhctrl.ocx
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
calc.pdb
j.OXO
_acmdln
RegCloseKey
RegOpenKeyExA
name="Microsoft.Windows.Shell.calc"
version="5.1.0.0"
<description>Windows Shell</description>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
CalcMsgPumpWnd
The requested operation may take a very long time to complete.
Do you want to let the calculation continue, or stop the operation now?
Windows Calculator application file
5.1.2600.0 (xpclient.010817-1148)
CALC.EXE
Windows
Operating System
5.1.2600.0
Operation was canceled.-Calc does not have enough memory to continue.eThe requested function may take a very long time to complete.
Do you want to abort the operation now?
calc.hlp
Cannot open Clipboard.TThere is not enough memory for data.
calc.chm
calc.exe_1156_rwx_10000000_0004A000:
.idata
.rdata
P.reloc
P.rsrc
ServerKeyloggerU
789:;<&'()* ,-./12345
%SERVER%
URLMON.DLL
shell32.dll
http://
advapi32.dll
kernel32.dll
mpr.dll
version.dll
comctl32.dll
gdi32.dll
opengl32.dll
user32.dll
wintrust.dll
msimg32.dll
2.5.29.46
2.5.29.30
0.9.2342.19200300.100.1.25
CertDllVerifyCTLUsage
GetKeyboardType
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegCreateKeyW
GetWindowsDirectoryW
UnhookWindowsHookEx
SetWindowsHookExW
MapVirtualKeyW
GetKeyboardLayout
GetKeyState
shlwapi.dll
SHDeleteKeyW
FindExecutableW
URLDownloadToCacheFileW
wininet.dll
FtpPutFileW
FtpSetCurrentDirectoryW
GetKeyboardState
ShellExecuteW
ntdll.dll
1 1$1(1,10141
KWindows
TSErverKeylogger
x.html
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
[Execute]
KeyDelBackspace
<meta http-equiv="Content-Type" content="text/html;charset=UTF-8" />
.html
XtremeKeYlogger
Software\Microsoft\Windows\CurrentVersion\Run
.functions
icon=shell32.dll,4
shellexecute=
Autorun.inf
\Microsoft\Windows\
%DEFAULTBROWSER%
svchost.exe
narare.dyndns.org
ftpuser
calc.exe
{5460C4DF-B266-909E-CB58-E32B79832EB2}
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ftp.ftpserver.com
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\svchost.exe