MD5: 0e2c8fd5db7e641451f4ab21bd0dd470
SHA1: 4552a019f563832bd451830d6a0d2cb15a73c326
SHA256: 1cce3d2661afa030fd96d64a72312d01be8d6fa0e745455c7924cab97c72df88
SSDeep: 12288:EzI/Huum1yxUnKBerFY6Dc0ABb5eSlzPQwNzabmUCWpIIbxkD26kQFuIseahiPFf:cIfwSuDUt
Size: 1753088 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualBasicv50v60
Company: no certificate found
Created at: 2011-06-11 23:06:35
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):

Lskmkx.exe:1752
Lskmkx.exe:264
%original file name%.exe:188
%original file name%.exe:1772

The Trojan injects its code into the following process(es):

vmacthlp.exe:924
csrss.exe:688
winlogon.exe:712
services.exe:756
lsass.exe:768
wmiprvse.exe:800
svchost.exe:940
svchost.exe:1020
svchost.exe:1104
svchost.exe:1152
svchost.exe:1216
spoolsv.exe:1440
Explorer.EXE:1572
jqs.exe:1592

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1772 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Lskmkx.exe (11518 bytes)

Registry activity

The process Lskmkx.exe:1752 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E A2 7B 24 72 A7 8B 27 DD B8 60 2C BC 2D FA 9F"

The process Lskmkx.exe:264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 A1 95 83 13 8E 32 8E AA FC 68 A2 A4 BE 02 4A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process %original file name%.exe:188 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D 4F D9 63 9C 35 A8 7C D4 9A 01 8C 20 2C 95 6F"

The process %original file name%.exe:1772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 E0 5D 3C 0F 72 DB 98 07 F8 03 86 11 95 11 08"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"Shell" = "explorer.exe,%Documents and Settings%\%current user%\Application Data\Lskmkx.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"Shell" = "explorer.exe,%Documents and Settings%\%current user%\Application Data\Lskmkx.exe"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Lskmkx" = "%Documents and Settings%\%current user%\Application Data\Lskmkx.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lskmkx" = "%Documents and Settings%\%current user%\Application Data\Lskmkx.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Lskmkx" = "%Documents and Settings%\%current user%\Application Data\Lskmkx.exe"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in WININET.dll:

HttpSendRequestW
InternetWriteFile
HttpSendRequestA

The Trojan installs the following user-mode hooks in WS2_32.dll:

send

The Trojan installs the following user-mode hooks in kernel32.dll:

MoveFileA
CopyFileW
CopyFileA
MoveFileW
CreateFileW
CreateFileA

The Trojan installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtResumeThread
NtQueryDirectoryFile
NtEnumerateValueKey

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
A program can register a device notification with the help of RegisterDeviceNotification. So it is notified when a USB device is plugged and then the worm copies itself to the USB device plugged into the affected computer.

VersionInfo

Company Name: x
Product Name: yvakbcyotu
Product Version: 27.09.0010
Legal Copyright: omsbgatre ehajdwv
Legal Trademarks: cncgoj xkypnqcft
Original Filename: rfdr.exe
Internal Name: rfdr
File Version: 27.09.0010
File Description: pfnwddvsmni
Comments: hyl
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

toSSSSSSSSSShl

ShellExecuteA

SHELL32.dll

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

GetWindowsDirectoryW

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s"

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Link sent!

%s.p21-> Link sent!

msnmsg

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.. Removing at reboot

PRIVMSG #

%s.PTF://%s:%s@%s:%d (p='%S')

PASS %s

USER %s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

1.0.0

hXXp://VVV.nobrain.dk

msn.set

msn.int

w00t.edu

dns.photomarket.me

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v ="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S"

[d="%s" s="%d bytes"] Executed file "%S"

[Slowloris]: Starting flood on "%s" for %d minutes

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s" for %d seconds

[UDP]: Finished flood on "%s"

[SSYN]: Starting flood on "%s" for %d seconds

[SSYN]: Finished flood on "%s"

[USB]: Infected %s

[MSN]: Updated MSN spread link to "%s"

[MSN]: Updated MSN spread interval to "%s"

[Visit]: Visited "%s"

[d="%s" s="%d bytes"] Error update md5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type.. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Removing "%s" at reboot

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

ftplog

ftpinfect

httplogin

httptraff

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

<iframe src ="hXXp://VVV.google.co.uk" width="100%" height="300"></iframe>

print '%s<br>';

%s<br>%s

.webroot.

.fortinet.

.virusbuster..nprotect.

.gdatasoftware.

.virus.

.precisesecurity.

.lavasoft.

check.tc

.emsisoft.

.onlinemalwarescanner.

onecare.live.

.bullguard.

.clamav.

.pandasecurity.

.sophos.

.malwarebytes.

.sunbeltsoftware.

.norton.

.norman.

.mcafee.

.symantec

.comodo.

.avast.

.avira.

.avg.

.bitdefender.

.eset.

.kaspersky.

.trendmicro.

.iseclab.

.virscan.

.garyshood.

.viruschief.

.jotti.

.threatexpert.

.novirusthanks.

.virustotal.

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s:%d

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s}%s

n{%s|%s}%s

%s|%s

%s|%s|%s

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

/c "start Í%

&&%windir%\explorer.exe

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%s.exe

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s.disable

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

\??\%System%\csrss.exe

%Documents and Settings%\%current user%\Application Data\Lskmkx.exe

%WinDir%

wlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

"%s" %S

Internet Explorer\iexplore.exe

lol.exe

explorer.exe

urlmon.dll

nspr4.dll

dnsapi.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

\Device\HarddiskVolume1\WINDOWS\system32\csrss.exe

winlogon.exe_712_rwx_00AD0000_00024000:

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

toSSSSSSSSSShl

ShellExecuteA

SHELL32.dll

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

GetWindowsDirectoryW

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s"

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Link sent!

%s.p21-> Link sent!

msnmsg

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.. Removing at reboot

PRIVMSG #

%s.PTF://%s:%s@%s:%d (p='%S')

PASS %s

USER %s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

1.0.0

hXXp://VVV.nobrain.dk

msn.set

msn.int

w00t.edu

dns.photomarket.me

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v ="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S"

[d="%s" s="%d bytes"] Executed file "%S"

[Slowloris]: Starting flood on "%s" for %d minutes

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s" for %d seconds

[UDP]: Finished flood on "%s"

[SSYN]: Starting flood on "%s" for %d seconds

[SSYN]: Finished flood on "%s"

[USB]: Infected %s

[MSN]: Updated MSN spread link to "%s"

[MSN]: Updated MSN spread interval to "%s"

[Visit]: Visited "%s"

[d="%s" s="%d bytes"] Error update md5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type.. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Removing "%s" at reboot

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

ftplog

ftpinfect

httplogin

httptraff

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

<iframe src ="hXXp://VVV.google.co.uk" width="100%" height="300"></iframe>

print '%s<br>';

%s<br>%s

.webroot.

.fortinet.

.virusbuster..nprotect.

.gdatasoftware.

.virus.

.precisesecurity.

.lavasoft.

check.tc

.emsisoft.

.onlinemalwarescanner.

onecare.live.

.bullguard.

.clamav.

.pandasecurity.

.sophos.

.malwarebytes.

.sunbeltsoftware.

.norton.

.norman.

.mcafee.

.symantec

.comodo.

.avast.

.avira.

.avg.

.bitdefender.

.eset.

.kaspersky.

.trendmicro.

.iseclab.

.virscan.

.garyshood.

.viruschief.

.jotti.

.threatexpert.

.novirusthanks.

.virustotal.

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s:%d

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s}%s

n{%s|%s}%s

%s|%s

%s|%s|%s

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

/c "start Í%

&&%windir%\explorer.exe

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%s.exe

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s.disable

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

\??\%System%\winlogon.exe

%Documents and Settings%\%current user%\Application Data\Lskmkx.exe

%WinDir%

wlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

"%s" %S

Internet Explorer\iexplore.exe

lol.exe

explorer.exe

urlmon.dll

nspr4.dll

dnsapi.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

\Device\HarddiskVolume1\WINDOWS\system32\winlogon.exe

services.exe_756_rwx_00AF0000_00024000:

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

toSSSSSSSSSShl

ShellExecuteA

SHELL32.dll

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

GetWindowsDirectoryW

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s"

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Link sent!

%s.p21-> Link sent!

msnmsg

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.. Removing at reboot

PRIVMSG #

%s.PTF://%s:%s@%s:%d (p='%S')

PASS %s

USER %s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

1.0.0

hXXp://VVV.nobrain.dk

msn.set

msn.int

w00t.edu

dns.photomarket.me

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v ="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S"

[d="%s" s="%d bytes"] Executed file "%S"

[Slowloris]: Starting flood on "%s" for %d minutes

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s" for %d seconds

[UDP]: Finished flood on "%s"

[SSYN]: Starting flood on "%s" for %d seconds

[SSYN]: Finished flood on "%s"

[USB]: Infected %s

[MSN]: Updated MSN spread link to "%s"

[MSN]: Updated MSN spread interval to "%s"

[Visit]: Visited "%s"

[d="%s" s="%d bytes"] Error update md5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type.. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Removing "%s" at reboot

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

ftplog

ftpinfect

httplogin

httptraff

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

<iframe src ="hXXp://VVV.google.co.uk" width="100%" height="300"></iframe>

print '%s<br>';

%s<br>%s

.webroot.

.fortinet.

.virusbuster..nprotect.

.gdatasoftware.

.virus.

.precisesecurity.

.lavasoft.

check.tc

.emsisoft.

.onlinemalwarescanner.

onecare.live.

.bullguard.

.clamav.

.pandasecurity.

.sophos.

.malwarebytes.

.sunbeltsoftware.

.norton.

.norman.

.mcafee.

.symantec

.comodo.

.avast.

.avira.

.avg.

.bitdefender.

.eset.

.kaspersky.

.trendmicro.

.iseclab.

.virscan.

.garyshood.

.viruschief.

.jotti.

.threatexpert.

.novirusthanks.

.virustotal.

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s:%d

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s}%s

n{%s|%s}%s

%s|%s

%s|%s|%s

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

/c "start Í%

&&%windir%\explorer.exe

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%s.exe

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s.disable

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

%System%\services.exe

%Documents and Settings%\%current user%\Application Data\Lskmkx.exe

%WinDir%

wlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

"%s" %S

Internet Explorer\iexplore.exe

lol.exe

explorer.exe

urlmon.dll

nspr4.dll

dnsapi.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

\Device\HarddiskVolume1\WINDOWS\system32\services.exe

lsass.exe_768_rwx_00B60000_00024000:

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

toSSSSSSSSSShl

ShellExecuteA

SHELL32.dll

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

GetWindowsDirectoryW

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s"

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Link sent!

%s.p21-> Link sent!

msnmsg

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.. Removing at reboot

PRIVMSG #

%s.PTF://%s:%s@%s:%d (p='%S')

PASS %s

USER %s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

1.0.0

hXXp://VVV.nobrain.dk

msn.set

msn.int

w00t.edu

dns.photomarket.me

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v ="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S"

[d="%s" s="%d bytes"] Executed file "%S"

[Slowloris]: Starting flood on "%s" for %d minutes

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s" for %d seconds

[UDP]: Finished flood on "%s"

[SSYN]: Starting flood on "%s" for %d seconds

[SSYN]: Finished flood on "%s"

[USB]: Infected %s

[MSN]: Updated MSN spread link to "%s"

[MSN]: Updated MSN spread interval to "%s"

[Visit]: Visited "%s"

[d="%s" s="%d bytes"] Error update md5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type.. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Removing "%s" at reboot

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

ftplog

ftpinfect

httplogin

httptraff

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

<iframe src ="hXXp://VVV.google.co.uk" width="100%" height="300"></iframe>

print '%s<br>';

%s<br>%s

.webroot.

.fortinet.

.virusbuster..nprotect.

.gdatasoftware.

.virus.

.precisesecurity.

.lavasoft.

check.tc

.emsisoft.

.onlinemalwarescanner.

onecare.live.

.bullguard.

.clamav.

.pandasecurity.

.sophos.

.malwarebytes.

.sunbeltsoftware.

.norton.

.norman.

.mcafee.

.symantec

.comodo.

.avast.

.avira.

.avg.

.bitdefender.

.eset.

.kaspersky.

.trendmicro.

.iseclab.

.virscan.

.garyshood.

.viruschief.

.jotti.

.threatexpert.

.novirusthanks.

.virustotal.

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s:%d

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s}%s

n{%s|%s}%s

%s|%s

%s|%s|%s

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

/c "start Í%

&&%windir%\explorer.exe

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%s.exe

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s.disable

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

%System%\lsass.exe

%Documents and Settings%\%current user%\Application Data\Lskmkx.exe

%WinDir%

wlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

"%s" %S

Internet Explorer\iexplore.exe

lol.exe

explorer.exe

urlmon.dll

nspr4.dll

dnsapi.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

\Device\HarddiskVolume1\WINDOWS\system32\lsass.exe

wmiprvse.exe_800_rwx_00DE0000_00024000:

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

toSSSSSSSSSShl

ShellExecuteA

SHELL32.dll

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

GetWindowsDirectoryW

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s"

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Link sent!

%s.p21-> Link sent!

msnmsg

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.. Removing at reboot

PRIVMSG #

%s.PTF://%s:%s@%s:%d (p='%S')

PASS %s

USER %s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

1.0.0

hXXp://VVV.nobrain.dk

msn.set

msn.int

w00t.edu

dns.photomarket.me

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v ="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S"

[d="%s" s="%d bytes"] Executed file "%S"

[Slowloris]: Starting flood on "%s" for %d minutes

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s" for %d seconds

[UDP]: Finished flood on "%s"

[SSYN]: Starting flood on "%s" for %d seconds

[SSYN]: Finished flood on "%s"

[USB]: Infected %s

[MSN]: Updated MSN spread link to "%s"

[MSN]: Updated MSN spread interval to "%s"

[Visit]: Visited "%s"

[d="%s" s="%d bytes"] Error update md5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type.. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Removing "%s" at reboot

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

ftplog

ftpinfect

httplogin

httptraff

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

<iframe src ="hXXp://VVV.google.co.uk" width="100%" height="300"></iframe>

print '%s<br>';

%s<br>%s

.webroot.

.fortinet.

.virusbuster..nprotect.

.gdatasoftware.

.virus.

.precisesecurity.

.lavasoft.

check.tc

.emsisoft.

.onlinemalwarescanner.

onecare.live.

.bullguard.

.clamav.

.pandasecurity.

.sophos.

.malwarebytes.

.sunbeltsoftware.

.norton.

.norman.

.mcafee.

.symantec

.comodo.

.avast.

.avira.

.avg.

.bitdefender.

.eset.

.kaspersky.

.trendmicro.

.iseclab.

.virscan.

.garyshood.

.viruschief.

.jotti.

.threatexpert.

.novirusthanks.

.virustotal.

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s:%d

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s}%s

n{%s|%s}%s

%s|%s

%s|%s|%s

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

/c "start Í%

&&%windir%\explorer.exe

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%s.exe

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s.disable

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

%System%\wbem\wmiprvse.exe

%Documents and Settings%\%current user%\Application Data\Lskmkx.exe

%WinDir%

wlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

"%s" %S

Internet Explorer\iexplore.exe

lol.exe

explorer.exe

urlmon.dll

nspr4.dll

dnsapi.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

\Device\HarddiskVolume1\WINDOWS\system32\wbem\wmiprvse.exe

svchost.exe_940_rwx_005C0000_00024000:

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

toSSSSSSSSSShl

ShellExecuteA

SHELL32.dll

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

GetWindowsDirectoryW

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s"

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Link sent!

%s.p21-> Link sent!

msnmsg

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.. Removing at reboot

PRIVMSG #

%s.PTF://%s:%s@%s:%d (p='%S')

PASS %s

USER %s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

1.0.0

hXXp://VVV.nobrain.dk

msn.set

msn.int

w00t.edu

dns.photomarket.me

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v ="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S"

[d="%s" s="%d bytes"] Executed file "%S"

[Slowloris]: Starting flood on "%s" for %d minutes

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s" for %d seconds

[UDP]: Finished flood on "%s"

[SSYN]: Starting flood on "%s" for %d seconds

[SSYN]: Finished flood on "%s"

[USB]: Infected %s

[MSN]: Updated MSN spread link to "%s"

[MSN]: Updated MSN spread interval to "%s"

[Visit]: Visited "%s"

[d="%s" s="%d bytes"] Error update md5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type.. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Removing "%s" at reboot

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

ftplog

ftpinfect

httplogin

httptraff

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

<iframe src ="hXXp://VVV.google.co.uk" width="100%" height="300"></iframe>

print '%s<br>';

%s<br>%s

.webroot.

.fortinet.

.virusbuster..nprotect.

.gdatasoftware.

.virus.

.precisesecurity.

.lavasoft.

check.tc

.emsisoft.

.onlinemalwarescanner.

onecare.live.

.bullguard.

.clamav.

.pandasecurity.

.sophos.

.malwarebytes.

.sunbeltsoftware.

.norton.

.norman.

.mcafee.

.symantec

.comodo.

.avast.

.avira.

.avg.

.bitdefender.

.eset.

.kaspersky.

.trendmicro.

.iseclab.

.virscan.

.garyshood.

.viruschief.

.jotti.

.threatexpert.

.novirusthanks.

.virustotal.

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s:%d

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s}%s

n{%s|%s}%s

%s|%s

%s|%s|%s

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

/c "start Í%

&&%windir%\explorer.exe

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%s.exe

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s.disable

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

%System%\svchost.exe

%Documents and Settings%\%current user%\Application Data\Lskmkx.exe

%WinDir%

wlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

"%s" %S

Internet Explorer\iexplore.exe

lol.exe

explorer.exe

urlmon.dll

nspr4.dll

dnsapi.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

]\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

svchost.exe_1020_rwx_00B50000_00024000:

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

toSSSSSSSSSShl

ShellExecuteA

SHELL32.dll

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

GetWindowsDirectoryW

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s"

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Link sent!

%s.p21-> Link sent!

msnmsg

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.. Removing at reboot

PRIVMSG #

%s.PTF://%s:%s@%s:%d (p='%S')

PASS %s

USER %s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

1.0.0

hXXp://VVV.nobrain.dk

msn.set

msn.int

w00t.edu

dns.photomarket.me

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v ="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S"

[d="%s" s="%d bytes"] Executed file "%S"

[Slowloris]: Starting flood on "%s" for %d minutes

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s" for %d seconds

[UDP]: Finished flood on "%s"

[SSYN]: Starting flood on "%s" for %d seconds

[SSYN]: Finished flood on "%s"

[USB]: Infected %s

[MSN]: Updated MSN spread link to "%s"

[MSN]: Updated MSN spread interval to "%s"

[Visit]: Visited "%s"

[d="%s" s="%d bytes"] Error update md5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type.. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Removing "%s" at reboot

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

ftplog

ftpinfect

httplogin

httptraff

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

<iframe src ="hXXp://VVV.google.co.uk" width="100%" height="300"></iframe>

print '%s<br>';

%s<br>%s

.webroot.

.fortinet.

.virusbuster..nprotect.

.gdatasoftware.

.virus.

.precisesecurity.

.lavasoft.

check.tc

.emsisoft.

.onlinemalwarescanner.

onecare.live.

.bullguard.

.clamav.

.pandasecurity.

.sophos.

.malwarebytes.

.sunbeltsoftware.

.norton.

.norman.

.mcafee.

.symantec

.comodo.

.avast.

.avira.

.avg.

.bitdefender.

.eset.

.kaspersky.

.trendmicro.

.iseclab.

.virscan.

.garyshood.

.viruschief.

.jotti.

.threatexpert.

.novirusthanks.

.virustotal.

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s:%d

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s}%s

n{%s|%s}%s

%s|%s

%s|%s|%s

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

/c "start Í%

&&%windir%\explorer.exe

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%s.exe

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s.disable

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

%System%\svchost.exe

%Documents and Settings%\%current user%\Application Data\Lskmkx.exe

%WinDir%

wlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

"%s" %S

Internet Explorer\iexplore.exe

lol.exe

explorer.exe

urlmon.dll

nspr4.dll

dnsapi.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

svchost.exe_1104_rwx_01CB0000_00024000:

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

toSSSSSSSSSShl

ShellExecuteA

SHELL32.dll

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

GetWindowsDirectoryW

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s"

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Link sent!

%s.p21-> Link sent!

msnmsg

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.. Removing at reboot

PRIVMSG #

%s.PTF://%s:%s@%s:%d (p='%S')

PASS %s

USER %s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

1.0.0

hXXp://VVV.nobrain.dk

msn.set

msn.int

w00t.edu

dns.photomarket.me

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v ="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S"

[d="%s" s="%d bytes"] Executed file "%S"

[Slowloris]: Starting flood on "%s" for %d minutes

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s" for %d seconds

[UDP]: Finished flood on "%s"

[SSYN]: Starting flood on "%s" for %d seconds

[SSYN]: Finished flood on "%s"

[USB]: Infected %s

[MSN]: Updated MSN spread link to "%s"

[MSN]: Updated MSN spread interval to "%s"

[Visit]: Visited "%s"

[d="%s" s="%d bytes"] Error update md5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type.. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Removing "%s" at reboot

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

ftplog

ftpinfect

httplogin

httptraff

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

<iframe src ="hXXp://VVV.google.co.uk" width="100%" height="300"></iframe>

print '%s<br>';

%s<br>%s

.webroot.

.fortinet.

.virusbuster..nprotect.

.gdatasoftware.

.virus.

.precisesecurity.

.lavasoft.

check.tc

.emsisoft.

.onlinemalwarescanner.

onecare.live.

.bullguard.

.clamav.

.pandasecurity.

.sophos.

.malwarebytes.

.sunbeltsoftware.

.norton.

.norman.

.mcafee.

.symantec

.comodo.

.avast.

.avira.

.avg.

.bitdefender.

.eset.

.kaspersky.

.trendmicro.

.iseclab.

.virscan.

.garyshood.

.viruschief.

.jotti.

.threatexpert.

.novirusthanks.

.virustotal.

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s:%d

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s}%s

n{%s|%s}%s

%s|%s

%s|%s|%s

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

/c "start Í%

&&%windir%\explorer.exe

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%s.exe

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s.disable

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

%WinDir%\System32\svchost.exe

%Documents and Settings%\%current user%\Application Data\Lskmkx.exe

%WinDir%

wlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

"%s" %S

Internet Explorer\iexplore.exe

lol.exe

explorer.exe

urlmon.dll

nspr4.dll

dnsapi.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

svchost.exe_1152_rwx_006F0000_00024000:

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

toSSSSSSSSSShl

ShellExecuteA

SHELL32.dll

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

GetWindowsDirectoryW

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s"

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Link sent!

%s.p21-> Link sent!

msnmsg

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.. Removing at reboot

PRIVMSG #

%s.PTF://%s:%s@%s:%d (p='%S')

PASS %s

USER %s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

1.0.0

hXXp://VVV.nobrain.dk

msn.set

msn.int

w00t.edu

dns.photomarket.me

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v ="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S"

[d="%s" s="%d bytes"] Executed file "%S"

[Slowloris]: Starting flood on "%s" for %d minutes

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s" for %d seconds

[UDP]: Finished flood on "%s"

[SSYN]: Starting flood on "%s" for %d seconds

[SSYN]: Finished flood on "%s"

[USB]: Infected %s

[MSN]: Updated MSN spread link to "%s"

[MSN]: Updated MSN spread interval to "%s"

[Visit]: Visited "%s"

[d="%s" s="%d bytes"] Error update md5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type.. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Removing "%s" at reboot

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

ftplog

ftpinfect

httplogin

httptraff

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

<iframe src ="hXXp://VVV.google.co.uk" width="100%" height="300"></iframe>

print '%s<br>';

%s<br>%s

.webroot.

.fortinet.

.virusbuster..nprotect.

.gdatasoftware.

.virus.

.precisesecurity.

.lavasoft.

check.tc

.emsisoft.

.onlinemalwarescanner.

onecare.live.

.bullguard.

.clamav.

.pandasecurity.

.sophos.

.malwarebytes.

.sunbeltsoftware.

.norton.

.norman.

.mcafee.

.symantec

.comodo.

.avast.

.avira.

.avg.

.bitdefender.

.eset.

.kaspersky.

.trendmicro.

.iseclab.

.virscan.

.garyshood.

.viruschief.

.jotti.

.threatexpert.

.novirusthanks.

.virustotal.

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s:%d

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s}%s

n{%s|%s}%s

%s|%s

%s|%s|%s

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

/c "start Í%

&&%windir%\explorer.exe

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%s.exe

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s.disable

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

%System%\svchost.exe

%Documents and Settings%\%current user%\Application Data\Lskmkx.exe

%WinDir%

wlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

"%s" %S

Internet Explorer\iexplore.exe

lol.exe

explorer.exe

urlmon.dll

nspr4.dll

dnsapi.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

p\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

svchost.exe_1216_rwx_00B80000_00024000:

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

toSSSSSSSSSShl

ShellExecuteA

SHELL32.dll

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

GetWindowsDirectoryW

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s"

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Link sent!

%s.p21-> Link sent!

msnmsg

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.. Removing at reboot

PRIVMSG #

%s.PTF://%s:%s@%s:%d (p='%S')

PASS %s

USER %s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

1.0.0

hXXp://VVV.nobrain.dk

msn.set

msn.int

w00t.edu

dns.photomarket.me

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v ="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S"

[d="%s" s="%d bytes"] Executed file "%S"

[Slowloris]: Starting flood on "%s" for %d minutes

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s" for %d seconds

[UDP]: Finished flood on "%s"

[SSYN]: Starting flood on "%s" for %d seconds

[SSYN]: Finished flood on "%s"

[USB]: Infected %s

[MSN]: Updated MSN spread link to "%s"

[MSN]: Updated MSN spread interval to "%s"

[Visit]: Visited "%s"

[d="%s" s="%d bytes"] Error update md5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type.. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Removing "%s" at reboot

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

ftplog

ftpinfect

httplogin

httptraff

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

<iframe src ="hXXp://VVV.google.co.uk" width="100%" height="300"></iframe>

print '%s<br>';

%s<br>%s

.webroot.

.fortinet.

.virusbuster..nprotect.

.gdatasoftware.

.virus.

.precisesecurity.

.lavasoft.

check.tc

.emsisoft.

.onlinemalwarescanner.

onecare.live.

.bullguard.

.clamav.

.pandasecurity.

.sophos.

.malwarebytes.

.sunbeltsoftware.

.norton.

.norman.

.mcafee.

.symantec

.comodo.

.avast.

.avira.

.avg.

.bitdefender.

.eset.

.kaspersky.

.trendmicro.

.iseclab.

.virscan.

.garyshood.

.viruschief.

.jotti.

.threatexpert.

.novirusthanks.

.virustotal.

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s:%d

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s}%s

n{%s|%s}%s

%s|%s

%s|%s|%s

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

/c "start Í%

&&%windir%\explorer.exe

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%s.exe

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s.disable

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

%System%\svchost.exe

%Documents and Settings%\%current user%\Application Data\Lskmkx.exe

%WinDir%

wlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

"%s" %S

Internet Explorer\iexplore.exe

lol.exe

explorer.exe

urlmon.dll

nspr4.dll

dnsapi.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

spoolsv.exe_1440_rwx_00B30000_00024000:

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

toSSSSSSSSSShl

ShellExecuteA

SHELL32.dll

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

GetWindowsDirectoryW

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s"

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Link sent!

%s.p21-> Link sent!

msnmsg

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.. Removing at reboot

PRIVMSG #

%s.PTF://%s:%s@%s:%d (p='%S')

PASS %s

USER %s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

1.0.0

hXXp://VVV.nobrain.dk

msn.set

msn.int

w00t.edu

dns.photomarket.me

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v ="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S"

[d="%s" s="%d bytes"] Executed file "%S"

[Slowloris]: Starting flood on "%s" for %d minutes

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s" for %d seconds

[UDP]: Finished flood on "%s"

[SSYN]: Starting flood on "%s" for %d seconds

[SSYN]: Finished flood on "%s"

[USB]: Infected %s

[MSN]: Updated MSN spread link to "%s"

[MSN]: Updated MSN spread interval to "%s"

[Visit]: Visited "%s"

[d="%s" s="%d bytes"] Error update md5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type.. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Removing "%s" at reboot

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

ftplog

ftpinfect

httplogin

httptraff

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

<iframe src ="hXXp://VVV.google.co.uk" width="100%" height="300"></iframe>

print '%s<br>';

%s<br>%s

.webroot.

.fortinet.

.virusbuster..nprotect.

.gdatasoftware.

.virus.

.precisesecurity.

.lavasoft.

check.tc

.emsisoft.

.onlinemalwarescanner.

onecare.live.

.bullguard.

.clamav.

.pandasecurity.

.sophos.

.malwarebytes.

.sunbeltsoftware.

.norton.

.norman.

.mcafee.

.symantec

.comodo.

.avast.

.avira.

.avg.

.bitdefender.

.eset.

.kaspersky.

.trendmicro.

.iseclab.

.virscan.

.garyshood.

.viruschief.

.jotti.

.threatexpert.

.novirusthanks.

.virustotal.

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s:%d

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s}%s

n{%s|%s}%s

%s|%s

%s|%s|%s

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

/c "start Í%

&&%windir%\explorer.exe

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%s.exe

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s.disable

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

%System%\spoolsv.exe

%Documents and Settings%\%current user%\Application Data\Lskmkx.exe

%WinDir%

wlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

"%s" %S

Internet Explorer\iexplore.exe

lol.exe

explorer.exe

urlmon.dll

nspr4.dll

dnsapi.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

\Device\HarddiskVolume1\WINDOWS\system32\spoolsv.exe

Explorer.EXE_1572_rwx_01E20000_00024000:

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

toSSSSSSSSSShl

ShellExecuteA

SHELL32.dll

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

GetWindowsDirectoryW

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s"

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Link sent!

%s.p21-> Link sent!

msnmsg

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.. Removing at reboot

PRIVMSG #

%s.PTF://%s:%s@%s:%d (p='%S')

PASS %s

USER %s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

1.0.0

hXXp://VVV.nobrain.dk

msn.set

msn.int

w00t.edu

dns.photomarket.me

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v ="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S"

[d="%s" s="%d bytes"] Executed file "%S"

[Slowloris]: Starting flood on "%s" for %d minutes

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s" for %d seconds

[UDP]: Finished flood on "%s"

[SSYN]: Starting flood on "%s" for %d seconds

[SSYN]: Finished flood on "%s"

[USB]: Infected %s

[MSN]: Updated MSN spread link to "%s"

[MSN]: Updated MSN spread interval to "%s"

[Visit]: Visited "%s"

[d="%s" s="%d bytes"] Error update md5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type.. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Removing "%s" at reboot

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

ftplog

ftpinfect

httplogin

httptraff

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

<iframe src ="hXXp://VVV.google.co.uk" width="100%" height="300"></iframe>

print '%s<br>';

%s<br>%s

.webroot.

.fortinet.

.virusbuster..nprotect.

.gdatasoftware.

.virus.

.precisesecurity.

.lavasoft.

check.tc

.emsisoft.

.onlinemalwarescanner.

onecare.live.

.bullguard.

.clamav.

.pandasecurity.

.sophos.

.malwarebytes.

.sunbeltsoftware.

.norton.

.norman.

.mcafee.

.symantec

.comodo.

.avast.

.avira.

.avg.

.bitdefender.

.eset.

.kaspersky.

.trendmicro.

.iseclab.

.virscan.

.garyshood.

.viruschief.

.jotti.

.threatexpert.

.novirusthanks.

.virustotal.

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s:%d

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s}%s

n{%s|%s}%s

%s|%s

%s|%s|%s

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

/c "start Í%

&&%windir%\explorer.exe

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%s.exe

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s.disable

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

%WinDir%\Explorer.EXE

%Documents and Settings%\%current user%\Application Data\Lskmkx.exe

%WinDir%

Lskmkx.exe

wlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

"%s" %S

Internet Explorer\iexplore.exe

lol.exe

explorer.exe

urlmon.dll

nspr4.dll

dnsapi.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

\Device\HarddiskVolume1\WINDOWS\explorer.exe

jqs.exe_1592_rwx_010C0000_00024000:

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

toSSSSSSSSSShl

ShellExecuteA

SHELL32.dll

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

GetWindowsDirectoryW

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s"

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Link sent!

%s.p21-> Link sent!

msnmsg

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.. Removing at reboot

PRIVMSG #

%s.PTF://%s:%s@%s:%d (p='%S')

PASS %s

USER %s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

1.0.0

hXXp://VVV.nobrain.dk

msn.set

msn.int

w00t.edu

dns.photomarket.me

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v ="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S"

[d="%s" s="%d bytes"] Executed file "%S"

[Slowloris]: Starting flood on "%s" for %d minutes

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s" for %d seconds

[UDP]: Finished flood on "%s"

[SSYN]: Starting flood on "%s" for %d seconds

[SSYN]: Finished flood on "%s"

[USB]: Infected %s

[MSN]: Updated MSN spread link to "%s"

[MSN]: Updated MSN spread interval to "%s"

[Visit]: Visited "%s"

[d="%s" s="%d bytes"] Error update md5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type.. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Removing "%s" at reboot

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

ftplog

ftpinfect

httplogin

httptraff

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

<iframe src ="hXXp://VVV.google.co.uk" width="100%" height="300"></iframe>

print '%s<br>';

%s<br>%s

.webroot.

.fortinet.

.virusbuster..nprotect.

.gdatasoftware.

.virus.

.precisesecurity.

.lavasoft.

check.tc

.emsisoft.

.onlinemalwarescanner.

onecare.live.

.bullguard.

.clamav.

.pandasecurity.

.sophos.

.malwarebytes.

.sunbeltsoftware.

.norton.

.norman.

.mcafee.

.symantec

.comodo.

.avast.

.avira.

.avg.

.bitdefender.

.eset.

.kaspersky.

.trendmicro.

.iseclab.

.virscan.

.garyshood.

.viruschief.

.jotti.

.threatexpert.

.novirusthanks.

.virustotal.

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s:%d

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s}%s

n{%s|%s}%s

%s|%s

%s|%s|%s

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

/c "start Í%

&&%windir%\explorer.exe

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%s.exe

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s.disable

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

%Program Files%\Java\jre6\bin\jqs.exe

%Documents and Settings%\%current user%\Application Data\Lskmkx.exe

%WinDir%

wlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

"%s" %S

Internet Explorer\iexplore.exe

lol.exe

explorer.exe

urlmon.dll

nspr4.dll

dnsapi.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

\Device\HarddiskVolume1\Program Files\Java\jre6\bin\jqs.exe

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   Lskmkx.exe:1752
   Lskmkx.exe:264
   %original file name%.exe:188
   %original file name%.exe:1772
   

3. Delete the original Trojan file.
   
4. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Application Data\Lskmkx.exe (11518 bytes)

5. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
   "Lskmkx" = "%Documents and Settings%\%current user%\Application Data\Lskmkx.exe"
   
   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "Lskmkx" = "%Documents and Settings%\%current user%\Application Data\Lskmkx.exe"
   
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "Lskmkx" = "%Documents and Settings%\%current user%\Application Data\Lskmkx.exe"

6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.