Sample_27978af6bf

by malwarelabrobot on December 17th, 2014 in Malware Descriptions.

GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Worm, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 27978af6bfb56660e238499c89669c3c
SHA1: b3041d1bafb91cc54d22f82a694f8cf5b0ad7d0a
SHA256: ff4a72490d9169de6110c0c175ad5092c02b094f43bc73db21eedafe2626cd15
SSDeep: 24576:b201cUIhefdoW RMchfaT8dROhSpzXLTIY2lgHPUZSZJEDPAtZGAj2wc:b2mrfOB5aTk8YLUYLUZSZJ6APz1c
Size: 1531752 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: Blue Squirrel
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7Ada SP1 64-bit


Summary:

Worm: a program that primarily replicates over networks or removable drives.

Payload

Behaviour: WormAutorun
Description: A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Worm creates the following process(es):

TPAutoConnSvc.exe:1776
grabsite.exe:1040
regsvr32.exe:3644
%original file name%.exe:3716
27978af6bfb56660e238499c89669c3c.tmp:2484

The Worm injects its code into the following process(es):

WORDPAD.EXE:1672

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process grabsite.exe:1040 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Program Files% (x86)\Grab-a-Site 5.1\ix.dll (716 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\grabsite.INI (28 bytes)

The process regsvr32.exe:3644 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Program Files% (x86)\Grab-a-Site 5.1\WebGrabber.dll (712 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\pi.dll (131 bytes)

The process %original file name%.exe:3716 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MPIKU.tmp\27978af6bfb56660e238499c89669c3c.tmp (1423 bytes)

The process 27978af6bfb56660e238499c89669c3c.tmp:2484 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Program Files% (x86)\Grab-a-Site 5.1\is-ECLB2.tmp (289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-482OA.tmp\_isetup\_shfoldr.dll (47 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-74JU1.tmp (5109 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Grab-a-Site\Grab-a-Site Help.lnk (1 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\Edge\is-RL3EB.tmp (11 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-T9JMM.tmp (186 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-DG9RB.tmp (14 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Grab-a-Site\Grab-a-Site ReadMe.lnk (990 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-1ME24.tmp (23 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-D5M1P.tmp (7547 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-1093R.tmp (407 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-HLA0C.tmp (4545 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-3NKQ3.tmp (30 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-JQC9U.tmp (132 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Grab-a-Site\Blue Squirrel.lnk (836 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-T0507.tmp (206 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\unins000.dat (1376 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-482OA.tmp\_isetup\_setup64.tmp (6 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-CBQID.tmp (3073 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\Edge\is-6GA2P.tmp (1 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-8SVDJ.tmp (603 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-6E51A.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-482OA.tmp\_isetup\_RegDLL.tmp (4 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-GOMKQ.tmp (40 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Grab-a-Site\Grab-a-Site 5.lnk (1 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\grabsite.exe (49 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-99FQ1.tmp (673 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-M90HH.tmp (4545 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-EE0M9.tmp (2105 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-IGF3R.tmp (601 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\REGSVR32.EXE (32 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\unins000.msg (463 bytes)

Registry activity

The process TPAutoConnSvc.exe:1776 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\ThinPrint\TPPrnUI\NPI456AB0 (HP LaserJet Professional M1212nf MFP)#:1]
"TrayData" = "2,Tray 3, 3,Tray 2, 1,Tray 1, 4,Manual Feed, 7,Auto Select"
"FormData" = "1,2159,2794,Letter¶40,40,2086,2712, 5,2159,3556,Legal¶40,40,2086,3474, 9,2100,2970,A4¶39,39,2032,2890, 7,1842,2667,Executive¶40,40,1761,2585, 258,2159,3302,8.5 x 13 (custom)¶40,40,2086,3220, 11,1480,2100,A5¶39,39,1408,2020, 70,1050,1480,A6¶39,39,975,1399, 13,1820,2570,B5 (JIS)¶39,39,1747,2490, 264,1950,2700,16K 195x270¶39,39,1882,2620, 263,1840,2600,16K 184x260¶39,39,1761,2520, 257,1970,2730,16K 197x273¶39,39,1896,2650, 43,1000,1480,Japanese Postcard¶39,39,921,1399, 82,1480,2000,Double Japan Postcard Rotated¶39,39,1408,1919, 20,1046,2413,Envelope #10¶40,40,975,2331, 37,983,1905,Envelope Monarch¶40,40,907,1823, 34,1760,2500,Envelope B5¶39,39,1693,2420, 28,1620,2290,Envelope C5¶39,39,1544,2209, 27,1100,2200,Envelope DL¶39,39,1029,2120"
"DelAfterCreate" = "1"

[HKU\.DEFAULT\Printers\DevModes2]
"NPI456AB0 (HP LaserJet Professional M1212nf MFP)#:1" = "4E 00 50 00 49 00 34 00 35 00 36 00 41 00 42 00"

The Worm deletes the following registry key(s):

[HKLM\SOFTWARE\ThinPrint\TPPrnUI\NPI456AB0 (HP LaserJet Professional M1212nf MFP)#:1]

The process grabsite.exe:1040 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\uSSPESOQsu0yNqTumyyPLBWW]
"Xva_h1UE7YrwkGIs" = "bq2ZfC0JSgMnCO_xX3Sj31femCWW"
"haZRuEa_l4wKeRnJG!byuQ0SkJEKRC4KCEeSuwaHkL24cBp6GSmW" = "hkFHua0Bl4kFeRn8HE!yuaDB49EFcRkrCE!guaAS44oFcRx9!HmW"

The process WORDPAD.EXE:1672 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Font Management\Auto Activation Languages]
"en-Latn-US" = "1033"

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Font Management]
"Active Languages" = "09 04 00 00"
"Inactive Fonts" = "Large Fonts, 8514oem, Marlett, Andalus, Arial Unicode MS, Arabic Typesetting, HGMaruGothicMPRO, Estrangelo Edessa, Microsoft Uighur, MV Boli, Sakkal Majalla, Simplified Arabic, Simplified Arabic Fixed, Traditional Arabic, FangSong, KaiTi, Microsoft YaHei, NSimSun, SimHei, SimSun, SimSun-ExtB, DFKai-SB, Microsoft JhengHei, MingLiU, MingLiU-ExtB, MingLiU_HKSCS, MingLiU_HKSCS-ExtB, PMingLiU, PMingLiU-ExtB, Euphemia, Lao UI, Plantagenet Cherokee, Aharoni, David, FrankRuehl, Gisha, Levenim MT, Miriam, Miriam Fixed, Narkisim, Rod, Aparajita, Gautami, Iskoola Pota, Kalinga, Kartika, Kokila, Latha, Mangal, Raavi, Shonar Bangla, Shruti, Tunga, Utsaah, Vani, Vijaya, Vrinda, Meiryo, Meiryo UI, MS Gothic, MS Mincho, MS PGothic, MS PMincho, MS UI Gothic, Batang, BatangChe, Dotum, DotumChe, Gulim, GulimChe, Gungsuh, GungsuhChe, Malgun Gothic, Ebrima, Microsoft Himalaya, Microsoft New Tai Lue, Microsoft PhagsPa, Microsoft Tai Le, Microsoft Yi Baiti, Mongolian Baiti, Nyala, Sylfaen, Angsana New, AngsanaUPC, Browallia New, BrowalliaUPC, Cordia New, CordiaUPC, DaunPenh, DilleniaUPC, DokChampa, EucrosiaUPC, FreesiaUPC"

The process regsvr32.exe:3644 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCR\Wow6432Node\Interface\{8AA23DB2-9CAE-11D1-8648-00A0246D0300}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Interface\{5BBB7C44-D873-11D1-BA47-00104B1F427E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{8AA23DB1-9CAE-11D1-8648-00A0246D0300}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{8AA23DB2-9CAE-11D1-8648-00A0246D0300}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{8AA23DB0-9CAE-11D1-8648-00A0246D0300}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{ADB18B66-EFFD-11D1-BA6A-00104B1F427E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{ADB18B66-EFFD-11D1-BA6A-00104B1F427E}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{B3DF250F-DF76-11D1-BA52-00104B1F427E}]
"(Default)" = "IGrabberEnumFilter"

[HKCR\Wow6432Node\Interface\{82630067-FB0C-11D1-BA79-00104B1F427E}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{ADB18B66-EFFD-11D1-BA6A-00104B1F427E}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Interface\{0BFF46C3-C4C6-11D1-BA2E-00104B1F427E}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{ADB18B66-EFFD-11D1-BA6A-00104B1F427E}]
"(Default)" = "IGrabberEnumUrl"

[HKCR\Wow6432Node\Interface\{B3DF250F-DF76-11D1-BA52-00104B1F427E}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Interface\{8AA23DB0-9CAE-11D1-8648-00A0246D0300}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{8AA23DB2-9CAE-11D1-8648-00A0246D0300}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{D0136EF6-A2F8-11D1-864E-00A0246D0300}]
"(Default)" = "IGrabberEvents"

[HKCR\Interface\{8AA23DB0-9CAE-11D1-8648-00A0246D0300}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{B3DF250F-DF76-11D1-BA52-00104B1F427E}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{8AA23DA3-9CAE-11D1-8648-00A0246D0300}\1.0\HELPDIR]
"(Default)" = "%Program Files% (x86)\Grab-a-Site 5.1\"

[HKCR\TypeLib\{8AA23DA3-9CAE-11D1-8648-00A0246D0300}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{8AA23DB2-9CAE-11D1-8648-00A0246D0300}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Interface\{82630067-FB0C-11D1-BA79-00104B1F427E}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Interface\{0BFF46C3-C4C6-11D1-BA2E-00104B1F427E}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Interface\{8AA23DB2-9CAE-11D1-8648-00A0246D0300}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{8AA23DB5-9CAE-11D1-8648-00A0246D0300}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Wow6432Node\Interface\{ADB18B66-EFFD-11D1-BA6A-00104B1F427E}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{8AA23DB2-9CAE-11D1-8648-00A0246D0300}]
"(Default)" = "IGrabberUrl"

[HKCR\TypeLib\{8AA23DA3-9CAE-11D1-8648-00A0246D0300}\1.0\0\win32]
"(Default)" = "%Program Files% (x86)\Grab-a-Site 5.1\webgrabber.dll"

[HKCR\Interface\{0BFF46C3-C4C6-11D1-BA2E-00104B1F427E}]
"(Default)" = "IGrabberUrlStatus"

[HKCR\Wow6432Node\Interface\{8AA23DB5-9CAE-11D1-8648-00A0246D0300}]
"(Default)" = "IGrabberEnumChild"

[HKCR\Interface\{8AA23DB0-9CAE-11D1-8648-00A0246D0300}]
"(Default)" = "IGrabber"

[HKCR\Wow6432Node\Interface\{ADB18B66-EFFD-11D1-BA6A-00104B1F427E}]
"(Default)" = "IGrabberEnumUrl"

[HKCR\Interface\{B3DF250F-DF76-11D1-BA52-00104B1F427E}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Wow6432Node\Interface\{82630067-FB0C-11D1-BA79-00104B1F427E}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Interface\{B3DF2506-DF76-11D1-BA52-00104B1F427E}]
"(Default)" = "IGrabberFilter"

[HKCR\Wow6432Node\Interface\{8AA23DB0-9CAE-11D1-8648-00A0246D0300}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{5BBB7C44-D873-11D1-BA47-00104B1F427E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{8AA23DB5-9CAE-11D1-8648-00A0246D0300}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{82630067-FB0C-11D1-BA79-00104B1F427E}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{B3DF250F-DF76-11D1-BA52-00104B1F427E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{D0136EF6-A2F8-11D1-864E-00A0246D0300}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{82630067-FB0C-11D1-BA79-00104B1F427E}]
"(Default)" = "DGrabberEvents"

[HKCR\Interface\{ADB18B66-EFFD-11D1-BA6A-00104B1F427E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{B3DF250F-DF76-11D1-BA52-00104B1F427E}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{B3DF2506-DF76-11D1-BA52-00104B1F427E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{8AA23DB5-9CAE-11D1-8648-00A0246D0300}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Wow6432Node\Interface\{B3DF250F-DF76-11D1-BA52-00104B1F427E}]
"(Default)" = "IGrabberEnumFilter"

[HKCR\Interface\{B3DF250F-DF76-11D1-BA52-00104B1F427E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\WebGrabber.Grabber]
"(Default)" = "WebGrabber Class"

[HKCR\Interface\{8AA23DB5-9CAE-11D1-8648-00A0246D0300}]
"(Default)" = "IGrabberEnumChild"

[HKCR\Wow6432Node\CLSID\{8AA23DB1-9CAE-11D1-8648-00A0246D0300}\ProgID]
"(Default)" = "WebGrabber.Grabber.1"

[HKCR\WebGrabber.Grabber.1\CLSID]
"(Default)" = "{8AA23DB1-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Wow6432Node\Interface\{0BFF46C3-C4C6-11D1-BA2E-00104B1F427E}]
"(Default)" = "IGrabberUrlStatus"

[HKCR\Wow6432Node\Interface\{D0136EF6-A2F8-11D1-864E-00A0246D0300}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Wow6432Node\Interface\{8AA23DB0-9CAE-11D1-8648-00A0246D0300}]
"(Default)" = "IGrabber"

[HKCR\Wow6432Node\CLSID\{8AA23DB1-9CAE-11D1-8648-00A0246D0300}]
"(Default)" = "WebGrabber Class"

[HKCR\Wow6432Node\Interface\{B3DF2506-DF76-11D1-BA52-00104B1F427E}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Wow6432Node\Interface\{0BFF46C3-C4C6-11D1-BA2E-00104B1F427E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\WebGrabber.Grabber.1]
"(Default)" = "WebGrabber Class"

[HKCR\Wow6432Node\Interface\{0BFF46C3-C4C6-11D1-BA2E-00104B1F427E}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{5BBB7C44-D873-11D1-BA47-00104B1F427E}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Wow6432Node\CLSID\{8AA23DB1-9CAE-11D1-8648-00A0246D0300}\VersionIndependentProgID]
"(Default)" = "WebGrabber.Grabber"

[HKCR\Wow6432Node\Interface\{0BFF46C3-C4C6-11D1-BA2E-00104B1F427E}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Wow6432Node\Interface\{8AA23DB0-9CAE-11D1-8648-00A0246D0300}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Interface\{B3DF2506-DF76-11D1-BA52-00104B1F427E}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{5BBB7C44-D873-11D1-BA47-00104B1F427E}]
"(Default)" = "IGrabberPrefs"

[HKCR\Wow6432Node\Interface\{B3DF2506-DF76-11D1-BA52-00104B1F427E}\TypeLib]
"Version" = "1.0"

[HKCR\WebGrabber.Grabber\CLSID]
"(Default)" = "{8AA23DB1-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Interface\{82630067-FB0C-11D1-BA79-00104B1F427E}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{5BBB7C44-D873-11D1-BA47-00104B1F427E}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{8AA23DB2-9CAE-11D1-8648-00A0246D0300}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{B3DF2506-DF76-11D1-BA52-00104B1F427E}]
"(Default)" = "IGrabberFilter"

[HKCR\Wow6432Node\Interface\{B3DF2506-DF76-11D1-BA52-00104B1F427E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{5BBB7C44-D873-11D1-BA47-00104B1F427E}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\WebGrabber.Grabber\CurVer]
"(Default)" = "WebGrabber.Grabber.1"

[HKCR\Interface\{8AA23DB5-9CAE-11D1-8648-00A0246D0300}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{8AA23DB5-9CAE-11D1-8648-00A0246D0300}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{B3DF2506-DF76-11D1-BA52-00104B1F427E}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Interface\{D0136EF6-A2F8-11D1-864E-00A0246D0300}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{D0136EF6-A2F8-11D1-864E-00A0246D0300}]
"(Default)" = "IGrabberEvents"

[HKCR\Wow6432Node\Interface\{D0136EF6-A2F8-11D1-864E-00A0246D0300}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{8AA23DB2-9CAE-11D1-8648-00A0246D0300}]
"(Default)" = "IGrabberUrl"

[HKCR\Interface\{5BBB7C44-D873-11D1-BA47-00104B1F427E}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{5BBB7C44-D873-11D1-BA47-00104B1F427E}]
"(Default)" = "IGrabberPrefs"

[HKCR\Interface\{0BFF46C3-C4C6-11D1-BA2E-00104B1F427E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{D0136EF6-A2F8-11D1-864E-00A0246D0300}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Wow6432Node\Interface\{ADB18B66-EFFD-11D1-BA6A-00104B1F427E}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\TypeLib\{8AA23DA3-9CAE-11D1-8648-00A0246D0300}\1.0]
"(Default)" = "WebGrabber 1.0 Type Library"

[HKCR\Interface\{82630067-FB0C-11D1-BA79-00104B1F427E}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{8AA23DB5-9CAE-11D1-8648-00A0246D0300}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{8AA23DB1-9CAE-11D1-8648-00A0246D0300}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Grab-a-Site 5.1\webgrabber.dll"

[HKCR\Wow6432Node\Interface\{82630067-FB0C-11D1-BA79-00104B1F427E}]
"(Default)" = "DGrabberEvents"

[HKCR\Interface\{8AA23DB0-9CAE-11D1-8648-00A0246D0300}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"

[HKCR\Interface\{D0136EF6-A2F8-11D1-864E-00A0246D0300}\TypeLib]
"Version" = "1.0"

The process 27978af6bfb56660e238499c89669c3c.tmp:2484 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCR\.gas]
"(Default)" = "Grab-a-Site.Document"

[HKLM\SOFTWARE\Wow6432Node\Blue Squirrel\IX\Settings]
"rootDir" = "c:\Users\Public\IX\"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Grab-a-Site_is1]
"QuietUninstallString" = "%Program Files% (x86)\Grab-a-Site 5.1\unins000.exe /SILENT"

[HKCR\webwhacker\shell\open\command]
"(Default)" = "%Program Files% (x86)\Grab-a-Site 5.1\grabsite.exe /%1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Grab-a-Site_is1]
"URLInfoAbout" = "http://www.BlueSquirrel.com"
"InstallDate" = "20141216"
"Publisher" = "Blue Squirrel"
"Inno Setup: Language" = "default"
"Inno Setup: User" = "%CurrentUserName%"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\%Program Files% (x86)\Grab-a-Site 5.1]
"iundo.exe" = "RUNASADMIN"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Grab-a-Site_is1]
"DisplayVersion" = "5.1"
"MinorVersion" = "1"
"DisplayName" = "Blue Squirrel Grab-a-Site 5.1"
"HelpLink" = "http://www.BlueSquirrel.com"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\%Program Files% (x86)\Grab-a-Site 5.1]
"iu.exe" = "RUNASADMIN"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Grab-a-Site_is1]
"MajorVersion" = "5"
"Inno Setup: App Path" = "%Program Files% (x86)\Grab-a-Site 5.1"
"Inno Setup: Icon Group" = "Grab-a-Site"

[HKCU\.gas\OpenWithList]
"a" = "grabsite.exe"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Grab-a-Site_is1]
"Inno Setup: Setup Version" = "5.3.9 (a)"

[HKCU\.gas\OpenWithList]
"(Default)" = ""

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Grab-a-Site_is1]
"EstimatedSize" = "4441"
"NoModify" = "1"
"UninstallString" = "%Program Files% (x86)\Grab-a-Site 5.1\unins000.exe"
"InstallLocation" = "%Program Files% (x86)\Grab-a-Site 5.1\"

[HKCR\Grab-a-Site.Document]
"(Default)" = "Grab-a-Site Document"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Grab-a-Site_is1]
"NoRepair" = "1"

[HKCU\.gas\OpenWithList]
"MURList" = "a"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Grab-a-Site_is1]
"URLUpdateInfo" = "http://www.BlueSquirrel.com"

Dropped PE files

MD5 File path
c8ae2251ef395dddf4e8ec3a84701e5b c:\Program Files (x86)\Grab-a-Site 5.1\REGSVR32.EXE
35fbe8ed171b91e312df1b24c91a551e c:\Program Files (x86)\Grab-a-Site 5.1\WebGrabber.dll
106eda7931123e6fd3c44c5eed4e4f41 c:\Program Files (x86)\Grab-a-Site 5.1\autorun.exe
6dc74d4d670e2f5904a4d92731fc59ed c:\Program Files (x86)\Grab-a-Site 5.1\grabsite.exe
710590af15d47364111204e0c5af6ea9 c:\Program Files (x86)\Grab-a-Site 5.1\iu.exe
9b5bd8b5b70f6bf240b71bff59dad854 c:\Program Files (x86)\Grab-a-Site 5.1\iundo.exe
9b5af98a22740d2eb0180c852aa21a2d c:\Program Files (x86)\Grab-a-Site 5.1\ix.dll
14652be5311a039d6e8db6689ee871f1 c:\Program Files (x86)\Grab-a-Site 5.1\pi.dll
da6d09a571f57114ced2cc49f05165ac c:\Program Files (x86)\Grab-a-Site 5.1\unins000.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name: Blue Squirrel
Product Name: Grab-a-Site
Product Version: 5.1.0.0
Legal Copyright: Copyright (c) 2010 Blue Squirrel
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 5.1.0.0
File Description: Grab-a-Site Setup
Comments: This installation was built with Inno Setup.
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
CODE 4096 37504 37888 4.53167 5d87ded351b0b41961d927fb546efca7
DATA 45056 588 1024 1.89606 e8b4b57d70dce84e92f20fc39f4aa0ce
BSS 49152 3668 0 0 d41d8cd98f00b204e9800998ecf8427e
.idata 53248 2384 2560 3.07115 bb5485bf968b970e5ea81292af2acdba
.tls 57344 8 0 0 d41d8cd98f00b204e9800998ecf8427e
.rdata 61440 24 512 0.14174 9ba824905bf9c7922b6fc87a38b74366
.reloc 65536 2224 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 69632 11264 11264 3.10504 800e1f2bb4575d7fa0346bb489692bca

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 2
3a3c56d67684a559adf7d98a549bc424
459db64ac881b403827643aba31a6bc6

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

SURICATA UDPv4 invalid checksum
SURICATA IPv4 invalid checksum

Traffic

GET /pca3.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.verisign.com


HTTP/1.1 200 OK
Server: Apache
ETag: "8f6b3bcd9bb64555001fba64f5b01b92:1411517716"
Last-Modified: Wed, 24 Sep 2014 00:15:16 GMT
Date: Tue, 16 Dec 2014 14:25:26 GMT
Content-Length: 933
Connection: keep-alive
Content-Type: application/pkix-crl

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?d5a231e1604969a1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 12 Mar 2014 20:20:10 GMT
If-None-Match: "0b96c77303ecf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com


HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: application/octet-stream
Last-Modified: Fri, 12 Sep 2014 18:47:05 GMT
Accept-Ranges: bytes
ETag: "805a83f2b9cecf1:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By: ARR/2.5
X-Powered-By: ASP.NET
Content-Length: 56928
Date: Tue, 16 Dec 2014 14:25:10 GMT
Connection: keep-alive

GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Thu, 13 Nov 2014 06:02:42 GMT
Accept-Ranges: bytes
ETag: "88cab6f7ffcf1:0"
Server: Microsoft-IIS/8.5
VTag: 791936916300000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Tue, 16 Dec 2014 14:25:47 GMT
Connection: keep-alive


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1453
content-transfer-encoding: binary
Cache-Control: max-age=380474, public, no-transform, must-revalidate
Last-Modified: Sun, 14 Dec 2014 00:03:56 GMT
Expires: Sun, 21 Dec 2014 00:03:56 GMT
Date: Tue, 16 Dec 2014 14:25:16 GMT
Connection: keep-alive

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=357331, public, no-transform, must-revalidate
Last-Modified: Sat, 13 Dec 2014 17:38:38 GMT
Expires: Sat, 20 Dec 2014 17:38:38 GMT
Date: Tue, 16 Dec 2014 14:25:21 GMT
Connection: keep-alive
0..........0..... .....0......0...0........6?s....V....OlL".O..2014121
3173838Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
..M.s.Q~...@?j.......20141213173838Z....20141220173838Z0...*.H........
........;....f...2H.:.v...h.n...1..N4.1..PppH[vj(....I..T.`..!.G..>
F.....OK..I.......U4.......qF3qe..'VB.n...X..#..."j:.?......... ..6{e.
_........l..|.....6...H.4z.Mw6....\.!..B..^A..e....;Gm.BqF.1...Y....L.
A...0.T...Tb...n.uC..3.$....^{..@j.Q.v...i...........>...#0...0...0
..........<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U...
.VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of us
e at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Cod
e Signing 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U....US1.0
...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Term
s of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign C
lass 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0....
.....{(..t....2.Vf.....&;6).i*FK....W@....F....jnb.w._p.E.6.|.mk....(.
.........p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.'.$..JA..~QG
.d.}...r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h<.l.
...(n..i.....E.....2....^./Y......Y.m...'...hz..y..E..........0...0...
U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.veri
sign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS inco
rp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U..
......0... .....0......0"..U....0...0.1.0...U....TGV-B-24710...*.H

<<< skipped >>>

GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Cache-Control: max-age = 812
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 23 Oct 2014 05:05:32 GMT
If-None-Match: "a2f3ff97eeecf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Thu, 23 Oct 2014 05:05:32 GMT
ETag: "a2f3ff97eeecf1:0"
Cache-Control: max-age=900
Date: Tue, 16 Dec 2014 14:24:55 GMT
Connection: keep-alive
HTTP/1.1 304 Not Modified..Content-Type: application/pkix-crl..Last-Mo
dified: Thu, 23 Oct 2014 05:05:32 GMT..ETag: "a2f3ff97eeecf1:0"..Cache
-Control: max-age=900..Date: Tue, 16 Dec 2014 14:24:55 GMT..Connection
: keep-alive..
....



GET /pki/crl/products/WinPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 06 Oct 2014 05:06:02 GMT
If-None-Match: "3e1c83923e1cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Mon, 06 Oct 2014 05:06:02 GMT
ETag: "3e1c83923e1cf1:0"
Cache-Control: max-age=900
Date: Tue, 16 Dec 2014 14:25:00 GMT
Connection: keep-alive
HTTP/1.1 304 Not Modified..Content-Type: application/pkix-crl..Last-Mo
dified: Mon, 06 Oct 2014 05:06:02 GMT..ETag: "3e1c83923e1cf1:0"..Cache
-Control: max-age=900..Date: Tue, 16 Dec 2014 14:25:00 GMT..Connection
: keep-alive..
....



GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 04 Oct 2014 05:06:12 GMT
If-None-Match: "58cddbea90dfcf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Sat, 04 Oct 2014 05:06:12 GMT
ETag: "58cddbea90dfcf1:0"
Cache-Control: max-age=900
Date: Tue, 16 Dec 2014 14:25:05 GMT
Connection: keep-alive
HTTP/1.1 304 Not Modified..Content-Type: application/pkix-crl..Last-Mo
dified: Sat, 04 Oct 2014 05:06:12 GMT..ETag: "58cddbea90dfcf1:0"..Cach
e-Control: max-age=900..Date: Tue, 16 Dec 2014 14:25:05 GMT..Connectio
n: keep-alive..


GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?2ccd8f4b9a46853c HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 12 Mar 2014 20:20:10 GMT
If-None-Match: "0b96c77303ecf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com


HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: application/octet-stream
Last-Modified: Fri, 12 Sep 2014 18:47:05 GMT
Accept-Ranges: bytes
ETag: "805a83f2b9cecf1:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By: ARR/2.5
X-Powered-By: ASP.NET
Content-Length: 56928
Date: Tue, 16 Dec 2014 14:25:11 GMT
Connection: keep-alive
MSCF....`.......,...................I.................,E.Y .authroot.s
tl..Y-..8..CK...<T...g.v!M.d..f.%d..}K..5..F. ...T..%.,YJ.,!T......
_..x.<=O.....yy....;3..>.|..~..\.....|......;..8..~.za...."A...q
.......g..m......<X........j"I........!..-w.....w....P...H..(.?}..2
.N. .u..a. ...=.C..D.F>rC.. ..|).=.. ..3b.8H.M...(...u8.%...W.g...\
YB.m:.....dE.........V....$....Dn:....0...S."...o..q.....K...I..K...(x
%....>A.R...`.0 .........<`L0mp...%....y.....g.n...R0Op..<..,
....`0$z.@..&.x"....T..H...<........~..E..".....<<.\B(.......
..............@.....L.........KNAy8/"...f.......k..Jm7j....R.5q....Rz.
.!@...].......Y.[........4.. .D8..&...t.J^O..Q.._..1.J.m5<'k.,....%
T....i.\.;.;q..S./ 8.?Bu.............}D.Q....L....*..[.."e......15m...
_.0.M........#..v!..<...@..?sc.y....*.....tX[........{.W4.Q...^u@..
*..QP.......~.L9N....2r...4.....B..-\(...b.d...K...O.8..Un.......V.<
;.......A...V.....(..s..f..q.{N0.hS.,..;M.|G|.@.M.._.....7._6...C.0...
A;L....%...M=Y.....f.JV.(.5.....0..?*...KZ....jM...8.6U...#...ew.?..?.
..........WE.Or..O>..{.'W2.........3m.O.u..Z8....H4@.w}.o:?~....]&l
t;!...%....}@.d...L.p.a.g ..K."..N1!%..S.bT.H.-.....e..`.0$...0t..DX..
{.....#./...8.5..M...T.......D......V\C.zy.....3E:..>.{..).QW......
q....9..n..1....8%,.........r.p@.>. ...Q.?.p..7.?..7...&..!........
.`. .=....Sf..q.l.A.....L...t.}g..;...f....=.e.~.z....C..*R....H-..=..
.f..(t'.."....F...g._....n.J..U.4vr`}.....1..o@.....@.#...R. L8....z..
].|......3..y..-./....K..6{...s.<R`.}6....?.......-..@.g..S....

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=357371, public, no-transform, must-revalidate
Last-Modified: Sat, 13 Dec 2014 17:38:40 GMT
Expires: Sat, 20 Dec 2014 17:38:40 GMT
Date: Tue, 16 Dec 2014 14:25:39 GMT
Connection: keep-alive
0..........0..... .....0......0...0........6?s....V....OlL".O..2014121
3173840Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
.l$.%t...............20141213173840Z....20141220173840Z0...*.H........
.....!..d..........w [7*A.u.&....n.k...Z.@c..5....;5..D....W1.....d...
.oj....c....R...&....6[._.?..../...(h.......&.C............kL$....|.h$
.A.MJ....=%....7.....b....Z.g.W.2.6.t...".....4.4......Y.....,.'=m..#)
.E_..}.E.L`. ...O....Ruc1:..=.,.$.Sk.is...'K.....PI...#0...0...0......
....<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U....VeriS
ign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at h
ttps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Sign
ing 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U....US1.0...U..
..VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of u
se at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3
Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.........{
(..t....2.Vf.....&;6).i*FK....W@....F....jnb.w._p.E.6.|.mk....(.......
...p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.'.$..JA..~QG.d.}..
.r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h<.l....(n.
.i.....E.....2....^./Y......Y.m...'...hz..y..E..........0...0...U....0
.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.c
om/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by
reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........
0... .....0......0"..U....0...0.1.0...U....TGV-B-24710...*.H......

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1697
content-transfer-encoding: binary
Cache-Control: max-age=484303, public, no-transform, must-revalidate
Last-Modified: Mon, 15 Dec 2014 04:54:07 GMT
Expires: Mon, 22 Dec 2014 04:54:07 GMT
Date: Tue, 16 Dec 2014 14:25:32 GMT
Connection: keep-alive
0..........0..... .....0......0...0...A0?1=0;..U...4VeriSign Class 3 C
ode Signing 2004 CA OCSP Responder..20141215045407Z0s0q0I0... ........
?.@..w.........Y.!......Q...==d6|h.[x....7..`..........cV.!.....201412
15045407Z....20141222045407Z0...*.H.............O.1.P*........i..]w..
..P.Z.....4....t#..LzE8>.4".....:..t9..eUg.U....1..J\=.'...I....?,.
mr. |4<I..!..........Vd...m. ......H[x.1H./........f).........}....
W8..bv?.CHZ2.hK..wx..ia....z@.f-o8.l....)>..Z..`$.p9.E..p...y..;4.n
^.o.........Q....p..3.,..Lz>...3.....0...0...0..{.........[..I|....
.Zm..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U..
..VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisig
n.com/rpa (c)041.0,..U...%VeriSign Class 3 Code Signing 2004 CA0...140
428000000Z..150729235959Z0?1=0;..U...4VeriSign Class 3 Code Signing 20
04 CA OCSP Responder0.."0...*.H.............0.........Y....h..@..>.
....%.-.....O...' y.........x..Gw.xF.....?..Z..u,.X.&..........3C..H.l
.....f..;]s!.\"v...|....].@.....K7m2...N......-S.I......5n...G7. ..W..
..n..*..-f?EY.......UN...r...........-_.%..,P;b.....)(.P.4...,.%....&l
t;..6.....[r^X.EV..S...5#'Y.. .TD...........0...0...U.......0.0...U.%.
.0... .......0...U...........0... .....0......0f..U. ._0]0[..`.H...E..
..0L0#.. .........hXXps://d.symcb.com/cps0%.. .......0...hXXps://d.sym
cb.com/rpa0!..U....0...0.1.0...U....TGV-B-1080...U......"...?....`>
q..i1o...0...U.#..0.....Q...==d6|h.[x....70...*.H.............B8@.$..w
o......E.....P52"b*@'C\.y.(...n....h.f..7f.....v...pb<...]..|..

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=503590, public, no-transform, must-revalidate
Last-Modified: Mon, 15 Dec 2014 10:19:02 GMT
Expires: Mon, 22 Dec 2014 10:19:02 GMT
Date: Tue, 16 Dec 2014 14:25:53 GMT
Connection: keep-alive
0..........0..... .....0......0...0........6?s....V....OlL".O..2014121
5101902Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
.A..2.....:...:......20141215101902Z....20141222101902Z0...*.H........
.....A.?v....x...R..IV..........9.%...OQ.&lm..L81!.l4......v,.....:e..
.....m.2\$K.I.GS..E95.J.G;...T...lj.....f.=.5!$..cM..0'....F.k.n.$.6s.
..V.<.xbrT....).nC...`Q.m18d.....V...?9O..X.$...bZ...[.....%z^.....
'...l..e....b.(q..CH. .........T.M.d.:...@4.Sk.d!..-,....#0...0...0...
.......<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U....Ve
riSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use a
t hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code S
igning 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U....US1.0...
U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms o
f use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Clas
s 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.......
..{(..t....2.Vf.....&;6).i*FK....W@....F....jnb.w._p.E.6.|.mk....(....
......p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.'.$..JA..~QG.d.
}...r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h<.l....
(n..i.....E.....2....^./Y......Y.m...'...hz..y..E..........0...0...U..
..0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisig
n.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp.
by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U.....
...0... .....0......0"..U....0...0.1.0...U....TGV-B-24710...*.H...

<<< skipped >>>

The Worm connects to the servers at the following location(s):

grabsite.exe_1040:

.text
`.rdata
@.data
.rsrc
t.HuY
.tTPV
FTPjK
FtPj;
F.PjRWj
u.WWj
u.VVj
u$SShe
@u.Wj
proxy.htm
reset.htm
index.html
index.txt
\/:*?"<>|=&
/:*?"<>|=&
broken.gif
broken.jpg
hXXp://
hXXps://
PTF://
hhctrl.ocx
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
GDI32.DLL
CNotSupportedException
{X-X-X-XX-XXXXXX}
%*.*f
windows
MSWHEEL_ROLLMSG
File%d
CMDIFrameWnd
MSH_SCROLL_LINES_MSG
ddeexec
%s\ShellNew
%s\DefaultIcon
%s\shell\printto\%s
%s\shell\print\%s
%s\shell\open\%s
ole32.dll
__MSVCRT_HEAP_SELECT
portuguese-brazilian
user32.dll
VERSION.dll
GetCPInfo
KERNEL32.dll
GetKeyNameTextA
MapVirtualKeyA
UnhookWindowsHookEx
SetWindowsHookExA
GetKeyState
CreateDialogIndirectParamA
GetAsyncKeyState
USER32.dll
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GDI32.dll
comdlg32.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyA
RegOpenKeyExA
RegDeleteKeyA
RegEnumKeyA
RegCreateKeyExA
RegCreateKeyA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
COMCTL32.dll
oledlg.dll
OLEAUT32.dll
c:\snapshot.wwp
snapshot.wwp
notepad.exe
Export
{C6266CF2-244C-45B8-A37A-DBEE76EE58B2}
{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}
WebWhacker For Palm Snapshot
snapshot.htm
URL Protocol
URL: WebWhacker For Palm Protocol
iexplore.exe
.PAVCOleException@@
Ftp_ProxyPort
FTP_Proxy
Http_ProxyPort
HTTP_Proxy
Software\Microsoft\Windows\CurrentVersion\Internet Settings
http:=
http=
;http=
user_pref("network.proxy.http",
user_pref("network.proxy.http_port",
user_pref("network.proxy.type",
user_pref("network.proxy.ftp_port",
user_pref("network.proxy.ftp",
prefs.js
.PAVCFileException@@
user_pref("network.proxy.type", 1);
.html
mozilla.exe
netscape.exe
grabsite.ini
foot.htm
head.htm
contents.htm
index.htm
export.htm
<INSERT URL HERE>
B~.INI
SetUpdateNamePassword
SetPurchaseMsgUpdate
SetPurchaseMsg
SetNewLicenseKeyFlag
SetLicenseKey32
SetClientToServerMsg
GetPurchaseMsgUpdate
GetPurchaseMsg
GetNewLicenseKeyFlag
GetLicenseKey32
%s%siu.exe
IX.dll
Application requires Microsoft Windows 32-bit extensions.
Attempt was made to load a compressed executable file. The file must be decompressed before it can be loaded.
Attempt was made to load a second instance of an executable file containing multiple data segments that were not marked read-only.
Attempt was made to load a real-mode application(developed for an earlier version of Windows)
Type of executable file was unknown
The program is designed for another operating system
Invalid executable, corrupt executable or non-Windows executable
Incorrect version of Windows
Path was not found - %s
File not found - %s
Unable to run %s
System out of memory or executable is corrupt
C:\Programming\PROJECTS\web2pqa\LeftView.cpp
IDispatch error #%d
d:d:d
grabasite.log
C:\Programming\PROJECTS\web2pqa\MainFrm.cpp
<A HREF=hXXp://VVV.bluesquirrel.com/grabasite/download.html>
<A HREF=hXXp://VVV.bluesquirrel.com/grabasite/index.html>
edge.htm
Need a URL to grab.
instaide.dll
%s\x
software\microsoft\windows nt\currentversion\perflib
KERNEL32.DLL
webwhacker
*.bat
CUrlSheet
C:\Programming\PROJECTS\web2pqa\UrlSheet.cpp
%sx%s
URLWiz
C:\Programming\PROJECTS\web2pqa\URLWiz.cpp
URLWizConfig
URLWizFilter
URLWizSched
URLWizSelect
hXXp://VVV.
http-equiv="refresh"
hXXp://VVV.bluesquirrel.com/cart/cart.asp?P=GAS&k=2
\Buy Grab-a-Site.url
hXXp://VVV.bluesquirrel.com/cart/cart.asp?P=GAS&k=1
\~backup\ix.dll
grabasite.bluesquirrel.com
\iundo.exe "Grab-a-Site"
%i %d %t
%dReplace
%dSearch
RunCmd
%b Üontents.htm
command.com /c
(801)352-1551
ix.dll
https:
http:
C:\Programming\PROJECTS\web2pqa\Web2PQA.cpp
CWeb2PQADoc
gsurl.dbf
C:\Programming\PROJECTS\web2pqa\Web2PQADoc.cpp
Advise failed: %x
Advise failed(dialog): %x
Exporting...
pGrabber.CreateInstance FAILED
WebGrabber.Grabber
webgrabber.dll
regsvr32.exe
OPEN=autorun.exe
autorun.inf
autorun.exe
*.htm*
CWeb2PQAView
WWW_OpenURL
WWW_OpenURLResult
An invalid transaction identifier was passed to a DDEML function. Once the application has returned from an XTYP_XACT_COMPLETE callback, the transaction identifier for that callback function is no longer valid.
A parameter failed to be validated by the DDEML. Some of the possible causes follow: The application used a data handle initialized with a different item name handle than was required by the transaction.The application used a data handle that was initialized with a different clipboard data format than was required by the transaction.The application used a client-side conversation handle with a server-side function or vice versa.The application used a freed data handle or string handle.More than one instance of the application used the same object.
A request for a synchronous execute transaction has timed out.
An application initialized as APPCLASS_MONITOR hasattempted to perform a dynamic data exchange (DDE) transaction, or an application initialized as APPCMD_CLIENTONLY has attempted to perform server transactions.
A DDEML function was called without first callingthe DdeInitialize function, or an invalid instanceidentifier was passed to a DDEML function.
Web DDE Error
yyFlexLexer::yylex invoked but %option yyclass used
Warning: This program requires comctl32.dll version 4.71 or greater.
comctl32.dll
&%d %s
%s-SCBar-%d
.?AVCCmdTarget@@
.PAVCException@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCUserException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCResourceException@@
.PAVCMemoryException@@
.PAVCNotSupportedException@@
.?AVCNotSupportedException@@
.?AVCStatusCmdUI@@
.?AVCToolCmdUI@@
.?AVCMDIFrameWnd@@
.PAVCArchiveException@@
zcÁ
%Program Files% (x86)\Grab-a-Site 5.1\grabsite.exe
{4AFE05E6-595E-42A6-907D-CF3B1AE98720} = s 'Web2Palm'
'Web2Palm.EXE'
val AppID = s {4AFE05E6-595E-42A6-907D-CF3B1AE98720}
Web2Palm.Palmer.1 = s 'Web2Palm Class'
CLSID = s '{4D1E5FE6-C4B7-42F3-B359-01A110C236BD}'
Web2Palm.Palmer = s 'Web2Palm Class'
CurVer = s 'Web2Palm.Palmer.1'
ForceRemove {4D1E5FE6-C4B7-42F3-B359-01A110C236BD} = s 'Web2Palm Class'
ProgID = s 'Web2Palm.Palmer.1'
VersionIndependentProgID = s 'Web2Palm.Palmer'
val AppID = s '{4AFE05E6-595E-42A6-907D-CF3B1AE98720}'
'TypeLib' = s '{B0149167-787A-4178-BCC7-3CDA49DFC29B}'
stdole2.tlbWWW
Web2PalmLibW
AddURLWW
urlW
Web2Palm 1.0 Type LibraryW
Web2Palm Class
method AddURLW
333333333
;;<<<><>
_[__[_[[_[[[[
[_[__[[[[_[
;<;><<;<><<?<??
??=??@?@?@@@@
[____[_[_[[_[[
))))(()))
[[_[_[[_
____[_[_
688869899
882()))).
)&&&&&&&&&&&&&&&&%X
&&&&%&%&
>><{<<>?>??
'&&&&&&&&&&%&&&&%X
<<><><<?>?
/0/02009
/00/20209
))))()))
/0/0///0/2/
;;;>>><<
0/202/0:
8868869\
:::;;;:;;;;
223222232355353
:::;:;:;:;;;;>>;<;<>>
@??@?@@@@
0/00/02202222
;>;<><><<
<;;<<><>>
"[_[__[[_[
;>;<<>><>
8588868
__[[__[_[[
????=?=@?@@@@
)%)))()())
/000//2/2
--0-0/-/0//02//2
--.k.kk-k
-)--.----
222225232355535
::;:;::;:;;;;
::;:;:;;;:;;
;<;;<<><<
-.j--.-.kk-
>;<<>>><
;;>;<<>><
-..---0.
//0202022
;>;<;<>><<>
6868868996999
-.-k.kk
::::;:;;;;:
;;>;><<>><
:9::::;::;:;;;;<;;<;<
:9::::;:;;:;;;
00/0/02000
22222255235333
)()())))
????@?@@?@@
//00/0/0220022
222223225233533
-00-00/00
//0/2/222/222322525533535
6888698
=?=@@@@?@@
;;;>>;<{>
2222523233553353338
/002202/2
<<><>><<?
??@?=?@?@@@
--..kk-0
::::;;:;:;;;;
>;;<;<<<<
22222325522355333
?=?=@@?@@@@
/0/00/02/2/2
2222223232533558338
888888889
=??@?@@?@@@@
00//0//202/
["[_[_[[[
00/0/20222
?=??=@@?@@@
[__[[_[[[
____[__[_
__[["[_[[[
/00/0//2
))()()))
"____[_[[
//2022/222322323355533
[[[[_[_[
=??@@?@@@@
&%&&%%&&&%
88888898
022222252525332553
/02202223223553555
-.jk.-kk-
;><><><<
0-/-/0/0/00/22/22
:::;:;;:;;;;
--.---0-
;;;>;><><>
22222523552335355
38688886889
.kk-k/
88888888
[_"[[_[[[
9999:9::::;::;;;;:
[___["[[[
<;<;<<><
00/0220//222
6888888
[[_[_[[[_[[
[_[[_[[[
_"["__[__[[[[_[[
[[_["[[_[[[
222223253555
8688866
523555353
;;;><<<<
9999999
>====|=|?=>
;<><><<<>?
??@?@@?@@@@
::::;:;;;;
_[[[\\\__
;;<><>><
_"[[\[[\\
:::;:;;;:;;;
<>><>>?<
;<><>><<
<<;<;<;>{><<
__["[_[[_[\
____["[[_
["[[[_[_[
_[[[_[[[
[["[_[[[
[__[[[_[[[
___[[_[_[[[
"["[__[__[_[[[[
___[_[[_[[[[
[__[_[_[__
__[_[_[[[_
___[[_[[[
2.%&&'&'&&'&&'&&&&&.vc!Z
!b*&&&%&&&&&&&&&%&&'&.cg
'&&&&&&&&&&&&2)'&&&&&&'&&%&&&&&''.wW
v'&&&&&&&&&&&&&&&&&&&%&&&&&&&&&&&&&&%&%X
v&&&&&&&%&'&&&&'&&.jh&&&&&&&&&&&&&&&&'P
c&%&&&&&&&&&&&&&%X
&&&&'&&&&'&&&&'3
d'&&&&&&&&&&%&&&%X
/'&'&'&''&'&''''2
''&&&'&'&&&''&&&'&'>
[____[_[_[__[____[[_[
0'''&'&'&''&'&''5
;52-))%)%
TU.WRX
1114445
InternetExplorer.Application
&Import URL(s)...
&Export Content...
&URL Properties
Url Menu
URL Properties
Grab URL
Refresh URL
Skip URL
Delete URL
Export URL Tree
Export URL Page
New Url
Large Icon (.BMP):
Small Icon (.BMP):
Please enter the name and location of you're WCA Builder (WCABuild.EXE):
Palm's Web Clipping Application (Palm Query Application) Builder is requirred to build PQA files.
(.GIF, .JPG, .HTM, .HTML)
&Skip this URL
&Url:
(Example: zip,exe,pdf)
URL Wizard (step 1 of 4)
&URL to Add:
URL Wizard (step 2 of 4)
Select the number of levels of this web site you wish to download
Select the types of files that you do not want to download from this web site
URL Wizard (4 of 4)
WebWhacker For Palm
Enter a user name and password if required by this site:
&Password:
Port:
Note: Palm's Web Clipping Application Builder is used to create PQA (Palm Query Application) files.
Web Browser Emulation
Browse Web Pages With:
Shell (command.com /c)
Autorun.inf
URL Wizard (step 3 of 4)
Full URL (hXXp://...)
Enter filename from the edge directory or a fully qualified URL.
VIP Key Error
Error GS0345 - The VIP key you used has been invalidated. Click OK to purchase a new key.
jWebWhacker For Palm
WebWhacker For Palm Files (*.wwp)
WWPalm.Document
WWPalm DocumentXWeb2Help
Web2He
Web2Help Files (*.w2h)
Web2Help.Document
Web2Help DocumentdGrab-a-Site
Grab-a-Site Files (*.gas)
Grab-a-Site.Document
WebWhacker For Palm Options
Browse&WebWhacker For Palm Project Properties
%1LFinished downloading web site(s).
Would you like to build the PQA file now?OThe URL you entered is not valid. The format is:
hXXp://<server>/dir/page.html
Microsoft Web Proxy Server
Wingate SOCKS Proxy Server,Document size filter must be greater that 0.#Levels must be set to 1 or greater.PLevels must be left blank or set to 1 or greater to override
inherited behavior.4Would you like to begin downloading web site(s) now?
WCABuild.exe
Please enter a positive integerLFinished downloading web site(s).
Would you like to build the HLP file now?1There has been an error createding the help file.qThe PQA needs to be rebuilt in order for property changes to
take effect. Would you like to rebuild the PQA now?4hXXp://VVV.palmos.com/dev/tech/tools/wca_builder.zip
hXXp://VVV.bluesquirrel.com/
http:\VVV.palm.comVYou must first enter the URL of at least one
web site that you would like to download.
Import Are you sure you want to delete this URL?
Unable to open file for Import.
GIF Files (*.gif)
*.gif
JPG Files (*.jpg)
*.jpg
HTML Files (*.htm;*.html)
*.htm;*.html
Executable (*.exe)
*.exe
PQA Files (*.pqa)
*.pqa
Bitmap Files (*.bmp)
*.bmp
*.txt
Text Files (*.txt)
The required component IX.DLL was unable to load.
It is recommended that you reinstall Grab-a-Site.ySorry, Grab-a-Site is unable to continue due to authentication
problem. Please call technical support at 1-801-352-1551. You have the latest version of Grab-a-Site.
Unable to launch IUNDO.EXE:hXXp://VVV.bluesquirrel.com/scripts/orderpage.asp?skey=GAS
You can purchase Grab-a-Site at hXXp://VVV.bluesquirrel.com/scripts/orderform.asp?skey=GAS or call at 1-800-403-0925 or 801-352-1551.ChXXp://VVV.bluesquirrel.com/scripts/upgradepage.asp?skey=GASUPGRADE
#Your evaluation period has expired.WWe thank you for evaluating this product and look forward to serving you in the future.
1-801-352-1551 Sales:1-800-403-0925>E-mail: info@bluesquirrel.com
WWW: hXXp://VVV.bluesquirrel.com
The required component IU.EXE was not found.
Printed <Úte%>
: <%company%>
: <%city%>
: <%state%>
: <%country%>
: <úx%>
How did you find out about WebWhacker For Palm?
WebWhacker For Palm Order Form
: $49.95**
: <%creditcardtype%>
: <%creditcardnumber%>
Grab-a-Site V.I.P. Key Form
WebWhacker For Palm VIP Key Form
V.I.P. Key
: <%vipkey%>
Insert a new URL
'Begin Grabbing Web Site(s)
Properties"Edit URL Properties
URL Properties:Open local version of URL in your Browser
Browse Local URL>Open the PQA version of this URL in you Browser
Browse PQA URL
.Check for an online update to this application1Revert back to the version before the last update#Invoke the InstantX Settings dialog"Don't include this URL in the PQA.
,Begin Refreshing Web Site(s)
Refresh Site(s)<Open remote version of URL in your Browser
Browse Remote URL
Delete Selected URL
Delete4Visit the Blue Squirrel Web Site
Register WebWhacker For Palm
*Begin Grabbing Selected Web Site
Grab Site/Begin Refreshing Selected Web Site
View ContentsMImport URL(s) from a Text or HTML file into the current project
Import URL(s)%Export grabbed content
Export Content
Replace%Select the entire document
All Files (*.*)
No error message is available.'An unsupported operation was attempted.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else..An unexpected error occurred while reading %1..An unexpected error occurred while writing %1.
#Unable to load mail system support.
Access to %1 was denied..An invalid file handle was associated with %1.<%1 could not be removed because it is the current directory.6%1 could not be created because the directory is full.
Seek failed on A hardware I/O error was reported while accessing %1.0A sharing violation occurred while accessing %1.0A locking violation occurred while accessing %1.
Disk full while accessing %1..An attempt was made to access %1 past its end.
No error occurred.-An unknown error occurred while accessing %1./An attempt was made to write to the reading %1..An attempt was made to access %1 past its end.0An attempt was made to read from the writing %1.
5.0.1.1
grabsite.exe

WORDPAD.EXE_1672:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
GDI32.dll
USER32.dll
MFC42u.dll
msvcrt.dll
COMDLG32.dll
SHELL32.dll
ole32.dll
SHLWAPI.dll
COMCTL32.dll
OLEAUT32.dll
PROPSYS.dll
RPCRT4.dll
WINMM.dll
urlmon.dll
XmlLite.dll
VERSION.dll
Wordpad.exe
SSSh,
 FtPW
1.1.4
application/vnd.oasis.opendocument.text
u%Sjo
PVSSh
COMDLG32.DLL
Invalid parameter passed to C runtime function.
oledlg.dll
gdiplus.dll
WININET.dll
GdiplusShutdown
InternetCanonicalizeUrlW
ntdll.dll
RegCloseKey
RegOpenKeyExW
RegQueryInfoKeyW
RegDeleteKeyW
RegCreateKeyExW
RegEnumKeyExW
GetProcessHeap
GetViewportOrgEx
GetKeyboardLayout
EnumWindows
GetKeyState
UnhookWindowsHookEx
SetWindowsHookExW
__crtLCMapStringW
__crtGetStringTypeW
_amsg_exit
_wcmdln
ShellExecuteExW
ShellExecuteW
wordpad.pdb
.PAVCException@@
.PAVCFileException@@
.?AVCCmdTarget@@
.?AVCDummyCmdUI@@
.?AVCCmdUI@@
.?AVCUnsupportedElement@@
.?AVUnsupportedSaveFormatDialog@@
.?AVXCmdGalSiteCommandHandler@CCommandGalSite@@
name="Microsoft.Windows.Shell.wordpad"
version="5.1.0.0"
<description>Windows Shell</description>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
<windowsSettings>
<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
</windowsSettings>
;:::999966
-d}y[s
!$$$%'*,112
...3.433345
...33335555
54445555555
45555555555
$555-5555&
4 HuJ.gI
=7.pp9
52511515111111115
)))')')')
.Ess3
/1/1/1//1///
2222222222
22222222220000000
2222222222000000
22222220002
2222002
22222222222222222
22222202
2222222
22222222222
(''''&%%
''%%%'%'%
@.lF!=^
.pppF
/888 888
>888)888
9888#888
888ˆ8/
888!888)8881
888 888$888)88808884
3888(888
7888&888
888 888(8881
888#888(888/8883
>888;88878887888:
<888#888
2229222
2220222
888 888ˆ8 8881
%Mgr.RhY4RfE5Qd:5w
y'MfR Og>-Qh".Sj
Kha"OjR(RkB.Sj42Sh04Re15Re!5Rf
Nkh$RnZ)VoH.Wn92Wn.5Vk'6Th 5Qe
poq.uuv
ppq.qpq
[[[%UUU
KEYW
1 1(14181]1
:,:0:8:<:
9!9&9&:0:5:
8$81878=8
2&323>3\3
6o6x6
4"4(4.4\4
:(:.:4:_:
: :$:(:,:0:4:8:
3#3'3 3/3
11X1
1'282@2~2
3 3$3(3,30343
Microsoft\Windows\CurrentVersion\Applets
WORDPAD.HLP
w:tcPr
w:webSettings
w:webHidden
Software\Microsoft\Windows\CurrentVersion\Wordpad\COMChecks
MSFTEDIT.DLL
DOCX Element With Id: %d,ParentId: %d
Ignoring Error: Func %s Line %d: setting line rule to auto
\u%d?
.docx
#%;\<>:/|"?*
Ignoring Error: Func %s Line %d: unknown tab leader set to none, %ws
hXXp://VVV.w3.org/XML/1998/namespace
hXXp://schemas.microsoft.com/office/word/2006/wordml
hXXp://schemas.openxmlformats.org/wordprocessingml/2006/main
hXXp://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
hXXp://schemas.openxmlformats.org/officeDocument/2006/math
hXXp://schemas.openxmlformats.org/markup-compatibility/2006
hXXp://schemas.openxmlformats.org/officeDocument/2006/relationships
hXXp://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink
application/vnd.openxmlformats-package.core-properties xml
application/vnd.openxmlformats-officedocument.wordprocessingml.webSettings xml
application/vnd.openxmlformats-officedocument.wordprocessingml.fontTable xml
application/vnd.openxmlformats-officedocument.theme xml
application/vnd.openxmlformats-officedocument.wordprocessingml.settings xml
application/vnd.openxmlformats-officedocument.extended-properties xml
text:url
text:report-type
text:use-keys-as-entries
text:protection-key
text:key2-phonetic
text:key2
text:key1-phonetic
text:key1
text:key
table:sql-statement
table:protection-key
table:password
table:parse-sql-statement
table:operator
table:execute
smil:keyTimes
smil:keySplines
draw:stroke-linejoin
hXXp://VVV.w3.org/2002/xforms
hXXp://VVV.w3.org/1998/Math/MathML
hXXp://VVV.w3.org/1999/xlink
hXXp://purl.org/dc/elements/1.1/
application/vnd.openxmlformats-officedocument.wordprocessingml.styles xml
/word/styles.xml
hXXp://schemas.openxmlformats.org/officeDocument/2006/relationships/styles
application/vnd.openxmlformats-officedocument.wordprocessingml.document.main xml
word/document.xml
hXXp://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument
application/vnd.openxmlformats-officedocument.wordprocessingml.numbering xml
/word/numbering.xml
numbering.xml
hXXp://schemas.openxmlformats.org/officeDocument/2006/relationships/numbering
OLEUI_MSG_HELP
text:sort-key
text:keywords
text:execute-macro
table:operation
table:database-source-sql
meta:keyword
form:password
config:config-item-map-indexed
Ignoring Error: Func %s Line %d: AppendWpadFormat failed for element:%ws
Ignoring Error: Func %s Line %d: Picture has size 0.Skipping Picture.
Ignoring Error: Func %s Line %d: OLE Object has size 0.Skipping OLE Object.
Ignoring Error: Func %s Line %d: Failed to Embed an OLE object
Ignoring Error: Func %s Line %d: skipping this oleobject
should have fSupported = %d.
Ignoring Error: Func %s Line %d: %ws
Ignoring hr=0X%0x for elem=%s attr=%s val=%s
Error: Func %s Line %d: Not a Cell Element inside the Table
Error: Func %s Line %d: Not a Row Element inside the Table
Error: Func %s Line %d: No. of cells > richedit maximum!
Ignoring Error: Func %s Line %d: %s
Error: Func %s Line %d: min cell width 1 twip for RE 4.1
Error: Func %s Line %d: insert in map failed, out of memory ?
Ignoring Error: Func %s Line %d: Ignoring error on start of elem
Error: Func %s Line %d: Out of memory for m_pParaFmtAlloc
Error: Func %s Line %d: Out of memory for m_pCharFmtAlloc
Error: Func %s Line %d: Out of memory for m_pRowWithMaskAlloc
Error: Func %s Line %d: Out of memory for m_pCellWithMaskAlloc
Ignoring Error: Func %s Line %d: table row has fewer cells than defined in grid
Error: Func %s Line %d: GetTempPath failed
Error: Func %s Line %d: GetTempFileName failed
Error: Func %s Line %d: Out of memory for temp file name
Ignoring Error: Func %s Line %d: Unable to insert style: %s
Ignoring Error: Func %s Line %d: Unable to insert default format
Ignoring Error: Func %s Line %d: mapping bar tab to left aligned tab
\StringFileInfo\xx\OriginalFilename
\sppsvc.exe
\slui.exe
\sppuinotify.dll
Ignoring Error: Func %s Line %d: Table is corrupt. Ignoring Table.
Error: Func %s Line %d: invalid value %ws
Ignoring Error: Func %s Line %d: AppendWpadFormat failed for table properties.
Ignoring Error: Func %s Line %d: AppendWpadFormat failed for style:%ws
/word/document.xml
Error: Func %s Line %d: %ws
hr=%d from xml lite for string %s
styles.xml
Error: Func %s Line %d: family outside Array!
Error: Func %s Line %d: Out of memory for pParaFmtAlloc
meta.xml
Error: Func %s Line %d: Insert object failed
Error: Func %s Line %d: Table Style given but not found
Error: Func %s Line %d: No name specified for this formatting element to be used
Error: Func %s Line %d: Invalid element
Error: Func %s Line %d: mask not set in parent
Error: Func %s Line %d: negative lenght not allowed
Error: Func %s Line %d: Out of memory
%0.6fin solid #xxx
>Tabled
TableColumndd
TableRowdd
TableCellddd
mshelp://windows/?id=7479c387-8dc4-40b6-9506-cc7a58c61f0a
xPTF.
https:
http:
Software\Microsoft\Windows\CurrentVersion\Applets\
A%s\%s
pct%d
pkgRId%d
docRId%d
width:%fpt;height:%fpt
rectole%s
hXXp://schemas.openxmlformats.org/officeDocument/2006/relationships/image
application/vnd.openxmlformats-officedocument.oleObject
hXXp://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject
%s%d%s
0d
XXX
?hXXp://xml.org/sax/features/namespace-prefixes
Ignoring Error: Func %s Line %d: discarding hidden table
Ignoring Error: Func %s Line %d: %ws not list style
Ignoring Error: Func %s Line %d: failure:%ws
Ignoring Error: Func %s Line %d: list level not found:%ws
Ignoring Error: Func %s Line %d: style not found:%ws
Ignoring Error: Func %s Line %d: Skipped an element inside draw:frame
Ignoring Error: Func %s Line %d: discarding hidden draw frame
Ignoring Error: Func %s Line %d: Could not resolve style %ws
family %d name %s
Ignoring Error: Func %s Line %d: Could not resolve default style of family %ws
Error: Func %s Line %d: Row Style element given but not found
Error: Func %s Line %d: Truncating large count specified for text:s
Error: Func %s Line %d: No style for Table Found
Ignoring Error: Func %s Line %d: Resolve() failed
Error: Func %s Line %d: duplicate list level
Error: Func %s Line %d: list level too deep
Ignoring Error: Func %s Line %d: using default bullet char formatting
Ignoring Error: Func %s Line %d: too many tab stops, discarding one
Error: Func %s Line %d: level not specified
Error: Func %s Line %d: tabstop should be child of tabstops and grandchild of para properties
Ignoring Error: Func %s Line %d: tab stop alignment or leader was mapped
Ignoring Error: Func %s Line %d: unsupported or invalid char for tab type char
Ignoring Error: Func %s Line %d: No position for tab stop!
Error: Func %s Line %d: parent style not found: %ws
Ignoring Error: Func %s Line %d: Style not found:%ws
Error: Func %s Line %d: font scale/delta without parent char format/size
Error: Func %s Line %d: font scale/delta without parent style
Error: Func %s Line %d: No paraformat in parent style to resolve
Error: Func %s Line %d: No parent style found to resolve
Ignoring Error: Func %s Line %d: tab char is not one char!
Ignoring Error: Func %s Line %d: invalid line style: %ws
Ignoring Error: Func %s Line %d: invalid line type: %ws
Ignoring Error: Func %s Line %d: invalid line Width: %ws
Ignoring Error: Func %s Line %d: invalid tab position:%ws
Ignoring Error: Func %s Line %d: invalid tab type:%ws
Ignoring Error: Func %s Line %d: invalid or unsupported attribute: %ws
Error: Func %s Line %d: unknown attribute %s
Error: Func %s Line %d: invalid style family %s
Error: Func %s Line %d: unexpcted parent type
COdtAttributeParser::OdtPfFromMarginLeftParent
Error: Func %s Line %d: GetDC Failed
Error: Func %s Line %d: percentage not allowed: %ws
Error: Func %s Line %d: doing nothing for conditionally hidden text, will display by default
Ignoring Error: Func %s Line %d: Too long font name:%ws
Error: Func %s Line %d: need non-empty font family
Error: Func %s Line %d: unsupported or invalid text transform %ws
Error: Func %s Line %d: mapping double strikeout to single strikeout
Ignoring Error: Func %s Line %d: unknown writing mode %ws
Error: Func %s Line %d: %% font height unsupported for %ws
Error: Func %s Line %d: Mapping text-position %s to subscript
Error: Func %s Line %d: Mapping text-position %s to superscript
dODT Element With Id: %d,ParentId: %d
2 15 5 2 2 2 4 3 2 4
Error: Func %s Line %d: PFM_RTLPARA not set
Error: Func %s Line %d: PFM_SPACEAFTER not set
Error: Func %s Line %d: PFM_SPACEBEFORE not set
Error: Func %s Line %d: right indent not set
Error: Func %s Line %d: offset not set
Error: Func %s Line %d: start indent not set
Error: Func %s Line %d: alignment not set
Error: Func %s Line %d: line spacing not set
Error: Func %s Line %d: Unknown line spacing rule
Error: Func %s Line %d: CFM_STRIKEOUT not set
Error: Func %s Line %d: CFM_ITALIC not set
Error: Func %s Line %d: CFM_IMPRINT not set
Error: Func %s Line %d: both CFE_EMBOSS and CFE_IMPRINT are set, discarding imprint
Error: Func %s Line %d: CFM_EMBOSS not set
Error: Func %s Line %d: CFM_SHADOW not set
Error: Func %s Line %d: CFM_OUTLINE not set
Error: Func %s Line %d: CFM_HIDDEN not set
Error: Func %s Line %d: CFM_ALLCAPS not set
Error: Func %s Line %d: CFM_SMALLCAPS not set
Error: Func %s Line %d: text color not set
Error: Func %s Line %d: back color not set
#xxx
Error: Func %s Line %d: CFM_FACE not set
Error: Func %s Line %d: weight / bold not set
Error: Func %s Line %d: offset/subscript/superscript not set
Error: Func %s Line %d: conflict for subscript and superscript
Error: Func %s Line %d: CFM_SIZE not set
#%2x%2x%2x
Error: Func %s Line %d: PFM_NUMBERING not set
META-INF/manifest.xml
content.xml
OleObj%d
Error: Func %s Line %d: Numbering flag not set
Error: Func %s Line %d: table row end outside table!
windows
UIInitPropertyFromString(UIKEY_Title) failed
{mswrd8.wpc
write.wpc
mswrd6.wpc
Windows Wordpad Application
6.1.7601.17514 (win7sp1_rtm.101119-1850)
WORDPAD.EXE
Windows
Operating System
6.1.7601.17514
Microsoft-Windows-Wordpad/Diagnostic
Microsoft-Windows-Wordpad/Debug
Microsoft-Windows-Wordpad/Admin
Wordpad_LivePreviewExecute


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    TPAutoConnSvc.exe:1776
    grabsite.exe:1040
    regsvr32.exe:3644
    %original file name%.exe:3716
    27978af6bfb56660e238499c89669c3c.tmp:2484

  2. Delete the original Worm file.
  3. Delete or disinfect the following files created/modified by the Worm:

    %Program Files% (x86)\Grab-a-Site 5.1\ix.dll (716 bytes)
    %Program Files% (x86)\Grab-a-Site 5.1\grabsite.INI (28 bytes)
    %Program Files% (x86)\Grab-a-Site 5.1\WebGrabber.dll (712 bytes)
    %Program Files% (x86)\Grab-a-Site 5.1\pi.dll (131 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MPIKU.tmp\27978af6bfb56660e238499c89669c3c.tmp (1423 bytes)
    %Program Files% (x86)\Grab-a-Site 5.1\is-ECLB2.tmp (289 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-482OA.tmp\_isetup\_shfoldr.dll (47 bytes)
    %Program Files% (x86)\Grab-a-Site 5.1\is-74JU1.tmp (5109 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Grab-a-Site\Grab-a-Site Help.lnk (1 bytes)
    %Program Files% (x86)\Grab-a-Site 5.1\Edge\is-RL3EB.tmp (11 bytes)
    %Program Files% (x86)\Grab-a-Site 5.1\is-T9JMM.tmp (186 bytes)
    %Program Files% (x86)\Grab-a-Site 5.1\is-DG9RB.tmp (14 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Grab-a-Site\Grab-a-Site ReadMe.lnk (990 bytes)
    %Program Files% (x86)\Grab-a-Site 5.1\is-1ME24.tmp (23 bytes)
    %Program Files% (x86)\Grab-a-Site 5.1\is-D5M1P.tmp (7547 bytes)
    %Program Files% (x86)\Grab-a-Site 5.1\is-1093R.tmp (407 bytes)
    %Program Files% (x86)\Grab-a-Site 5.1\is-HLA0C.tmp (4545 bytes)
    %Program Files% (x86)\Grab-a-Site 5.1\is-3NKQ3.tmp (30 bytes)
    %Program Files% (x86)\Grab-a-Site 5.1\is-JQC9U.tmp (132 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Grab-a-Site\Blue Squirrel.lnk (836 bytes)
    %Program Files% (x86)\Grab-a-Site 5.1\is-T0507.tmp (206 bytes)
    %Program Files% (x86)\Grab-a-Site 5.1\unins000.dat (1376 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-482OA.tmp\_isetup\_setup64.tmp (6 bytes)
    %Program Files% (x86)\Grab-a-Site 5.1\is-CBQID.tmp (3073 bytes)
    %Program Files% (x86)\Grab-a-Site 5.1\Edge\is-6GA2P.tmp (1 bytes)
    %Program Files% (x86)\Grab-a-Site 5.1\is-8SVDJ.tmp (603 bytes)
    %Program Files% (x86)\Grab-a-Site 5.1\is-6E51A.tmp (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-482OA.tmp\_isetup\_RegDLL.tmp (4 bytes)
    %Program Files% (x86)\Grab-a-Site 5.1\is-GOMKQ.tmp (40 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Grab-a-Site\Grab-a-Site 5.lnk (1 bytes)
    %Program Files% (x86)\Grab-a-Site 5.1\grabsite.exe (49 bytes)
    %Program Files% (x86)\Grab-a-Site 5.1\is-99FQ1.tmp (673 bytes)
    %Program Files% (x86)\Grab-a-Site 5.1\is-M90HH.tmp (4545 bytes)
    %Program Files% (x86)\Grab-a-Site 5.1\is-EE0M9.tmp (2105 bytes)
    %Program Files% (x86)\Grab-a-Site 5.1\is-IGF3R.tmp (601 bytes)
    %Program Files% (x86)\Grab-a-Site 5.1\REGSVR32.EXE (32 bytes)
    %Program Files% (x86)\Grab-a-Site 5.1\unins000.msg (463 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
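The six manual removal steps above, collected into one PowerShell script. This is an added example, not part of the Lavasoft report and not the sandbox's own tooling. Assumptions beyond what the report states: the report's %Program Files% (x86) is ${env:ProgramFiles(x86)} and its ...\AppData\Local\Temp is $env:LOCALAPPDATA\Temp; the "Grab-a-Site 5.1" directory and the Start Menu "Grab-a-Site" folder are removed whole because every file the report lists lives under them (the is-XXXXX.tmp names are Inno Setup temporaries and vary per run); TPAutoConnSvc.exe is skipped because it is normally VMware's ThinPrint service in an analysis VM rather than the sample's own process, so confirm that on your host before killing it; the helper name Get-AutorunTargets is the author's own; and "ClearMyTracksByProcess 8" is the Internet Options call that clears Temporary Internet Files. The dropper itself (%original file name%.exe) has no path in the report, so step 2 must be done by hand. Run with -WhatIf first.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Lavasoft report): manual removal steps 1-6 as one script.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

# Assumption: report's %Program Files% (x86) -> ${env:ProgramFiles(x86)},
# and its ...\AppData\Local\Temp -> $env:LOCALAPPDATA\Temp.
$pf86     = ${env:ProgramFiles(x86)}
$tmp      = Join-Path $env:LOCALAPPDATA 'Temp'
$sampleId = '27978af6bfb56660e238499c89669c3c'

# Step 1: terminate the processes the report attributes to the sample.
# Get-Process matches the image name without extension, so the .tmp process
# is matched by its hash. TPAutoConnSvc.exe is left out on purpose: it is
# normally VMware's ThinPrint service in the analysis VM (assumption).
foreach ($name in @('grabsite', 'regsvr32', $sampleId)) {
    Get-Process -Name $name -ErrorAction SilentlyContinue | ForEach-Object {
        if ($PSCmdlet.ShouldProcess("$($_.ProcessName) (PID $($_.Id))", 'Stop-Process')) {
            Stop-Process -Id $_.Id -Force
        }
    }
}

# Steps 2-3: every file listed in the report sits under one of these paths,
# so the directories are removed whole. The original dropper has no path in
# the report and must be deleted by hand (step 2).
$paths = @(
    (Join-Path $pf86 'Grab-a-Site 5.1'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Grab-a-Site'),
    (Join-Path $tmp 'is-MPIKU.tmp'),
    (Join-Path $tmp 'is-482OA.tmp')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        Remove-Item -LiteralPath $p -Recurse -Force   # honours -WhatIf
    }
}

# Step 4: clear Temporary Internet Files (Internet Options "Delete", flag 8).
if ($PSCmdlet.ShouldProcess('Temporary Internet Files', 'Clear')) {
    Start-Process -FilePath 'RunDll32.exe' -ArgumentList 'InetCpl.cpl,ClearMyTracksByProcess 8' -Wait
}

# Step 5: on each removable drive, read autorun.inf, find the file(s) it
# launches (open=, shellexecute=, shell\<verb>\command=) and delete both.
function Get-AutorunTargets {
    param([string]$InfPath)
    $pattern = '^\s*(open|shellexecute|shell\\[^=\\]+\\command)\s*=\s*(.+)$'
    Get-Content -LiteralPath $InfPath -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_ -match $pattern) {
            $value = $Matches[2].Trim()
            # A quoted path may contain spaces; otherwise take the first token
            # and drop any command-line arguments that follow it.
            if ($value.StartsWith('"') -and $value.IndexOf('"', 1) -gt 1) {
                $value.Substring(1, $value.IndexOf('"', 1) - 1)
            } else {
                ($value -split '\s+')[0]
            }
        }
    } | Sort-Object -Unique
}

# DriveType 2 = removable disk (Windows PowerShell 3.0+ for Get-CimInstance).
Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $root = $_.DeviceID + '\'
    $inf  = Join-Path $root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { return }   # next drive
    foreach ($target in Get-AutorunTargets -InfPath $inf) {
        $file = if ([IO.Path]::IsPathRooted($target)) { $target } else { Join-Path $root $target }
        if (Test-Path -LiteralPath $file) {
            Remove-Item -LiteralPath $file -Force      # -Force also removes hidden/read-only copies
        }
    }
    Remove-Item -LiteralPath $inf -Force
}

# Step 6: reboot so no injected code (the report names WORDPAD.EXE) survives.
if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Restart-Computer')) {
    Restart-Computer -Force
}
```

Because the script declares SupportsShouldProcess, `.\remove.ps1 -WhatIf` lists every process, directory and autorun target it would touch without changing anything; run it again without -WhatIf once the list matches what you expect. If the host is not a VM and TPAutoConnSvc.exe is present, check its signer and path before deciding whether to add it to the process list.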
