Worm.Win32.Dorkbot_33915680fa

by malwarelabrobot on June 29th, 2014 in Malware Descriptions.

Trojan.Win32.Yakes.ffjd (Kaspersky), Trojan.GenericKD.1731252 (B) (Emsisoft), Trojan.GenericKD.1731252 (AdAware), Backdoor.Win32.Farfli.FD, Worm.Win32.Dorkbot.FD, Sinowal.YR, WormDorkbot.YR, GenericUDPFlooder.YR, GenericIRCBot.YR, GenericMSNWorm.YR, GenericUSBInfector.YR, GenericDNSBlocker.YR, GenericDownloader.YR, GenericAutorunWorm.YR, GenericSYNFlooder.YR, GenericInjector.YR, BankerGeneric.YR, GenericProxy.YR, GenericPhysicalDrive0.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Backdoor, Flooder, Worm, WormAutorun, IRCBot, MSNWorm, DNSBlocker, UDPFlooder, SYNFlooder, Trojan-Proxy, USBInfector


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 33915680fa02dae944b5b00dd0b72d71
SHA1: 52d1e45e4d3789c795852e73f68489cd16c0e317
SHA256: d01d0a7633d1b52a43f0038107c12300fb81428bae4d4239a06aaec2eb377bab
SSDeep: 6144:FSFNQ08XETv/Dwmxiv//jUD6M2Auezhu534zesTNj89:FSF6rXETU5PjkF3NR3Txs
Size: 302080 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-06-25 12:04:59
Analyzed on: WindowsXP SP3 32-bit


Summary:

Worm. A program that is primarily replicating on networks or removable drives.

Payload

Behaviour Description
WormAutorun A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
IRCBot A bot can communicate with command and control servers via IRC channel.
MSNWorm A worm can spread its copies through the MSN Messanger.
DNSBlocker A program can block designated DNS servers for making it difficult for users to locate specific domains or web sites on the Internet.
UDPFlooder This program can make a UDP flood. A UDP flood attack is a denial-of-service attack using the User Datagram Protocol (UDP). It can be initiated by sending a large number of UDP packets to random ports on a remote host.
SYNFlooder This program can make a SYN flood. It is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
Trojan-Proxy This program can launch a proxy server (SOCKS4) on a designated TCP port.
USBInfector A program can register a device notification with the help of RegisterDeviceNotification. So it is notified when a USB device is plugged and then the worm copies itself to the USB device plugged into the affected computer.


Process activity

The Worm creates the following process(es):

%original file name%.exe:1288

The Worm injects its code into the following process(es):

svchost.exe:172
notepad.exe:1368
calc.exe:348
Explorer.EXE:880
xziujxahjas.exe:1100

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1288 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\My Documents\My Videos\Desktop.ini (312 bytes)

The Worm deletes the following file(s):

%Program Files%\Common Files\CreativeAudio\desktop.ini (0 bytes)

Registry activity

The process %original file name%.exe:1288 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 AC EA 14 31 68 6C 58 4D CC 02 7F 99 2B 4C CC"

[HKCU\Software\Win7zip]
"uuid" = "5A 84 38 BF 3E E0 5B 4F AE E8 D9 5D 95 EE B0 A8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"My Video" = "%Documents and Settings%\%current user%\My Documents\My Videos"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Classes\CLSID\{5A8438BF-3EE0-5B4F-AEE8-D95D95EEB0A8}\0E7302EC\CG1]
"HAL" = "05 EE 00 00"
"BID" = "20 00 08 00 1C 00 06 00 DE 07 00 00 14 00 88 FF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jwvrjsnjb.exe]
"DisableExceptionChainValidation" = ""

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
A program can register a device notification with the help of RegisterDeviceNotification. So it is notified when a USB device is plugged and then the worm copies itself to the USB device plugged into the affected computer.
A worm can spread its copies through the MSN Messanger.

VersionInfo

Company Name: Yandex
Product Name: Yandex.Disk
Product Version: 1.2.3.4532
Legal Copyright: (c) 2012-2014 YANDEX
Legal Trademarks:
Original Filename: YandexDiskStarter.exe
Internal Name: YandexDiskStarter
File Version: 1.2.3.4532
File Description: YandexDiskStarter
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 62437 62464 4.30973 84926deec295327aac6ecc998264bcc0
.rdata 69632 12826 13312 3.82477 a632cb13ee12b12ece2b1c08a160a3ff
.data 86016 67552 3584 1.89377 1dfdb3d269b4851702e4434eceb6928a
.rsrc 155648 221208 221696 4.91308 51c35e9c2992f8c58fea2b79e2eb6d98

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Worm connects to the servers at the folowing location(s):

svchost.exe_172:

.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512

svchost.exe_172_rwx_00090000_00029000:

.text
`.data
.rsrc
@.reloc
*windows defender*
*windowsupdate*
*drweb*
dwwin.exe
kernel32.dll
iphlpapi.dll
GetExtendedTcpTable
GetOwnerModuleFromTcpEntry
%systemroot%
%programfiles%\Common Files\*\*.exe
%appdata%\Identities\*.exe
%root%\RECYCLER\S-1-5-21-0243556031-888888379-*\*.exe
ole32.dll
/c "%%SystemRoot%%\explorer.exe %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"
/c "start %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"
%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe
%SystemRoot%\system32\SHELL32.dll
%s\c731200
%s\%s
%s\%s.lnk
Windows_Shared_Mutex_231_c000100
ntdll.dll
\ScreenSaverPro.scr
\temp.bin
user32.dll
advapi32.dll
shell32.dll
urlmon.dll
wininet.dll
gdi32.dll
rpcrt4.dll
netapi32.dll
*.exe
.gonewiththewings
*.gonewiththewings
WinExec
URLDownloadToFileA
http://www.google.com
\calc.exe
\Reader_sl.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
notepad.exe
\notepad.exe
\svchost.exe
WindowsId
Identities\%s
%s\%s\%s.exe
:Zone.Identifier
.quarantined
"%s" -shell
"%s" -bind
userinit.exe
explorer.exe
Windows critical error, require reboot
Windows Update
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
GetProcessHeap
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyA
RegEnumKeyA
RegCreateKeyExA
RegOpenKeyExA
ADVAPI32.dll
ShellExecuteExW
SHELL32.dll
SetTcpEntry
SHLWAPI.dll
RPCRT4.dll
NETAPI32.dll
DNSAPI.dll
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Software\WindowsId Manager Reader
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
WindowsMark
m1xg.org
mxxtxxt.biz
meob.me
%System%\notepad.exe
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0A
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
%s_%d
-%sMutex
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
ftp://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
httpi
dnsapi.dll
http://%s/%s
http://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
http://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
URLDownloadToFileW
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
Secur32.dll
ShellExecuteA
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
WS2_32.dll
MSVCRT.dll
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
RegNotifyChangeKeyValue
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
http://api.wipmania.com/
\\.\pipe\x_ipc
7 767<7~7
8*808;8~8
{A5DCBF10-6530-11D2-901F-00C04FB951ED}
shlwapi.dll
crypt32.dll
wtsapi32.dll
samcli.dll
netutils.dll
userenv.dll
WindowsSecondaryDesktop
\charmap.exe
\Windows Media Player\wmprph.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\xziujxahjas.exe
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
Aadvapi32.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

svchost.exe_172_rwx_009B0000_00029000:

.text
`.data
.rsrc
@.reloc
*windows defender*
*windowsupdate*
*drweb*
dwwin.exe
kernel32.dll
iphlpapi.dll
GetExtendedTcpTable
GetOwnerModuleFromTcpEntry
%systemroot%
%programfiles%\Common Files\*\*.exe
%appdata%\Identities\*.exe
%root%\RECYCLER\S-1-5-21-0243556031-888888379-*\*.exe
ole32.dll
/c "%%SystemRoot%%\explorer.exe %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"
/c "start %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"
%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe
%SystemRoot%\system32\SHELL32.dll
%s\c731200
%s\%s
%s\%s.lnk
Windows_Shared_Mutex_231_c000100
ntdll.dll
\ScreenSaverPro.scr
\temp.bin
user32.dll
advapi32.dll
shell32.dll
urlmon.dll
wininet.dll
gdi32.dll
rpcrt4.dll
netapi32.dll
*.exe
.gonewiththewings
*.gonewiththewings
WinExec
URLDownloadToFileA
http://www.google.com
\calc.exe
\Reader_sl.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
notepad.exe
\notepad.exe
\svchost.exe
WindowsId
Identities\%s
%s\%s\%s.exe
:Zone.Identifier
.quarantined
"%s" -shell
"%s" -bind
userinit.exe
explorer.exe
Windows critical error, require reboot
Windows Update
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
GetProcessHeap
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyA
RegEnumKeyA
RegCreateKeyExA
RegOpenKeyExA
ADVAPI32.dll
ShellExecuteExW
SHELL32.dll
SetTcpEntry
SHLWAPI.dll
RPCRT4.dll
NETAPI32.dll
DNSAPI.dll
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Software\WindowsId Manager Reader
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
WindowsMark
m1xg.org
mxxtxxt.biz
meob.me
%System%\notepad.exe
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0A
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
%s_%d
-%sMutex
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
ftp://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
httpi
dnsapi.dll
http://%s/%s
http://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
http://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
URLDownloadToFileW
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
Secur32.dll
ShellExecuteA
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
WS2_32.dll
MSVCRT.dll
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
RegNotifyChangeKeyValue
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
http://api.wipmania.com/
\\.\pipe\x_ipc
7 767<7~7
8*808;8~8
{A5DCBF10-6530-11D2-901F-00C04FB951ED}
shlwapi.dll
crypt32.dll
wtsapi32.dll
samcli.dll
netutils.dll
userenv.dll
WindowsSecondaryDesktop
\charmap.exe
\Windows Media Player\wmprph.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\xziujxahjas.exe
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
Aadvapi32.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

notepad.exe_1368:

.text
`.data
.rsrc
comdlg32.dll
SHELL32.dll
WINSPOOL.DRV
COMCTL32.dll
msvcrt.dll
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
notepad.chm
hhctrl.ocx
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
notepad.pdb
t%SSh
_acmdln
RegCloseKey
RegCreateKeyW
RegOpenKeyExA
SetViewportExtEx
GetKeyboardLayout
name="Microsoft.Windows.Shell.notepad"
version="5.1.0.0"
Windows Shell
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
&*$#$$#$*
MMMrMMM`MMMRMMMFMMM:MMM.MMM"MMM
*.txt
/.SETUP
5.1.2600.5512 (xpsp.080413-2105)
NOTEPAD.EXE
Windows
Operating System
5.1.2600.5512
notepad.hlp
Text Documents (*.txt)
You cannot quit Windows because the Save As dialog
dialog box, and then try quitting Windows again.
Common Dialog error (0xx)
Not enough memory available to complete this operation. Quit one or more applications to increase available memory, and then try again.KThe %% file is too large for Notepad.
Not a valid file name.MCannot create the %% file.
Make sure that the path and filename are correct.RCannot carry out the Word Wrap command because there is too much text in the file.
Page %d
Ln %d, Col %d

calc.exe_348:

.text
`.data
.rsrc
SHELL32.dll
msvcrt.dll
ADVAPI32.dll
KERNEL32.dll
GDI32.dll
USER32.dll
hhctrl.ocx
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
calc.pdb
j.OXO
_acmdln
RegCloseKey
RegOpenKeyExA
name="Microsoft.Windows.Shell.calc"
version="5.1.0.0"
Windows Shell
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
CalcMsgPumpWnd
The requested operation may take a very long time to complete.
Do you want to let the calculation continue, or stop the operation now?
Windows Calculator application file
5.1.2600.0 (xpclient.010817-1148)
CALC.EXE
Windows
Operating System
5.1.2600.0
Operation was canceled.-Calc does not have enough memory to continue.eThe requested function may take a very long time to complete.
Do you want to abort the operation now?
calc.hlp
Cannot open Clipboard.TThere is not enough memory for data.
calc.chm

notepad.exe_1368_rwx_000A0000_00029000:

.text
`.data
.rsrc
@.reloc
*windows defender*
*windowsupdate*
*drweb*
dwwin.exe
kernel32.dll
iphlpapi.dll
GetExtendedTcpTable
GetOwnerModuleFromTcpEntry
%systemroot%
%programfiles%\Common Files\*\*.exe
%appdata%\Identities\*.exe
%root%\RECYCLER\S-1-5-21-0243556031-888888379-*\*.exe
ole32.dll
/c "%%SystemRoot%%\explorer.exe %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"
/c "start %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"
%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe
%SystemRoot%\system32\SHELL32.dll
%s\c731200
%s\%s
%s\%s.lnk
Windows_Shared_Mutex_231_c000100
ntdll.dll
\ScreenSaverPro.scr
\temp.bin
user32.dll
advapi32.dll
shell32.dll
urlmon.dll
wininet.dll
gdi32.dll
rpcrt4.dll
netapi32.dll
*.exe
.gonewiththewings
*.gonewiththewings
WinExec
URLDownloadToFileA
http://www.google.com
\calc.exe
\Reader_sl.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
notepad.exe
\notepad.exe
\svchost.exe
WindowsId
Identities\%s
%s\%s\%s.exe
:Zone.Identifier
.quarantined
"%s" -shell
"%s" -bind
userinit.exe
explorer.exe
Windows critical error, require reboot
Windows Update
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
a.aiphon1egalaxyblack42.com
a.ajjjqws1fkxx42.com
a.adoyou1understandme42.com
a.amous1epadsafa42.com
a.acaraka1lagroup42.com
a.aire1bobohayawen42.com
a.ajhvdqw1ladies42.com
a.biphon2egalaxyblack42.com
a.bmous2epadsafa42.com
a.bcaraka2lagroup42.com
a.anabok1hasn1aser42.com
a.athemall1gonowhaha42.com
a.bdoyou2understandme42.com
a.bnabok2hasn1aser42.com
a.bjjjqws2fkxx42.com
a.bjhvdqw2ladies42.com
a.bthemall2gonowhaha42.com
a.bire2bobohayawen42.com
a.cdoyou3understandme42.com
a.cmous3epadsafa42.com
a.dmous4epadsafa42.com
a.ciphon3egalaxyblack42.com
a.cnabok3hasn1aser42.com
a.cire3bobohayawen42.com
a.cthemall3gonowhaha42.com
a.cjhvdqw3ladies42.com
a.cjjjqws3fkxx42.com
a.ccaraka3lagroup42.com
a.diphon4egalaxyblack42.com
a.ddoyou4understandme42.com
a.dnabok4hasn1aser42.com
a.dire4bobohayawen42.com
a.djjjqws4fkxx42.com
a.djhvdqw4ladies42.com
a.dthemall4gonowhaha42.com
a.edoyou5understandme42.com
a.dcaraka4lagroup42.com
a.emous5epadsafa42.com
a.ecaraka5lagroup42.com
a.eiphon5egalaxyblack42.com
a.enabok5hasn1aser42.com
a.eire5bobohayawen42.com
a.ejjjqws5fkxx42.com
a.ejhvdqw5ladies42.com
a.ethemall5gonowhaha42.com
a.roooggeyyy2.com
a.roooggeyyy3.com
a.roooggeyyy4.com
a.so1aa00.com
a.saao20000.com
GetProcessHeap
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyA
RegEnumKeyA
RegCreateKeyExA
RegOpenKeyExA
ADVAPI32.dll
ShellExecuteExW
SHELL32.dll
SetTcpEntry
SHLWAPI.dll
RPCRT4.dll
NETAPI32.dll
DNSAPI.dll
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Software\WindowsId Manager Reader
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
WindowsMark
m1xg.org
mxxtxxt.biz
meob.me
%System%\notepad.exe
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0A
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
%s_%d
-%sMutex
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
ftp://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
httpi
dnsapi.dll
http://%s/%s
http://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
http://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
URLDownloadToFileW
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
Secur32.dll
ShellExecuteA
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
WS2_32.dll
MSVCRT.dll
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
RegNotifyChangeKeyValue
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
http://api.wipmania.com/
\\.\pipe\x_ipc
7 767<7~7
8*808;8~8
{A5DCBF10-6530-11D2-901F-00C04FB951ED}
shlwapi.dll
crypt32.dll
wtsapi32.dll
samcli.dll
netutils.dll
userenv.dll
WindowsSecondaryDesktop
\charmap.exe
\Windows Media Player\wmprph.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\xziujxahjas.exe
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
Aadvapi32.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

calc.exe_348_rwx_000A0000_00002000:

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
w050c.exe
a7jme.exe
644cx.exe
6bejn.exe
igyrt.exe
vueil.exe
aljxn.exe
63kh8.exe
edcon.exe
idif4.exe
krrn1.exe
r6vos.exe
lxn7i.exe
4dm34.exe
lque1.exe
doc3d.exe
yn3z2.exe
3krro.exe
7anxa.exe
user32.dll
urlmon.dll
URLDownloadToFileA
wininet.dll
http://www.google.com

Explorer.EXE_880_rwx_01E50000_00027000:

.text
`.rdata
@.data
.rsrc
@.reloc
PSSSSSSh
PSSVSSh
RPVSSh
PSSh(
PSSh#
PSSh'
PSSh&
PSSh*
9p.uV

Explorer.EXE_880_rwx_01E78000_00070000:

Opera/9.00 (Windows NT 5.1; U; en)
Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mozilla/4.0 (compatible; MSIE 6.01; Windows NT 6.0)
Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2)
Opera 9.4 (Windows NT 6.1; U; en)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; NeosBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; Media Center PC 5.0; .NET CLR 1.1.4322; Windows-Media-Player/10.00.00.3990; InfoPath.2
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060410 Firefox/1.0.8
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50726)
SbieDll.dll
Software\Classes\CLSID\%s\X
Software\Classes\CLSID\%s\X\%s
0xX
SB:0xX
G:%s_0xX_%c:%s_v1$
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u
IEXPLORE.EXE
IE.HTTP
SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
IE.HTTPS
SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice
IE.AssocFile.HTM
HTTP\shell\open\command
Software\Microsoft\Windows\CurrentVersion\Ext\Settings\%s
Psapi.dll
%s\%s
Software\Adobe\Acrobat Reader\%s\Privileged
mscoree.dll
HARDWARE\DESCRIPTION\System\CentralProcessor\%u
SOFTWARE\Microsoft\Windows NT\CurrentVersion
nspr4.dll
nss3.dll
Urlmon.dll
URLDownloadToFileW
Netapi32.dll
76487-640-1457236-23837
76487-337-8429955-22614
76487-644-3177037-23510
76497-640-6308873-23835
55274-640-2673064-23950
76487-640-8834005-23195
76487-640-0716662-23535
76487-644-8648466-23106
00426-293-8170032-85146
76487-341-5883812-22420
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsBackup
{8E5E2654-AD2D-48BF-AC2D-D17F00898D06}
snxhk.dll
comctl32.dll
ZwSetValueKey
ZwDeleteValueKey
SOFTWARE\%s
update.microsoft.com
microsoft.com
windowsupdate.microsoft.com
JOIN
PRIVMSG
.rdata
cmd_option.%s
/c %s
cmd.exe
msvcrt.dll
--x-x-x-xx
Content-Type: multipart/form-data; boundary=x-x-x-xx
Content-Disposition: multipart/form-data; name="newfile"; filename="%d.jpeg"
%s?action=up&g=%s
xul.dll
Content-Type: application/x-www-form-urlencoded
HTTP/1.1
?pid=%d
?page=%d
?id=%u
%s=%u&%s=%s
%s=%s&%s=%u
&%s=%s
&%s%u=
&%s%hu=
&%s=_%u
%d|%s|%s|%s
.info
httpget
GET /%s HTTP/1.1
Host: %s
Content-Length: %d
Accept: %s
Accept-Language: %s
Accept-Charset: %s
Accept-Encoding: %s
User-Agent: %s
Referer: %s
Connection: %s
http://
iexplore.exe
firefox.exe
tbb-firefox.exe
%s:%hu
windowsupdate
SSH2_MSG_KEXINIT
SSH2_MSG_DISCONNECT
SSH2_MSG_USERAUTH_SUCCESS
http://%s%s/image.php?id=%s
TaskDialogIndirect
http://answers.microsoft.com/en-us/windows/forum/windows_vista-windows_programs/corrupted-documents-folder/e2a7660f-8eea-4f27-b2e6-e77a0f0c1535
ÐxX
ntdll.dll
kernel32.dll
secur32.dll
crypt32.dll
user32.dll
advapi32.dll
wininet.dll
shell32.dll
shlwapi.dll
ole32.dll
version.dll
sfc.dll
dnsapi.dll
ws2_32.dll
8"808]9|9
9%9 919<9
=(=/=6==={=
4 4?4^4}4
6o6g6r6w6
9 9$9(90949
.text
`.rdata
@.data
.rsrc
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
Invalid parameter passed to C runtime function.
GetProcessWindowStation
USER32.DLL
GetKeyNameTextW
SetWindowsHookA
CascadeWindows
ExitWindowsEx
GetAsyncKeyState
GetKeyState
USER32.dll
GDI32.dll
SHLWAPI.dll
GetProcessHeap
GetCPInfo
KERNEL32.dll
.vrNr9
QRa%f
.Uy3.
.sn?O
D%/%F
%si%sk
.LLg-Y
.Mb A
%S6l0
oLCmD
-32}'
Software\Classes\CLSID\%S
G:%S_0xX
chrome.exe
opera.exe
safari.exe
maxthon.exe
:Mozilla\Firefox\Profiles
cookies.sqlite
%s\winsxs\x86_microsoft.windows.common-controls_*6.0.*_*
%s\winsxs\%s\comctl32.dll
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\%s
%s:*:Enabled
avcuf32.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
prstrui.exe
Windows Defender
MpClient.dll
Windows Defender\MSASCui.exe
MpSvc.dll
msseces.exe
MsMpEng.exe
MSASCui.exe
MpAsDesc.dll
MsMpLics.dll
avgui.exe
avgidsagent.exe
avgwdsvc.exe
avgdiagex.exe
avgmfapx.exe
avgupd.exe
avgcfgex.exe
avgnt.exe
avguard.exe
avshadow.exe
avcenter.exe
update.dll
updaterc.dll
usrreq.exe
ccsvchst.exe
symerr.exe
NIS.exe
NAV.exe
navw32.exe
avastui.exe
AvastEmUpdate.exe
ashUpd.exe
WRSA.exe
zatray.exe
ForceField.exe
updating.dll
fshoster32.exe
fsaua.dll
PSUNMain.exe
PSUAService.exe
PSANHost.exe
PSUNScan.dll
epavjobs.exe
AVENGINE.exe
Upgrader.exe
adaware.exe
BullGuard.exe.manifest
BullGuardUpdate.exe
BullGuard.exe
BullGuardScanner.exe
BullGuardBhvScanner.exe
BullGuardUpdate2.exe
BgScan.exe
BgScanEngine.dll
.manifest
updater.exe
Backup\RSD\RSSetup\updater.exe
RsTray.exe
RavMonD.exe
RsMgrSvc.exe
rsmain.exe
RsScan.dll
RsTray.dll
mbamgui.exe
mbam.exe
pctsGui.exe
pctsAuxs.exe
pctsSvc.exe
Update.exe
UpdateHlpr.dll
Definitions\vcore.dll
sbamui.exe
SBAMTray.exe
updater_client_mod.dll
FProtTray.exe
FPWin.exe
scf.dat
ALUpdate.exe
update_tmp.exe
arcaclean.exe
BavUpdater.exe
rcfp.exe
CLPSLA.exe
op_mon.exe
niu.exe
K7TSUpdT.exe
sguardxup.exe
ccupdate.exe
caupdate.dll
a2guard.exe
a2start.exe
a2service.exe
AVKTray.exe
GDSC.exe
AVK.exe
GDFirewallTray.exe
Bka.exe
BLuPro.exe
BkavSystemServer.exe
BkavService.exe
LiveUpdate.dll
LiveConnect.dll
BaseFile\Bkav\LiveUpdate.dll
V3Lite.exe
ASDSvc.exe
autoup.exe
downloader.exe
%s.config
updatesrv.exe
updatemgr.dll
egui.exe
ekrn.exe
x86\ekrn.exe
uWinMgr.exe
coreServiceShell.exe
uiSeAgnt.exe
uiWatchDog.exe
plugins\plugUpdater.dll
UiFrmwrk\uiUpdateTray.exe
coreFrameworkHost.exe
mcagent.exe
McSvHost.exe
McUICnt.exe
McPvTray.exe
mcui_exe
mcpltui_exe
mcshell.exe
mcupdmgr.exe
mcupdate.exe
mcshield.exe
mcupdui.dll
McAPExe.exe
.config
Image File Execution Options\%s
SYSTEM\CurrentControlSet\services\%s
%c:\ntusbdriver.sys
%c:\*p.exe
%c:\%s
p.exe
%WinDir%\explorer.exe
/C start /d. %s&"%s"
%COMSPEC%
%WinDir%\system32\shell32.dll
%c:\%s.lnk
VisthAux.exe
explorer.exe
t.minecraft
Works! PID: %d, Name: %s
cmdvirth
%s%s\X
tcp://
svchost.exe
csrss.exe
lsass.exe
smss.exe
wscript.exe
cscript.exe
vbc.exe
rundll32.exe
regsvr32.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
winlogon.exe
services.exe
%s\x.lnk
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%s
desktop.ini
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
wintrust.dll
chrome.dll
Applications\iexplore.exe\shell\open\command
%s_xx
x.zip
Navw32.exe
SysInspector.exe
avscan.exe
mfefire.exe
wuauclt.exe
WerFault.exe
lFileZilla\sitemanager.xml
port
Sites.dat
Quick.dat
%s\3\%s
%s\4\%s
spoolsv.exe
steam.exe
skype.exe
origin.exe
dwm.exe
tapi3.dll
/C copy "%s" "%s"
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Windows Update Service
"%s" /%s
Software\Microsoft\Windows\CurrentVersion\RunOnce
/CREATE /SC ONLOGON /TN "Windows Update Check - 0xX" /TR "%s" /RL HIGHEST
schtasks.exe
/DELETE /TN "Windows Update Check - 0xX" /F
\Windows\Explorer.exe
Low_X
%s.manifest
PendingFileRenameOperations
%s\X
Windows\CurrentVersion\Run
CurrentVersion\Windows
Windows NT\CurrentVersion\Image File Execution Options\%s
Windows has encountered a corrupted folder on your hard drive
Multiple corrupted files have been found in the folder 'My Documents'. To prevent serious loss of data, please allow Windows to restore these files.
Corrupted folder: %s
Corrupted file count: %d
%s
/c start "" "%s" /%s "%s"
shell32,ShellExec_RunDLL "%s" /%s "%s"
You denied the proper privileges to the Windows file restoration utility. Please select YES on the following UAC prompt to allow Windows to restore the corrupted files.
Windows 3.1 Update Service
%s:Zone.Identifier
%s\X.pif
KERNEL32.DLL
KERNELBASE.DLL
kernelbase.dll
1.2.3.4532
YandexDiskStarter.exe
Yandex.Disk

xziujxahjas.exe_1100_rwx_00400000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0A
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
ftp://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
http://%s/%s
http://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
http://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
m1xg.org
mxxtxxt.biz
meob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
http://api.wipmania.com/
\\.\pipe\x_ipc
7 767<7~7
8*808;8~8
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
notepad.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1288

  2. Delete the original Worm file.
  3. Delete or disinfect the following files created/modified by the Worm:

    %Documents and Settings%\%current user%\My Documents\My Videos\Desktop.ini (312 bytes)

  4. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2024 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now