MD5: 174683c655c425d56b3e8ddfad4016cb
SHA1: 35631256aae47a66a786ff309ad5be94ebf91c07
SHA256: ade48939cddafdbd32ce27154a78b4191a643e42dea8b692b638da3cb5ec0e62
SSDeep: 6144:uBIiwEL6njVp4vC5k08aF6B7WZ5SeEsdb7FeaCNu ajQ0bZiWWheWUHMHvhcR:EIiwQAjVp5N8i54kFxRQpzqHuJE
Size: 332800 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: AirInstaller
Created at: 2014-01-15 11:06:55
Analyzed on: WindowsXP SP3 32-bit

Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

Redupdater.exe:812
D9IZAPWZPPYB151IYACOGMKG6BFQLQ8H..COM:120
%original file name%.exe:1380
attrib.exe:1188
attrib.exe:1180
notepad.exe:612

The Backdoor injects its code into the following process(es):

notepad.exe:1912
iexplore.exe:376

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process D9IZAPWZPPYB151IYACOGMKG6BFQLQ8H..COM:120 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Start Menu\Programs\Microsoft Network\Redupdater.exe (4545 bytes)
%System%\drivers\etc\hosts (771 bytes)

The process %original file name%.exe:1380 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\D9IZAPWZPPYB151IYACOGMKG6BFQLQ8H..COM (3749 bytes)
%Documents and Settings%\%current user%\Application Data\%original file name%.exe (2105 bytes)

The process notepad.exe:612 makes changes in the file system.
The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\D9IZAPWZPPYB151IYACOGMKG6BFQLQ8H..COM (0 bytes)

Registry activity

The process Redupdater.exe:812 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 9C 3E 32 A6 9B CE A3 0A 5B 6E C3 44 FA 1C 63"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\CurrentVersion\Explorern]
"NoControlPanel" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

User account control (UAC) is disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA" = "0"

A firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

The following service is disabled:

[HKLM\System\CurrentControlSet\Services\wscsvc]
"Start" = "4"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

Firewall notifications are enabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "0"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Connections" = "%Documents and Settings%\All Users\Start Menu\Programs\Microsoft Network\Redupdater.exe"

The process D9IZAPWZPPYB151IYACOGMKG6BFQLQ8H..COM:120 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 A2 21 8B 09 DA 65 56 60 AA 02 48 20 15 A9 C6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Start Menu\Programs\Microsoft Network]
"Redupdater.exe" = "Remote Service Application"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Backdoor adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\Start Menu\Programs\Microsoft Network\Redupdater.exe"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Connections" = "%Documents and Settings%\All Users\Start Menu\Programs\Microsoft Network\Redupdater.exe"

The process %original file name%.exe:1380 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "60 D3 AA 3C E0 1C D4 AA A1 E7 EE A7 0D E7 A8 C0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"D9IZAPWZPPYB151IYACOGMKG6BFQLQ8H..COM" = "Remote Service Application"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"rakabulle" = "%Documents and Settings%\%current user%\Application Data\%original file name%.exe"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process attrib.exe:1188 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC CC E4 93 F0 B0 3E D5 96 6D 68 37 C8 CB 84 23"

The process attrib.exe:1180 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 47 10 D4 FB CE CB 8D 4B 07 F5 1D B3 88 4C 17"

The process notepad.exe:612 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 78 F7 E0 90 A6 2E 95 47 46 B7 AD 59 B1 26 51"

The process notepad.exe:1912 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 AA 82 D6 A7 2C A9 D5 5A 6B E6 50 E5 9C 21 EC"

Dropped PE files

HOSTS file anomalies

The Backdoor modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 771 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Backdoor connects to the servers at the folowing location(s):

.text

`.data

.rsrc

KERNEL32.dll

NTDLL.DLL

msvcrt.dll

USER32.dll

SetConsoleInputExeNameW

APerformUnaryOperation: '%c'

APerformArithmeticOperation: '%c'

ADVAPI32.dll

SHELL32.dll

MPR.dll

RegEnumKeyW

RegDeleteKeyW

RegCloseKey

RegOpenKeyW

RegCreateKeyExW

RegOpenKeyExW

ShellExecuteExW

CmdBatNotification

GetWindowsDirectoryW

GetProcessHeap

GetCPInfo

GetConsoleOutputCP

_pipe

GetProcessWindowStation

cmd.pdb

CMD Internal Error %s

)(&&())))(&))

)&((&)&))&())

)&((&)&)&()))

)(&&()))&))))

CMD.EXE

()|&=,;"

COPYCMD

\XCOPY.EXE

CMDCMDLINE

WKERNEL32.DLL

Software\Policies\Microsoft\Windows\System

0123456789

cmd.exe

DIRCMD

%d.%d.d

Ungetting: '%s'

DisableCMD

GeToken: (%x) '%s'

%s\Shell\Open\Command

%x %c

*** Unknown type: %x

Args: `%s'

Cmd: %s Type: %x

%s (%s) %s

ttrib "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\D9IZAPWZPPYB151IYACOGMKG6BFQLQ8H..COM"  s  h

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\D9IZAPWZPPYB151IYACOGMKG6BFQLQ8H..COM"  s  h

WZPPYB151IYACOGMKG6BFQLQ8H..COM"  s  h

.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

%WinDir%;%WinDir%\System32\Wbem;c:\Program Files\Wireshark

CMDEXTVERSION

KEYS

%s %s

(%s) %s

%s %s%s

&()[]{}^=;!%' ,`~

d%sd%s

-%sd%sd%sd

d%sd%sd

%s=%s

X-X

.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS

<> -*/%()|^&=,

\CMD.EXE

Windows Command Processor

5.1.2600.5512 (xpsp.080413-2111)

Cmd.Exe

Windows

Operating System

5.1.2600.5512

Press any key to continue . . . %0

operable program or batch file.

The system cannot execute the specified program.

and press any key when ready. %0

Microsoft Windows XP [Version %1]%0

a pipe operation.

KEYS is on.

KEYS is off.

The process tried to write to a nonexistent pipe.

The switch /Y may be preset in the COPYCMD environment variable.

to prompt on overwrites unless COPY command is being executed from

Switches may be preset in the DIRCMD environment variable. Override

Quits the CMD.EXE program (command interpreter) or the current batch

CMD.EXE. If executed from outside a batch script, it

will quit CMD.EXE

ERRORLEVEL that number. If quitting CMD.EXE, sets the process

Displays or sets a search path for executable files.

Type PATH ; to clear all search-path settings and direct cmd.exe to search

Changes the cmd.exe command prompt.

$B | (pipe)

$V Windows XP version number

Displays, sets, or removes cmd.exe environment variables.

Displays the Windows XP version.

Tells cmd.exe whether to verify that your files are written correctly to a

Records comments (remarks) in a batch file or CONFIG.SYS.

Press any key to continue . . . %0

Directs cmd.exe to a labeled line in a batch program.

NOT Specifies that Windows XP should carry out

will execute the command after the ELSE keyword if the

I The new environment will be the original environment passed

to the cmd.exe and not the current environment.

SEPARATE Start 16-bit Windows program in separate memory space

SHARED Start 16-bit Windows program in shared memory space

If it is an internal cmd command or a batch file then

the command processor is run with the /K switch to cmd.exe.

If it is not an internal cmd command or batch file then

parameters These are the parameters passed to the command/program

under Windows XP.

Starts a new instance of the Windows XP command interpreter

CMD [/A | /U] [/Q] [/D] [/E:ON | /E:OFF] [/F:ON | /F:OFF] [/V:ON | /V:OFF]

/D Disable execution of AutoRun commands from registry (see below)

/A Causes the output of internal commands to a pipe or file to be ANSI

/U Causes the output of internal commands to a pipe or file to be

variable var at execution time. The %var% syntax expands variables

of an executable file.

If /D was NOT specified on the command line, then when CMD.EXE starts, it

either or both are present, they are executed first.

HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun

HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun

can enable or disable extensions for all invocations of CMD.EXE on a

following REG_DWORD values in the registry using REGEDT32.EXE:

HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions

HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions

particular invocation of CMD.EXE with the /V:ON or /V:OFF switch. You

can enable or disable completion for all invocations of CMD.EXE on a

HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion

HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion

at execution time.

CMD.EXE with the /F:ON or /F:OFF switch. You can enable or disable

completion for all invocations of CMD.EXE on a machine and/or user logon

the registry using REGEDT32.EXE:

HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar

HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar

HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar

HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar

Shift key with the control character will move through the list

&()[]{}^=;!%' ,`~

Command Processor Extensions enabled by default. Use CMD /? for details.

ASSOC [.ext[=[fileType]]]

.ext Specifies the file extension to associate the file type with

ASSOC .pl=PerlScript

FTYPE PerlScript=perl.exe %%1 %%*

script.pl 1 2 3

set PATHEXT=.pl;%%PATHEXT%%

The restartable option to the COPY command is not supported by

this version of the operating system.

The following usage of the path operator in batch-parameter

The unicode output option to CMD.EXE is not supported by this

version of the operating system.

If Command Extensions are enabled the DATE command supports

If Command Extensions are enabled the TIME command supports

If Command Extensions are enabled the PROMPT command supports

is pretty simple and supports the following operations, in decreasing

! ~ - - unary operators

* / %% - arithmetic operators

  - - arithmetic operators

&= ^= |= <<= >>=

If you use any of the logical or modulus operators, you will need to

values. If SET /A is executed from the command line outside of a

assignment operator requires an environment variable name to the left of

the assignment operator. Numeric values are decimal numbers, unless

occurrence of the remaining portion of str1.

Finally, support for delayed environment variable expansion has been

added. This support is always disabled by default, but may be

enabled/disabled via the /V command line switch to CMD.EXE. See CMD /?

of text is read, not when it is executed. The following example

So the actual FOR loop we are executing is:

%Í%% - expands to the current directory string.

%ÚTE%% - expands to current date using same format as DATE command.

%%CMDEXTVERSION%% - expands to the current Command Processor Extensions

%%CMDCMDLINE%% - expands to the original command line that invoked the

If Command Extensions are enabled the SHIFT command supports

control is passed to the statement after the label specified. You must

%%4 %%5 ...)

CMD /? for details.

This works because on old versions of CMD.EXE, SETLOCAL does NOT

command execution.

non-executable files may be invoked through their file association just

by typing the name of the file as a command. (e.g. WORD.DOC would

launch the application associated with the .DOC file extension).

When executing an application that is a 32-bit GUI application, CMD.EXE

the command prompt. This new behavior does NOT occur if executing

When executing a command line whose first token is the string "CMD "

without an extension or path qualifier, then "CMD" is replaced with

the value of the COMSPEC variable. This prevents picking up CMD.EXE

When executing a command line whose first token does NOT contain an

extension, then CMD.EXE uses the value of the PATHEXT

.COM;.EXE;.BAT;.CMD

When searching for an executable, if there is no match on any extension,

If Command Extensions are enabled, and running on the Windows XP

forms of the FOR command are supported:

Walks the directory tree rooted at [drive:]path, executing the FOR

passes the first blank separated token from each line of each file.

is a quoted string which contains one or more keywords to specify

different parsing options. The keywords are:

be passed to the for body for each iteration.

where a back quoted string is executed as a

FOR /F "eol=; tokens=2,3* delims=, " %%i in (myfile.txt) do @echo %%i %%j %%k

would parse each line in myfile.txt, ignoring lines that begin with

a semicolon, passing the 2nd and 3rd token from each line to the for

line, which is passed to a child CMD.EXE and the output is captured

IF CMDEXTVERSION number command

The CMDEXTVERSION conditional works just like ERRORLEVEL, except it is

CMDEXTVERSION conditional is never true when Command Extensions are

%%CMDCMDLINE%% will expand into the original command line passed to

CMD.EXE prior to any processing by CMD.EXE, provided that there is not

already an environment variable with the name CMDCMDLINE, in which case

%%CMDEXTVERSION%% will expand into a string representation of the

current value of CMDEXTVERSION, provided that there is not already

an environment variable with the name CMDEXTVERSION, in which case you

under Windows XP, as command line editing is always enabled.

CMD.EXE was started with the above path as the current directory.

UNC paths are not supported. Defaulting to Windows directory.

CMD does not support UNC paths as current directories.

UNC paths not supported for current directory. Using

to create temporary drive letter to support UNC current

Missing operand.

Missing operator.

The COMSPEC environment variable does not point to CMD.EXE.

The FAT File System only support Last Write Times

of a batch script is reached, an implied ENDLOCAL is executed for any

application execution.

The switch /Y may be present in the COPYCMD environment variable.

to prompt on overwrites unless MOVE command is being executed from

when CMD.EXE started. This value either comes from the current console

The COLOR command sets ERRORLEVEL to 1 if an attempt is made to execute

cmd.exe_460:

.text

`.data

.rsrc

KERNEL32.dll

NTDLL.DLL

msvcrt.dll

USER32.dll

SetConsoleInputExeNameW

APerformUnaryOperation: '%c'

APerformArithmeticOperation: '%c'

ADVAPI32.dll

SHELL32.dll

MPR.dll

RegEnumKeyW

RegDeleteKeyW

RegCloseKey

RegOpenKeyW

RegCreateKeyExW

RegOpenKeyExW

ShellExecuteExW

CmdBatNotification

GetWindowsDirectoryW

GetProcessHeap

GetCPInfo

GetConsoleOutputCP

_pipe

GetProcessWindowStation

cmd.pdb

CMD Internal Error %s

)(&&())))(&))

)&((&)&))&())

)&((&)&)&()))

)(&&()))&))))

CMD.EXE

()|&=,;"

COPYCMD

\XCOPY.EXE

CMDCMDLINE

WKERNEL32.DLL

Software\Policies\Microsoft\Windows\System

0123456789

cmd.exe

DIRCMD

%d.%d.d

Ungetting: '%s'

DisableCMD

GeToken: (%x) '%s'

%s\Shell\Open\Command

%x %c

*** Unknown type: %x

Args: `%s'

Cmd: %s Type: %x

%s (%s) %s

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp"  s  h

.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

%WinDir%;%WinDir%\System32\Wbem;c:\Program Files\Wireshark

CMDEXTVERSION

KEYS

%s %s

(%s) %s

%s %s%s

&()[]{}^=;!%' ,`~

d%sd%s

-%sd%sd%sd

d%sd%sd

%s=%s

X-X

.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS

<> -*/%()|^&=,

\CMD.EXE

Windows Command Processor

5.1.2600.5512 (xpsp.080413-2111)

Cmd.Exe

Windows

Operating System

5.1.2600.5512

Press any key to continue . . . %0

operable program or batch file.

The system cannot execute the specified program.

and press any key when ready. %0

Microsoft Windows XP [Version %1]%0

a pipe operation.

KEYS is on.

KEYS is off.

The process tried to write to a nonexistent pipe.

The switch /Y may be preset in the COPYCMD environment variable.

to prompt on overwrites unless COPY command is being executed from

Switches may be preset in the DIRCMD environment variable. Override

Quits the CMD.EXE program (command interpreter) or the current batch

CMD.EXE. If executed from outside a batch script, it

will quit CMD.EXE

ERRORLEVEL that number. If quitting CMD.EXE, sets the process

Displays or sets a search path for executable files.

Type PATH ; to clear all search-path settings and direct cmd.exe to search

Changes the cmd.exe command prompt.

$B | (pipe)

$V Windows XP version number

Displays, sets, or removes cmd.exe environment variables.

Displays the Windows XP version.

Tells cmd.exe whether to verify that your files are written correctly to a

Records comments (remarks) in a batch file or CONFIG.SYS.

Press any key to continue . . . %0

Directs cmd.exe to a labeled line in a batch program.

NOT Specifies that Windows XP should carry out

will execute the command after the ELSE keyword if the

I The new environment will be the original environment passed

to the cmd.exe and not the current environment.

SEPARATE Start 16-bit Windows program in separate memory space

SHARED Start 16-bit Windows program in shared memory space

If it is an internal cmd command or a batch file then

the command processor is run with the /K switch to cmd.exe.

If it is not an internal cmd command or batch file then

parameters These are the parameters passed to the command/program

under Windows XP.

Starts a new instance of the Windows XP command interpreter

CMD [/A | /U] [/Q] [/D] [/E:ON | /E:OFF] [/F:ON | /F:OFF] [/V:ON | /V:OFF]

/D Disable execution of AutoRun commands from registry (see below)

/A Causes the output of internal commands to a pipe or file to be ANSI

/U Causes the output of internal commands to a pipe or file to be

variable var at execution time. The %var% syntax expands variables

of an executable file.

If /D was NOT specified on the command line, then when CMD.EXE starts, it

either or both are present, they are executed first.

HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun

HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun

can enable or disable extensions for all invocations of CMD.EXE on a

following REG_DWORD values in the registry using REGEDT32.EXE:

HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions

HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions

particular invocation of CMD.EXE with the /V:ON or /V:OFF switch. You

can enable or disable completion for all invocations of CMD.EXE on a

HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion

HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion

at execution time.

CMD.EXE with the /F:ON or /F:OFF switch. You can enable or disable

completion for all invocations of CMD.EXE on a machine and/or user logon

the registry using REGEDT32.EXE:

HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar

HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar

HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar

HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar

Shift key with the control character will move through the list

&()[]{}^=;!%' ,`~

Command Processor Extensions enabled by default. Use CMD /? for details.

ASSOC [.ext[=[fileType]]]

.ext Specifies the file extension to associate the file type with

ASSOC .pl=PerlScript

FTYPE PerlScript=perl.exe %%1 %%*

script.pl 1 2 3

set PATHEXT=.pl;%%PATHEXT%%

The restartable option to the COPY command is not supported by

this version of the operating system.

The following usage of the path operator in batch-parameter

The unicode output option to CMD.EXE is not supported by this

version of the operating system.

If Command Extensions are enabled the DATE command supports

If Command Extensions are enabled the TIME command supports

If Command Extensions are enabled the PROMPT command supports

is pretty simple and supports the following operations, in decreasing

! ~ - - unary operators

* / %% - arithmetic operators

  - - arithmetic operators

&= ^= |= <<= >>=

If you use any of the logical or modulus operators, you will need to

values. If SET /A is executed from the command line outside of a

assignment operator requires an environment variable name to the left of

the assignment operator. Numeric values are decimal numbers, unless

occurrence of the remaining portion of str1.

Finally, support for delayed environment variable expansion has been

added. This support is always disabled by default, but may be

enabled/disabled via the /V command line switch to CMD.EXE. See CMD /?

of text is read, not when it is executed. The following example

So the actual FOR loop we are executing is:

%Í%% - expands to the current directory string.

%ÚTE%% - expands to current date using same format as DATE command.

%%CMDEXTVERSION%% - expands to the current Command Processor Extensions

%%CMDCMDLINE%% - expands to the original command line that invoked the

If Command Extensions are enabled the SHIFT command supports

control is passed to the statement after the label specified. You must

%%4 %%5 ...)

CMD /? for details.

This works because on old versions of CMD.EXE, SETLOCAL does NOT

command execution.

non-executable files may be invoked through their file association just

by typing the name of the file as a command. (e.g. WORD.DOC would

launch the application associated with the .DOC file extension).

When executing an application that is a 32-bit GUI application, CMD.EXE

the command prompt. This new behavior does NOT occur if executing

When executing a command line whose first token is the string "CMD "

without an extension or path qualifier, then "CMD" is replaced with

the value of the COMSPEC variable. This prevents picking up CMD.EXE

When executing a command line whose first token does NOT contain an

extension, then CMD.EXE uses the value of the PATHEXT

.COM;.EXE;.BAT;.CMD

When searching for an executable, if there is no match on any extension,

If Command Extensions are enabled, and running on the Windows XP

forms of the FOR command are supported:

Walks the directory tree rooted at [drive:]path, executing the FOR

passes the first blank separated token from each line of each file.

is a quoted string which contains one or more keywords to specify

different parsing options. The keywords are:

be passed to the for body for each iteration.

where a back quoted string is executed as a

FOR /F "eol=; tokens=2,3* delims=, " %%i in (myfile.txt) do @echo %%i %%j %%k

would parse each line in myfile.txt, ignoring lines that begin with

a semicolon, passing the 2nd and 3rd token from each line to the for

line, which is passed to a child CMD.EXE and the output is captured

IF CMDEXTVERSION number command

The CMDEXTVERSION conditional works just like ERRORLEVEL, except it is

CMDEXTVERSION conditional is never true when Command Extensions are

%%CMDCMDLINE%% will expand into the original command line passed to

CMD.EXE prior to any processing by CMD.EXE, provided that there is not

already an environment variable with the name CMDCMDLINE, in which case

%%CMDEXTVERSION%% will expand into a string representation of the

current value of CMDEXTVERSION, provided that there is not already

an environment variable with the name CMDEXTVERSION, in which case you

under Windows XP, as command line editing is always enabled.

CMD.EXE was started with the above path as the current directory.

UNC paths are not supported. Defaulting to Windows directory.

CMD does not support UNC paths as current directories.

UNC paths not supported for current directory. Using

to create temporary drive letter to support UNC current

Missing operand.

Missing operator.

The COMSPEC environment variable does not point to CMD.EXE.

The FAT File System only support Last Write Times

of a batch script is reached, an implied ENDLOCAL is executed for any

application execution.

The switch /Y may be present in the COPYCMD environment variable.

to prompt on overwrites unless MOVE command is being executed from

when CMD.EXE started. This value either comes from the current console

The COLOR command sets ERRORLEVEL to 1 if an attempt is made to execute

iexplore.exe_376:

.text

`.itext

`.data

.idata

.rdata

@.reloc

B.rsrc

kernel32.dll

Windows

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

EVariantBadIndexError

ssShift

htKeyword

EInvalidOperation

%s_%d

EInvalidGraphicOperation

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes

%s, ClassID: %s

%s, ProgID: "%s"

ole32.dll

USER32.DLL

uxtheme.dll

DWMAPI.DLL

clWebSnow

clWebFloralWhite

clWebLavenderBlush

clWebOldLace

clWebIvory

clWebCornSilk

clWebBeige

clWebAntiqueWhite

clWebWheat

clWebAliceBlue

clWebGhostWhite

clWebLavender

clWebSeashell

clWebLightYellow

clWebPapayaWhip

clWebNavajoWhite

clWebMoccasin

clWebBurlywood

clWebAzure

clWebMintcream

clWebHoneydew

clWebLinen

clWebLemonChiffon

clWebBlanchedAlmond

clWebBisque

clWebPeachPuff

clWebTan

clWebYellow

clWebDarkOrange

clWebRed

clWebDarkRed

clWebMaroon

clWebIndianRed

clWebSalmon

clWebCoral

clWebGold

clWebTomato

clWebCrimson

clWebBrown

clWebChocolate

clWebSandyBrown

clWebLightSalmon

clWebLightCoral

clWebOrange

clWebOrangeRed

clWebFirebrick

clWebSaddleBrown

clWebSienna

clWebPeru

clWebDarkSalmon

clWebRosyBrown

clWebPaleGoldenrod

clWebLightGoldenrodYellow

clWebOlive

clWebForestGreen

clWebGreenYellow

clWebChartreuse

clWebLightGreen

clWebAquamarine

clWebSeaGreen

clWebGoldenRod

clWebKhaki

clWebOliveDrab

clWebGreen

clWebYellowGreen

clWebLawnGreen

clWebPaleGreen

clWebMediumAquamarine

clWebMediumSeaGreen

clWebDarkGoldenRod

clWebDarkKhaki

clWebDarkOliveGreen

clWebDarkgreen

clWebLimeGreen

clWebLime

clWebSpringGreen

clWebMediumSpringGreen

clWebDarkSeaGreen

clWebLightSeaGreen

clWebPaleTurquoise

clWebLightCyan

clWebLightBlue

clWebLightSkyBlue

clWebCornFlowerBlue

clWebDarkBlue

clWebIndigo

clWebMediumTurquoise

clWebTurquoise

clWebCyan

clWebPowderBlue

clWebSkyBlue

clWebRoyalBlue

clWebMediumBlue

clWebMidnightBlue

clWebDarkTurquoise

clWebCadetBlue

clWebDarkCyan

clWebTeal

clWebDeepskyBlue

clWebDodgerBlue

clWebBlue

clWebNavy

clWebDarkViolet

clWebDarkOrchid

clWebMagenta

clWebDarkMagenta

clWebMediumVioletRed

clWebPaleVioletRed

clWebBlueViolet

clWebMediumOrchid

clWebMediumPurple

clWebPurple

clWebDeepPink

clWebLightPink

clWebViolet

clWebOrchid

clWebPlum

clWebThistle

clWebHotPink

clWebPink

clWebLightSteelBlue

clWebMediumSlateBlue

clWebLightSlateGray

clWebWhite

clWebLightgrey

clWebGray

clWebSteelBlue

clWebSlateBlue

clWebSlateGray

clWebWhiteSmoke

clWebSilver

clWebDimGray

clWebMistyRose

clWebDarkSlateBlue

clWebDarkSlategray

clWebGainsboro

clWebDarkGray

clWebBlack

comctl32.dll

AutoHotkeys

AutoHotkeysH-C

\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\

ssHotTrack

TWindowState

poProportional

TWMKey

KeyPreviewd

WindowState,/C

OnKeyDown

OnKeyPress

OnKeyUp

GlassFrame.Bottom

GlassFrame.Enabled

GlassFrame.Left

GlassFrame.Right

GlassFrame.SheetOfGlass

GlassFrame.Top

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

User32.dll

TKeyEvent

TKeyPressEvent

HelpKeyword(nA

crSQLWait

%s (%s)

imm32.dll

TSocketPort

%d.%d.%d.%d

0.0.0.0

PSAPI.dll

TSampleGrabberCBInt8%F

TDCWebCam

127.0.0.1

BuildImportTable: can't load library:

BuildImportTable: ReallocMemory failed

BuildImportTable: GetProcAddress failed

BTMemoryLoadLibary: BuildImportTable failed

BTMemoryGetProcAddress: no export table found

BTMemoryGetProcAddress: DLL doesn't export anything

BTMemoryGetProcAddress: exported symbol not found

1.2.3

dwmapi.dll

127.0.0.1:1604

#KCMDDC51#-

5.2.0

cmd.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

hkey

\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

*.torrent

\Internet Explorer\iexplore.exe

explorer.exe

wlanapi.dll

80211_SHARED_KEY

user32.dll

notepad.exe

KEYNAME

%ShortCut#

RELATEDCMD

ping 127.0.0.1 -n 4 > NUL && "

DRKey

CRKey

DelMSKey

InstallHKEY

ActiveOnlineKeylogger

UnActiveOnlineKeylogger

KeylogOn

ActiveOfflineKeylogger

UnActiveOfflineKeylogger

ActiveOnlineKeyStrokes

UnActiveOnlineKeyStrokes

OpenWebPage

DLURLDownloadFile

tmpprint.txt

URLUpdate

c:\test.exe

MSGBOX

#BOT#VisitUrl

#BOT#OpenUrl

HTTP://

http://

BTRESULTOpen URL|

Command successfully executed!|

#BOT#URLUpdate

BTERRORUpdate from URL| Error on downloading file check if you type the correct url...|

BTRESULTUpdate from URL|Update : File Downloaded , Executing new one in temp dir...|

#BOT#URLDownload

BTERRORDownload File| Error on downloading file check if you type the correct url...|

BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|

GetActivePorts

out.txt

tmp.txt

DDOSHTTPFLOOD

DDOSUDPFLOOD

%IPPORTSCAN

SAPI.SpVoice

WEBCAMLIVE

WEBCAMSTOP

PASSWORD

UPLOADEXEC

UPANDEXEC

FTPPORT

FTPPASS

FTPUSER

FTPHOST

FTPROOT

FTPUPLOADK

FTPSIZE

BTRESULTUDP Flood|UDP Flood task finished!|

PortScanAdd

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

BTRESULTVisit URL|finished to visit

BTERRORVisit URL|An exception occured in the thread|

GET / HTTP/1.1\r\n\r\n

BTRESULTHTTP Flood|Http Flood task finished!|

ERR|Cannot listen to port, try another one..|

TCaptureWebcam

taskmgr.exe

\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

DC3_FEXEC

Windows NT 4.0

Windows 2000

Windows XP

Windows Server 2003

Windows Vista

Windows 7

Windows 95

Windows 98

Windows Me

S-%u-

FAKEMSG

MSGICON

MSGTITLE

MSGCORE

deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly

inflate 1.2.3 Copyright 1995-2005 Mark Adler

%Documents and Settings%\%current user%\Application Data\dclogs\2014-06-19-5.dc

advapi32.dll

RegOpenKeyExA

RegCloseKey

GetKeyboardType

keybd_event

VkKeyScanA

UnhookWindowsHookEx

SetWindowsHookExA

MsgWaitForMultipleObjectsEx

MsgWaitForMultipleObjects

MapVirtualKeyA

LoadKeyboardLayoutA

GetKeyboardState

GetKeyboardLayoutNameA

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyState

GetKeyNameTextA

ExitWindowsEx

EnumWindows

EnumThreadWindows

EnumChildWindows

ActivateKeyboardLayout

gdi32.dll

SetViewportOrgEx

version.dll

WinExec

PeekNamedPipe

GetWindowsDirectoryA

GetProcessHeap

GetCPInfo

CreatePipe

RegQueryInfoKeyA

RegOpenKeyA

RegFlushKey

RegEnumKeyExA

RegDeleteKeyA

RegCreateKeyExA

RegCreateKeyA

wsock32.dll

shell32.dll

ShellExecuteExA

ShellExecuteA

SHFileOperationA

URLMON.DLL

URLDownloadToFileA

wininet.dll

InternetOpenUrlA

FtpPutFileA

winmm.dll

netapi32.dll

gdiplus.dll

GdiplusShutdown

msacm32.dll

ntdll.dll

WS2_32.DLL

SHFolder.dll

SHELL32.DLL

AVICAP32.DLL

1!1,1=1|1

6 6$6(6,6064686

=!=%=)=-=1=5=9=

2 2$2(2,20242

9 9$9(9,90989

4!4L4G4K4o4w4

1=2"3<3;4

6 6$6(6,60646

<#<'< 
9%9s9
3 373<3]3
3#3-3A3Q3m3}3
= =$=(=,=0=4=8=<=
UntKeylogger
KWindows
UrlMon
UntActivePorts
UntControlKey
UntCaptureWebcam
UntWebCam
_UntUDPFlood
YUntScanPorts
0UntPasswordAndData
XUntHTTPFlood
UntCPU
UntFTP
66006666
No help found for %s#No context-sensitive help installed
No help found for context$No topic-based help system installedNUnable to retrieve a pointer to a running object registered with OLE for %s/%s
Invalid clipboard format Clipboard does not support Icons
Cannot open clipboard/Menu '%s' is already being used by another form
- Dock zone has no controlLError loading dock zone from the stream. Expecting version %d, but found %d.
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Not enough timers available@GroupIndex cannot be less than a previous menu item's GroupIndex5Cannot create form. No MDI forms are currently active$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
Unsupported clipboard format
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to create key %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
No argument for format '%s'"Variant method calls not supported
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
!'%s' is not a valid integer value('%s' is not a valid floating point value!'%s' is not a valid date and time
'%s' is not a valid GUID value
I/O error %d
1, 0, 0, 1
MSRSAAP.EXE
4, 0, 0, 0

iexplore.exe_376_rwx_00400000_000B5000:


.text
`.itext
`.data
.idata
.rdata
@.reloc
B.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
%s_%d
EInvalidGraphicOperation
SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
%s, ClassID: %s
%s, ProgID: "%s"
ole32.dll
USER32.DLL
uxtheme.dll
DWMAPI.DLL
clWebSnow
clWebFloralWhite
clWebLavenderBlush
clWebOldLace
clWebIvory
clWebCornSilk
clWebBeige
clWebAntiqueWhite
clWebWheat
clWebAliceBlue
clWebGhostWhite
clWebLavender
clWebSeashell
clWebLightYellow
clWebPapayaWhip
clWebNavajoWhite
clWebMoccasin
clWebBurlywood
clWebAzure
clWebMintcream
clWebHoneydew
clWebLinen
clWebLemonChiffon
clWebBlanchedAlmond
clWebBisque
clWebPeachPuff
clWebTan
clWebYellow
clWebDarkOrange
clWebRed
clWebDarkRed
clWebMaroon
clWebIndianRed
clWebSalmon
clWebCoral
clWebGold
clWebTomato
clWebCrimson
clWebBrown
clWebChocolate
clWebSandyBrown
clWebLightSalmon
clWebLightCoral
clWebOrange
clWebOrangeRed
clWebFirebrick
clWebSaddleBrown
clWebSienna
clWebPeru
clWebDarkSalmon
clWebRosyBrown
clWebPaleGoldenrod
clWebLightGoldenrodYellow
clWebOlive
clWebForestGreen
clWebGreenYellow
clWebChartreuse
clWebLightGreen
clWebAquamarine
clWebSeaGreen
clWebGoldenRod
clWebKhaki
clWebOliveDrab
clWebGreen
clWebYellowGreen
clWebLawnGreen
clWebPaleGreen
clWebMediumAquamarine
clWebMediumSeaGreen
clWebDarkGoldenRod
clWebDarkKhaki
clWebDarkOliveGreen
clWebDarkgreen
clWebLimeGreen
clWebLime
clWebSpringGreen
clWebMediumSpringGreen
clWebDarkSeaGreen
clWebLightSeaGreen
clWebPaleTurquoise
clWebLightCyan
clWebLightBlue
clWebLightSkyBlue
clWebCornFlowerBlue
clWebDarkBlue
clWebIndigo
clWebMediumTurquoise
clWebTurquoise
clWebCyan
clWebPowderBlue
clWebSkyBlue
clWebRoyalBlue
clWebMediumBlue
clWebMidnightBlue
clWebDarkTurquoise
clWebCadetBlue
clWebDarkCyan
clWebTeal
clWebDeepskyBlue
clWebDodgerBlue
clWebBlue
clWebNavy
clWebDarkViolet
clWebDarkOrchid
clWebMagenta
clWebDarkMagenta
clWebMediumVioletRed
clWebPaleVioletRed
clWebBlueViolet
clWebMediumOrchid
clWebMediumPurple
clWebPurple
clWebDeepPink
clWebLightPink
clWebViolet
clWebOrchid
clWebPlum
clWebThistle
clWebHotPink
clWebPink
clWebLightSteelBlue
clWebMediumSlateBlue
clWebLightSlateGray
clWebWhite
clWebLightgrey
clWebGray
clWebSteelBlue
clWebSlateBlue
clWebSlateGray
clWebWhiteSmoke
clWebSilver
clWebDimGray
clWebMistyRose
clWebDarkSlateBlue
clWebDarkSlategray
clWebGainsboro
clWebDarkGray
clWebBlack
comctl32.dll
AutoHotkeys
AutoHotkeysH-C
\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreviewd
WindowState,/C
OnKeyDown
OnKeyPress
OnKeyUp
GlassFrame.Bottom
GlassFrame.Enabled
GlassFrame.Left
GlassFrame.Right
GlassFrame.SheetOfGlass
GlassFrame.Top
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
User32.dll
TKeyEvent
TKeyPressEvent
HelpKeyword(nA
crSQLWait
%s (%s)
imm32.dll
TSocketPort
%d.%d.%d.%d
0.0.0.0
PSAPI.dll
TSampleGrabberCBInt8%F
TDCWebCam
127.0.0.1
BuildImportTable: can't load library:
BuildImportTable: ReallocMemory failed
BuildImportTable: GetProcAddress failed
BTMemoryLoadLibary: BuildImportTable failed
BTMemoryGetProcAddress: no export table found
BTMemoryGetProcAddress: DLL doesn't export anything
BTMemoryGetProcAddress: exported symbol not found
1.2.3
dwmapi.dll
127.0.0.1:1604
#KCMDDC51#-
5.2.0
cmd.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
hkey
\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
*.torrent
\Internet Explorer\iexplore.exe
explorer.exe
wlanapi.dll
80211_SHARED_KEY
user32.dll
notepad.exe
KEYNAME
%ShortCut#
RELATEDCMD
ping 127.0.0.1 -n 4 > NUL && "
DRKey
CRKey
DelMSKey
InstallHKEY
ActiveOnlineKeylogger
UnActiveOnlineKeylogger
KeylogOn
ActiveOfflineKeylogger
UnActiveOfflineKeylogger
ActiveOnlineKeyStrokes
UnActiveOnlineKeyStrokes
OpenWebPage
DLURLDownloadFile
tmpprint.txt
URLUpdate
c:\test.exe
MSGBOX
#BOT#VisitUrl
#BOT#OpenUrl
HTTP://
http://
BTRESULTOpen URL|
Command successfully executed!|
#BOT#URLUpdate
BTERRORUpdate from URL| Error on downloading file check if you type the correct url...|
BTRESULTUpdate from URL|Update : File Downloaded , Executing new one in temp dir...|
#BOT#URLDownload
BTERRORDownload File| Error on downloading file check if you type the correct url...|
BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|
GetActivePorts
out.txt
tmp.txt
DDOSHTTPFLOOD
DDOSUDPFLOOD
%IPPORTSCAN
SAPI.SpVoice
WEBCAMLIVE
WEBCAMSTOP
PASSWORD
UPLOADEXEC
UPANDEXEC
FTPPORT
FTPPASS
FTPUSER
FTPHOST
FTPROOT
FTPUPLOADK
FTPSIZE
BTRESULTUDP Flood|UDP Flood task finished!|
PortScanAdd
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
BTRESULTVisit URL|finished to visit
BTERRORVisit URL|An exception occured in the thread|
GET / HTTP/1.1\r\n\r\n
BTRESULTHTTP Flood|Http Flood task finished!|
ERR|Cannot listen to port, try another one..|
TCaptureWebcam
taskmgr.exe
\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
DC3_FEXEC
Windows NT 4.0
Windows 2000
Windows XP
Windows Server 2003
Windows Vista
Windows 7
Windows 95
Windows 98
Windows Me
S-%u-
FAKEMSG
MSGICON
MSGTITLE
MSGCORE
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
%Documents and Settings%\%current user%\Application Data\dclogs\2014-06-19-5.dc
advapi32.dll
RegOpenKeyExA
RegCloseKey
GetKeyboardType
keybd_event
VkKeyScanA
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjectsEx
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutNameA
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
ExitWindowsEx
EnumWindows
EnumThreadWindows
EnumChildWindows
ActivateKeyboardLayout
gdi32.dll
SetViewportOrgEx
version.dll
WinExec
PeekNamedPipe
GetWindowsDirectoryA
GetProcessHeap
GetCPInfo
CreatePipe
RegQueryInfoKeyA
RegOpenKeyA
RegFlushKey
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
RegCreateKeyA
wsock32.dll
shell32.dll
ShellExecuteExA
ShellExecuteA
SHFileOperationA
URLMON.DLL
URLDownloadToFileA
wininet.dll
InternetOpenUrlA
FtpPutFileA
winmm.dll
netapi32.dll
gdiplus.dll
GdiplusShutdown
msacm32.dll
ntdll.dll
WS2_32.DLL
SHFolder.dll
SHELL32.DLL
AVICAP32.DLL
1!1,1=1|1
6 6$6(6,6064686
=!=%=)=-=1=5=9=
2 2$2(2,20242
9 9$9(9,90989
4!4L4G4K4o4w4
1=2"3<3;4
6 6$6(6,60646
<#<'< 
9%9s9
3 373<3]3
3#3-3A3Q3m3}3
= =$=(=,=0=4=8=<=
UntKeylogger
KWindows
UrlMon
UntActivePorts
UntControlKey
UntCaptureWebcam
UntWebCam
_UntUDPFlood
YUntScanPorts
0UntPasswordAndData
XUntHTTPFlood
UntCPU
UntFTP
66006666
No help found for %s#No context-sensitive help installed
No help found for context$No topic-based help system installedNUnable to retrieve a pointer to a running object registered with OLE for %s/%s
Invalid clipboard format Clipboard does not support Icons
Cannot open clipboard/Menu '%s' is already being used by another form
- Dock zone has no controlLError loading dock zone from the stream. Expecting version %d, but found %d.
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Not enough timers available@GroupIndex cannot be less than a previous menu item's GroupIndex5Cannot create form. No MDI forms are currently active$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
Unsupported clipboard format
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to create key %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
No argument for format '%s'"Variant method calls not supported
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
!'%s' is not a valid integer value('%s' is not a valid floating point value!'%s' is not a valid date and time
'%s' is not a valid GUID value
I/O error %d
1, 0, 0, 1
MSRSAAP.EXE
4, 0, 0, 0

notepad.exe_1912:


.text
`.data
.rsrc
comdlg32.dll
SHELL32.dll
WINSPOOL.DRV
COMCTL32.dll
msvcrt.dll
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
notepad.chm
hhctrl.ocx
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
notepad.pdb
t%SSh
_acmdln
RegCloseKey
RegCreateKeyW
RegOpenKeyExA
SetViewportExtEx
GetKeyboardLayout
name="Microsoft.Windows.Shell.notepad"
version="5.1.0.0"
Windows Shell
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
&*$#$$#$*
MMMrMMM`MMMRMMMFMMM:MMM.MMM"MMM
*.txt
/.SETUP
Text Documents (*.txt)
5.1.2600.5512 (xpsp.080413-2105)
NOTEPAD.EXE
Windows
Operating System
5.1.2600.5512
notepad.hlp
You cannot quit Windows because the Save As dialog
dialog box, and then try quitting Windows again.
Common Dialog error (0xx)
Not enough memory available to complete this operation. Quit one or more applications to increase available memory, and then try again.KThe %% file is too large for Notepad.
Not a valid file name.MCannot create the %% file.
Make sure that the path and filename are correct.RCannot carry out the Word Wrap command because there is too much text in the file.
Page %d
Ln %d, Col %d

notepad.exe_1912_rwx_000A0000_00001000:


kernel32.dll

notepad.exe_1912_rwx_000B0000_00001000:


user32.dll

notepad.exe_1912_rwx_001A0000_00001000:


%Documents and Settings%\All Users\Start Menu\Programs\Microsoft Network\Redupdater.exe

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   Redupdater.exe:812
   D9IZAPWZPPYB151IYACOGMKG6BFQLQ8H..COM:120
   %original file name%.exe:1380
   attrib.exe:1188
   attrib.exe:1180
   notepad.exe:612
   

2. Delete the original Backdoor file.
   
3. Delete or disinfect the following files created/modified by the Backdoor:
   

   %Documents and Settings%\All Users\Start Menu\Programs\Microsoft Network\Redupdater.exe (4545 bytes)
   %System%\drivers\etc\hosts (771 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\D9IZAPWZPPYB151IYACOGMKG6BFQLQ8H..COM (3749 bytes)
   %Documents and Settings%\%current user%\Application Data\%original file name%.exe (2105 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "Connections" = "%Documents and Settings%\All Users\Start Menu\Programs\Microsoft Network\Redupdater.exe"
   
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "rakabulle" = "%Documents and Settings%\%current user%\Application Data\%original file name%.exe"

5. Remove the references to the Backdoor by modifying the following registry value(s) (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   "UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\Start Menu\Programs\Microsoft Network\Redupdater.exe"

6. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.